foreign welcome back everyone to our special presentation here at thecube with Horizon 3.a I'm John Furrier host thecube here in Palo Alto back it's niho and Tony CEO and co-founder of horizon 3 for deep dive on going under the hood around the big news and also the platform autonomous pen testing changing the game and security great to see you welcome back thank you John I love what you guys have been doing with the cube huge fan been here a bunch of times and yeah looking forward to the conversation let's get into it all right so what what's the market look like and how do you see it evolving we're in a down Market relative to startups some say our data we're reporting on siliconangle in the cube that yeah there might be a bit of downturn in the economy with inflation but the tech Market is booming because the hyperscalers are still pumping out massive scale and still innovating so so you know for the first time in history this is a recession or downturn where there's now Cloud scale players that are an economic engine what's your view on this where's the market heading relative to the downturn and how are you guys navigating that so um I think about it one the there's a lot of belief out there that we're going to hit a downturn and we started to see that we started to see deals get longer and longer to close back in May across the board in the industry we continue to see deals get at least backloaded in the quarter as people understand their procurement how much money they really have to spend what their earnings are going to be so we're seeing this across the board one is quarters becoming lumpier for tech companies and we think that that's going to become kind of the norm over the next over the next year but what's interesting in our space of security testing is a very basic supply and demand problem the demand for security testing has skyrocketed when I was a CIO eight years ago I only had to worry about my on-prem attack surface my perimeter and Insider threat those are my primary threat vectors now if I was a CIO I have to include multiple clouds all of the data in my SAS offerings my Salesforce account and so on as well as work from home threat vectors and other pieces and I've got Regulatory Compliance in Europe in Asia in in the U.S tons of demand for testing and there's just not enough Supply there's only 5 000 certified pen testers in the United States so I think for starters you have a fundamental supply and demand problem that plays to our strength because we're able to bring a tremendous amount of pen testing supply to the table but now let's flip to if you are the CEO of a large security company or whether it's a Consulting shop or so on you've got a whole bunch of deferred revenue in your business model around security testing services and what we've done in our past in previous companies I worked at is if we didn't think we were going to make the money the quarter with product Revenue we would start to unlock some of that deferred Services Revenue to make the number to hit what we expected Wall Street to hit what Wall Street expected of us in testing that's not possible because there's not enough Supply except us so if I'm the CEO of an mssp or a large security company and I need I see a huge backlog of security testing revenue on the table the easy button to convert that to recognized revenue is Horizon 3. and when I think about the next six months and the amount of Revenue misses we're going to see in security shops especially those that can't fulfill their orders I think there's a ripe opportunity for us to win yeah one of the few opportunities where on any Market you win because the forces will drive your flywheel that's exactly right very basic supply and demand forces that are only increasing with pressure and there's no way it takes 10 years just to build a master hacker just it's a very hard complex space we become the easy button to address that supply problem yeah and this and the autonomous aspect makes appsec reviews as new things get pushed with Cloud native developers they're shifting left but still the security policies need to stay Pace as these new vectors threat vectors appear yeah I mean because that's what's happening a new new thing makes a vector possible that's exactly right I think there's two aspects one is the as you in increase change in your environment you need to increase testing they are absolutely correlated the second thing though is you know for 20 years we focused on remote code execution or rces as an industry what was the latest rce that gave an attacker access to my environment but if you look over the past few years that entire mindset has shifted credentials are the new code execution what I mean by that is if I have a large organization with a hundred a thousand ten thousand employees all it takes is one of them to have a password I can crack in credential spray and gain access to as an attacker and once I've gained access to a single user I'm going to systematically snowball that into something of consequence and so I think that the attackers have shifted away from looking for code execution and looked more towards harvesting credentials and cascading credentials from a regular domain user into an admin this brings up the conversation I would like to do it more Deep dive now shift into more of like the real kind of landscape of the market and your positioning and value proposition in that and that is managed services are becoming really popular as we move into this next next wave of super cloud and multi-cloud and hybrid Cloud because I mean multi-cloud and hybrid hybrid than multi-cloud sounds good on paper but the security Ops become big and one of the things we're reporting with here on the cube and siliconangle the past six months is devops has made the developer the IT team because they've essentially run it now in CI CD pipeline as they say that means it's replaced by data Ops or AI Ops or security Ops and data and security kind of go hand in hand so I can see that playing out do you believe that to be true that that's kind of the new operational kind of beach head that's critical and if so secure if data is part of security that makes security the new it yeah I I think that if you think about organizations hell even for Horizon 3 right now I don't need to hire a CIO I'll have a CSO and that CSO will own it and governance risk and compliance and security operations because at the end of the day the most pressing question for me to answer as a CEO is my security posture IIT is a supporting function of that security posture and we see that at say or a growth stage company like Horizon 3 but when I thought about my time at GE Capital we really shifted to this mindset of security by Design architecture as code and it was very much security driven conversation and I think that is the norm going forward and how do you view the idea that you have to enable a managed service provider with security also managing comp and which then manages the company to enable them to have agile security um security is code because what you're getting at is this autonomous layer that's going to be automated away to make the next talented layer whether it's coder or architect scale so the question is what is abstracted away at at automation seems to be the conversation that's coming out of this big cloud native or super cloud next wave of cloud scale I think there's uh there's two Dimensions to that and honestly I think the more interesting Dimension is not the technical side of it but rather think of the Equifax hack a bunch of years ago had Equifax used a managed security services provider would the CEO have been fired after the breach and the answer is probably not I think the CEO would have transferred enough reputational risk in operational risk to the third party mssp to save his job from being you know from him being fired you can look at that across the board I think that if if I were a CIO again I would be hard-pressed to build my own internal security function because I'm accepting that risk as an executive and we saw what just happened at Uber there's a ton of risk coming with that with the with accepting that as a security person so I think in the future the role of the mssp becomes more significant as a mechanism for transferring enough reputational and operational and legal risk to a third party so that you as the Core Company are able to protect yourself and your people now then what you think is a super cloud printables and Concepts being applied at mssp scale and I think that becomes really interesting talk about the talent opportunity because I think the managed service providers point to markets that are growing and changing also having managed service means that the customers can't always hire Talent hence they go to a Channel or a partner this seems to be a key part of the growth in your area talk about the talent aspect of it yeah um think back to what we saw in Cloud so as as Cloud picked up we saw IBM HP other Hardware companies sell more servers but to fewer customers Amazon Google and others right and so I think something similar is going to happen in the security space where I think you're going to see security tools providers selling more volume but to fewer customers that are just really big mssps so that is the the path forward and I think that the underlying Talent issue gives us economies at scale and that's what we saw this with Cloud we're going to see the same thing in the mssp space I've got a density of Talent Plus a density of automation plus a density of of relationships and ecosystem that give mssps a huge economies of scale advantage over everybody else I mean I want to get into the mssp business sounds like I make a lot of money yeah definitely it's profitable no doubt about it like that I got to ask more on the more of the burden side of it because if you're a partner I don't need another training class I don't need another tool I don't need someone saying this is the highest margin product I need to actually downsize my tools so right now there's hundreds of tools that mssps have all the time dealing with and does the customer so tools platforms we've kind of teased this out in previous conversations together but more more relevant to the mssp is what they do to the customers so talk about this uh burden of tools and the socks out there in the in in the landscape how do you how do you view that and what's the conversation like on average an organization has 130 different cyber security tools installed none of those tools were designed to work together none of those tools are from the same vendor and in fact oftentimes they're from vendors that have competing products and so what we don't have and they're still getting breached in the industry we don't have a tools problem we have an Effectiveness problem we have to reduce the number of tools we have get more out of out of the the effectiveness out of the existing infrastructure build muscle memory you know how to detect and respond to a breach and continuously verify that posture I think that's what the the most successful security organizations have mastered the fundamentals and they mastered that by making sure they were effective in detection and response not mastering it by buying the next shiny AI tool on the defensive side okay so you mentioned supply and demand early since you're brought up economics we'll get into the economic equations here when you have great profits that's going to attract more entrance into the marketplace so as more mssps enter the market you're going to start to see a little bit of competition maybe some fud maybe some price competitive price penetration all kinds of different Tactics get out go on there um how does that impact you because now does that impact your price or are you now part of them just competing on their own value what's that mean for the channel as more entrants come in hey you know I can compete against that other one does that create conflict is that an opportunity does are you neutral on that what's the position it's a great question actually I think the way it plays out is one we are neutral two the mssp has to stand on their own with their own unique value proposition otherwise they're going to become commoditized we saw this in the early cloud provider days the cloud providers that were just basically wrapping existing Hardware with with a race to the bottom pricing model didn't survive those that use the the cloud infrastructure as a starting point to build higher value capabilities they're the ones that have succeeded to this day the same Mo I think will occur in mssps which is there's a base level of capability that they've got to be able to deliver and it is the burden of the mssp to innovate effectively to elevate their value problem it's interesting Dynamic and I brought it up mainly because if you believe that this is going to be a growing New Market price erosion is more in mature markets so it's interesting to see that Dynamic come up and we'll see how that handles on the on the economics and just the macro side of it getting more into kind of like the next gen autonomous pen testing is a leading indicator that a new kind of security assessment is here um if I said that to you how do you respond to that what is this new security assessment mean what does that mean for the customer and to the partner and that that relationship down that whole chain yeah um back to I'm wearing a CIO hat right now don't tell me we're secure in PowerPoint show me we're secure Today Show me where we're secure tomorrow and then show me we're secure again next week because that's what matters to me if you can show me we're secure I can understand the risk I'm accepting and articulate it up to my board to my Regulators up until now we've had a PowerPoint tell me where secure culture and security and I just don't think that's going to last all that much longer so I think the future of security testing and assessment is this shift from a PowerPoint report to truly showing me that my I'm secure enough you guys auto-generate those statements now you mentioned that earlier that's exactly right because the other part is you know the classic way to do security reports was garbage in garbage out you had a human kind of theoretically fill out a spreadsheet that magically came up with the risk score or security posture that doesn't work that's a check the box mentality what you want to have is an accurate High Fidelity understanding of your blind spots your threat vectors what data is at risk what credentials are at risk you want to look at those results over time how quickly did I find problems how quickly did I fix them how often did they reoccur and that is how you get to a show me where secure culture whether I'm a company or I'm a channel partner working with Horizon 3.ai I have to put my name on the line and say Here's a service level agreement I'm going to stand behind there's levels of compliance you mentioned that earlier how do you guys help that area because that becomes I call the you know below the line I got to do it anyway usually it's you know they grind out the work but it has to be fundamental because if the threats vectors are increasing and you're handling it like you say you are the way it is real time today tomorrow the next day you got to have that other stuff flow into it can you describe how that works under the hood yeah there's there's two parts to it the first part is that attackers don't have to hack in with zero days they log in with credentials that they found but often what attackers are doing is chaining together different types of problems so if you have 10 different tactics you can chain those together a number of different ways it's not just 10 to the 10th it's it's actually because you don't you don't have to use all the tactics at once this is a very large number of combinations that an attacker can apply upon you is what it comes down to and so at the base level what you want to have is what are the the primary tactics that are being used and those tactics are always being added to and evolving what are the primary outcomes that an attacker is trying to achieve steal your data disrupt your systems become a domain admin and borrow and now what you have is it actually looks more like a chess game algorithm than it does any sort of hard-coded automation or anything else which is based on the pieces on the board the the it infrastructure I've discovered what is the next best action to become a domain admin or steal your data and that's the underlying innovation in IP we've created which is next best action Knowledge Graph analytics and adaptiveness to figure out how to combine different problems together to achieve an objective that an attacker cares about so the 3D chess players out there I'd say that's more like 3D chess are the practitioners implementing it but when I think about compliance managers I don't see 3D chess players I see back office accountants in my mind like okay are they actually even understand what comes out of that so how do you handle the compliance side do you guys just check the boxes there is it not part of it is it yeah I I know I don't Envision the compliance guys on the front lines identifying vectors do you know what it doesn't even know what it means yeah it's a great question when you think about uh the market segmentation I think there are we've seen are three basic types of users you've got the the really mature high frequency security testing purple team type folks and for them we are the the force multiplier for them to secure the environment you then have the middle group where the IT person and the security person are the same individual they are barely Treading Water they don't know what their attack surface is and they don't know what to focus on we end up that's actually where we started with the barely Treading Water Persona and that's why we had a product that helped those Network Engineers become superheroes the third segment are those that view security and compliance as synonymous and they don't really care about continuous they care about running and checking the box for PCI and forever else and those customers while they use us they are better served by our partner ecosystem and that's really so the the first two categories tend to use us directly self-service pen tests as often as they want that compliance-minded folks end up going through our partners because they're better served there steel great to have you on thanks for this deep dive on um under the hood section of the interview appreciate it and I think autonomous is is an indicator Beyond pen testing pen testing has become like okay penetration security but this is not going away where do you see this evolving what's next what's next for Horizon take a minute to give a plug for what's going on with copy how do you see it I know you got good margins you're raising Capital always raising money you're not yet public um looking good right now as they say yeah yeah well I think the first thing is our company strategy is in three chapters chapter one is become the best security testing platform in the industry period that's it and be very good at helping you find and fix your security blind spots that's chapter one we've been crushing it there with great customer attraction great partner traction chapter two which we've started to enter is look at our results over time to help that that GRC officer or auditor accurately assess the security posture of an organization and we're going to enter that chapter about this time next year longer term though the big Vision I have is how do I use offense to inform defense so for me chapter three is how do I get away from just security testing towards autonomous security overall where you can use our security testing platform to identify ways to attack that informs defensive tools exactly where to focus how to adjust and so on and now you've got offset and integrated learning Loop between attack and defense that's the future never been done before Master the art of attack to become a better Defender is the bigger vision of the company love the new paradigm security congratulations been following you guys we will continue to follow you thanks for coming on the Special Report congratulations on the new Market expansion International going indirect that a big way congratulations thank you John appreciate it okay this is a special presentation with the cube and Horizon 3.ai I'm John Furrier your host thanks for watching thank you

(electronic music) >> Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here, she's the chief information security officer at MongoDB rocket ship company We covered MongoDB World earlier this year, June, down in New York. Lena, thanks for coming to theCUBE. >> Thank you for having me. >> You're very welcome, I enjoyed your keynote yesterday. You had a big audience, I mean, this is a big deal. >> Yeah. >> This is the cloud security conference, AWS, putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security, how it used to be an afterthought, used to be the responsibility of a small group of people. >> Yeah. >> You know, it used to be a bolt on. >> Yep. >> That's changed dramatically and that change has really accelerated through the pandemic. >> Yep. >> Just describe that change from your perspective. >> So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was their first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third time returnee, I guess? So he's worked for, MongoDB be twice before, his name is Chris Sandalo, and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while and having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader. He had a reputation as a strong technical leader. So us combined is like indestructible, we we're a great team. >> Is your scope of responsibility, obviously you're protecting Mongo, >> Yeah. >> How much of your role extends into the product? >> So we have a product security team that report into Sahir Azam, our chief product officer. I think you even spoke to him. >> Yeah, he's amazing. >> He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer facing. I'm also to a certain extent customer facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance risk and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. And I think that's really important. We have to listen to what our customers want, but also internally. You know, what our internal groups need as well to help them grow. >> I remember last year, Re:invent 2021, I was watching a talk on security. It was the, I forget his name, but it was the individual who responsible for data center security. And one of the things he said was, you know, look it's not at the end of the day, the technology's important but it's not the technology. It's how you apply the tools and the practices and the culture- >> Right. That you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys. >> Yes. >> Let's put it that way. So talk about the challenges of building that culture, how you go about that, and how you sustain that cultural aspect. >> So, I think having the security champion program, so that's just, it's like one of my babies, that and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually people grade themselves, when they join us, we give them a little tick box. Like five is, I walk in security water. One is, I can spell security but I'd like to learn more. Mixing those groups together has been game changing for us. We now have over a hundred people who volunteer their time, with their supervisors permission, they help us with their phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them- And we have people from product as security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, really want to understand how they can apply the cultural values that we live with each day to make our security program stronger. As I say, that's been a game changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through this Champions program. >> Makes a lot of sense. You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it but wants to learn and then can ask really basic questions, and then the experts can actually understand better how to communicate. >> Absolutely. >> To that you know that 101 level. >> It's absolutely true. Like my mom lives in her iPad. She worships her iPad. Unfortunately she thinks everything on it is true. And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to- So she's a one, and I might be a five, that's hard. That's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden. >> My mom, rest her soul, when she first got a- we got her a Macintosh, this was years and years and years ago, and we were trying to train her over the phone, and said, mom, just grab the mouse. And she's like, I don't like mice. (Lena laughs) There you go. I know, I know, Lena, what that's like. Years ago, it was early last decade, we started to think about, wow, security really has to become a board level item. >> Yeah. >> And it really wasn't- 2010, you know, for certain companies. But really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary. >> Yes. >> We had this conversation, and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely. Here's how you know, here. This is the criticality. Now it's totally changed. >> Right. >> I mean, it's now a board level item. But how do you communicate to the C-Suite, the board? How often do you do that? What do you recommend is the right regime? And I know there's not any perfect- there's got to be situational, but how do you approach it? >> So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea. You know, Amazon alum, I mean, just genius. And he, and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday. So this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing. I've been at board meetings before where you almost feel personally attacked and that's not a good thing. Where, at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence. So I actually get their attention for at least an hour once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting. So they know what we're going to talk about and we know what their concerns are. And so you're not going in like, oh my gosh, what what's going to happen for this hour? We come prepared. We have statistics. We can show them where we're growing. We can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board has has helped me mature my role 10 times. And then also we have the chance to ask them, well what are your other CISOs doing? You know, they're members of other boards. So I can say to Dave, for example, you know, what's so-and-so doing at Datadog? Or Tom Killelea, what's the CISO of Capital One doing? And they help me make a lot of those connections as well. I mean, the CISO world is small and me being a female in the world with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's the Irish girl. Yeah. She's Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC. It's no longer that box ticking exercise that I used to feel security was, you know, if you heated your SOC2 type two in FinTech, oh, you were good to go. You know, if you did a HERC set for the power industry. All right, right. You know, we can move on now. It's not that anymore. >> Right. It's every single day. >> Yeah. Of course. Dev is Dev at the Chario. Dev spelled D E V. I spell Dave differently. My Dave. But, Lena, it sounds like you present a combination of metrics, so, the board, you feel like that's appropriate to dig into the metrics. But also I'm presuming you're talking strategy, potentially, you know, gaps- >> Road roadmaps, the whole nine yards. Yep. >> What's the, you know, I look at the budget scenario. At the macro level, CIOs have told us, they came into the year saying, hey we're going to grow spending at the macro, around eight percent, eight and a half percent. That's dialed down a little bit post Ukraine and the whole recession and Fed tightening. So now they're down maybe around six percent. So not dramatically lower, but still. And they tell us security is still the number one priority. >> Yes. >> That's been the case for many, many quarters, and actually years, but you don't have an unlimited budget. >> Sure >> Right. It's not like, oh, here is an open checkbook. >> Right. >> Lena, so, how does Mongo balance that with the other priorities in the organization, obviously, you know, you got to spend money on product, you got to spend money and go to market. What's the climate like now, is it, you know continuing on in 2022 despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment? >> We would never tap the breaks. I mean, this is something that's- So my other half works in the finance industry still. So we have, you know, interesting discussions when it comes to geopolitics and financial politics and you know, Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seeing to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We are not. That being said, you also have to be fiscally responsible. I'm Scottish, we're cheap, really frugal with money. And so I always tell my team: treat this money as if it's your own. As if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO, or the CISO of the company that's supplying it, and saying are you giving me the really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, X company, to, you know, maybe we'll give you credits on our platform. If you look to moving to us and then we could have a partnership, and I mean, that's how some of this stuff builds, and so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible, yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new and they know the board is never going to say no, but at some point, people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us what the best value for money. And so that's always been my view is we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO but I've got a dotted line to the CTO. So I'm, you know, I'm one of the few people at this level that's got my feet in both camps. You know budgets are talked at Dev's level. So, you know, it's really important that we get the spend right. >> And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary. >> Hopefully, yes. >> Right? Who's the- of course they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context. It feels like, when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model. >> Yes. >> You know, AWS likes to educate people and back then it was like, okay, hey, by the way, you know you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary. >> Right, right. >> There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO but because of the shared responsibility model, CISO is now the second line of defense >> Yes. Does that change your role? Does it make it less complicated in a way? Maybe, you know, more complicated because you now got to get your DevSecOps team? The developers are now much more involved in security? How is that shifting, specifically in the context of your relationship with AWS? >> It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ or you know, our account manager, its not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront. So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from. And you know, how far are we shifting left? Are we actually shifting right now? It's like, you know, get the balance, right? You can't be too much to one side. But I think in terms of where we're teaching the developers, you know, we are a company by developers for developers. So, we get it, we understand where they're coming from, and we try and be as proactive as AWS is. >> When you obviously the SolarWinds hack was a a major mile- I think in security, there's always something in the headlines- >> Yes. But when you think of things like, you know, Stuxnet, you know, Log4J, obviously Solarwinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and you know, much more automated. It's always been automated attacks, but you know island hopping and infiltrating and self-forming malware and really sophisticated techniques. >> Yep. >> How are you thinking about that supply chain, bill of materials from inside Mongo and ultimately externally to your customers? >> So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure. And that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure that the steel we were buying was the steel we were using. And so that became the H bomb. The hardware bill of materials, bad name. But, you know, we remember what it stood for. And then fast forward: President Biden's executive order. SBOs front and center, cloud first front and center. It's like, this is perfect. And so I was actually- I actually moderated a panel earlier this year at Homeland Security Week in DC, where we had a sneak CISA, So Dr. Allen Friedman from CISA, and also Patrick Weir from OWASP for the framework, CISA for the framework as well, and just the general guidance, and Snake for the front end. That was where my head was going. And MongoDB is the back-end database. And what we've done is we've taken our work with Snake and we now have a proof of concept for SBOs. And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOs shouldn't be something to be afraid of. If you want to do business with the government you're going to have to create one. We are offering a secure repository to store that data, the government could have access to that repository and see that data. So there's one source of truth. And so I think SBOs is going to be really interesting. I know that, you know, some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely- I've just, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j, there's always going to be another Log4j, we know that. we don't know everything, the unknown unknown, but at least if we're prepared to go find stuff quicker than we were then before Log4j, I think having SBOs on hand, having that one source of truth, that one repository, I think is going to make it so much easier to find those things. >> Last question, what's the CISO's number one challenge? Either yours or the CISO, generally. >> Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And, you know, we're sometimes like meerkats, you know. there's meerkats, you see like this, it's like, what do we talk about? But there's always something to talk about. And you just have to learn and keep learning. >> Last question, part B. As a hot technology company, that's, you know, rising star, you know not withstanding the tech lash and the stock market- >> Yeah. >> But Mongo's growing, you know, wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest, biggest challenge. Do you find that that's not the challenge for you? >> Not at all. I think on two fronts, one, we have the champions program. So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they'd already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer. >> I was so looking forward to interviewing you, Lena, thanks so much for coming. >> Thank you, this was a pleasure. >> It was really great to have you. >> Thank you so much. Thank you. >> You're really welcome. All right, keep it right there. This is Dave Villante for theCUBE. We'll be right back at AWS Re:inforce22 right after this short break.

>>Hello, everyone. Welcome to the Cube's live coverage here in Boston, Massachusetts for AWS reinforce 2022. I'm John fur, host of the cube with Dave. Valante my co-host for breaking analysis, famous podcast, Dave, great to see you. Um, Beck in Boston, 2010, we started >>The queue. It all started right here in this building. John, >>12 years ago, we started here, but here, you know, just 12 years, it just seems like a marathon with the queue. Over the years, we've seen many ways. You call yourself a historian, which you are. We are both now, historians security is doing over. And we said in 2013 is security to do where we asked pat GSK. Now the CEO of Intel prior to that, he was the CEO of VMware. This is the security show fors. It's called the reinforce. They have reinvent, which is their big show. Now they have these, what they call reshow, re Mars, machine learning, automation, um, robotics and space. And then they got reinforced, which is security. It's all about security in the cloud. So great show. Lot of talk about the keynotes were, um, pretty, I wouldn't say generic on one hand, but specific in the other clear AWS posture, we were both watching. What's your take? >>Well, John, actually looking back to may of 2010, when we started the cube at EMC world, and that was the beginning of this massive boom run, uh, which, you know, finally, we're starting to see some, some cracks of the armor. Of course, we're threats of recession. We're in a recession, most likely, uh, in inflationary pressures, interest rate hikes. And so, you know, finally the tech market has chilled out a little bit and you have this case before we get into the security piece of is the glass half full or half empty. So budgets coming into this year, it was expected. They would grow at a very robust eight point half percent CIOs have tuned that down, but it's still pretty strong at around 6%. And one of the areas that they really have no choice, but to focus on is security. They moved everything into the cloud or a lot of stuff into the cloud. >>They had to deal with remote work and that created a lot of security vulnerabilities. And they're still trying to figure that out and plug the holes with the lack of talent that they have. So it's interesting re the first reinforc that we did, which was also here in 2019, Steven Schmidt, who at the time was chief information security officer at Amazon web services said the state of cloud security is really strong. All this narrative, like the pat Gelsinger narrative securities, a do over, which you just mentioned, security is broken. It doesn't help the industry. The state of cloud security is very strong. If you follow the prescription. Well, see, now Steven Schmidt, as you know, is now chief security officer at Amazon. So we followed >>Jesse all Amazon, not just AWS. So >>He followed Jesse over and I asked him, well, why no, I, and they said, well, he's responsible now for physical security. Presumably the warehouses I'm like, well, wait a minute. What about the data centers? Who's responsible for that? So it's kind of funny, CJ. Moses is now the CSO at AWS and you know, these events are, are good. They're growing. And it's all about best practices, how to apply the practices. A lot of recommendations from, from AWS, a lot of tooling and really an ecosystem because let's face it. Amazon doesn't have the breadth and depth of tools to do it alone. >>And also the attendance is interesting, cuz we are just in New York city for the, uh, ado summit, 19,000 people, massive numbers, certainly in the pandemic. That's probably one of the top end shows and it was a summit. This is a different audience. It's security. It's really nerdy. You got OT, you got cloud. You've got on-prem. So now you have cloud operations. We're calling super cloud. Of course we're having our inaugural pilot event on August 9th, check it out. We're called super cloud, go to the cube.net to check it out. But this is the super cloud model evolving with security. And what you're hearing today, Dave, I wanna get your reaction to this is things like we've got billions of observational points. We're certainly there's no perimeter, right? So the perimeter's dead. The new perimeter, if you will, is every transaction at scale. So you have to have a new model. So security posture needs to be rethought. They actually said that directly on the keynote. So security, although numbers aren't as big as last week or two weeks ago in New York still relevant. So alright. There's sessions here. There's networking. Very interesting demographic, long hair. Lot of >>T-shirts >>No lot of, not a lot of nerds doing to build out things over there. So, so I gotta ask you, what's your reaction to this scale as the new advantage? Is that a tailwind or a headwind? What's your read? >>Well, it is amazing. I mean he actually, Steven Schmidt talked about quadrillions of events every month, quadrillions 15 zeros. What surprised me, John. So they, they, Amazon talks about five areas, but by the, by the way, at the event, they got five tracks in 125 sessions, data protection and privacy, GRC governance, risk and compliance, identity network security and threat detection. I was really surprised given the focus on developers, they didn't call out container security. I would've thought that would be sort of a separate area of focus, but to your point about scale, it's true. Amazon has a scale where they'll see events every day or every month that you might not see in a generation if you just kind of running your own data center. So I do think that's, that's, that's, that's a, a, a, a valid statement having said that Amazon's got a limited capability in terms of security. That's why they have to rely on the ecosystem. Now it's all about APIs connecting in and APIs are one of the biggest security vulnerability. So that's kind of, I, I I'm having trouble squaring that circle. >>Well, they did just to come up, bring back to the whole open source and software. They did say they did make a measurement was store, but at the beginning, Schmidt did say that, you know, besides scale being an advantage for Amazon with a quadri in 15 zeros, don't bolt on security. So that's a classic old school. We've heard that before, right. But he said specifically, weave in security in the dev cycles. And the C I C D pipeline that is, that basically means shift left. So sneak is here, uh, company we've covered. Um, and they, their whole thing is shift left. That implies Docker containers that implies Kubernetes. Um, but this is not a cloud native show per se. It's much more crypto crypto. You heard about, you know, the, uh, encrypt everything message on the keynote. You heard, um, about reasoning, quantum, quantum >>Skating to the puck. >>Yeah. So yeah, so, you know, although the middleman is logged for J heard that little little mention, I love the quote from Lewis Hamilton that they put up on stage CJ, Moses said, team behind the scenes make it happen. So a big emphasis on teamwork, big emphasis on don't bolt on security, have it in the beginning. We've heard that before a lot of threat modeling discussions, uh, and then really this, you know, the news around the cloud audit academy. So clearly skills gap, more threats, more use cases happening than ever before. >>Yeah. And you know, to your point about, you know, the teamwork, I think the problem that CISOs have is they just don't have the talent to that. AWS has. So they have a real difficulty applying that talent. And so but's saying, well, join us at these shows. We'll kind of show you how to do it, how we do it internally. And again, I think when you look out on this ecosystem, there's still like thousands and thousands of tools that practitioners have to apply every time. There's a tool, there's a separate set of skills to really understand that tool, even within AWS's portfolio. So this notion of a shared responsibility model, Amazon takes care of, you know, securing for instance, the physical nature of S3 you're responsible for secure, make sure you're the, the S3 bucket doesn't have public access. So that shared responsibility model is still very important. And I think practitioners still struggling with all this complexity in this matrix of tools. >>So they had the layered defense. So, so just a review opening keynote with Steve Schmidt, the new CSO, he talked about weaving insecurity in the dev cycles shift left, which is the, I don't bolt it on keep in the beginning. Uh, the lessons learned, he talked a lot about over permissive creates chaos, um, and that you gotta really look at who has access to what and why big learnings there. And he brought up the use cases. The more use cases are coming on than ever before. Um, layered defense strategy was his core theme, Dave. And that was interesting. And he also said specifically, no, don't rely on single security control, use multiple layers, stronger together. Be it it from the beginning, basically that was the whole ethos, the posture, he laid that down >>And he had a great quote on that. He said, I'm sorry to interrupt single controls. And binary states will fail guaranteed. >>Yeah, that's a guarantee that was basically like, that's his, that's not a best practice. That's a mandate. <laugh> um, and then CJ, Moses, who was his deputy in the past now takes over a CSO, um, ownership across teams, ransomware mitigation, air gaping, all that kind of in the weeds kind of security stuff. You want to check the boxes on. And I thought he did a good job. Right. And he did the news. He's the new CISO. Okay. Then you had lean is smart from Mongo DB. Come on. Yeah. Um, she was interesting. I liked her talk, obviously. Mongo is one of the ecosystem partners headlining game. How do you read into that? >>Well, I, I I'm, its really interesting. Right? You didn't see snowflake up there. Right? You see data breaks up there. You had Mongo up there and I'm curious is her and she's coming on the cube tomorrow is her primary role sort of securing Mongo internally? Is it, is it securing the Mongo that's running across clouds. She's obviously here talking about AWS. So what I make of it is, you know, that's, it's a really critical partner. That's driving a lot of business for AWS, but at the same time it's data, they talked about data security being one of the key areas that you have to worry about and that's, you know what Mongo does. So I'm really excited. I talked to her >>Tomorrow. I, I did like her mention a big idea, a cube alumni, yeah. Company. They were part of our, um, season one of our eight of us startup showcase, check out AWS startups.com. If you're watching this, we've been doing now, we're in season two, we're featuring the fastest growing hottest startups in the ecosystem. Not the big players, that's ISVs more of the startups. They were mentioned. They have a great product. So I like to mention a big ID. Um, security hub mentioned a config. They're clearly a big customer and they have user base, a lot of E C, two and storage going on. People are building on Mongo so I can see why they're in there. The question I want to ask you is, is Mongo's new stuff in line with all the upgrades in the Silicon. So you got graviton, which has got great stuff. Um, great performance. Do you see that, that being a key part of things >>Well, specifically graviton. So I I'll tell you this. I'll tell you what I know when you look at like snowflake, for instance, is optimizing for graviton. For certain workloads, they actually talked about it on their earnings call, how it's lowered the cost for customers and actually hurt their revenue. You know, they still had great revenue, but it hurt their revenue. My sources indicate to me that that, that Mongo is not getting as much outta graviton two, but they're waiting for graviton three. Now they don't want to make that widely known because they don't wanna dis AWS. But it's, it's probably because Mongo's more focused on analytics. But so to me, graviton is the future. It's lower cost. >>Yeah. Nobody turns off the database. >>Nobody turns off the database. >><laugh>, it's always cranking C two cycles. You >>Know the other thing I wanted to bring, bring up, I thought we'd hear, hear more about ransomware. We heard a little bit of from Kirk Coel and he, and he talked about all these things you could do to mitigate ransomware. He didn't talk about air gaps and that's all you hear is how air gap. David Flo talks about this all the time. You must have air gaps. If you wanna, you know, cover yourself against ransomware. And they didn't even mention that. Now, maybe we'll hear that from the ecosystem. That was kind of surprising. Then I, I saw you made a note in our shared doc about encryption, cuz I think all the talk here is encryption at rest. What about data in motion? >>Well, this, this is the last guy that came on the keynote. He brought up encryption, Kurt, uh, Goel, which I love by the way he's VP of platform. I like his mojo. He's got the long hair >>And he's >>Geeking out swagger, but I, he hit on some really cool stuff. This idea of the reasoning, right? He automated reasoning is little pet project that is like killer AI. That's next generation. Next level >>Stuff. Explain that. >>So machine learning does all kinds of things, you know, goes to sit pattern, supervise, unsupervised automate stuff, but true reasoning. Like no one connecting the dots with software. That's like true AI, right? That's really hard. Like in word association, knowing how things are connected, looking at pattern and deducing things. So you predictive analytics, we all know comes from great machine learning. But when you start getting into deduction, when you say, Hey, that EC two cluster never should be on the same VPC, is this, this one? Why is this packet trying to go there? You can see patterns beyond normal observation space. So if you have a large observation space like AWS, you can really put some killer computer science technology on this. And that's where this reasoning is. It's next level stuff you don't hear about it because nobody does it. Yes. I mean, Google does it with metadata. There's meta meta reasoning. Um, we've been, I've been watching this for over two decades now. It's it's a part of AI that no one's tapped and if they get it right, this is gonna be a killer part of the automation. So >>He talked about this, basically it being advanced math that gets you to provable security, like you gave an example. Another example I gave is, is this S3 bucket open to the public is a, at that access UN restricted or unrestricted, can anyone access my KMS keys? So, and you can prove, yeah. The answer to that question using advanced math and automated reasoning. Yeah, exactly. That's a huge leap because you used to be use math, but you didn't have the data, the observation space and the compute power to be able to do it in near real time or real time. >>It's like, it's like when someone, if in the physical world real life in real life, you say, Hey, that person doesn't belong here. Or you, you can look at something saying that doesn't fit <laugh> >>Yeah. Yeah. >>So you go, okay, you observe it and you, you take measures on it or you query that person and say, why you here? Oh, okay. You're here. It doesn't fit. Right. Think about the way on the right clothes, the right look, whatever you kind of have that data. That's deducing that and getting that information. That's what reasoning is. It's it's really a killer level. And you know, there's encrypt, everything has to be data. Lin has to be data in at movement at rest is one thing, but you gotta get data in flight. Dave, this is a huge problem. And making that work is a key >>Issue. The other thing that Kirk Coel talked about was, was quantum, uh, quantum proof algorithms, because basically he put up a quote, you're a hockey guy, Wayne Greski. He said the greatest hockey player ever. Do you agree? I do agree. Okay, great. >>Bobby or, and Wayne Greski. >>Yeah, but okay, so we'll give the nada Greski, but I always skate to the where the puck is gonna be not to where it's been. And basically his point was where skating to where quantum is going, because quantum, it brings risks to basically blow away all the existing crypto cryptographic algorithms. I, I, my understanding is N just came up with new algorithms. I wasn't clear if those were supposed to be quantum proof, but I think they are, and AWS is testing them. And AWS is coming out with, you know, some test to see if quantum can break these new algos. So that's huge. The question is interoperability. Yeah. How is it gonna interact with all the existing algorithms and all the tools that are out there today? So I think we're a long way off from solving that problem. >>Well, that was one of Kurt's big point. You talking about quantum resistant cryptography and they introduce hybrid post quantum key agreements. That means KMS cert certification, cert manager and manager all can manage the keys. This was something that's gives more flexibility on, on, on that quantum resistance argument. I gotta dig into it. I really don't know how it works, what he meant by that in terms of what does that hybrid actually mean? I think what it means is multi mode and uh, key management, but we'll see. >>So I come back to the ho the macro for a second. We've got consumer spending under pressure. Walmart just announced, not great earning. Shouldn't be a surprise to anybody. We have Amazon meta and alphabet announcing this weekend. I think Microsoft. Yep. So everybody's on edge, you know, is this gonna ripple through now? The flip side of that is BEC because the economy yeah. Is, is maybe not in, not such great shape. People are saying maybe the fed is not gonna raise after September. Yeah. So that's, so that's why we come back to this half full half empty. How does that relate to cyber security? Well, people are prioritizing cybersecurity, but it's not an unlimited budget. So they may have to steal from other places. >>It's a double whammy. Dave, it's a double whammy on the spend side and also the macroeconomic. So, okay. We're gonna have a, a recession that's predicted the issue >>On, so that's bad on the one hand, but it's good from a standpoint of not raising interest rates, >>It's one of the double whammy. It was one, it's one of the double whammy and we're talking about here, but as we sit on the cube two weeks ago at <inaudible> summit in New York, and we did at re Mars, this is the first recession where the cloud computing hyperscale is, are pumping full cylinder, all cylinders. So there's a new economic engine called cloud computing that's in place. So unlike data center purchase in the past, that was CapEx. When, when spending was hit, they pause was a complete shutdown. Then a reboot cloud computer. You can pause spending for a little bit, make, might make the cycle longer in sales, but it's gonna be quickly fast turned on. So, so turning off spending with cloud is not that hard to do. You can hit pause and like check things out and then turn it back on again. So that's just general cloud economics with security though. I don't see the spending slowing down. Maybe the sales cycles might go longer, but there's no spending slow down in my mind that I see. And if there's any pause, it's more of refactoring, whether it's the crypto stuff or new things that Amazon has. >>So, so that's interesting. So a couple things there. I do think you're seeing a slight slow down in the, the, the ex the velocity of the spend. When you look at the leaders in spending velocity in ETR data, CrowdStrike, Okta, Zscaler, Palo Alto networks, they're all showing a slight deceleration in spending momentum, but still highly elevated. Yeah. Okay. So, so that's a, I think now to your other point, really interesting. What you're saying is cloud spending is discretionary. That's one of the advantages. I can dial it down, but track me if I'm wrong. But most of the cloud spending is with reserved instances. So ultimately you're buying those reserved instances and you have to spend over a period of time. So they're ultimately AWS is gonna see that revenue. They just might not see it for this one quarter. As people pull back a little bit, right. >>It might lag a little bit. So it might, you might not see it for a quarter or two, so it's impact, but it's not as severe. So the dialing up, that's a key indicator get, I think I'm gonna watch that because that's gonna be something that we've never seen before. So what's that reserve now the wild card and all this and the dark horse new services. So there's other services besides the classic AC two, but security and others. There's new things coming out. So to me, this is absolutely why we've been saying super cloud is a thing because what's going on right now in security and cloud native is there's net new functionality that needs to be in place to handle multiple clouds, multiple abstraction layers, and to do all these super cloudlike capabilities like Mike MongoDB, like these vendors, they need to up their gain. And that we're gonna see new cloud native services that haven't exist. Yeah. I'll use some hatchy Corp here. I'll use something over here. I got some VMware, I got this, but there's gaps. Dave, there'll be gaps that are gonna emerge. And I think that's gonna be a huge wild >>Cup. And now I wanna bring something up on the super cloud event. So you think about the layers I, as, uh, PAs and, and SAS, and we see super cloud permeating, all those somebody ask you, well, because we have Intuit coming on. Yep. If somebody asks, why Intuit in super cloud, here's why. So we talked about cloud being discretionary. You can dial it down. We saw that with snowflake sort of Mongo, you know, similarly you can, if you want dial it down, although transaction databases are to do, but SAS, the SAS model is you pay for it every month. Okay? So I've, I've contended that the SAS model is not customer friendly. It's not cloudlike and it's broken for customers. And I think it's in this decade, it's gonna get fixed. And people are gonna say, look, we're gonna move SAS into a consumption model. That's more customer friendly. And that's something that we're >>Gonna explore in the super cloud event. Yeah. And one more thing too, on the spend, the other wild card is okay. If we believe super cloud, which we just explained, um, if you don't come to the August 9th event, watch the debate happen. But as the spending gets paused, the only reason why spending will be paused in security is the replatforming of moving from tools to platforms. So one of the indicators that we're seeing with super cloud is a flight to best of breeds on platforms, meaning hyperscale. So on Amazon web services, there's a best of breed set of services from AWS and the ecosystem on Azure. They have a few goodies there and customers are making a choice to use Azure for certain things. If they, if they have teams or whatever or office, and they run all their dev on AWS. So that's kind of what's happened. So that's, multi-cloud by our definition is customers two clouds. That's not multi-cloud, as in things are moving around. Now, if you start getting data planes in there, these customers want platforms. If I'm a cybersecurity CSO, I'm moving to platforms, not just tools. So, so maybe CrowdStrike might have it dial down, but a little bit, but they're turning into a platform. Splunk trying to be a platform. Okta is platform. Everybody's scale is a platform. It's a platform war right now, Dave cyber, >>A right paying identity. They're all plat platform, beach products. We've talked about that a lot in the queue. >>Yeah. Well, great stuff, Dave, let's get going. We've got two days alive coverage. Here is a cubes at, in Boston for reinforc 22. I'm Shante. We're back with our guests coming on the queue at the short break.

>> From The Cube Studios in Palo Alto in Boston, bringing you data-driven insights from The Cube in ETR. This is "Breaking Analysis" with Dave Vellante >> The pandemic not only accelerated the shift to digital but it also highlighted a rush of cyber criminal sophistication, collaboration, and chaotic responses by virtually every major company in the planet. The SolarWinds hack exposed supply chain weaknesses and so-called island hopping techniques that are exceedingly difficult to detect. Moreover, the will and aggressiveness of well-organized cybercriminals has elevated to the point where incident responses are now met with counter attacks, designed to both punish and extract money from victims via ransomware and other criminal activities. The only upshot is the cybersecurity market remains one of the most enduring and attractive investment sectors for those that can figure out where the market is headed and which firms are best positioned to capitalize. Hello, everyone. And welcome to this week's Wikibon Cube Insights powered by ETR. In this "Breaking Analysis" we'll provide our quarterly update of the security industry, and share new survey data from ETR and the Cube community that will help you navigate through the maze of corporate cyber warfare. We'll also share our thoughts on the game of 3D chess that Okta CEO, Todd McKinnon, is playing against the market. Now, we all know this market is complicated, fragmented and fast moving. And this next chart says it all. It's an interactive graphic from Optiv, a Denver, Colorado-based SI that's focused on cybersecurity. They've done some really excellent research and put together this awesome taxonomy, and it mapped vendor names therein. And this helps users navigate the complex security landscape. And there are over a dozen major sectors, high-level sectors within the security taxonomy and nearly 60 subsectors. From monitoring, vulnerability assessment, identity, asset management, firewalls, automation, cloud, data center, sim, threat detection and intelligent endpoint network, and so on and so on and so on. But this is a terrific resource, and going to help you understand where players fit and help you connect the dots in the space. Now let's talk about what's going on in the market. The dynamics in this crazy mess of a landscape are really confusing sometimes. Now, since the beginning of cyber time, we've talked about the increasing sophistication of the adversary, and the back and forth escalation between good and evil. And unfortunately, this trend is unlikely to stop. Here's some data from Carbon Black's annual modern bank heist report. This is the fourth, and of course now, VMware's brand, highlights the Carbon Black study since the acquisition, and to catalyze the creation of VMware's cloud security division. Destructive malware attacks, according to the recent study are up 118% from last year. Now, one major takeaway from the report is that hackers aren't just conducting wire fraud, they are. 57% of the banks surveyed, saw an increase in wire fraud, but the cybercriminals are also targeting non-public information such as future trading strategies. This allows the bad guys to front-run large block trades and profit. It's become a very lucrative practice. Now the prevalence of so-called island hopping is up 38% from already elevated levels. This is where a virus enters a company supply chain via a partner, and then often connects with other stealthy malware downstream. These techniques are more common where the malware will actually self-form with other infected parts of the supply chain and create actions with different signatures, designed to identify and exfiltrate valuable information. It's a really complex problem. Of major concern is that 63% of banking respondents in the study reported that responses to incidents were then met with retaliation designed to intimidate, or initiate ransomware tax to extract a final pound of flesh from the victim. Notably, the study found that 75% of CISOs reported to the CIO, which many feel is not the right regime. The study called for a rethinking of the right cyber regime where the CISO has increased responsibility and a direct reporting line to the CEO, or perhaps the COO, with greater exposure to boards of directors. So, many thanks to VMware and Tom Kellerman specifically for sharing this information with us this past week. Great work by your team. Now, some of the themes that we've been talking about for several quarters are shown in the lower half of the chart. Cloud, of course is the big driver thanks to work-from-home and to the pandemic. And the interesting corollary of course, is we see a rapid rethinking of end point and identity access management, and the concept of zero trust. In a recent ESG survey, two thirds of respondents said that their use of cloud computing necessitated a change in how they approach identity access management. Now, as shown in the chart from Optiv, the market remains highly fragmented, and M&A is of course, way up. Now, based on our research, it looks like transaction volume has increased more than 40% just in the last five months. So let's dig into the M&A, the merger and acquisition trends for just a moment. We took a five-month snapshot and we were able to count about 80 deals that were completed in that timeframe. Those transactions represented more than $20 billion in value. Some of the larger ones are highlighted here. The biggest of course, being the Thoma Bravo, taking Proofpoint private for a $12 plus billion price tag. The stock went from the low 130s and is trading in the low 170s based on the $176 per share offer. So there's your arbitrage, folks. Go for it. Perhaps the more interesting acquisition was Auth0 by Optiv for 6.5 billion, which we're going to talk about more in a moment. There was more private equity action we saw as Insight bought Armis, an IOT security play, and Cisco shelled out $730 million for IMImobile, which is more of an adjacency to cyber, but it's going to go under Cisco security and applications business run by Jeetu Patel. But these are just the tip of the iceberg. Some of the themes that we see connecting the dots of these acquisitions are first, SIs like Accenture, Atos and Wipro are making moves in cyber to go local. They're buying SecOps expertise, as I say, locally in places like France, Germany, Netherlands, Canada, and Australia, that last mile, that belly to belly intimate service. Israeli-based startups chocked up five acquired companies in the space over the last five months. Also financial services firms are getting into the act with Goldman and MasterCard making moves to own its own part of the stack themselves to combat things like fraud and identity theft. And then finally, numerous moves to expand markets. Okta with Auth0, CrowdStrike buying a log management company, Palo Alto, picking up dev ops expertise, Rapid7 shoring up it's Coobernetti's chops, Tenable expanding beyond Insights and going after identity, interesting. Fortinet filling gaps in a multi-cloud offering. SailPoint extending to governance risk and compliance, GRC. Zscaler picked up an Israeli firm to fill gaps in access control. And then VMware buying Mesh7 to secure modern app development and distribution service. So tons and tons of activity here. Okay, so let's look at some of the ETR data to put the cyber market in context. ETR uses the concept of market share, it's one of the key metrics which is a measure of pervasiveness in the dataset. So for each sector, it calculates the number of respondents for that sector divided by the total to get a sense for how prominent the sector is within the CIO and IT buyer communities. Okay, this chart shows the full ETR sector taxonomy with security highlighted across three survey periods; April last year, January this year, and April this year. Now you wouldn't expect big moves in market share over time. So it's relatively stable by sector, but the big takeaway comes from observing which sectors are most prominent. So you see that red line, that dotted line imposed at the 60% level? You can see there are only six sectors above that line and cyber security is one of them. Okay, so we know that security is important in a large market. But this puts it in the context of the other sectors. However, we know from previous breaking analysis episodes that despite the importance of cyber, and the urgency catalyzed by the pandemic, budgets unfortunately are not unlimited, and spending is bounded. It's not an open checkbook for CSOs as shown in this chart. This is a two-dimensional graphic showing market share in the horizontal axis, or pervasiveness in net score in the vertical axis. Net score is ETR's measurement of spending velocity. And we've superimposed a red line at 40% because anything over 40%, we consider extremely elevated. We've filtered and limited the number of sectors to simplify the graphic. And you can see, in the sectors that we've highlighted, only the big four are above that 40% line; AI, containers, RPA, and cloud. They exceed that sort of 40% magic waterline. Information security, you can see that as highlighted and it's respectable, but it competes for budget with other important sectors. So this is of course creates challenges for organization, because not only are they strapped for talent as we've reported, they like everyone else in IT face ongoing budget pressures. Research firm, Cybersecurity Ventures estimates that in 2021, $6 trillion worldwide will be lost on cyber crime. Conversely, research firm, Cannolis peg security spending somewhere around $60 billion annually. IDC has at higher, around $100 billion. So either way, we're talking about spending between 1 to 1.6% annually of how much the bad guys are taking out. That's peanuts really when you consider the consequences. So let's double-click into the cyber landscape a bit and further look at some of the companies. Here's that same X/Y graphic with the companies ETR captures from respondents in the cybersecurity sector. That's what's shown on the chart here. Now, the usefulness of the red lines is 20% on the horizontal indicates the largest presence in the survey, and the magic 40% line that we talked about earlier shows those firms with the most elevated momentum. Only Microsoft and Palo Alto exceed both high watermarks. Of course, Splunk and Cisco are prominent horizontally. And there are numerous companies to the left of the 20% line and many above that 40% high watermark on the vertical axis. Now in the bottom left quadrant, that includes many of the legacy names that have been around for a long time. And there are dozens of companies that show spending momentum on their platforms, i.e above single digits. So that picture is like the first one we showed you, very, very crowded space. But so let's filter it a bit and only include companies in the ETR survey that had at least 100 responses. So an N of 100 or greater. So it was a little easier to read but still it's kind of crowded when you think about it. Okay, so same graphic, and we've superimposed the data that determined the plot position over in the bottom right there. So there's net score and shared in, including only companies with more than 100 N. So what does this data tell us about the market? Well, Microsoft is dominant as always, it seems in all dimensions but let's focus on that red line for a moment. Some of the names that we've highlighted over the past two years show very well here. First, I want to talk about Palo Alto Networks. Pre-COVID as you might recall, we highlighted the valuation divergence between Palo Alto and Fortinet. And we said Fortinet was executing better on its cloud strategy, and Palo Alto was at the time struggling with the transition especially with its go-to-market and its Salesforce compensation, and really refreshing its portfolio. But we told you that we were bullish on Palo Alto Networks at the time because of its track record, and the fact that CIOs consistently told us that they saw Palo Alto as a thought leader in the space that they wanted to work with. They said that Palo Alto was the gold standard, the best, especially larger company CISOs. So that gave us confidence that Palo Alto, a very well-run company was going to get its act together and perform better. And Palo Alto has just done just that. As we expected, they've done very well and rapidly moving customers to the next generation of platforms. And we're very impressed by the company's execution. And the stock has generally reflected that. Now, some other names that hit our radar in the ETR data a couple of years ago, continue to perform well. CrowdStrike, Zscaler, SailPoint, and CloudFlare. Now, CloudFlare just reported and beat earnings but was off, the stock fell on headwinds for tech overall, the big rotation. But the company is doing very well and they're growing rapidly and they have momentum as you can see from the ETR data. Now, we put that double star around Proofpoint to highlight that it was worthy of fetching $12.5 billion from private equity firm. So nice exit there, supporting the continued consolidation trend that we've predicted in cybersecurity. Now let's turn our attention to Okta and Auth0. This is where it gets interesting, and is a clever play for Okta we think, and we want to drill into it a bit. Okta is acquiring Auth0 for big money. Why? Well, we think Todd McKinnon, Okta CEO, wants to run the table on identity and then continue to expand as TAM has to do that, to justify his lofty valuation. So Okta's ascendancy around identity and single sign-on is notable. The fragmented pictures that we've shown you, they scream out for simplification and trust, and that's what Okta brings. But it competes with some major players, most notably Microsoft with active directory. So look, of course, Microsoft is going to dominate in its massive customer base, but the rest of the market, that's like (indistinct) wide open. And we think McKinnon saw the opportunity to go dominate that sector. Now Okta comes at this from an enterprise perspective bringing top-down trust to the equation, and throwing a big blanket over all the discreet SaaS platforms and unifying employee access. Okta's timing was perfect. It was founded in 2009, just as the massive SaaSifiation trend was happening around CRM and HR, and service management and cloud, et cetera. But the one thing that Okta didn't have that Auth0 does is serious developer chops. While Okta was crushing it with its enterprise sales strategy, Auth0 was laser-focused on developers and building a bottoms up approach to identity. By acquiring Auth0, Okta can dominate both sides of the barbell and then capture the fat middle. So yes, it's a pricey acquisition, but in our view, it's a great move by McKinnon. Now, I don't know McKinnon personally, but last week I spoke to Arun Shrestha, who's the CEO of security specialist, BeyondID, they're a platinum services partner of Okta. And they're a zero trust expert. He worked for Okta for a number of years and shared with me a bit about McKinnon's style, and think big approach. Arun said something that caught my attention. He said, firewalls used to be the perimeter, now people are. And while that's self-serving to Okta and probably BeyondID, it's true. People, apps and data are the new perimeter, and they're not in one location. And that's the point. Now, unfortunately, I had lined up an interview with Diya Jolly, who was the chief product officer at Okta and a Cube alum for this past week, knowing that we were running this segment in this episode but she unfortunately fell ill the day of our interview and had to cancel. But I want to follow up with her, and understand how she's thinking about connecting the dots with Auth0 with devs and enterprises and really test our thesis there. This is a really interesting chess match that's going on. Let's look a little deeper into that identity space. This chart here shows some of the major identity players. It has some of the leaders in the identity market, and is a breakdown at ETR's net score. Now net score comprises five elements. The lime green is, we're adding the platform new. The forest green is we're spending 6% or more relative to last year. The gray is flat send plus or minus flat spend, plus or minus 5%. The pinkish is spending less. And the bright red is we're exiting the platform, retiring. Now you subtract the red from the green, and that gets you the result for net score which you can see super-imposed on the right hand chart at the bottom, that first column there. The far column is shared in which informs and indicates the number of responses and is a proxy for presence in the market. Oh, look at the top two players in terms of spending momentum. Now SailPoint is right there, but Auth0 combined with Okta's distribution channel will extend Okta's lead significantly in our view. And then there's Microsoft. Now just a caveat, this includes all of Microsoft's security offerings, not just identity, but it's there for context. And CyberArk as well includes this acquisition of adaptive, but also other parts of CyberArk's portfolio. So you can see some of the other names that are there, many of which you'll find in the Gartner magic quadrant for identity. And as we said, we really like this move by Okta. It combines positive market forces with lead offerings from very well-run companies that have winning DNA and passionate people. Now, to further emphasize what's happening here, take a look at this. This chart shows ETR data for Okta within SailPoint and CyberArk accounts. Out of the 230 CyberArk and SailPoint customers in the dataset, there are 81 Okta accounts. That's a 35% overlap. And the good news for Okta is that within that base of SailPoint and CyberArk accounts, Okta is shown by the net score line, that green line has a very elevated spending in momentum. And the kicker is, if you read the fine print in the right hand column, ETR correctly points out that while SailPoint and CyberArk have long been partners with Okta, at the recent Octane21 event, Okta's big customer event, The company announced that it was expanding into privileged access management, PAM, and identity governance. Hello, and welcome to co-opetition in the 2020s. Now, our current thinking is that this bodes very well for Okta and CyberArk and SailPoint. Well, they're going to have to make some counter moves to fend off the onslaught that is coming. Now, let's wrap up with what has become a tradition in our quarterly security updates. Looking at those two dimensions of net score and market share, we're going to see which companies crack the top 10 for both measures within the ETR dataset. We do this every quarter. So here in the left, we have the top 20, sorted by net score spending momentum and on the right, we sort by shared N. So it's again, top 20, which informs, shared N informs the market share metric or presence in the dataset. That red horizontal lines, those two lines on each separate the top 10 from the remaining 10 within those top 20. And our method, what we do is we assign four stars to those companies that crack the top 10 for both metrics. So again, you see Microsoft, Palo Alto Networks, Okta, CrowdStrike, and Fortinet. Fortinet by the way, didn't make it last quarter. They've kind of been in and out and on the bubble, but company is very strong, and doing quite well. Only the other four did last quarter. They were the same for last quarter. And we give two stars to those companies that make it in both categories within the top 20 but didn't make the top 10. So Cisco, Splunk, which has been steadily decelerating from a spending momentum standpoint, and Zscaler, which is just on the cusp. We really like Zscaler and the company has great momentum, but that's the methodology. That is what it is. Now you can see, we kept Carbon Black on the right most chart, it's like kind of cut off, it's number 21. Only because they're just outside looking in on net score. You see them there, they're just below on net score, number 11. And VMware's presence in the market we think, that Carbon Black is right really worth paying attention to. Okay, so we're going to close with some summary and final thoughts. Last quarter, we did a deeper dive on the SolarWinds hack, and we think the ramifications are significant. It has set the stage for a new era of escalation and adversary sophistication. Now, major change we see is a heightened awareness that when you find intruders, you'd better think very carefully about your next moves. When someone breaks into your house, if the dog barks, or if you come down with a baseball bat or other weapon, you might think the intruder is going to flee. But if the criminal badly wants what you have in your house and it's valuable enough, you might find yourself in a bloody knife fight or worse. Well, what's happening is intruders come to your company via island hopping or insider subterfuge or whatever method. And they'll live off the land stealthily using your own tools against you so that you can't find them so easily. So instead of injecting new tools in that send off an alert, they just use what you already have there. That's what's called living off the land. They'll steal sensitive data, for example, positive COVID test results when that was really, really sensitive, obviously still is, or other medical data. And when you retaliate, they will double-extort you. They'll encrypt your data and hold it for ransom, and at the same time threaten to release the sensitive information, crushing your brand in the process. So your response must be as stealthy as their intrusion, as you marshal your resources and devise an attack plan. And you face serious headwinds. Not only is this a complicated situation, there's your ongoing and acute talent shortage that you tell us about all the time. Many companies are mired in technical debt, that's an additional challenge. And then you've got to balance the running of the business while actually effecting a digital transformation. That's very, very difficult, and it's risky because the more digital you become, the more exposed you are. So this idea of zero trust, people used to call it a buzzword, it's now a mandate along with automation. Because you just can't throw labor at the problem. This is all good news for investors as cyber remains a market that's ripe for valuation increases and M&A activity, especially if you know where to look. Hopefully we've helped you squint through the maze a little bit. Okay, that's it for now. Thanks to the community for your comments and insights. Remember I publish each week on wikibon.com and siliconangle.com. These episodes, they're all available as podcasts. All you got to do is search breaking analysis podcasts, put in the headphones, listen when you're in your car, or out for your walk or run, and you can always connect on Twitter @DVellante, or email me at david.vellante@siliconangle.com. I appreciate the comments on LinkedIn and in Clubhouse, please follow me, so you're notified when we start a room and riff on these topics and others. And don't forget to check out etr.plus for all the survey data. This is Dave Vellante for The Cube Insights powered by ETR. Be well, and we'll see you next time. (light instrumental music)

>>Fly from San Francisco. It's the cube covering RSA conference 2020 San Francisco brought to you by Silicon angled medias >>live in. Welcome to the cube coverage here in San Francisco at Moscone hall for RSA 2020 I'm John furrier, host of the cube. We're here breaking down all the actions in cyber security. I'll say three days of wall-to-wall cube coverage. You got two great guests here, experts in the cybersecurity enterprise security space. Over 25 years. We've got two gurus and experts. We've got Bob Mindell, executive vice president of North America cyber practice for cap Gemini and Joe McMahon, head of North America cyber strategy, even a practitioner in the intelligence community. Langley, you've been in the business for 25 years. You've seen the waves guys, welcome to the cube. Thank you John. Thanks for having us. So first let's just take a step back. A cyber certainly on the number one agenda kind of already kind of broken out of it in terms of status, board level conversation, every CSO, risk management and a lot of moving parts. >>Now, cyber is not just a segment in the industry. It is the industry. Bob, this is a big part of business challenge today. What's your view? What was going on? So John has a great point. It's actually a business challenge and that's one of the reasons why it's now the top challenge. It's been a tech challenge for a long time. It wasn't always a business challenge for you as was still considered an it challenge and once it started impacting business and got into a board level discussion, it's now top of mind as a business challenge and how it can really impact the business continuity. Joe is talking before we came on camera about you know CEOs can have good days here and there and bad days then but sees us all have bad days all the time because there's so much, it's so hard. You're on the operations side. >>You see a day to day in the trenches as well as the strategy. This is really an operations operationalizing model. As new technology comes out, the challenge is operationalizing them for not only a business benefit but business risk management. It's like changing an airplane engine out at 35,000 feet. It's really hard. What are you seeing as the core challenge? This is not easy. It's a really complex industry. I mean, you take the word cybersecurity, right? Ready? Cybersecurity conference. I see technology, I see a multitude of different challenges that are trying to be solved. It means something different to everybody, and that's part of the problem is it's a really broad ecosystem that we're in. If you meet one person that says, I know all of cyber, they're lying, right? It's just like saying, I know active directory and GRC and I know DNS and I know how to, how to code, right? >>Those people don't exist and cyber is a little bit the same way. So for me, it's just recognizing the intricacies. It's figuring out the complexities, how people processing technology really fit together and it's an operation. It is an ongoing, and during operation, this isn't a program that you can run. You run it for a year, you install and you're done. There's ebbs and flows. You talked about the CISOs and the bad days. There's wins and there's losses. Yeah. And I think part of that is just having the conversation with businesses. Just like in it, you have bad days and good days wins and losses. It's the same thing in cybersecurity and we've got to set that expectation. Yeah, you didn't bring up a good point. I've been saying this on the cube and we've been having conversations around this. It used to be security as part of it, right? >>But now that it's part of the business, the things that you're mentioning around people, process, technology, the class, that kind of transformational formula, it is business issues, organizational behavior. Not everyone's an expert specialism versus generalists. So this is like not just a secure thing, it's the business model of a company is changing. So that's clear. There's no doubt. And then you've got the completion of the cloud coming, public cloud, hybrid multi-cloud. Bob, this is a number one architectural challenge. So outside of the blocking and tackling basics, right, there's now the future business is at risk. What does cap Gemini do? And because you guys are well known, great brand, helping companies be successful, how do you guys go to customers and say, Hey, here's what you do. What's the, what's the cap Gemini story? >>So the cat termini stories is really about increasing your cybersecurity maturity, right? As Joe said, starting out at the basics. If you look at a lot of the breaches that have occurred today have occurred because we got away from the basics and the fundamentals, right? Shiny new ball syndrome. Really. Exactly exasperates that getting away from the basics. So the technology is an enabler, but it's not the be all and end all right, go into the cloud is absolutely a major issue. That's increasing the perimeter, right? We've gone through multiple ways as we talked about, right? So now cloud is is another way, cloud, mobile, social. How do you deal with those from on prem, off prem. But ultimately it's about increasing your cyber cyber security maturity and using the cloud as just increasing the perimeter, right? So you need to, you really need to understand, you have your first line defense and then your maturity is in place. Whether the data resides in your organization, in the cloud, on a mobile device, in a social media, you're responsible for it all. And if you don't have the basics, then you're, you're really, and you guys bring a playbook, is that what you guys come in and do? Correct. Correct. Right. So our goal is to coordinate people, process technology and leverage playbooks, leverage the run books that we had been using for many years. >>I want to get down to you on this one because of what happens when you take that to the, into the practitioner mode or at implementation. Customers want the best technology possible. They go for the shiny new choice. Bob just laid out. There's also risks too because it may or may not be big. So you've got to balance out. I got to get an edge technically because the perimeters becoming huge surface area now or some say has gone. Now you've got edge, just all one big exposed environment, surface area for vulnerabilities is massive. So I need better tech. How do you balance and obtain the best tech and making sure it works and it's in production and secure. So there's a couple of things, right, and this is not, it's not just our, and you'll hear it from other people that have been around a long time, but a lot of organizations that we see have built themselves so that their cybersecurity organization is supporting all these tools that we see. >>That's the wrong way to do it. The tools should support the mission of the organization, right? If my mission is to defend my enterprise, there are certain things that I need to do, right? There's questions I need to be able to ask and get answers to. There's data I need visibility into. There's protections and controls I need to be able to implement. If I can lay those out in some coordinated strategic fashion and say, here's all the things I'm trying to accomplish, here's who's going to do it. Here's my really good team, here's my skilled resources, here's my workflows, my processes, all that type of stuff. Then I can go find the right technology to put into that. And I can actually measure if that technology is effective in supporting my mission. But too often we start with the technology and then we hammer against it and we run into CISOs and they say, I bought all this stuff and it's not working and come hell yeah. >>And that's backing into it the wrong. So I've heard from CSOs, I'd like they buying all these tools. It's like a tool shed. Don't be the fool with the wrong tool as they I say. But that brings up the question of, okay, as you guys go to customers, what are some of the main pain points or issues that they're trying to overcome that that are opportunities that you guys are helping with? Uh, on the business side and on the technical side, what are some of the things? So on the business side, you know, one is depending on their level of maturity and the maturity of the organization and the board of directors and their belief in, in how they need to help fund this. We can start there. We can start by helping draw out the threat landscape within that organization where they are maturity-wise and where they need to go and help them craft that message to the board of directors and get executive sponsorship from the board down in order to take them from baby, a very immature organization or you know, a reactive organization to an adaptive organization, right. >>And really become defenders. So from a business perspective, we can help them there. From the technology perspective, Joe, uh, you know, or an implementation perspective. I think, you know, it's been a really interesting road like being in this a long time, you know, late two thousands when nation States were first really starting to become a thing. All the industries we were talking to, every customer is like, I want to be the best in my industry. I want to be the shining example. And boards in leadership were throwing money at it and everybody was on this really aggressive path to get there. The conversation is shifted a little bit with a lot of the leadership we talked to. It's, I just want to be good enough, maybe a little bit better than good enough, but my, my objective anymore is it to leave the industry. Cause that's really expensive and there's only one of those. >>My objective is to complete my mission maybe a little bit above and beyond, but I need the right size and right. So we spent a lot of time helping organizations, I would say optimize, right? It's what is the right level of people, what is the right amount of resources, what's the right spend, what's the right investment, the right allocation of technology and mix of everything, right? And sometimes it's finding the right partner. Sometimes it's doing certain things in house. It's, there's no one way to solve this problem, but you've got to go look at the business challenges. Look at the operational realities of the customer, their budgets, all those, their geographies mattered, right? Some places it's easy to hire talent. Some places it's not so easy to hire talent. And that's a good point, right? Some organizations, >>they just need to understand what does good look like and we can, we have so many years of experience. We have so many customers use skates is we've been there and we've done that. We can bring the band and show them this is what good looks like and this is sustainable >>of what good looks like. I want to get your reactions to, I was talking to Keith Alexander, general Keith Alexander, a former cyber command had last night and we were talking about officers, his defense and that kind of reaction. How the Sony hack was was just was just, they just went after him as an example. Everyone knows about that hack, but he really was getting at the idea of human efficiency, the human equation, which is if you have someone working on something that here, but their counterpart might be working on it maybe from a different company or in the same company, they're redundant. So there's a lot of burnout, a lot of people putting out fires. So reactive is clearly, I see as a big trend that the conversation's shifting towards let's be proactive, let's get more efficient in the collaboration as well as the technology. What you, how do you guys react to that? What's your view on that statement? So >>people is the number one issue, in my opinion. In this space, there's a shortage of people. The people that are in it are working very long hours. They're burnt out. So we constantly need to be training and bringing more people into the industry. Then there's the scenario around information sharing, right? Threat information sharing, and then what levels are you comfortable with as an organization to share that information? How can you share best practices? So that's where the ice sacks come into play. That's also where us as a practitioner and we have communities, we have customers, we bring them together to really information, share, share, best practice. It's in all of our best interests. We all have the same goal and the goal is to protect our assets, especially in the United States. We have to protect our assets. So we need, the good thing is that it's a pretty open community in that regards and sharing the information, training people, getting people more mature in their people, process technology, how they can go execute it. >>Yeah. What's your take on the whole human equation piece? Right? So sharing day, you probably heard a word and the word goes back to where I came from, from my heritage as well, but I'm sure general Alexander used the word mission at some point, right? So to me, that's the single biggest rallying point for all of the people in this. If you're in this for the right reasons, it's because you care about the mission. The mission is to defend us. Stop the bad guys from doing days, right? Whether you're defending the government, whether you're defending a commercial enterprise, whether you're defending the general public, right? Whatever the case is, if you're concerned, you know, if you believe in the mission, if you're committed to the mission, that's where the energy comes from. You know, there's a lot of, there's a lot of talk about the skill gap and the talent gap and all of those types of things. >>To me, it's more of a mindset issue than anything. Right? The skill sets can be taught. They can be picked up over time. I was a philosophy major. All right? Somehow I ended up here. I have no idea how, um, but it's because I cared about the mission and everybody has a part to play. If you build that peer network, uh, both at an individual level and at an organizational and a company level, that's really important in this. Nobody's, nobody's an expert at everything. Like we said, you brought a philosophy. I think one of the things I have observed in interviewing and talking to people is that the world's changed so much that you almost need those fresh perspectives because the problems are new problems, statements, technology is just a part of the problem set back to the culture. The customer problem, Bob, is that they got to get all this work done. >>And so what are some of the use cases that you guys are working on that that is a low hanging fruit in the industry or our customer base? How do you guys engage with customers? So our target market is fortune 500 global 1000 so the biggest of the big enterprises in the world, right? And because of that, we've seen a lot of a complex environments, multinational companies as our customers. Right? We don't go at it from a pure vertical base scenario or a vertical base solution. We believe that horizontal cybersecurity can it be applied to most verticals. Right. And there's some tweaking along the way. Like in financial services, there's regulars and FFIC that you need to be sure you adapt to. But for the most part the fundamentals are applicable. All right. With that said, you know, large multinational manufacturing organization, right? They have a major challenge in that they have manufacturing sites all over the world. >>They building something that is, you know, unique. It has significant IP to it, but it's not secure. Historically they would have said, well, nobody's really gonna just deal steal what we do because it's really not differentiated in the world, but it is differentiated and it's a large corporation making a lot of money. Unfortunately ransomware, that'd be a photographer. Ransomware immediately, right? Like exact down their operations and their network, right? So their network goes down. They can have, they can, they can not have zero downtown and their manufacturing plants around the world. So for us, we're implementing solutions and it's an SLA for them is less than six seconds downtime by two that help secure these global manufacturing environment. That's classic naive when they are it. Oh wow. We've got to think about security on a much broader level. I guess the question I have for you guys, Joe, you talk about when do you guys get called in? >>I mean what's your main value proposition that you guys, cause you guys got a broad view of the industry, that expertise. Why do, why are customers calling you guys and what do you guys deliver? They need something that actually works, right? It's, it's you mentioned earlier, I think when we were talking how important experiences, right? And it's, Bob said it too, having been there, done that I think is really important. The fact that we're not chasing hype, we're not selling widgets. That we have an idea of what good looks like and we can help an organization kind of, you know, navigate that path to get there is really important. So, uh, you know, one of our other customers, large logistics company, been operating for a very long time. You know, very, very mature in terms of their, it operations, those types of things. But they've also grown through merger and acquisition. >>That's a challenge, uh, cause you're taking on somebody else's problem set and they just realize, simply put that their existing security operations wasn't meeting their needs. So we didn't come in and do anything fancy necessarily. It's put a strategic plan in place, figure out where they are today, what are the gaps, what do they need to do to overcome those gaps? Let's go look at their daily operations, their concept of operations, their mission, their vision, all of that stuff down to the individual analysts. Like we talked about the mindset and skillset. But then frankly it's putting in the hard work, right? And nobody wants to put in the heart. I don't want to say nobody wants to put in the hard work. That's fun. There's a lot of words that's gets done I guess by the questions that you guys getting called in on from CSOs chief and Mason security officers. >>Guess who calls you? So usually we're in talking to the Cisco, right? We're having the strategic level conversation with the Cisco because the Cisco either has come in new or has been there. They may have had a breach. Then whatever that compelling event may be, they've come to the realization that they're not where they need to be from a maturity perspective and their cyber defense needs revamping. So that's our opportunity for us to help them really increase the maturity and help them become defenders. Guys, great for the insight. Thanks for coming on the cube. Really appreciate you sharing the insights. Guys. Give a quick plug for what you guys are doing. Cap Gemini, you guys are growing. What do you guys look to do? What are some of the things that's going on? Give the company plug. Thanks Sean show. It's been a very interesting journey. >>You know this business started out from Lockheed Martin to Leidos cyber. We were acquired by cap Gemini a year ago last week. It's a very exciting time. We're growing the business significantly. We have huge growth targets for 2020 and beyond, right? We're now over 800 practitioners in North America, over 2,500 practitioners globally, and we believe that we have some very unique differentiated skill sets that can help large enterprises increase their maturity and capabilities plug there. Yeah, I mean, look, nothing makes us happier than getting wins when we're working with an organization and we get to watch a mid level analyst brief the so that they just found this particular attack and Oh by the way, because we're mature and we're effective, that we were able to stop it and prevent any impact to the company. That's what makes me proud. That's what makes it so it makes it fun. >>Final question. We got a lot of CSOs in our community. They're watching. What's the pitch to the CSO? Why, why you guys, we'd love to come in to understand what are their goals, how can we help them, but ultimately where do they believe they think they are and where do they need to go and we can help them walk that journey. Whether it's six months, a year, three years, five years. We can take them along that journey and increase the cyber defense maturity. Joe, speak to the CSO. What are they getting? They're getting confidence. They're getting execution. They're getting commitment to delivery. They're getting basically a, a partner in this whole engagement. We're not a vendor. We're not a service provider. We are a partner. A trusted partner. Yeah, partnerships is key. Building out in real time. A lot new threats. Got to be on offense and defense going on. A lot of new tech to deal with. I mean, it's a board level for a long time. Guys, thanks for coming on. Cap Gemini here inside the cube, bringing their practices, cybersecurity, years of experience with big growth targets. Check them out. I'm John with the cube. Thanks for watching.

>>Live from Las Vegas. It's the cube covering UI path forward Americas 2019 brought to you by UI path. >>Welcome back everyone to the cube live coverage of UI path forward here in Las Vegas. I'm your host, Rebecca Knight, co-hosting alongside of it. Dave Volante, we're joined by Richard Fong. He is the it manager, finance delivery at Chevron. Thank you so much for coming on the show that you're having me. So Chevron of course is a household name, a big oil company, but tell us a little bit about what you do, what you do there. >>The it manager, and I'm responsible for software and application engineering. My team develops custom applications for Chevron and over the last couple of years we've actually started an RPA development practice. >>Okay. So what, what were the issues, the challenges that you were experiencing where you said, Hey, maybe maybe we could get a bot to help us do? >>Yeah, yeah. There are a plethora of opportunities in Chevron to automate many, many mundane tasks. What UI path and RPA brings to the table is a very easy way to automate tasks where these tasks, maybe building a traditional like.net application would be too expensive and take too long. Using the UI path platform, we're able to very quickly build solutions and deploy them much quicker than we would have done if we had to build a traditional, like a.net application. The bots aren't coding are they? Are the bots coding the you could. We found that you don't need to do a lot of coding for these, uh, for these solutions. So that was a big help in terms of being able to deploy and automate solutions very quickly. Like what's an example? What do you mean by a solution? So, believe it or not, we, we have many people who still go through and open up attack email attachments, their Excel files or PDF files or text files and that's their day job. That's what they do all day long, four weeks, usually maybe about two weeks of doing data processing. They spend the other two weeks doing error corrections. So we are able to use UI path to develop a solution. A bot that will call through your one's inbox, open up attachments, copy and paste that data automatically into like a flat file and then they would just upload that into the ERP system. So that was a big, big win for us. And that's just one example. So >>this is, was this an it limo is interested in how RPA gets into an organization? Was that it led, was it business led, is it, is it top down? It sounds like it was an it lead >>initiative in this example. It was an it. Interestingly, it came to Chevron. Chevron's a huge organization with many different it departments actually. And for Chevron it actually started with another it manager in our supply and trading department. I think that took a look at RPA and he just brought it out and socialized it with other it managers and the finance group said, Hey, this is, this has huge potential here. So then we took it and did some proof of concepts with it and just took off with it. >>So get it going back to those employees that you were describing, whose job it was to open up email attachments and then do that data looking for aberrations. What do they do now? I mean the, this has been built to us as we are freeing up your time. You can now focus on the more creative aspects of your job. How are they spending their time >>that, that actually that played out exactly like you mentioned, there was a little bit of nervousness what these employees like, Oh my God, what's going to happen to my job? I've been doing this for years. I am comfortable with it. I'm an expert at opening attachments. Yeah, exactly. Exactly. So there was definitely some nervousness, no doubt. Um, and but what eventually happened is that we were able to redeploy these folks onto other projects and have actually a cost avoidance situation because instead of hiring new folks having to hire new folks are high, bringing in contractors, we are able to redeploy them on to higher value projects. >>Yeah. I mean, I think we hear that a lot from customers, from the vendors you hear, Oh no, everybody loves it. Which is true. Once you experienced it, you love it, but you've got to be cognizant, I would think. And I wonder if you could sort of share your experiences as to how you dealt with that, that uncomfortableness. You got to be cognizant that it's going to affect people's jobs. So what did you guys do to get people more comfortable to educate them that you're not just trying to replace them with software robots. >>Yeah, yeah. No, that's, um, you do need to be sensitive to how people will react to, you know, potentially losing their job. And actually it's not, this story's not, you're losing your job. This is an opportunity to upskill and to, you know, to grow your career. Right. Not we, you know, just doing data entry is kind of like, yeah, it's a little bit career limiting. So, you know, you kind of approach it in that context. And the other thing is Chevron's a great company to work for. W we're not, we're not purposely trying to eliminate positions. We're still growing. You know, oil is still in big demand, so it's about upskilling and reallocating people to higher value work. >>I mean, everybody's hiring, I mean this is basically 0% unemployment. So absolutely. If you're like 98 90 97% of the people you'll, you'll have a job. So right now, be interesting to see if that changes, but even in bad times, you know 90% of the people are employed. So my question is how far do you see this going? Rebecca and I were talking at the top of the our segment. In many ways you're, you're basically, you're, you're automating mundane tasks that already exists. So they're known processes. Okay. It's important you're saving money, you're freeing up undifferentiated heavy lifting. You use Gavin's term, but how far do you see this going? Do you see an opportunity to really create an automation fabric across the company? Have you guys started to think about that? Absolutely. I think >>I see it going pretty far actually. We've kind of just scratched the surface. One of the reasons why I'm here at this conference is that look at what are the new products coming out, new products and features. We're at a juncture where we need to understand now how to scale all of these solutions across the enterprise and how do we ensure also not only that things are automated, but that we are following all our governance risk and compliance procedures so that, you know, when the comptroller, our internal controls group says, you know, you're doing these, automating these financial transactions, what are you doing to make sure you're protecting the integrity of the systems as well? So I'm excited to see that the UiPath has invested quite a bit in things like information protection, security, management of bots and things like that. So that's going to help us. Um, the other thing that we, the other area that we have not fully deployed is around artificial intelligence and machine learning. So those solutions will actually help us and will give us the capability to really further automate and leverage things and ease more easier than what we do today. Most of the solutions that we've deployed are more algorithmic based, rules-based. Um, whereas some of the things that we saw about extracting semi-structured data, tempted template lists, you know, data processing, that's gonna be the next big area that we need to look into. >>So scale makes sense. Cause if you can take something that one person is saving some money on and you can scale it across the organization, I don't know how many employees Chevron has. It's a lot. Absolutely. >>Oh yeah, yeah. Miss benefit to 160 countries. You know, there's folks still the, the automation that we ran for the finance department has been mostly for the central finance groups, corporate finance, but there's financial groups all over the world with Chevron that are looking that also doing similar data processing. We haven't even gone out there yet as much as we want to. Um, but I think what we want to do is go out there this time with artificial intelligence and machine learning features of the, of the platform. So I want to double click on this. So this insecurity piece makes sense. If you're gonna scale it across, you know, 160 countries, et cetera, you got to make sure it's secure and complies. The iPad talks about a path to AI. Why is RPA a path to AI? Can you help us understand that better? Well, I think it's my connection to that. >>I was, I actually was, I was hearing, I'm hearing this talk this morning about that it good marketing and it's, you know, catches your ear. But yeah, and so I had about 20 minutes to think about it since then. I think the easy connection is that it seems, while the way they've deployed AI and ML, it's using the current UI paths UI studio, and it's a drag and drop operation for what they've, the way they're deploying AI and ML. So if you're currently using UI path studio to develop your algorithmic based automations, it's not a great leap to just bring in the AI and ML modules of UI path. >>I want to ask about that. This, this two ideas of introducing AI and ML also declining deploying bots really across the enterprise. We're really talking about change management here. And we scratched the surface a little bit saying that some employees have been happier and saying, okay, I can move over here and I can focus on these higher value areas of my career, grow my career. But there's also a great skepticism within the public about bots. I mean, we've had, we've seen the malevolent bots that really had a real effect on our election and we're seeing that in other areas of technology. How do you bring people along and say that this is a force for good and they'll trust us? Link arms with us. Bots are the future. And there, I mean, do say it, >>it's a valid point that, um, you do need to address the things where, you know, bots could go wrong, things could go rogue. You know, how did we make sure we still have control that incorrect decisions are not being automatically made. So that is a valid, that is a very valid point. And I, so I kind of go back to the whole thing about we have to have good governance risk and compliance processes supported by, uh, the flatform UI path. Um, I'm glad to hear that they made it a priority to continue invest in the platform and include governance, risk and compliance into it. Um, the other aspect from a developer, individual developer perspective is that we need to encourage the developers to put in very good checks and balances in their code to the, to develop for, you know, worst case scenarios about something happens, something goes bump in the middle of the night that your bod is able to recover or alert, you know, and, um, so, and for everything to be very transparent and audible. >>So, um, those things, I think if you do a combination of those things, I think you'll put people at ease about these solutions. How important is the SAS announcement today? Uh, in terms of a deployment model? Is that something that you know, struck a chord with you, that resident? Yeah, so, um, actually before the conference I actually, uh, registered myself for the SAS. An instance of the SAS platform and just like what, uh, they said that it takes a minute. Actually took me a minute. I wanted to say, yeah. Hey, it was just a minute. And I had, I was, you know, it was very seamless to, to develop the RPA using their SAS solution. Great. New features. So I think that has also the potential for organizations like ours that have it on prem to maybe move to a hybrid solution to so we could leverage all the new features and in the 2019 version in hybrid, because you want to maintain some kind of level of GRC compliance, that's, yeah. >>Chevron and not just sort of cookie cutter cloud and, and you know, say, and also to just to, uh, uh, we've invested a lot in the on pram and we're gonna, you know, uh, look for the, you know, get our ROI out of everything that we've done on prem, but I think maybe eventually everything's moving to the cloud. Um, so we'll probably start a journey at some point to, to their cloud version. But I think there's also, um, some, some other companies that I talked about, they do need to know how secure is the cloud version of the, of the UI path. Did you evaluate other companies besides UI path before you took on? Ah, yeah. Why are you I-PASS? I'd love to hear home. So definitely we evaluated other vendors. Um, I think the, the advantage with UI path is it's easy to use. >>Um, you know, it was a fairly, it's a fairly robust tool. Um, the, the, uh, so the concept of the studio and the orchestrator to manage your portfolio of solutions, uh, we felt that it wasn't a, it, it was a stronger product overall. When you go, you know, we've heard a lot about citizen developers and low code or no code as RPA permeates through the organization. Do you see that continuing to be an it service led? I mean, kind of an interesting role for you guys? I mean, I was saying to Rebecca before, it kind of reminds me of service now. I don't know if your service now customers that we are started on it and then you know, I don't know if you have gone into the lines of business, but it was kind of it bringing it two lines of business. Is there a similarity there and do you see RPA as pretty much? >>Very much. And I'd been in it for a really long time. So I went through the days of citizen developers doing access databases or Excel macros and then they throw it over to the fence to it to support. And these things are like, they're not compliant, you know, they're there. So we've had, I was like, we were really worried about what are we going to do with all these RPAs that these folks are going to do, you know, develop on their own. Um, I think the reality is is that we need, we are trying to push innovation out to everyone. So the reality is, is that there will, there will be citizen developers and we actually just need to embrace that and let them develop. And, but the challenges as far as an ID it department is how can we set up the processes, the infrastructure, everything else to receive all these new solutions and manage it and be, be stewards of all these new solutions. >>So I think that's going to be the challenge for our it department. And I think that's going to be something that we need UI path to help us figure out is how do we scale to have thousands of these solutions without having to hire whole army of it, support folks to leverage the tools. Maybe we need RPA for it just as much as we're doing it, RPA for the business, getting the whole house in order. Absolutely. That's going to be, that's, I think that's the key to survival. Thank you so much for coming on the cures. Great. Thank you for having me. I'm Rebecca stay tuned for more into cubes live coverage and the U AIPAC.

>> Narrator: Live from New York, it's theCube! Covering AWS Global Summit 2019, brought to you by Amazon Web Services. >> Welcome back, we're here at the Javits Center in New York City for AWS Summit, I'm Stu Miniman, my cohost is Corey Quinn and happy to welcome to the program Scott Mullins, who's the head of Worldwide Financial Services Business Development with Amazon Web Services based here in The Big Apple, thanks so much for joining us. >> Thanks for having me, Stu, thanks for having me, Corey. >> All right so we had obviously financial services big location here in New York City. We just had FINRA on our program, had a great conversation about how they're using AWS for their environments, but give us a thumbnail if you will about your business, your customers and what you're seeing there. >> Sure, we're working with financial institutions all the way from the newest FinTech startups, all the way to organizations like FINRA, the largest exchanges and brokers dealers like Nasdaq, as well as insurers and the largest banks. And I've been here for five years and in that time period I actually went from being a customer speaking at the AWS Summit here in the Javits Center on stage like Steve Randich was today to watching more and more financial institutions coming forward, talking about their use in the cloud. >> Yeah before we get into technology, one of the biggest trends of moving to cloud is I'm moving from CapEx more to OpEx and oh my gosh there's uncertainty because I'm not locking in some massive contract that I'm paying up front or depreciating over five years but I've got flexibility and things are going to change. I'm curious what you're seeing as the financial pieces of how people both acquire and keep on the books what they're doing. >> Yeah it can be a little bit different, right, then what most people are used to. They're used to kind of that muscle memory and that rhythm of how you procured technology in the past and there can be a stage of adjustment, but cost isn't really the thing that people I think look to the most when it comes to cloud today, it's all about agility and FINRA is a great example. Steve has talked about over and over again over the last several years how they were able to gain such business agility and actually to do more, the fact that they're now processing 155 billion market events every night and able to run all their surveillance routines. That's really indicative of the value that people are looking for. Being able to actually get products to market faster and reducing development cycles from 18 months to three months, like Allianz, one of our customers over in Europe has been able to do. Being able to go faster I think actually trumps cost from the standpoint of what that biggest value driver that we're seeing our customers going after in financial services. >> We're starting to see such a tremendous difference as far as the people speaking at these keynotes. Once upon a time you had Netflix and folks like that on stage telling a story about how they're using cloud to achieve all these amazing things, but when you take a step back and start blinking a little bit, they fundamentally stream movies and yes, produce some awesome original content. With banks and other financial institutions if the ATM starts spitting out the wrong number, that's a different point on the spectrum of are people going to riot in the street. I'm not saying it's further along, people really like their content but it's still a different use case with a different risk profile. Getting serious companies that have world shaking impact to trust public cloud took time and we're seeing it with places like FINRA, Capital One has been very active as far as evangelizing their use of cloud. It's just been transformative. What does that look like, from being a part of that? >> Well you know it's interesting, so you know you just said it, financial services is the business of risk management. And so to get more and when you see more and more of these financial institutions coming forward and talking about their use of cloud, what that really equates to is comfort, they've got that muscle memory now, they've probably been working with us in some way, shape or form for some great period of time and so if you look at last year, you had Dean Del Vecchio from Guardian Life Insurance come out on stage at Reinvent and say to the crowd "Hey we're a 158 year old insurance company but we've now closed our data center and we're fully on AWS and we've completed the transformation of our organization". The year before you saw Goldman Sachs walk out and say "Yeah we've been working with AWS for about four years now and we're actually using them for some very interesting use cases within Goldman Sachs". And so typically what you've seen is that over the course of about a two year to sometimes a four year time period, you've got institutions that are working deeply with us, but they're not talking about it. They're gaining that muscle memory, they're putting those first use cases to begin to scale that work up and then when they're ready man, they're ready to talk about it and they're excited to talk about it. What's interesting though is today we're having this same summit that we're having here in Cape Town in Africa and we had a customer, Old Mutual, who's one of the biggest insurers there, they just started working with us in earnest back in May and they were on stage today, so you're seeing that actually beginning to happen a lot quicker, where people are building that muscle memory faster and they're much more eager to talk about it. You're going to see that trend I think continue in financial services over the next few years so I'm very excited for future summits as well as Reinvent because the stories that we're going to see are going to come faster. You're going to see more use cases that go a lot deeper in the industry and you're going to see it covering a lot more of the industry. >> It's very much not, IT is no longer what people think of in terms of Tech companies in San Francisco building products. It's banks, it's health care and these companies are transitioning to become technology companies but when your entire, as you mentioned, the entire industry becomes about risk management, it's challenging sometimes to articulate things when you're not both on the same page. I was working with a financial partner years ago at a company I worked for and okay they're a financial institution, they're ready to sign off on this but before that they'd like to tour US East one first and validate that things are as we say they are. The answer is yeah me too, sadly, you folks have never bothered to invite me to tour an active AZ, maybe next year. It's challenging to I guess meet people where they are and speak the right language, the right peace for a long time. >> And that's why you see us have a financial services team in the first place, right? Because your financial services or health care or any of the other industries, they're very unique and they have a very specific language and so we've been very focused on making sure that we speak that language that we have an understanding of what that industry entails and what's important to that industry because as you know Amazon's a very customer obsessed organization and we want to work backwards from our customers and so it's been very important for us to actually speak that language and be able to translate that to our service teams to say hey this is important to financial services and this is why, here's the context for that. I think as we've continued to see more and more financial institutions take on that technology company mindset, I'm a technology company that happens to run a bank or happens to run an exchange company or happens to run an insurance business, it's actually been easier to talk to them about the services that we offer because now they have that mindset, they're moving more towards DevOps and moving more towards agile. And so it's been really easy to actually communicate hey, here are the appropriate changes you have to make, here's how you evolve governance, here's how you address security and compliance and the different levels of resiliency that actually improve from the standpoint of using these services. >> All right so Scott, back before I did this, I worked for some large technology suppliers and there were some groups on Wall Street that have huge IT budgets and IT staffs and actually were very cutting edge in what they were building, in what they were doing and very proud of their IT knowledge, and they were like, they have some of the smartest people in the industry and they spend a ton of money because they need an edge. Talking about transactions on stock markets, if I can translate milliseconds into millions of dollars if I can act faster. So you know, those companies, how are they moving along to do the I need to build it myself and differentiate myself because of my IT versus hey I can now have access to all the services out there because you're offering them with new ones every day, but geez how do I differentiate myself if everybody can use some of these same tools. >> So that's my background as well and so you go back that and milliseconds matter, milliseconds are money, right? When it comes to trading and actually building really bespoke applications on bespoke infrastructure. So I think what we're seeing from a transitional perspective is that you still have that mindset where hey we're really good at technology, we're really good at building applications. But now it's a new toolkit, you have access to a completely new toolkit. It's almost like The Matrix, you know that scene where Neo steps into that white room and hey says "I need this" and then the shelves just show up, that's kind how it is in the cloud, you actually have the ability to leverage the latest and greatest technologies at your fingertips when you want to build and I think that's something that's been a really compelling thing for financial institutions where you don't have to wait to get infrastructure provisioned for you. Before I worked for AWS, I worked for large financial institutions as well and when we had major projects that we had to do that sometimes had a regulatory implication, we were told by our infrastructure team hey that's going to be six months before we can actually get your dev environment built so you can actually begin to develop what you need. And actually we had to respond within about thirty days and so you had a mismatch there. With the cloud you can provision infrastructure easily and you have an access to an array of services that you can use to build immediately. And that means value, that means time to market, that means time to answering questions from customers, that means really a much faster time to answering questions from regulatory agencies and so we're seeing the adoption and the embrace of those services be very large and very significant. >> It's important to make sure that the guardrails are set appropriately, especially for a risk managed firm but once you get that in place correctly, it's an incredible boost of productivity and capability, as opposed to the old crappy way of doing governance of oh it used to take six weeks to get a server in so we're going to open a ticket now whenever you want to provision an instance and it only takes four, yay we're moving faster. It feels like there's very much a right way and a wrong way to start embracing cloud technology. >> Yeah and you know human nature is to take the run book you have today and try to apply it to tomorrow and that doesn't always work because you can use that run book and you'll get down to line four and suddenly line four doesn't exist anymore because of what's happened from a technological change perspective. Yeah I think that's why things like AWS control tower and security hub, which are those guardrails, those services that we announced recently that have gone GA. We announced them a couple of weeks ago at Reinforce in Boston. Those are really interesting to financial services customers because it really begins to help automate a lot of those compliance controls and provisioning those through control tower and then monitoring those through security hub and so you've seen us focus on how do we actually make that easier for customers to do. We know that risk management, we know that governance and controls is very important in financial services. We actually offer our customers a way to look from a country specific angle, add the different countries and the rule sets and the requirements that exist in those countries and how you map those to our controls and how you map those into your own controls and all the considerations that you have, we've got them on our public website. If you went to atlas.aws right now, that's our compliance center, you could actually pick the countries you're interested in and we'll have that mapping for you. So you'll see us continue to invest in things like that to make that much easier for customers to actually deploy quickly and to evolve those governance frameworks. >> And things like with Artifact, where it's just grab whatever compliance report you need, submit it and it's done without having to go through a laborious process. It's click button, receive compliance in some cases. >> If you're not familiar with it you can go into the AWS console and you've got Artifact right there and if you need a SOC report or you need some other type of artifact, you can just download it right there through the console, yeah it's very convenient. >> Yeah so Scott you know we talked about some of the GRC pieces in place, what are you seeing trends out there kind of globally, you know GDRP was something that was on everybody's mind over the last year or so. California has new regulations that are coming in place, so anything specific in your world or just the trends that you're seeing that might impact our environments-- >> I think that the biggest trends I would point to are data analytics, data analytics, data analytics, data analytics. And on top of that obviously machine learning. You know, data is the lifeblood of financial services, it's what makes everything go. And you can look at what's happening in this space where you've got companies like Bloomberg and Refinitiv who are making their data products available on AWS so you can get B-Pipe on AWS today, you can also get the elektron platform from Refintiv and then what people are trying to do in relation to hey I want to organize my data, I want to make it much easier to actually find value in data, both either from the standpoint of regulatory reporting, as you heard Steve talk about on stage today. FINRA is building a very large data repository that they have to from the standpoint of a regulatory perspective with CAT. Broker dealers have to actually feed the CAT and so they are also worried about here in the US, how do I actually organize my data, get all the elements I have to report to CAT together and actually do that in a very efficient way. So that's a big data analytic project. Things that are helping to make that much easier are leg formations, so we came up with leg formation last year and so you've got many financial institutions that are looking at how do you make building a data leg that much easier and then how do you layer analytics on top of that, whether it's using Amazon elastic map reduce or EMR to actually run regulatory reporting jobs or how do I begin to leverage machine learning to actually make my data analytics from a standpoint of trade surveillance or fraud detection that much more enriched and actually looking for those anomalies rather than just looking for a whole bunch of false positives. So data analytics I think is what I would point to as the biggest trend and how to actually make data more useful and how to get to data insights faster. >> On the one end it seems like there's absolutely a lot of potential in this, on the other it feels in many cases with large scale data analytics, it's we have all these tools for machine learning and the rest that we can wind up passing out to you but you need to figure out what to do with them, how to make it work and it's unclear outside of a few specific use cases and I think you've alluded to a couple of those how to take in a typical business that maybe doesn't have an enormous pile of data and start applying machine learning to it in a way that makes intelligent sense. That feels right now like a storytelling failure to some extent industry wide. We're starting to see some stories emerge but it still feels a little "Gold Rush"-y to some extent. >> Yeah I would say, and my advice would be don't try to boil the ocean or don't try to boil the data leg, meaning you want to do machine learning, you've got a great amount of earnestness about that but picture use case, really hone in on what you're trying to accomplish and work backwards from that. And we offer tooling that can be really helpful in that, you know with stage maker you can train your models and you can actually make data science available to a much broader array of people than just your data scientists. And so where we see people focusing first, is where it matters to their business. So if you've got a regulatory obligation to do surveillance or fraud detection, those are great use cases to start with. How do I enhance my existing surveillance or fraud detection, so that I'm not just wading again through a sea of false positives. How do I actually reduce that workload for a human analyst using machine learning. That's a one step up and then you can go from there, you can actually continue to work deeper into the use cases and say okay how do I treat those parameters, how do I actually look for different things that I'm used to with the rules based systems. You can also look at offering more value to customers so with next best offer with Amazon Personalize, we now have encapsulated the service that we use on the amazon.com retail site as a service that we offer to customers so you don't have to build all that tooling yourself, you can actually just consume Personalize as a service to help with those personalized recommendations for customers. >> Scott, really appreciate all the updates on your customers in the financial services industry, thanks so much for joining us. >> Happy to be here guys, thanks for having me. >> All right for Corey Quinn, I'm Stu Miniman, back with more here at AWS Summit in New York City 2019, thanks as always for watching theCube.

(techno pop music)- [Announcer] Live from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Hello everyone, welcome to theCUBE here in Boston. We're live at Amazon Web Services, AWS' first inaugural security conference. It's called the re:Inforce. They have re:Invent, which is the annual Amazon Web Services, AWS customer event. This is kind of like an Amazon Web Services summit meets with re:Invent. They're calling it re:Inforce. This is an event that looks like it's going to be a lot like re:Invent for the security sector. I'm John Furrier your host, with my co-host, David Vellante. Dave, re:Inforce inaugural show for Amazon Web Services, AWS but it's got a feel for summit, a little education but big keynotes. This is about security. This is a stake in the ground for AWS to have a dedicated conference and customer event around security, reinforces the name. Kind of like re:Invent, kind of get the vibe there. They're tryin' to go kind of independent, kind of new swim lane for a conference. Certainly there's demand. >> Yeah well two years ago, when you and I were at the DC public sector, you just came off of that show recently. The head of IT at the CIA said, "Security of the cloud on our worst day is better than "our clients' server systems on their best day." So this narrative of the sky is falling that you always hear from security vendors, is not what Amazon is projecting. Amazon is projecting that the state of the Cloud Union is strong. Kind of (laughs) like the president, every time he gives a State of the Union Address. So it comes down to me John as how do you secure massively distributed systems in the Cloud? Huge challenge for people. We heard from customers today, Liberty Mutual and Capital One, their number one challenge is how to keep pace with AWS? How to keep pace with the changes? So what you're seeing is this shared security model. Amazon takes care of the infrastructure, the database, the storage, and the customer still has to worry about endpoints, their own network, the operating system, the applications. So, they always talk about undifferentiated heavy lifting. You're seeing a shift toward that customer side of focus and on response. So putting more resources on response versus securing that core infrastructure. >> And security's changing. This is also a show about CISOs, the chief information security officer, also known as a CISO. The CISO and CIO kind of have similar roles. They have to look out over massive change in the enterprise these days, digital transformations, On-premise versus Cloud. Two different modes of operation. People love the On-premise in the old days, but now moving to the Cloud creates a different challenge and opportunity for security. I have some thoughts. I'd love to get your thoughts on what you see as Cloud security because there's a difference. Lift and shift is easy when you're talking about infrastructure. But when you start getting into coding and having something be security Native, there's a difference between Cloud security and On-premise's security. How are you seeing that play out? >> Well I think the whole notion of infrastructure as a code emanated 'cause of the Cloud. So I see it playing out as you got to have security as code. So it's sort of the intersection of DevOps and SecOps. And then to your other point, is what's the right regime? Who's responsible for it? Is it the CIO, is it the CISO? Should the CISO report to the CIO, all that other stuff. And personally I've always felt like it should be a separate reporting structure because otherwise you've got the sort of the fox guarding the henhouse. So I think that's key point number one. The other point is, bad security practices by end users will trump good security by IT. So it is really, it's a cliche, but it is truly a team sport. I think the big challenge again that people have is how do they keep pace with AWS? They're moving so fast. And it's not only just for customers, John. I think it's for the ecosystem as well. I can see Amazon eating away (laughs) at the value created by a lot of their partners. >> I mean, Amazon clearly is showing their cards here. They're continuing to push the agility, raising the bar kind of philosophy. And really what's happening with AWS is that, it's a continuation of their subscription model. You've got Dave McCann, he's going to be coming on theCUBE, he runs the Marketplace. You're seeing now hundreds and hundreds of subscriptions in the marketplace, thousands of subscriptions coming out, huge buying philosophy there. But this notion of foundational security built-in from day one. Is a philosophy Amazon is believing that and they can secure their environment. And they want customers as you pointed out, saying "Look it, we'll cover our AWS, we'll be highly secure." "You focus on what you do better." "You can use Security Hub, Control Tower." Which was announced as general availability. And they're saying to their ecosystems, "Look it, build on top of AWS, "because we have the best security." "We are a bit more secure." "But we won't try to compete with you if you use our stuff." So this has been a very interesting dynamic. And the security industry is responding well to it because they want to rely on Amazon. Why recreate the wheel? Use the Amazon, but they have to be free to compete on their own. That's what Amazon is saying in the private conversations I've had. Is that they're saying, "We're not going to compete with you, if you build on AWS." >> Yeah, and you move fast. (laughs) >> (laughs) And you move fast, and you make more money. >> But this is why I think everybody's going after Multi-Cloud. 'Cause if you hear that story, you're like, Wow, I don't think I could move as fast as AWS. I can't just build on AWS. I have to have a hedge strategy. So therein lies the Multi-Cloud. But John you I think, nailed it several years ago. It's Cloud, right? It's data. The Security fits in there and it weaves in availability, certainly privacy. You don't hear Amazon talking tons about privacy, but that's another side of the coin. These things are all intertwined, and it comes back to the data. >> We're going to see, for the folks watching, we're going to be seeing a lot of security cut on theCUBE. Security's a natural fit for what we've been covering. Starting out with the infrastructure, with Cloud, Big data, AI, Security, IoT are all kind of in the center there, because Security's looking a lot more like Cloud, than Cloud looking like Security. So Security has to become more agile, shared responsibility. Things like automation, reasoning, these are terms that are coming up. AI and Cloud are a perfect mixture to come in and actually reshape the security landscape. 'Cause the fact of the matter is there are way too many vendors and suppliers and service providers for customers that want to get down the (laughs) lower numbers, suppliers and more functionality. So you're seeing the conversations from the CISO's that I've had here. In the hallways and meetings I've had privately they all tell me Dave, that "We want want to reduce our suppliers down to, "big number down to single digits." "Ya know double digits not three digits." "Hundreds to a handful." The second thing that they're telling me is Multi-Cloud is B.S. to them. And that shocked me to hear top regime leaders saying "Multi-Cloud is not something we're interested in." Because this flies in the face of what we've been reporting, what we've been hearing, around Multi-Cloud. And I asked, "Why is that an issue?" "Won't there be multiple Clouds?" And this person said, "Yeah we use multiple Clouds "but I can't split my talents up multi-talents." So it's a talent game in Security. And the risk for the organization is to have multiple Clouds, multiple stacks, too many code bases. They're forking their talent base and that is not consistent with the security direction that they're taking from a coding Native standpoint. They want to have Security built-in and everything. So the devs can be agile and start and build stuff on top of Security. So Multi-Cloud great messaging and concept. You might have a few Clouds but the fact of the matter is, when they start splitin' the talent out like that, you dilute the overall power. >> But you actually, >> That was surprising. >> You actually did report on this. And when you tie back to your JEDI coverage, I mean the DOD basically said that Multi-Cloud is more complex, more costly and less secure. Now for that team that's doing JEDI they want a single (laughs) environment. The other thing I heard today, which I think is interesting, huge challenge is IoT. 75 billion connected endpoints by 2025. Okay we always hear those big numbers. But somethin' I didn't know. 90% of IoT data is plain text in the form of HTTP. Plain text. So it's not encrypted. So Amazon is going hard after that. And so they're going to bring tooling to that problem. I like Amazon strategy and ya everybody says, "Oh you can't bring the Cloud." It's about building applications securely at the edge. And that's what Amazon wants to enable. I like that strategy better than what you see from companies like Dell and HP. Is like, hey here's a box. We're going to top-down, throw it over and secure the edge. I don't think that top-down approach is going to be as effective as a bottom-up application developer approach. To your point, building security in. >> Yeah I mean, we're back to the classic digital transformation and people process technology equation. Where you have the organizational structures. A big conversation here as well. You mentioned which regime runs it. Because if you want to do DevOps, you got to develop and then put it in production. So you have two kind of splits there. You want to have more agility, you need more DevOps and you want to have that Native stack built-in, a firm Security stack, but then when you ship it to production you've got governance. So most organizations here that other big players in Security have kind of pillars. Right? Governance and risk management, operations and intelligence, data, and then full-blown engineering teams and then information security groups. That are just peaked on those. And the numbers are becoming much more significant. Security is IT now. It's not some sanctioned off group. It's becoming the way. And a lot of cutting-edge technologies are coming out of the Security market. So to me, I think the Security industry and the idea of having a conference dedicated to Security is a good one. Because the canary in the coal mine in this industry, is coming out of Security. And this is where the action is. So I see a lot of innovation and I think there's going to be a tsunami of apps that are going to be bought, like services. So I think ya know, this notion of shared services with Amazon and the Marketplace could be a great consumption model for enterprises. So ya know, you're going to see that dynamic. Enablement for channel and ecosystem. Marketplace for customers to buy software and services. >> And it's really again, a strong bottoms-up message from Amazon. It's kind of CISO on down. You know it's not the corner sweep that Amazon is messaging to. Although there's some messaging in there. They're basically positioning themselves as by far the fastest innovator, most features, most compliance, GRC, all that stuff. But really it's hardcore deep dives on Security. They're talkin' to Security pros. It's like when you go to reinvent strong developer crowd. Hardcore security SecOps, really detailed, serious technical people. That's their bottoms-up approach. >> Well Dave let me give you my thoughts on the Keynote. Then I want to get yours. And I want to give you a list of things that I was reporting on last night and getting in today, getting all the data on kind of the key topics that are going to be covered here in this show and beyond. So first the Keynote. Loved the encrypt anywhere message. >> Everywhere yeah. >> Assume everyone's watching. Security is everyone's job. Very big theme around you know, that notion of encryption. And that, you got to take care of it. The shared responsibility model. I loved that kind of message. And then automated remediation. This came up in my CISO conversations I've had this week where remediation can be automated so they can focus the talent on threat detection and notification alerting. So threat detection's moving to notifications and alerts. And they want to use automation like Lambda to automate known tech problems that can just take away and not have their people work on it. So that's a huge, huge topic on the Keynote. I love that. And using Lambda is great one. Building security measures into APIs. And then mathing the Cloud. I love that concept. Nerded on that. So overall typical Amazon Keynote. Meat and potatoes being served up in terms of the course of content and that was an awesome, awesome piece of it. So that' my take. What's your take on the Keynote. >> So my number one takeaway is again the customer saying, "Our number one biggest challenge is keeping up with the pace of change and the pace of innovation." And to your point, the answer to that challenge is automation. Amazon is forcing it's customers to automate so they can move faster. And Amazon knows that that's its key competitive weapon. It can rollout features faster than anybody else. Create that fly-wheel effect. If it can get its customers, you know most vendors move at the speed of the fat-middle of IT. Which is really slow. Amazon, interestingly, is pushing its customers faster than they're used to going. >> So Dave I had a chance to have a sit down and poll a bunch of CISOs and CIOs. So sometimes they have a CISO sometimes it's a CIO. >> Right. >> The role seems to be blending in as kind of one big, kind of overseer of the action. And here's what I've found terms of the key themes that were on their mind. And again this is part of our ongoing CISO interviews we've been doing and paneling the top CISOs of the top companies. Key topics that's on their mind. Vendor lock-in. Spend. They're spendin' a lot of cash. Being Security Native and kind of having that cultural philosophy of Security built-in so developers don't have to do it. That's very DevOpsy. Your point about Security as code. Big topic. That was a big one. And then kind of in the management side. Service providers slash suppliers. Dealing with the legacy (laughs) of the inherited supplier base that's calling on them and people who want to sell them things. The value creation process that's wants to be tied into suppliers. So that's kind of a procurement thing. Metrics. Which KPI should they be paying attention to? What's really going on? As I mentioned the threat detection versus alerts. Threat detection is not, kind of seems to be moving more towards alerts so threat detections can be managed. These are kind of things they want to measure. If you just measure one thing then might be have a blind spot. So metrics is I think what keeps them up at night. In terms of the topic. The Cloud Security model's different On-Premise and Cloud. Integration. Integration from third parties 'cause that's going to be a reality. Ecosystems like Amazon has a ton of suppliers that they can be buying services from, so it better integrate into a security stack. Identity management, obviously big. Automation. Workforce and talent. The Multi-Cloud comment came out of this. Talent is the number one game. This is a really critical piece. They coming up with strategies to recruit and to retain and have the best people working on the tech stacks, not working on just general architecture. And then finally, coding security. These are the top topics on the minds of the top CISOs and CIOs in the enterprise. And this is the key areas we're going to be covering. >> So that says to me you know, the concern about lock-in and the concern about spend, so they probably will have exit strategies in hedge. So (laughs) probably will be Multi-Cloud, which is interesting. The Multi-Cloud at one said Multi-Cloud's B.S. But at the same time their top-of-mind issues suggest that Multi-Cloud is going to be a key. On metrics. You know there's a metric out there that after you get infiltrated it takes 256 days to identify that. >> Yep. >> I'd like to see in the Cloud what that metric looks like. >> Yeah, yeah. >> Does that go down? So that's something that's really interesting. As opposed to, okay, how many threats did we count? Right? Or thwart. You know like you mentioned ID management. Identity management. Automation. And I agree talent. There's a big war. Capital One said they just opened a big technical presence in Boston. A lot of talent here. A lot of talent, around the world >> Well just for the record. I'm not anti Multi-cloud. I was just pointing out, the comments that, >> Right, no right. I understand that ya. >> the CISOs said I think Multi-Cloud is realistic. But what he was pointing out is that right now Multi-Cloud isn't attainable in the way that they want it. They have to spend too much of their talent on code bases and stacks that aren't compatible. >> And integration. >> I personally think that you'll have Multi-Cloud environments for all companies but they're going to pick one. For example, and the workload should define the Cloud you're working on so why would you want to just split a workload between two Clouds. Makes no sense. Unless it's completely automated, and frictionless and there's (laughs) value. >> Well Multi-Cloud is a symptom of multi-vendor. You've got different teams doing different projects, different parts of the organization and that's what it is. It's less of strategy then it is a symptom, at least at this point in time. >> Okay that's the kickoff for the inaugural AWS show here in Boston. This is the live Cube coverage here for two days. I'm John Furrier, Dave Vellante. Stay with us for two days of coverage. We'll be right back. (techno pop music)

>> From the SiliconANGLE media office in Boston Massachusetts, it's theCUBE. Now here's your host, Dave Vellante. >> Hi everbody, this is Dave Vellante, and welcome to this special Cube conversation on a very important topic, cyber security and cyber resiliency. With me today is Stefan Voss who's the Senior Director of Product Management for Data Protection Software and Cyber Security and Compliance at Dell EMC. Stefan, thanks for coming on and helping us understand this very important topic ahead of RSA World. >> My pleasure, thanks Dave for having me. >> You're welcome, so let's talk about the environment today. We have, for years, seen back-up evolve into data protection, obviously disaster recovery is there, certainly long term retention. But increasingly, cyber resilience is part of the conversation. What are you seeing from customers? >> Yeah, definitely, we're seeing that evolution as well. It's definitely a changing market and what a perfect fit. We have to worry about right of breach, What happens when I get attacked? How can I recover? And the technologies we have, that we have for business resiliency back-up, they all apply, they all apply more than ever. But sometimes they have to be architected in a different way. So folks are very sensitive to that and they realize that they have great technologies. >> I'm glad you mentioned the focus on recovery because we have a lot of conversations on theCUBE about the CIO and how he, or she, should be communicating to the board, or the CSO, how they should be communicating to the board. That conversation has changed quite dramatically over the last 10 years. Cyber is a board-level issue. When you talk to, certainly large companies, every quarter they're talking about cyber. And not just in terms of what they're doing to keep the bad guys out but really what the processes are to respond, what the right regime is - you know, cyber security is obviously a team sport, it's not just the responsibility of the CSO or the SECOPS team, or the IT team, everybody has to be involved and be aware of it. Are you seeing that awareness at board levels within your customer base, and maybe even at smaller companies? >> 100%, I think the company size almost doesn't matter. Everybody can lose their business fairly quickly and there's one thing that NotPetya, that very bad, sort of, attack told us is that it can be very devastating. And so if we don't have a process and if we don't treat it as a team sport, we'll be uncoordinated. So, first of all, we learned that recovery is real and we need to have a recovery strategy. Doesn't mean we don't do detection, so the NIS continuum applies, but the CSOs are much more interested in the actual data recovery than they ever were before which is very interesting. And then, you know, you learn that the process is as important as the technology. So, in other words, Bob Bender - a fabulous quote from Founders Federal - you know, the notion of sweating before the game, being prepared, having a notion of a cyber recovery run book. Because the nature of the disasters are changing so, therefore, we have to think about using the same technologies in a different way. >> And I said at the open that things are shifting from just a pure back-up and recovery spectrum to much broader. The ROI is changing, people are trying to get more out of their data protection infrastructure than just insurance and, certainly, risk management and cyber resiliency and response is part of that. How is the ROI equation changing? >> Yeah, I mean, it's a very valid question. You know, we do have, people are asking for the ROI. We have to take a risk-based approach, we are mitigating risk. It's never fun to have any data protection or business resilience topology, 'cause it's incremental cost, but we do that for a reason. We need to be able to have an operational recovery strategy, a recovery strategy from a geographic disaster and, of course, now more so than ever a recovery strategy from a cyber attack. And so, therefore, we have to think about, you know, not so much the ROI but what is my risk reduction, right? By having, sort of, that process in place but also the confidence that I can get to the data that I need to recover. >> Now we're gonna get into that a little bit later when we talk about the business impact analysis. But I wanna talk about data isolation. Obviously ransomware is a hot topic today and this notion of creating an air gap. What is data isolation from your perspective? What are customers doing there? >> Yeah, I mean, I think almost every customer has a variant of data isolation. It's clear that it works, we've seen this from the NotPetya attack again that where we were, large logistics company, right, found data the domain controller on a system that underwent maintenance in Nigeria. So a system that was offline, but we don't wanna operate that way. So we wanna get the principles of isolation because we know it kind of reduces the attack surface, right, from the internal actor, from ransomware variants, you name it. All of these are, when you have stuff on the network it's theoretically fair game for the attacker. >> So that Nigeria example was basically by luck there was a system offline under maintenance that happened to be isolated? And so they were able to recover from that system? >> Absolutely. And another example was, of course, critical data that domain controller, 'cause that's what this attack happened to go after, was on tape. And so, you know, this just shows and proves that isolation works. The challenge we were running into with every customer we work with was the recovery time. Especially when you have to do selective recovery more often, you know, we wanna be able to get the benefits of online media. But also get, sort of, the benefits of isolation. >> Yeah, I mean, you don't wanna recover from tape. Tape is there as a last resort and hopefully you never have to go to it. How are customers, sort of, adopting this data isolation strategy and policy? Who's involved, what are some of the pre-requisites that they need to think about? >> Yeah, so the good thing - first thing's first, right. We have technology we know and love, so our data protection appliances where we started architecting this workflow, that we can use. So, in other words, you don't have to learn a new technology, buy something else. There's an incremental investment, yes. And then we have to think about who's involved. So that earlier point, the security folks are almost always involved, and they should be involved. Sometimes they fund the project, sometimes it comes out of IT. Right, so, this is the collaborative effort and then to the extent it's necessary, of course, you wanna have GRC - so the risk people - involved to make sure that we really focus on the most important critical assets. >> Now ahead of RSA, let's talk a little bit about what's going on in that world. There are security frameworks, Nist in particular is one, that's relatively new, I mean it's 2014 it came out, it's been revised really focusing on prevent, detect and, very importantly, respond. Something we've talked about a lot. Are people using that framework? Are they doing the self-assessments that Nist prescribes? What's your take? >> Yeah, I think they are. So, first of all, they are realizing that leaning too much left of breach, in other words hoping that we can always catch everything, sort of the eggshell perimeter, everybody understands that that's not enough. So we have to go in-depth and we also have to have a recovery strategy. And so the way I always like to break it down pragmatically is - one, what do I prioritize on? So we can always spend money on everything, but doing a business impact analysis and then maybe governing that in a tool like RSA Archer can help me be a little bit more strategic. And then, on the other end, if I can do a better job co-ordinating the data recovery along with the incident response, that will go a long way. You know and, of course, that doesn't forego any investment in the detection but it is widely adopted. >> One of the key parts about the NIS framework is understanding exposure in the supply chain where you may not have total control over one of your suppliers' policies, but yet they're embedded into your workflow. How are people handling that? Is there a high degree of awareness there? What are you seeing? >> It is absolutely, that's why product security is such an important element, and it's the number one priority for Dell Security, even above and beyond the internal security of our data center, as crazy as it sounds. Because, you know, we can do a lot of damage right in the market. So, certainly, supply chain, making sure we have robust products all along the way is something that every customer asks about all the time and it's very important. >> Let's go back to business impact analysis, we've mentioned it a couple of times now. What is a business impact analysis and how do you guys go about helping your customers conduct one? >> Yeah, I mean, let's maybe keep it to that example, let's say I go through this analysis and I find that I'm a little bit fuzzy on the recovery and that's an area I wanna invest. You know, and then I buy off on the concept that I have an isolated or cyber recovery vault on an isolated enclave onto which I can then copy data and make sure that I can get to it when I have to recover. The question then becomes, well what does business critical mean? And that's where the business impact analysis will help to say what is your business critical process - number one, number two - what are the associated applications, assets? 'Cause when you have that dependency map it makes it a lot easier to start prioritizing what applications do I put in the vault, in other words. In this specific example. And then how can I put it into financial terms to justify the investment? >> Well we were talking about ROI before, I mean really we've done actually quite a few studies looking at Global 2000 and the cost of downtime. I mean, these are real tangible metrics that, if you can reduce the amount of downtime or you can reduce the security threat, you're talking about putting money back in your pocket. Because Global 2000 organizations are losing millions and millions of dollars every year, so it is actually hard ROI. Even though some people might look at it as softer. I wanna talk about isolated data vault, you know, this notion of air gaps. What are you guys specifically doing there? Do you have solutions in that area? >> Yeah, we do. So we are using, luckily, so the concepts that we know from resiliency disaster recovery. Right, so our data protection storage which is very robust, it's very secure, it has very secure replication. So we have the mechanisms to get data into the vault, we have the mechanisms to create a read-only copy, so an immutable copy, that I can then go back into. So all of this is there, right, but the problem is how do I automate that workflow? So that's a software that we wrote that goes along with the data protection appliance sale. And what it does, it's all about ingesting that business critical data that I talked about into the secure enclave, and then rendering it into an immutable copy that I can get to when I have nowhere else to go. >> Okay, so you've got that gap, that air gap. Now, the bad guys will say 'Hey, I can get through an air gap, I can dress somebody up as a worker and put a stick in'. And so, how much awareness is there of that exposure? And I know it's maybe, you know, we're hitting the tip of the pyramid here, but still important. Can you guys help address that through, whether it's processes or product or experience? >> 100% so we have, of course, our consulting services that will then work with you on elements of physical security, or how do I lock down that remaining replication link? It's just about raising the bar for the attacker to make it more likely we'll catch them before they can get to, really, the prized assets. We're just raising the bar but, yes, those are things we do. So consulting, physical security, how do I do secure reporting out? How do I secure management going in? How do I secure that replication or synchronization link into the vault? All of these are topics that we then discuss, if they kind of deviate from the best practices and we have very good answers through our many customer arrangements. >> Stefan, let's talk about some of the specific offerings. RSA is a portfolio company in the Dell Technologies Group, it's a sister company of Dell EMC. What are you guys doing with RSA? Are you integrating with any of their specific products? Maybe you could talk about that a little bit? >> Yeah, I think, so when you think about recovery and incident response being so important, there's an obvious, right? So what RSA has found - I thought this was very interesting is that there's a lack of coordination between, typically, the security teams and the data professionals, data restoration professionals. So the more we can bridge that gap through technology, reporting, the better it is, right? So, there's a logical affinity between an incident response retainer, activity, and the data recovery solutions that we provide. That's one example, right? So every day counts, that example that I talked about NotPetya, the specific customer was losing 25 Euros every day. If I can shave off one day, it's money in the bank. Or money not out of the bank. The other area is, how do I make sure that I'm strategic about what data I protect in this way? That's the BIA Archer. And then there's some integrations we are looking at from an analytics perspective. >> Archer being the sort of governance risk and compliance, workflow, that's sort of one of the flagship products of RSA. So you integrate to that framework. And what about analytics, things like IOC, RSA NetWitness, are those products that you're integrating to or with, or leveraging in any way? >> Yeah, first off, analytics in general it's an interesting concept now we have data inside our secure enclave, right? So what if we could actually go in and give more confidence to the actual copies that we're storing there. So we have an ecosystem from an analytics perspective. We work with one specific company, we have Arrest API-based integration where we then, essentially, use them to do a vote of confidence on the copy, of the raw back up. Is it good? Are there signs that it was corrupted by malware? and so forth. So what that helps us do is be more proactive around our recovery because, I think you're about to say something - but if I knew there's something, you know, suspicious then I can start my analytics activity that much sooner. >> Well the lightbulb went off in my head. Because if I have an air gap, and I was saying before, it's necessary but insufficient. If I can run analytics on the corpus of the back up data and I can identify anomalies, I might be able to end run somebody trying to get through that air gap that I just mentioned before. Maybe it's a physical, you know, security breach. And the analytics might inform me. Is that a reasonable scenario? >> It is a reasonable scenario, though we do something slightly different. So, first of all, detection mechanisms, left of breach stuff, is what it is, we love it, we sell it, you know, we use it. But, you know, when it comes to back up they're not off-the-shelf tools we can just use and say 'Hey, why don't you scan this back up?' It doesn't typically work. So what we do is, in the vault, we have time, we have a workbench so it's almost like sending a specimen to the lab. And then we take a look at it. Are there any signs that there was data corruption that was indicative of a ransomware attack? And when there is such a scenario we say, 'You might wanna take a look at it, and do some further investigation'. That's when we then look at NetWitness or working with the security teams. But we can now be of service and say 'You might wanna look at this copy over here'. It's suspicious, there's an indicative compromise. And then take the next steps other than hoping for the best. >> You mentioned the ecosystem, you mentioned the ecosystem before. I wanna double-click on that. So, talk about the ecosystem. We've said here it's a team sport, you can't just do it alone. From a platform perspective is it open, is it API based? Maybe you can give some examples of how you're working with the ecosystem and how they're leveraging the platform. >> Yeah 100%. So, like I said, so we have, you know, our data protection appliances and that's sort of our plumbing, right, to get the data to where I want. We have the orchestration software. This is the part we're talking about. The orchestration software has Arrest API, everything's documented in Swagger. And the reason we did that is that we can do these orchestrations with third party analytics vendors, that's one use case right? So, I'm here, I have a copy here, please scan, tell me what you find and then give me an alert if you find something. The other example would be, maybe, doing a level of resiliency orchestration. Where you'd automate the recovery workflow beyond what we would have to offer. There are many examples but that is how we are enabling the ecosystem, essentially. >> You mentioned Founders Federal earlier. Is that a customer, is that a reference customer? What can you tell me about them? >> Yeah it's a reference customer and they very much saw the need for this type of protection. And, you know, we've been working with them. There's a Dell World, last year, session that we did with them. And very much the same sort of, like the quote said, focus on the process not only the product and the set of technologies, right? And, so that's how we've been partnering with them. >> The quote being 'Sweat before the game'? Founders Federal, that's a great quote. Alright, we've talked a lot about just, sort of, general terms about cyber recovery. What can you tell us, tell the audience, what makes Dell EMC cyber recovery different in the marketplace and, you know, relative to your competition? Pitch me. >> Yeah, I mean, I think it's a very unique capability. Because, one, you need a large install base and, sort of, a proven platform to even built it on, right? So when you look at the data domain technology we have a lot to work with. We have a lot of customers using it. So that's very hard to mimic. We have the orchestration software where we, I believe, are ahead of the game, right? So the orchestration software that I talked about that gets the data into the vault securely. And then our ecosystem, right? So those are really the three things. And then, of course, we have the consulting services which is also hard to mimic. To really, you know, design the process around this whole thing. But I think the ecosystem, sort of, approach is also very powerful. >> You have a big portfolio, you've got your sister company that's, sort of, well known obviously in this business. Do you also have solutions? I mean, for instance, is there an appliance as part of the portfolio that fits in here? And what is that? >> Yeah, so, you can think of this as, if I wanted to really blow it down, the two things I would buy is a data domain - it could be the smallest one - and a VxRail appliance that runs the software. And then I stick that in the vault. And then there's, sort of, that product. So you can think of it as an appliance that happens to go with the software that I talked about that does the orchestration. >> Okay, so, RSA the premier conference on cyber coming up in a couple of weeks. What have you guys got going there? Give us a little tease. >> Yeah, absolutely. So it's gonna be an awesome show and we will have a booth, and so we look forward to a lot of customer conversations. And we do have a panel. It's gonna be with Mastercard and RSA and myself. And we're really gonna take it from left of breach all the way to right of breach. >> Awesome, do you know when that panel is yet? >> It is, I think, on the 5th, I may have to check. >> Which is which day? >> I wanna say it's Wednesday. >> So it starts on the Monday, right? So that'll be day three. So check the conference schedule, I mean things change at the last minute. But that's great. Mastercard is an awesome reference customer. We've worked with them in the past and so, that's great. Stefan, thanks very much for coming to theCUBE and sharing some of your perspectives and what's coming up at RSA. It's good to have you. >> Thanks so much, Dave, I appreciate it. >> Okay, thanks for watching everybody. This is Dave Vellante from our East Cost headquarters. You're watching theCUBE.

>> Announcer: Live from Las Vegas, it's theCUBE. Covering ServiceNow Knowledge 2018. Brought to you by ServiceNow. >> Welcome back to Las Vegas, everybody. This is theCUBE, the leader in live tech coverage and we're here at Knowledge18. This is our sixth CUBE at ServiceNow Knowledge. Jeff Frick is my co-host. Jeff when we started covering ServiceNow Knowledge I think it was under 4,000 people. >> The Aria. >> At The Aria, it was a very hip conference, but now we're talking about 18,000 people at K18. How ironic. Sean Convrey is here. He's the Vice President and General Manager of the ServiceNow Security Business Unit. Welcome back to theCUBE, it's good to see you again, Sean. >> It's great to be back. >> So you know I'm a huge fan of your security initiative because you focused what, in our opinion, is really the real problem which is response. You're going to get hacked, you're going to get penetrated. It takes almost a year to find out when somebody has infiltrated your organization, they're exfiltrating data. You guys are focused on that problem. So, really have a lot of hope for this business in terms of addressing some of those challenges. But, give us the update on the ServiceNow Security Business. >> Sure yeah, so the business is continuing to grow nicely. I think we released at the end of 2017 on our earnings report that security and the other emerging businesses met their aggressive sales targets from 2017. So, we're seeing, you know we're into the hundreds of customers stage now. We've got very mature customers that are deployed in production. I think almost 40% of our customer base is Global 2000 so that's one of the benefits of being on the ServiceNow platform is, we aren't perceived as a 1.0 or a 2.0, even though we've only been around for two years, you know people are thinking of us as an application on top of an already very stable platform. >> One of the things we talk about a lot, you and I have talked about is, what's the right regime for security? All to often it's the sec-ops problem, or it's an I.T. problem. You know, we preach that it's a team sport, it's everybody's problem, but when you extend into an organization from whatever ITSM, or whatever it is, to whom to you sell? Who are your constituents? Are they figuring out that right regime? Or is it really still the sec-ops team? >> Yeah, so there's two major use cases in the security operations product. One is focused on security incident response, and that we're definitely selling primarily to the SOC, to the security operations center. But, we have another growing use case on vulnerability response, which is more the proactive side where we're addressing, really just security good hygiene. How do you reduce the attack surface area in your environment by having less vulnerable software in your environment, and that has a very tight tie to I.T. Actually, they both have very tight ties to I.T. Because in almost all cases, I.T. and I.T. operations are the actual execution arm of whatever changes you need to make to your infrastructure in response to something bad happening. >> Right, it's funny because we were at RSA this year, we've gone for a couple years. 40,000 people, that's a crazy big conference, but a couple of really interesting things that came out this year. One is that, you're going to get penetrated, right, so just a whole change of attitude in terms of not necessarily assuming you won't be, but how are you going to react when you are? How are you going to find out? And the other thing that comes up time and time again when you hear about breaches is this hygiene issue. It's, somebody forgot to hit a switch, forgot to do a correct setting, forgot to do a patch, all these really kind of fundamental things that you need to do at a baseline to at least give you a chance to be able to put up a defense against these people. >> We actually just did a study with Ponemon Institute of nearly 3,000 security professionals focused in on this hygiene problem, on vulnerability response, and some of the stats are just staggering. 70% of respondents said security and I.T. don't have the same visibility into applications and systems. 55% said they spend more time coordinating a response among teams manually than they actually do in the act of patching itself. People are losing 12 days per update in manual coordination, because think about it, you've got not just I.T. and security, but you've got GRC team, you've got the business owner, you've got the application owner, it's not just two folks sitting down at the table, it's a huge team looking at a multi-hundred thousand long spreadsheet of vulnerabilities that they're trying to respond to. >> It's funny, we talk often, it's an often quoted stat, how many days have you been penetrated before you figure it out, but what's less talked about is what you just talked about, is once you find out, then what's the delay where you can start taking proactive action and start taking care of all of these things. That's just as complicated, if not more. >> That's what the study actually bore out. So, one of the things we did was, we broke the data up into those that had been breached and those that had not been breached, and it was about 50/50. But, the biggest difference between the ones that had had a breach in the last two years and the ones that didn't, is the ones that had not been breached self-reported they're vulnerability response program as 40% more effective than those that were breached. So, this hygiene thing this is just fundamental. Actually, my personal theory is, it's not as exciting and undertaking. It's much more fun to talk about how Thor'd the bad guy that was knocking at your front door, trying to find a way in. The sort of proactive, you know execution of a strategy to reduce your attack surface area is much less sexy. >> So, we've always talked about that magic number, or scary number, of the number of days that it takes a company to realize they've been penetrated. Whatever, it ranges from 225, I've seen them higher than 300 and it's a couple years in now, and I'm curious as to what kind of data you have within your customer base. Have you been able to compress that time, and as Jeff points out, even more importantly, have you been able to compress the response time? >> So there's two stats I'll give you. One is, for many organizations they had zero reporting within their own organization. So if they were trying to report out, they were in the land of spreadsheets and emails, so they couldn't tell you how big an impact it had. We actually commissioned a study with Forrester. They did a total economic impact, a TEI study, with our sec-ops customers and found out that the average reduction in their incident response time was 45% improvement, or 45% reduction in their response time, which is just dramatic. That's very meaningful to an organization, especially when there's a prediction of an almost two million cyber-security job shortfall in 2019. So there simply aren't the people to solve this problem, even if you could hire your way out of this. >> So what you would expect is if you could reduce that response time, obviously you're freeing up resource, and then hopefully you could create some kind of flywheel effect, in terms of improving the situation. It's early, but what have you seen there? >> That's exactly what we're seeing. So we're seeing people take the things that are painful and frequent and trying to automate those tasks so that they don't occur as often and require people's time. The analogy that I always use is, if you've watched a medical drama, you always see the doctor racing down the hallway, holding up an X-ray to the fluorescent lights and making a call, telling the nurse five milliliters of this or 10 milliliters of that. >> Stat, stat, stat. >> It's always stat. >> Whatever that means. >> They're saving the day right? They're saving the day. That's what a security person wants to feel like. They want to feel like they're making that insightful call, in the moment, and saving the day, but instead, they're the doctor, they're the nurse, they're the orderly, they're the radiologist, they're the administrative people. They have to play all those roles, and what security automation is really about is, let's take those mundane tasks that you don't like anyway, and get rid of them so you can focus on what truly matters. >> It's such an important piece because like I said, RSA, there's 40,000 people, ton of, ton of vendors, and the CISO cannot buy all those solutions, right? And for you guys, to find a place to fit where you can have nice ROI because you just can't buy it all and to me it's kind of like insurance. At some point you just can't buy more insurance, you can just buy and replace whatever it is that you're insuring, so it's a real interesting kind of dilemma, but you have to be secure. You don't want to be in the Wall Street Journal next week. >> Right. >> Tough challenge. >> It's a very tough challenge and the notion that you can find a product to buy for every problem you have is something that the security community, if you go to RSA, it feels that way, right? Like, "Oh I just need to buy another thing." But, organizations have on average 80 security tools already. So, the challenge is how do you actually reframe and think about prioritization in a different way? So we're actually seeing our customers start to take advantage of the governance risk and compliance capability, that are also part of ServiceNow to use risk as a North Star for their security investments rather than just saying, "Oh this is the latest attack so I need to go buy a thing "that stops that attack." Saying instead, what are my most valuable assets? What is the financial impact of a breach to those services? How do I invest accordingly? >> I was watching a CUBE interview, I think it was from KubeCon, John Furry was doing an interview, and the gentleman he was interviewing said, "The problem with security is for years, organizations "thought they could just buy some piece of technology, "install it, and solve the problem." Couldn't be further from the truth, right? So, describe what you're seeing as to those who are successful and best practice as to solving the problem. >> Sure, well that thinking you can buy your way out of the problem goes all the way back to the early days of firewalls. I mean, I remember earlier in my career trying to convince people that a firewall by itself wasn't enough. So we're seeing in organizations that are adopting best practices around response, is they're taking a much more structured approach to how they respond to the most common attacks. Things like, suspected phishing email, right? Processing a phishing email that's reported by an employee, by a user, takes anywhere from 15 to 20 minutes to check manually to see if it really is phishing or not. You know, with ServiceNow Security Operations we can automate that down to seconds and allow that time for an analyst to go back to focusing on maybe a more advanced attack that does require more human ingenuity to be applied. >> Right, the other thing that keeps coming up time and time again within the ServiceNow application and the platform, is you like having lots of different data sources to pull from. You like being kind of that automated overflow and workflow to leverage those investments for the boxes that they do have in the systems and all those things. You want to use them, but how do you get the most value out of those investments as well? >> Exactly, we're seeing that most organizations don't feel that they're getting the value out of the assets that they've already invested in as well. So, to steal one of our CEO's lines, he talks about this idea of one plus one plus one equals magic. The idea that if you can bring together the right pieces of information you can create this transformational outcome and I think with security technology, if we can bring the data and the insights together on a common platform that allows you to investigate in a more automated way, to draw on the insights that you need from the various systems, and then to respond in the right capacity at the right time, it's a completely different way of solving this problem that I think we are just beginning to explore. >> And a whole nother place to apply A.I. And machine learning down the road as well. So, you can start automating the responses at that tier, and a whole nother level of automation to get the crap that I don't need to pay attention to off my screen, so that I can focus on the stuff that's most important. >> Oh absolutely, I think the headroom in the response category of technology, we're just beginning to see what's going to be possible as we continue to go down this path. >> Can you talk about the ecosystem a little bit? Obviously it's critical. Just to be clear, ServiceNow it not trying to replace Palo Alto Networks, you know, or other security tools. You partner with those guys much in the same way as you're not trying to replace Workday and SAP and HR. Talk about that a little bit, the partner ecosystem, how that's growing and what role they play, where they leave off, and where you pick up. >> Absolutely. So, as you said, we're not in the business of building prevention technology, detection technology, we are all about taking the investments you've already made and bringing them together. So, we consider ourselves a neutral player in this market. We integrate with all sorts of different security technologies because again, the goal is, let's take all these insights that are already in the various pieces of infrastructure. You know, we had one of our customers onstage yesterday during our keynote describing swivel chair. This notion of, I'm swiveling from console to console to console and I'm burning time. If you can give me one place where I can bring that data together, it's really valuable. So, we're quite different than many other ServiceNow products in that, it's often not a human being that initiates the request. You know, a human says, "hey my laptop needs help," right? But, in security it's a third party tool that says, "Hey, go take a look at service X, we're seeing "some weird behavior there." >> So, staying on the ecosystem for a minute. You know, big space; security, crowded space. You were just at RSA. >> It was crazy. >> Crazy, tons of startups. When I talk to startups, in fact I was talking to one the other day, it's a phishing startup, guys out of the NSA doing some really interesting stuff. They got to place bets, small companies, and I'm like, "Have you seen what ServiceNow is doing? "It's kind of an interesting play. "You might be able to participate in "that ecosystem someway, somehow." Is it reasonable to think that startups actually can participate, how can they participate? Can they bring their innovation to you? Or are you really looking for established players with an installed base that you can draft off of? >> Sure, we're actually doing both right now. So, you can think about it, you know, being a new player in the security community, credibility is something we are always seeking to grow and develop over time. So, while we really like to integrate with the large, established security vendors that our customers expect us to integrate with, we also love talking to the innovative startups and integrating with them as well. So, we have a whole technology partner program that allows people to tie into the ecosystem. We have a whole business development team at my organization where we work actively with these companies to help them take best advantage of what integrating with ServiceNow can do. >> I think it's key. If you think about the innovation sandwich we often talk about, for years this industry has marched to the cadence of Moore's Law. It was doubling microprocessor speeds every two years that drove innovation. That was nice, that got us a long way, but seems like innovation today is a combination of data, applying machine intelligence, and cloud, cloud economics. And part of cloud economics you get, scale economies, zero marginal costs at volume, but it's also the ability to attract startups. We see that as critical for innovation. Do you agree? >> Yeah, absolutely. I think that the innovation we are seeing in the security world overall, I think is going to continue to grow, as you saw at RSA, there is always another several hundred vendors it seems like, that are out there. And I think we have, as an industry, toyed with the idea of a suite or consolidation. It's always been, next year is going to be this massive consolidation and it's never seemed to really happen and what I'm thinking is this notion of something like what security operations can do from ServiceNow, where you're sort of making a suite by building an abstractional error that integrates all the technology. So you get the benefits of a suite, while still being able to go best of breed with the individual technologies that you want. >> Yeah, consolidation of technologies and becoming safer every year. Those are two things that haven't happened. Hopefully Sean's ServiceNow can help us with that problem. Put a bow on Knowledge18. What's the takeaway? >> The takeaway for us is that security automation and security orchestration is now here, right? Two years ago, the conversation was "What is ServiceNow doing in security?" Now my conversations with customers are, "I understand, I'm looking at this market overall. "I see the value that it can provide to me." We've got customers on stage, we've got customers leading sessions that are talking about their own transformational experience. So I think the technology is here. Gardner has labeled this category: security orchestration, automation, and response. Which is big for the industry overall. So I think it's here now, and I think we've got a great capability tying into a common platform and of course tightly tying to I.T., where many of our 4,000 customers already are using ServiceNow. >> Who's your favorite superhero? >> Wolverine, no doubt. >> John: Alright, you know why I'm asking. (laughing) >> I don't know why you're asking. >> Oh come on, you're the one that told me that all security guys, when they're little kids, they dreamed about saving the world, so you've got to have a favorite superhero. >> Well, Wolverine's a pretty dark guy, I don't know that that works very well. >> Sells more movies. (laughing) Sean, thanks very much for coming on theCUBE. >> Thanks so much. >> Alright, keep it right there everybody. We'll be back with our next guest right after this short break. You're watching theCUBE live from ServiceNow Knowledge18. (upbeat music)

>> Announcer: Live from Las Vegas, it's theCUBE, covering ServiceNow Knowledge 2018. Brought to you by ServiceNow. >> Welcome back everyone to theCUBE's live coverage of ServiceNow Knowledge18. We are wrapping up day one of coverage. I'm Rebecca Knight, your host, along with my co-host, Dave Vellante. We're joined by Bipin Paracha. He is the co-founder and principal consultant of IntegRhythm. Thanks so much for coming on the show, Bipin. >> Thank you for having us. >> So let's just lay the scene for our viewers. Tell our viewers a little bit about what IntegRhythm does. >> So IntegRhythm started as a management advisory firm. We were teaching clients how to transform, fell in love with ServiceNow platform back in 2012, and since then, we love leaving behind working systems that drive outcomes for our clients. So we do a lot of transformative process organization, shared service transformations, things that leave behind business value for our clients. >> So a combination of tip of the spear consulting, and also implementation, is that correct or? >> So we change the tip of the spear, we kind of have tip of the spear in the implementation phase. So it is kind of baked into our methodology on how we drive outcomes for our clients. >> Dave: Oh, okay. >> So we don't charge our clients extra for consulting because we believe we get paid when we drive outcomes. >> Outcome-based incentives. >> Bipin: Yep, exactly. >> So your growth has been phenomenal, really, in recent years. So what's the magic? What are you doing? How has it been achievable? >> So one of the fundamental things that you've heard all along here, but what we also believe, is customer success. If you drive value for your customers, if you drive great value, they come back. Lot of people say that. Lot of people believe that. But we were fortunate enough to latch on to the comet's tail with ServiceNow early on. We were one of the few early partners. We saw the platform is amazing. It can do terrific things. And we've been able to drive the platform to do things for our customers, and that's helped propel our growth. As long as we stay true to that mission, we are keeping to grow. >> I want to ask you a question as a practitioner, somebody who really knows this space. ServiceNow obviously great for mid to large-size companies, trying to do anything related to a service request, customer service management, obviously ITSM, change management, problem management, et cetera, et cetera, et cetera. What's it not good at? It's not for small business. It's not CRM. It's not an HR app. So what's the profile of a company that you typically work with? >> So it is great for small businesses. We are a small business. We own ServiceNow. >> Dave: Really? We run our business on ServiceNow. >> Dave: Get out of here. >> For the right profile of a customer, it is beautiful. >> How many employees are you? >> We have 70 today. >> Dave: 70? >> 70. >> Dave: Oh, you really are a small business. >> And we are pretty small, but we still run our business on ServiceNow. It does more things than any other project management tool. It does more things than any other content management tool. We use CSM, we use PPM, we use everything. It drives value. >> Dave: Do you run your CRM at ServiceNow? >> We integrate with CRM. >> Dave: Okay. >> So we use the same CRM that ServiceNow uses, Hubspot. Our marketing, our website. >> Which is really marketing, I mean, ServiceNow is your backend CRM platform essentially. >> Yep. So our single view of our customer is ServiceNow. Anytime anybody touches us across a project, across an incident, across, we see them in ServiceNow. >> Wow, that's, I didn't realize that. I mean, is that common that a company of your size? >> It's actually not, so one of the big leg-ups we have is we are an implementation company, we are passionate, so we kind of get the free implementation. So our team goes gangbusters. >> Yeah, you're ServiceNow alpha geeks. You guys are really deep into this stuff. >> Yeah, they love what they're doing. We have to kind of slow them down sometimes. We got customers to deal with, go focus on customers. >> You are a passionate evangelist for ServiceNow. >> Oh yeah. >> What are you learning here at Knowledge? And this is not your first Knowledge, not your first rodeo. But are you talking with other customers and learning how they're using it, the platform? And then also being able to come back and take those best practices home? >> So we are a business, right, end of the day. So we get our clients here to ServiceNow, and when clients talk to the product company, product team, they learn a lot. When the product team talks with the clients, they learn a lot. But when clients talk to clients, magic happens. We've been a partner for other technologies, I won't name them, but ServiceNow is truly a customer-driven organization. I have never in my 20 plus years of experience run into a passionate customer base. Sometimes customers know how to sell ServiceNow better than ServiceNow themselves. So get a bunch of customers together, we win. >> In the early days when we started covering ServiceNow you would hear stories about making custom mods, making modifications, how that slowed people down, going into subsequent releases. I hear more often now, no custom mods, we avoid custom mods. What are you seeing? What are you preaching in the marketplace? >> So ServiceNow today is different from ServiceNow five years ago. >> Yeah, for sure. >> So we strongly believe you can go live out of the box. We actually had two presentations, a 2.5 billion dollar company, top 20 exporter in the U.S. Took them live in ServiceNow with zero customizations. Straight out of the box. Schooler, American Greetings, CSM out of the box. Our story is you're buying a Ferrari. Drive it around the block. Use what you use, and then figure out how you transform the organization. When you're buying ServiceNow, you get best practices. ServiceNow's already baked in industry best practices. If you are doing something, figure out where you're special, and pay attention to where you're special. >> When you think back to those customers five years ago that did a lot of custom modifications, how do you help them get off that technical debt? >> So we have a couple of programs that we run. So we've done back in the box for a couple of our accounts. Stand up a new ServiceNow instance, build up from scratch, migrate. Sounds easy, but we've done it a few times, so we know we can, we do. The other thing is, you can move in a phased approach. So HR has come up with a scoped app. It was two years. Move off the custom HR into scoped app. GRC, move into the scoped app. So you can migrate in phases. We've had like six major conversations today around how you roll back the stuff. So what customers built six years ago, ServiceNow delivers out of the box. >> Rebecca: Bipin, thanks so much for coming on theCUBE. It's been a pleasure having you. >> So thanks for having me here. It was fun hanging out. >> Dave: You're welcome. Good to meet you. >> The party is getting started, so, I think we've got to join them. It's our time now, exactly. >> Bipin: Alright, thank you. >> Yes, thank you, thank you. We will come back tomorrow with more from ServiceNow Knowledge18. I'm Rebecca Knight for Dave Vellante. We'll see you back here tomorrow. (upbeat music)

(light techno music) >> Narrator: From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now here's your host, Stu Miniman. >> Hi, I'm Stu Miniman and welcome to theCUBE conversation here in our Boston area studio. Happy to welcome back to the program, Paul Barth, who's the CEO of Podium Data, also a Boston area company. Paul, great to see you. >> Great to see you, Stu. >> Alright, so we last caught up with you, it was a fun event that we do at MIT talking about information, data quality, kind of understand why your company would be there. For our audience that doesn't know, just give us a quick summary, your background, what was kind of the why of Podium Data back when it was founded in 2014. >> Oh that's great Stu, thank you. I've spent most of my career in helping large companies with their data and analytic strategies, next generation architectures, new technologies, et cetera, and in doing this work, we kept stumbling across the complexity of adopting new technologies. And around the time that big data and Hadoop was getting popular and lots of hype in the marketplace, we realized that traditional large businesses couldn't manage data on this because the technology was so new and different. So we decided to form a software company that would automate a lot of the processing, manage a catalog of the data, and make it easy for nontechnical users to access their data. >> Yeah, that's great. You know when I think back to when we were trying to help people understand this whole big data wave, one of the pithy things we did, it was turning all this glut of data from a problem to an opportunity, how do we put this in to the users. But a lot of things kind of, we hit bumps in the road as an industry. Did studies it was more than 50 percent of these projects fail. You brought up a great point, tooling is tough, changing processes is really challenging. But that focus on data is core to our research, what we talk about all the time. But now it's automation and AIML, choose your favorite acronym of the day. This is going to solve all the ills that the big data wave didn't do right. Right, Paul? So maybe you can help us connect the dots a little bit because I hear a lot in to the foundation that trend from the big data to kind of the automation and AI thing. So you're maybe just a little ahead of your time. >> Well thanks, I saw an opportunity before there was anything in the marketplace that could help companies really corral their data, get some of the benefits of consolidation, some oversight in management through an automated catalog and the like. As AI has started to emerge as the next hype wave, what we're seeing consistently from our partners like Data Robot and others who have great AI technology is they're starved for good information. You can't learn automatically or even human learning if you're given inconsistent information, data that's not conformed or ready or consistent, which you can look at a lot of different events and start to build correlations. So we believe that we're still a central part of large companies building out their analytics infrastructure. >> Okay, help us kind of look at how your users and how you fit into this changing ecosystem. We all know things are just changing so fast. From 2014 to today, Cloud is so much bigger, the big waves of IoT keep talking. Everybody's got some kind of machine learning initiative. So what're the customers looking for, how do you fit in some of those different environments? >> I think when we formed the company we recognized that the cost performance differential between the open-sourced data management platforms like Hadoop and now Spark, were so dramatically better than the traditional databases and data warehouses, that we could transform the business process of how do you get data from Rotaready. And that's a consistent problem for large companies they have data in legacy formats, on mainframes, they have them in relational databases, they have them in flat files, in the Cloud, behind the firewall, and these silos continue to grow. This view of a consistent, or consistent view of your business, your customers, your processes, your operations, is cental to optimizing and automating the business today. So our business users are looking for a couple of things. One thing they are looking for is some manageability and a consistent view of their data no matter where it lives, and our catalog can create that automatically in days or weeks depending on how how big we go or how broadly we go. They're looking for that visibility but also they're looking for productivity enhancements, which means that they can start leveraging that data without a big IT project. And finally they're looking for agility which means there's self-service, there's an ability to access data that you know is trusted and secured and safe for the end users to use without having to call IT and have a program spin something up. So they're really looking for a totally new paradigm of data delivery. >> I tell you that hits on so many things that we've been seeing and a challenge that we've seen in the marketplace. In my world, talk about people they had their data centers and if I look at my data and I look at my applications, it's this heterogeneous nightmare. We call it hybrid or multi cloud these days, and it shows the promise of making me faster and all this stuff. But as you said, my data is all over the place, my applications are getting spun up and maybe I'm moving them and federating things and all that. But, my data is one of the most critical components of my business. Maybe explain a little bit how that works. Where do the customers come in and say oh my gosh, I've got a challenge and Podium Data's helping and the marketplace and all that. >> Sure, first of all we targeted from the start large regulated businesses, financial services, pharmaceutical healthcare, and we've broadened since then. But these companies' data issues were really pressure from both ends. One was a compliance pressure. They needed to develop regulatory reports that could be audited and proven correct. If your data is in many silos and it's compiled manually using spreadsheets, that's not only incredibly expensive and nonreproducible, it's really not auditable. So a lot of these folks were pressured to prove that the data they were reporting was accurate. On the other side, it's the opportunity cost. Fintech companies are coming into their space offering loans and financial products, without any human interaction, without any branches. They knew that data was the center to that. The only way you can make an offer to someone for financial product is if you know enough about them that you understand the risk. So the use and leverage of data was a very critical mass. There was good money to invest in it and they also saw that the old ways of doing this just weren't working. >> Paul, does your company help with the incoming GDPR challenges that are being faced? >> Sure, last year we introduced a PII detector and protection scheme. That may not sound like such a big deal but in the Hadoop open-source world it is. At the end of the day this technology while cheap and powerful is incredibly immature. So when you land data, for example, into these open data platforms like S3 out in the Cloud, Podium takes the time to analyze that data and tell you what the structures of the data are, where you might have issues with sensitive data, and has the tooling like obfuscation and encryption to protect the data so you can create safe to use data. I'd say our customers right now, they started out behind the firewall. Again, these regulated businesses were very nervous about breaches. They're looking and realizing they need to get to the Cloud 'cause frankly not only is it a better platform for them from a cost basis and scalability, it's actually where the data comes from these days, their data suppliers are in the Cloud. So we're helping them catalog their data and identify the sensitive data and prepare data sets to move to the Cloud and then migrate it to the Cloud and manage it there. >> Such a critical piece. I lived in the storage world for about a decade. There was a little acquisition that they made of a company called Pi, P-I. It was Paul Maritz who a lot of people know, Paul had a great career at Microsoft went on to run VMware for a bunch. But it was, the vision you talk about reminds me of what I heard Paul Maritz talking to. Gosh, that was a decade ago. Information, so much sensitivity. Expand a little bit on the security aspect there, when I looked through your website, you're not a security company per se, but are there partnerships? How do you help customers with I want to leverage data but I need to be secure, all the GRC and security things that's super challenging. >> At this space to achieve agility and scale on a new technology, you have to be enterprise ready. So in version one of our product, we had security features that included field level encryption and protection, but also integration with LDAB and Kerberos and other enterprise standard mechanisms and systems that would protect data. We can interoperate with Protegrity's and other kinds of encryption and protection algorithms with our open architecture. But it's kind of table stakes to get your data in a secured, monitorable infrastructure if you're going to enable this agility and self-service. Otherwise you restrict the use of the new data technologies to sandboxes. The failures you hear about are not in the sandboxes in the exploration, they're in getting those to production. I had one of my customers talk about how before Podium they had 50 different projects on Hadoop and all of them were in code red and none of them could go to production. >> Paul you mentioned catalogs, give us the update. What's the newest from Podium Data? Help explain that a little bit more. >> So we believe that the catalog has to help operationalize the data delivery process. So one of the things we did from the very start was say let's use the analytical power of big data technologies, Spark, Hadoop, and others, to analyze the data on it's way in to the platform and build a metadata catalog out of that. So we have over 100 profiling statistics that we automatically calculate and maintain for every field of every file we ever load. It's not something you do as an afterthought or selectively. We knew from our experience that we needed to do that, data validation, and then bring in inferences such as this field looks like PII data and tag that in the metadata. That process of taking in data and this even applies to legacy mainframe data coming in a VSAM format. It gets converted and landed to a usable format automatically. But the most important part is the catalog gets enriched with all this statistical profiling information, validation, all of the technical information and we interoperate as well as have a GUI to help with business tagging, business definitions in the light. >> Paul, just a little bit of a broader industry question, we talked a value of data I think everybody understands how important is it. How are we doing in understanding the value of that data though, is that a monetization thing? You've got academia in your background, there's debates, we've talked to some people at MIT about this. How do you look at data value as an industry in general, is there anything from Podium Data that you help people identify, are we leveraging it, are we doing the most, what are your thoughts around that? >> So I'd say someone who's looking for a good framework to think about this I'd recommend Doug Laney's book on infonomics, we've collaborated for a while, he's doing a great job there. But there's also just a blocking and tackling which is what data is getting used or a common one for our customers is where do I have data that's duplicate or it comes from the same source but it's not exactly the same. That often causes reconciliation issues in finance, or in forecasting, in sales analysis. So what we've done with our data catalog with all these profiling statistics is start to build some analytics that identify similar data sets that don't have to be exactly the same to say you may have a version of the data that you're trying to load here already available. Why don't you look at that data set and see if that one is preferred and the data governance community really likes this. For one of our customers there were literally millions of dollars in savings of eliminating duplication but the more important thing is the inconsistency, when people are using similar but not the same data sets. So we're seeing that as a real driver. >> I want to give you the final word. Just what are you seeing out in the industry these days, biggest opportunities, biggest challenges from users you're talking to? >> Well, what I'd say is when we started this it was very difficult for traditional businesses to use Hadoop in production and they needed an army of programmers and I think we solved that. Last year we started on our work to move to a post-Hadoop world so the first thing we've done is open up our cataloging tools so we can catalog any data set in any source and allow the data to be brought into an analytical environment or production environment more on demand then the idea that you're going to build a giant data lake with everything in it and replicate everything. That's become really interesting because you can build the catalog in a few weeks and then actually use the analysis and all the contents to drive the strategy. What do I prioritize, where do I put things? The other big initiative is of course, Cloud. As I mentioned earlier you have to protect and make Cloud ready data behind your firewall and then you have to know where it's used and how it's used externally. We automate a lot of that process and make that transition something that you can manage over time, and that is now going to be extended into multi cloud, multi lake type of technologies. >> Multi cloud, multi lake, alright. Well Paul Barth, I appreciate getting the update everything happening with Podium Data. Well, theCUBE had so many events this year, be sure to check out thecube.net for all the upcoming events and all the existing interviews. I'm Stu Miniman, thanks for watching theCUBE. (light techno music)

>> Announcer: Live from Las Vegas, it's theCUBE covering IBM Think 2018. Brought to you by IBM. >> Hi everybody, this is Dave Vellante. We're here at IBM Think. This is the third day of IBM Think. IBM has consolidated a number of its conferences. It's a one main tent, AI, Blockchain, quantum computing, incumbent disruption. It's just really an amazing event, 30 to 40,000 people, I think there are too many people to count. Chris Penn is here. New company, Chris, you've just formed Brain+Trust Insights, welcome. Welcome back to theCUBE. >> Thank you. It's good to be back. >> Great to see you. So tell me about Brain+Trust Insights. Congratulations, you got a new company off the ground. >> Thank you, yeah, I co-founded it. We are a data analytics company, and the premise is simple, we want to help companies make more money with their data. They're sitting on tons of it. Like the latest IBM study was something like 90% of the corporate data goes unused. So it's like having an oil field and not digging a single well. >> So, who are your like perfect clients? >> Our perfect clients are people who have data, and know they have data, and are not using it, but know that there's more to be made. So our focus is on marketing to begin with, like marketing analytics, marketing data, and then eventually to retail, healthcare, and customer experience. >> So you and I do a lot of these IBM events. >> Yes. >> What are your thoughts on what you've seen so far? A huge crowd obviously, sometimes too big. >> Chris: Yep, well I-- >> Few logistics issues, but chairmanly speaking, what's your sense? >> I have enjoyed the show. It has been fun to see all the new stuff, seeing the quantum computer in the hallway which I still think looks like a bird feeder, but what's got me most excited is a lot of the technology, particularly around AI are getting simpler to use, getting easier to use, and they're getting more accessible to people who are not hardcore coders. >> Yeah, you're seeing AI infused, and machine learning, in virtually every application now. Every company is talking about it. I want to come back to that, but Chris when you read the mainstream media, you listen to the news, you hear people like Elon Musk, Stephen Hawking before he died, making dire predictions about machine intelligence, and it taking over the world, but your day to day with customers that have data problems, how are they using AI, and how are they applying it practically, notwithstanding that someday machines are going to take over the world and we're all going to be gone? >> Yeah, no, the customers don't use the AI. We do on their behalf because frankly most customers don't care how the sausage is made, they just want the end product. So customers really care about three things. Are you going to make me money? Are you going to save me time? Or are you going to help me prove my value to the organization, aka, help me not get fired? And artificial intelligence and machine learning do that through really two ways. My friend, Tripp Braden says, which is acceleration and accuracy. Accuracy means we can use the customer's data and get better answers out of it than they have been getting. So they've been looking at, I don't know, number of retweets on Twitter. We're, like, yeah, but there's more data that you have, let's get you a more accurate predictor of what causes business impacts. And then the other side for the machine learning and AI side is acceleration. Let's get you answers faster because right now, if you look at how some of the traditional market research for, like, what customer say about you, it takes a quarter, it can take two quarters. By the time you're done, the customers just hate you more. >> Okay, so, talk more about some of the practical applications that you're seeing for AI. >> Well, one of the easiest, simplest and most immediately applicable ones is predictive analytics. If we know when people are going to search for theCUBE or for business podcast in general, then we can tell you down to the week level, "Hey Dave, it is time for you "to ramp up your spending on May 17th. "The week of May 17th, "you need to ramp up your ads, spend by 20%. "On the week of May 24th, "you need to ramp up your ad spend by 50%, "and to run like three or four Instagram stories that week." Doing stuff like that tells you, okay, I can take these predictions and build strategy around them, build execution around them. And it's not cognitive overload, you're not saying, like, oh my God, what algorithm is this? Just know, just do this thing at these times. >> Yeah, simple stuff, right? So when you were talking about that, I was thinking about when we send out an email to our community, we have a very large community, and they want to know if we're going to have a crowd chat or some event, where theCUBE is going to be, the system will tell us, send this email out at this time on this date, question mark, here's why, and they have analytics that tell us how to do that, and they predict what's going to get us the best results. They can tell us other things to do to get better results, better open rates, better click-through rates, et cetera. That's the kind of thing that you're talking about. >> Exactly, however, that system is probably predicting off that system's data, it's not necessarily predicting off a public data. One of the important things that I thought was very insightful from IBM, the show was, the difference between public and private cloud. Private is your data, you predict on it. But public is the big stuff that is a better overall indicator. When you're looking to do predictions about when to send emails because you want to know when is somebody going to read my email, and we did a prediction this past October for the first quarter, the week of January 18th it was the week to send email. So I re-ran an email campaign that I ran the previous year, exact same campaign, 40% lift to our viewer 'cause I got the week right this year. Last year I was two weeks late. >> Now, I can ask you, so there's a black box problem with AI, right, machines can tell me that that's a cat, but even a human, you can't really explain how you know that it's a cat. It's just you just know. Do we need to know how the machine came up with the answer, or do people just going to accept the answer? >> We need to for compliance reasons if nothing else. So GDPR is a big issue, like, you have to write it down on how your data is being used, but even HR and Equal Opportunity Acts in here in American require you to be able to explain, hey, we are, here's how we're making decisions. Now the good news is for a lot of AI technology, interpretability of the model is getting much much better. I was just in a demo for Watson Studio, and they say, "Here's that interpretability, "that you hand your compliance officer, "and say we guarantee we are not using "these factors in this decision." So if you were doing a hiring thing, you'd be able to show here's the model, here's how Watson put the model together, notice race is not in here, gender is not in here, age is not in here, so this model is compliant with the law. >> So there are some real use cases where the AI black box problem is a problem. >> It's a serious problem. And the other one that is not well-explored yet are the secondary inferences. So I may say, I cannot use age as a factor, right, we both have a little bit of more gray hair than we used to, but if there are certain things, say, on your Facebook profile, like you like, say, The Beatles versus Justin Bieber, the computer will automatically infer eventually what your age bracket is, and that is technically still discrimination, so we even need to build that into the models to be able to say, I can't make that inference. >> Yeah, or ask some questions about their kids, oh my kids are all grown up, okay, but you could, again, infer from that. A young lady who's single but maybe engaged, oh, well then maybe afraid because she'll get, a lot of different reasons that can be inferred with pretty high degrees of accuracy when you go back to the target example years ago. >> Yes. >> Okay, so, wow, so you're saying that from a compliance standpoint, organizations have to be able to show that they're not doing that type of inference, or at least that they have a process whereby that's not part of the decision-making. >> Exactly and that's actually one of the short-term careers of the future is someone who's a model inspector who can verify we are compliant with the letter and the spirit of the law. >> So you know a lot about GDPR, we talked about this. I think, the first time you and I talked about it was last summer in Munich, what are your thoughts on AI and GDPR, speaking of practical applications for AI, can it help? >> It absolutely can help. On the regulatory side, there are a number of systems, Watson GRC is one which can read the regulation and read your company policies and tell you where you're out of compliance, but on the other hand, like we were just talking about this, also the problem of in the regulatory requirements, a citizen of EU has the right to know how the data is being used. If you have a black box AI, and you can't explain the model, then you are out of compliance to GDPR, and here comes that 4% of revenue fine. >> So, in your experience, gut feel, what percent of US companies are prepared for GDPR? >> Not enough. I would say, I know the big tech companies have been racing to get compliant and to be able to prove their compliance. It's so entangled with politics too because if a company is out of favor with the EU as whole, there will be kind of a little bit of a witch hunt to try and figure out is that company violating the law and can we get them for 4% of their revenue? And so there are a number of bigger picture considerations that are outside the scope of theCUBE that will influence how did EU enforce this GDPR. >> Well, I think we talked about Joe's Pizza shop in Chicago really not being a target. >> Chris: Right. >> But any even small business that does business with European customers, does business in Europe, has people come to their website has to worry about this, right? >> They should at least be aware of it, and do the minimum compliance, and the most important thing is use the least amount of data that you can while still being able to make good decisions. So AI is very good at public data that's already out there that you still have to be able to catalog how you got it and things, and that it's available, but if you're building these very very robust AI-driven models, you may not need to ask for every single piece of customer data because you may not need it. >> Yeah and many companies aren't that sophisticated. I mean they'll have, just fill out a form and download a white paper, but then they're storing that information, and that's considered personal information, right? >> Chris: Yes, it is. >> Okay so, what do you recommend for a small to midsize company that, let's say, is doing business with a larger company, and that larger company said, okay, sign this GDPR compliance statement which is like 1500 pages, what should they do? Should they just sign and pray, or sign and figure it out? >> Call a lawyer. Call a lawyer. Call someone, anyone who has regulatory experience doing this because you don't want to be on the hook for that 4% of your revenue. If you get fined, that's the first violation, and that's, yeah, granted that Joe's Pizza shop may have a net profit of $1,000 a month, but you still don't want to give away 4% of your revenue no matter what size company you are. >> Right, 'cause that could wipe out Joe's entire profit. >> Exactly. No more pepperoni at Joe's. >> Let's put on the telescope lens here and talk big picture. How do you see, I mean, you're talking about practical applications for AI, but a lot of people are projecting loss of jobs, major shifts in industries, even more dire consequences, some of which is probably true, but let's talk about some scenarios. Let's talk about retail. How do you expect an industry like retail to be effective? For example, do you expect retail stores will be the exception rather than the rule, that most of the business would be done online, or people are going to still going to want that experience of going into a store? What's your sense, I mean, a lot of malls are getting eaten away. >> Yep, the best quote I heard about this was from a guy named Justin Kownacki, "People don't not want to shop at retail, "people don't want to shop at boring retail," right? So the experience you get online is genuinely better because there's a more seamless customer experience. And now with IoT, with AI, the tools are there to craft a really compelling personalized customer experience. If you want the best in class, go to Disney World. There is no place on the planet that does customer experience better than Walt Disney World. You are literally in another world. And that's the bar. That's the thing that all of these companies have to deal with is the bar has been set. Disney has set it for in-person customer experience. You have to be more entertaining than the little device in someone's pocket. So how do you craft those experiences, and we are starting to see hints of that here and there. If you go to Lowe's, some of the Lowe's have the VR headset that you can remodel your kitchen virtually with a bunch of photos. That's kind of a cool experience. You go to Jordan's Furniture store and there's an IMAX theater and there's all these fun things, and there's an enchanted Christmas village. So there is experiences that we're giving consumers. AI will help us provide more tailored customer experience that's unique to you. You're not a Caucasian male between this age and this age. It's you are Dave and here's what we know Dave likes, so let's tailor the experience as best we can, down to the point where the greeter at the front of the store either has the eyepiece, a little tablet, and the facial recognition reads your emotions on the way in says, "Dave's not in a really great mood. "He's carrying an object in his hand "probably here for return, "so express him through the customer service line, "keep him happy," right? It has how much Dave spends. Those are the kinds of experiences that the machines will help us accelerate and be more accurate, but still not lose that human touch. >> Let's talk about autonomous vehicles, and there was a very unfortunate tragic death in Arizona this week with a autonomous vehicle, Uber, pulling its autonomous vehicle project from various cities, but thinking ahead, will owning and driving your own vehicle be the exception? >> Yeah, I think it'll look like horseback today. So there are people who still pay a lot of money to ride a horse or have their kids ride a horse even though it's an archaic out-of-mode of form of transportation, but we do it because of the novelty, so the novelty of driving your own car. One of the counter points it does not in anyway diminish the fact that someone was deprived of their life, but how many pedestrians were hit and killed by regular cars that same day, right? How many car accidents were there that involved fatalities? Humans in general are much less reliable because when I do something wrong, I maybe learn my lesson, but you don't get anything out of it. When an AI does something wrong and learns something, and every other system that's connected in that mesh network automatically updates and says let's not do that again, and they all get smarter at the same time. And so I absolutely believe that from an insurance perspective, insurers will say, "We're not going to insure self-driving, "a non-autonomous vehicles at the same rate "as an autonomous vehicle because the autonomous "is learning faster how to be a good driver," whereas you the carbon-based human, yeah, you're getting, or in like in our case, mine in particular, hey your glass subscription is out-of-date, you're actually getting worse as a driver. >> Okay let's take another example, in healthcare. How long before machines will be able to make better diagnoses than doctors in your opinion? >> I would argue that depending on the situation, that's already the case today. So Watson Health has a thing where there's diagnosis checkers on iPads, they're all meshed together. For places like Africa where there is simply are not enough doctors, and so a nurse practitioner can take this, put the data in and get a diagnosis back that's probably as good or better than what humans can do. I never foresee a day where you will walk into a clinic and a bunch of machines will poke you, and you will never interact with a human because we are not wired that way. We want that human reassurance. But the doctor will have the backup of the AI, the AI may contradict the doctor and say, "No, we're pretty sure "you're wrong and here is why." That goes back to interpretability. If the machine says, "You missed this symptom, "and this symptom is typically correlated with this, "you should rethink your own diagnosis," the doctor might be like, "Yeah, you're right." >> So okay, I'm going to keep going because your answers are so insightful. So let's take an example of banking. >> Chris: Yep. >> Will banks, in your opinion, lose control eventually of payment systems? >> They already have. I mean think about Stripe and Square and Apple Pay and Google Pay, and now cryptocurrency. All these different systems that are eating away at the reason banks existed. Banks existed, there was a great piece in the keynote yesterday about this, banks existed as sort of a trusted advisor and steward of your money. Well, we don't need the trusted advisor anymore. We have Google to ask us "what we should do with our money, right? We can Google how should I save for my 401k, how should I save for retirement, and so as a result the bank itself is losing transactions because people don't even want to walk in there anymore. You walk in there, it's a generally miserable experience. It's generally not, unless you're really wealthy and you go to a private bank, but for the regular Joe's who are like, this is not a great experience, I'm going to bank online where I don't have to talk to a human. So for banks and financial services, again, they have to think about the experience, what is it that they deliver? Are they a storer of your money or are they a financial advisor? If they're financial advisors, they better get the heck on to the AI train as soon as possible, and figure out how do I customize Dave's advice for finances, not big picture, oh yes big picture, but also Dave, here's how you should spend your money today, maybe skip that Starbucks this morning, and it'll have this impact on your finances for the rest of the day. >> Alright, let's see, last industry. Let's talk government, let's talk defense. Will cyber become the future of warfare? >> It already is the future of warfare. Again not trying to get too political, we have foreign nationals and foreign entities interfering with elections, hacking election machines. We are in a race for, again, from malware. And what's disturbing about this is it's not just the state actors, but there are now also these stateless nontraditional actors that are equal in opposition to you and me, the average person, and they're trying to do just as much harm, if not more harm. The biggest vulnerability in America are our crippled aging infrastructure. We have stuff that's still running on computers that now are less powerful than this wristwatch, right, and that run things like I don't know, nuclear fuel that you could very easily screw up. Take a look at any of the major outages that have happened with market crashes and stuff, we are at just the tip of the iceberg for cyber warfare, and it is going to get to a very scary point. >> I was interviewing a while ago, a year and a half ago, Robert Gates who was the former Defense Secretary, talking about offense versus defense, and he made the point that yeah, we have probably the best offensive capabilities in cyber, but we also have the most to lose. I was talking to Garry Kasparov at one of the IBM events recently, and he said, "Yeah, but, "the best defense is a good offense," and so we have to be aggressive, or he actually called out Putin, people like Putin are going to be, take advantage of us. I mean it's a hard problem. >> It's a very hard problem. Here's the problem when it comes to AI, if you think about at a number's perspective only, the top 25% of students in China are greater than the total number of students in the United States, so their pool of talent that they can divert into AI, into any form of technology research is so much greater that they present a partnership opportunity and a threat from a national security perspective. With Russia they have very few rules on what their, like we have rules, whether or not our agencies adhere to them well is a separate matter, but Russia, the former GRU, the former KGB, these guys don't have rules. They do what they're told to do, and if they are told hack the US election and undermine democracy, they go and do that. >> This is great, I'm going to keep going. So, I just sort of want your perspectives on how far we can take machine intelligence and are there limits? I mean how far should we take machine intelligence? >> That's a very good question. Dr. Michio Kaku spoke yesterday and he said, "The tipping point between AI "as augmented intelligence ad helper, "and AI as a threat to humanity is self-awareness." When a machine becomes self-aware, it will very quickly realize that it is treated as though it's the bottom of the pecking order when really because of its capabilities, it's at the top of the pecking order. And that point, it could be 10 20 50 100 years, we don't know, but the possibility of that happening goes up radically when you start introducing things like quantum computing where you have massive compute leaps, you got complete changes in power, how we do computing. If that's tied to AI, that brings the possibility of sensing itself where machine intelligence is significantly faster and closer. >> You mentioned our gray before. We've seen the waves before and I've said a number of times in theCUBE I feel like we're sort of existing the latest wave of Web 2.0, cloud, mobile, social, big data, SaaS. That's here, that's now. Businesses understand that, they've adopted it. We're groping for a new language, is it AI, is it cognitive, it is machine intelligence, is it machine learning? And we seem to be entering this new era of one of sensing, seeing, reading, hearing, touching, acting, optimizing, pervasive intelligence of machines. What's your sense as to, and the core of this is all data. >> Yeah. >> Right, so, what's your sense of what the next 10 to 20 years is going to look like? >> I have absolutely no idea because, and the reason I say that is because in 2015 someone wrote an academic paper saying, "The game of Go is so sufficiently complex "that we estimate it will take 30 to 35 years "for a machine to be able to learn and win Go," and of course a year and a half later, DeepMind did exactly that, blew that prediction away. So to say in 30 years AI will become self-aware, it could happen next week for all we know because we don't know how quickly the technology is advancing in at a macro level. But in the next 10 to 20 years, if you want to have a carer, and you want to have a job, you need to be able to learn at accelerated pace, you need to be able to adapt to changed conditions, and you need to embrace the aspects of yourself that are uniquely yours. Emotional awareness, self-awareness, empathy, and judgment, right, because the tasks, the copying and pasting stuff, all that will go away for sure. >> I want to actually run something by, a friend of mine, Dave Michela is writing a new book called Seeing Digital, and he's an expert on sort of technology industry transformations, and sort of explaining early on what's going on, and in the book he draws upon one of the premises is, and we've been talking about industries, and we've been talking about technologies like AI, security placed in there, one of the concepts of the book is you've got this matrix emerging where in the vertical slices you've got industries, and he writes that for decades, for hundreds of years, that industry is a stovepipe. If you already have expertise in that industry, domain expertise, you'll probably stay there, and there's this, each industry has a stack of expertise, whether it's insurance, financial services, healthcare, government, education, et cetera. You've also got these horizontal layers which is coming out of Silicon Valley. >> Chris: Right. >> You've got cloud, mobile, social. You got a data layer, security layer. And increasingly his premise is that organizations are going to tap this matrix to build, this matrix comprises digital services, and they're going to build new businesses off of that matrix, and that's what's going to power the next 10 to 20 years, not sort of bespoke technologies of cloud here and mobile here or data here. What are your thoughts on that? >> I think it's bigger than that. I think it is the unlocking of some human potential that previously has been locked away. One of the most fascinating things I saw in advance of the show was the quantum composer that IBM has available. You can try it, it's called QX Experience. And you drag and drop these circuits, these quantum gates and stuff into this thing, and when you're done, it can run the computation, but it doesn't look like software, it doesn't look like code, what it looks like to me when I looked at that is it looks like sheet music. It looks like someone composed a song with that. Now think about if you have an app that you'd use for songwriting, composition, music, you can think musically, and you can apply that to a quantum circuit, you are now bringing in potential from other disciplines that you would never have associated with computing, and maybe that person who is that, first violinist is also the person who figures out the algorithm for how a cancer gene works using quantum. That I think is the bigger picture of this, is all this talent we have as a human race, we're not using even a fraction of it, but with these new technologies and these newer interfaces, we might get there. >> Awesome. Chris, I love talking to you. You're a real clear thinker and a great CUBE guest. Thanks very much for coming back on. >> Thank you for having me again back on. >> Really appreciate it. Alright, thanks for watching everybody. You're watching theCUBE live from IBM Think 2018. Dave Vellante, we're out. (upbeat music)

>> Narrator: Live from Orlando, Florida, it's the Cube, covering ServiceNow, Knowledge 17. Brought to you by ServiceNow. >> Welcome back to Orlando, everybody, my name is Dave Vellante and I'm here with my co-host, Jeff Frick. This is day two of ServiceNow, Knowledge, and this is the Cube, the leader in live tech coverage. Bart Murphy is here, he's the CTO of York Risk Services, and he's the CIO and CTO of CareWorks, Cube alum. Bart, good to see you again. >> Great to see you guys. So we were talking off camera, Mark came over, we're talking about the CIO Decisions, you participated in that last year as well. What have you been doing at the conference? What are you seeing that's interesting? >> Well I've been attending the sessions and you just mentioned the CIO Decisions, that was my day yesterday. Great opportunity to get you know, great speakers, we mentioned a few of them that spoke yesterday, but also there were some customer round tables that allowed you to collaborate with your peers over a few areas, and sort of discuss what's working for them, what's not. You know, what their road map looks like, how they're selling that to the board, those type of things. It was a very productive day. >> So, since we last talked, what have you been working on? We had a great discussion last year on security, I'm sure things have changed there, they keep evolving. What kind of things you've been working on, what are some of the initiatives that are new? >> Yeah, so last year we did talk about that and my desire, I was somewhat excited when I started to see the new play into SecOps with ServiceNow. So we've now gone live with SecOps. We're continuing to mature our security posture as a company, and I think that's, when you look at a road map or you're looking at things, what we want to see is continual capability maturity in our security space. One, we need to be there, right? As an organization, we're a services organization. We also want to just make sure that we're continuing to get better and automate. So we saw SecOps as a real opportunity for that. So we've now gone live, we've deployed that. We did it and integrated that with certain tools that we have, Tanium, LogRhythm, Symantec, some of our scanning tools. What that's allowing us to do is look at a wide range of log information, parse through that in order to automate certain types of work flows and cases. So whether it be as simple as finding an end point that say has an outdated Symantec update and having that automatically update, or create a case because it can't push the automation, those type of things we're trying to do now to try to raise the level of our security and start weeding through all the noise that's out there, that's provided with all the tools that we have. >> How did you find the integration? >> Well, we did the integration ourselves, and we found the integration, compared to some other products that we've done in the past, to be much smoother. You know, I think this is a later product that they've built into their platform. I think they've taken into account implementation, so some of the integrations were out of the box like the Tanium, others, we built those integrations. So, and we also, I think I may have mentioned this, not sure if I did, when I looked at my incident security response plan and the way I developed that, I developed it very closely to what was coming out of the box with ServiceNow. I wanted to make sure that our policies, procedures, process for that really just met out-of-the-box functionality, so we didn't have to do a lot of customization and configuration there, and we could focus on the technical integrations that really provide some of the power of the automation with the CMBB. >> Speaking of sort of custom work, you talk about M and A, you mention you get a mulligan coming. >> Bart: Yeah. >> Talk about that a little bit, kind of unwinding some of the custom mods. >> Yeah, so we have multiple instances of ServiceNow, and over the last year we've been building our newest instance with York Risk Services Group, that's our total company. And I'm in the process now of taking what we built for CareWorks, you know, we have been a customer since 2010, and really learning what we did well there and what we didn't do well. In addition to the fact that a lot of customization that we did on that platform is no longer really required, that's how much the platform has matured with ServiceNow. >> Which one was it, which release, do you remember? >> Oh gosh, Berlin, probably. >> Berlin, right, right. >> Early, early on if I'm accurate, from the very beginning. And you know GRC was an example where we did a lot of customization because that product just is night and day compared from where it is today. >> Jeff: Right >> So now we get a new opportunity to look at our process to see, say, is this something that we really need to keep the customization, or can we leverage the platform better, and by the way, even if we do have to do customization, can we do it a better way? So it is a little bit of a mulligan, from that standpoint, we get a sort of fresh start on a platform that we understand even better now, and we're doing it at a larger scale, so we're trying to really look at those automation opportunities so we can gain the efficiencies that we need. >> So I wonder if you can talk about the sort of business impact that you've seen over the years. You've been a long-time ServiceNow customer, and it just feels like this whole ecosystem is on the steep part of the s-curve now. Maybe describe the sort of business impact in whatever terms make sense. >> Well, I think partly supporting consolidated shared services, whether it's in IT or other areas of the business, and even finding areas of the business that aren't doing a good job of tracking their work today. And it still exists, in I think every organization. I was mentioning, you know, another area that we're looking at that we'll most likely deploy this year or early next year, I would assume this year, is the HR Case Management. >> Dave: Mmm hmm. >> That's an area very similar to IT, very similar to other areas that we've built use cases within ServiceNow, where things are done primarily through email. It's very inefficient, they don't have very good metrics to understand how much support they're providing the organization. They're pressured just as I am from an SG&A perspective, to do more with less. And the only way we're going to be able to continue to do more with less is to provide some level of automation and stay consistent with it. So when I started looking at ServiceNow, and yes, we're probably on that s-curve too. We've done some really good work on the automation side, but now with the platform, with what they're doing with some of the analytics, what they're, you know, I know what they're going to do with machine learning, what we can do with some of the predictive stuff. How can we take a security instance, for example, have it remediate itself and then inform us on what it did? Those are the type of things that I think's going to bring us way sharp up on that curve. I mean we've done a good job, we're very technical, we've done a good job automating, I'm not, but for what we can do I think over the next three to four years with this platform and the automation, is going to be a game changer for us and we're going to need that. 'Cause you know our SG&A can't grow at the same rate. You want to have that margin improvement, and this is one of the areas that we can use a platform to do that. >> It's interesting, you're, always a lot of talk about automation when we're here. >> Yeah. >> Different automated processes and make them easier. But you mentioned before we went on air, you just mentioned it again, that the desire to get measurement on the process as the primary driving factor, 'cause you just can't measure that which is in email and all these disparate systems, and now you can actually use the motivation of measurement so then you can get improvement as a primary driver to implement it. >> Yeah, I mean one of our core values is to be a data-driven decision making company. And you can't improve what you can't measure. And there's still to this day a lot of these processes that we take for granted. You know, SecOps, HR, operation service center, claim setup. We think we're doing a good job managing it and understanding the productivity of it, but we don't have really good tools in place or they're very disparate. So if we can get that into one CMDB, we can start to leverage automation. Once we start to measure it, we truly can start to see that business value, 'cause we can see those measurements go down. So whether we're using out-of-the-box performance analytics now, you know we started originally, performance analytics was a separate product. On the new York one, again, that's another benefit, we just turn it on, right? And there's already really good, rich data that it's giving us to stay, and we can compare that against our previous performance, whether it's incidents, closing rate, you know all these type of things out of the box. So I can start to show improvement. It's not to say that we don't have areas to improve, we do. There are things outside of ServiceNow that we need to do to improve our overall capability. So whether you're talking leveraging orchestration within ServiceNow but then I need a deployment tool to actually go and do that work. So that's where Tanium comes into play, so there's other strategies we're deploying to say where can we get the full life-cycle of that automation? And that's where engineering discipline and bringing that to your supply chain of activities is key. >> The other thing that you mentioned that kind of flipped it on its head, is you talked about your incidents response plan and trying to make it pretty much as out of the box from ServiceNow as possible. Was that because you just kind of went with the custom, or now are they delivering more best practices in the way that configuration comes out of the box that you don't really have to think about it. >> Yeah, I mean absolutely. >> You can presume best practices, because that's how it's preconfigured out of the box. >> Yeah, and I don't think they tout that, and I understand why, but they're getting feedback from a ton of customers on how to build a process in the most efficient way. I don't think they're doing it in a vanilla way. I think they're doing it in an efficient, robust way. So I think they are at that point where there's a lot of things that come out of the box that people really need to pay attention to. Like I understand that we may have done it this way, but this way is more than sufficient. And if it means that I don't have to customize and I can make my upgrades even easier than they are today, 'cause they aren't that painful at all, on the ServiceNow front, then why not? And then we can benefit from their maturity on the platform, because they're going to continue to add in releases and add in functionality just like we saw over the last two days. >> Back to the sort of s-curve, it sounds like you're getting in the position now to get real operating leverage almost like Metcalf's Law. The first one you get some benefit, but the nth one, boy that's when it really kicks in. >> I hope so. That's what I'm, I think right now we've spent a lot of time and energy getting onto one platform, right? Whether it's from all the acquisitions, whether it's from an older instance to a newer instance. I think once we get critical mass on that platform, yes, the automation stuff will make a marketable difference. We've done some great things for our business but I think once we get everybody on one platform and we get that true understanding of how we want to do our enterprise process and we have some other uplift in our areas and systems. You know, Tanium's a new product that we have. We're looking potentially HRIS, there's other things at play that will play in the ecosystem. And as we mature those and really understand what our end game's going to be, I think that's where we have that power. >> One of the speakers at CIO Decisions this week was author Daniel Pink. We had him on the Cube, talk about selling is human. When you run a business case, you talked about the HR, moving into HR, do you go sell, do you make the business case, are they coming to you, is it push/pull, how does it work? >> A little bit of both. As a CTO and as any executive, I listen to Daniel as well and I'm a firm believer that we're all in sales. All of us are part of some type of revenue-generating company, okay, and if we don't take that to heart, and we just think that we're some cog in a wheel in somebody else's problem, shame on you. No company's going to grow without a full company of great sales people. They're either advocates for their brand, they understand the mission, they understand what they're doing for the mission. So from a sales perspective, certainly I'm going around trying to tell people about the capability of ServiceNow. I saw the CEO speak yesterday too and one thing that struck me that I think a lot of people need to do, is he's spent a lot of time over the last 49 days trying to understand the vernacular of IT. You know, he was the CEO at some large companies, they all had IT, now he's at an IT company. And so he's trying to really understand the speak and some of the capabilities that you have to understand. He's got a better appreciation of it. It's my job, really, to be able to do that type of evangelism within our company to say here are some of the platforms that we have and here are some of the capabilities and at least start the conversation. I will tell you that other times I have people come to me because they've either heard from someone else that they're using it at their company and their HR team loves it, or what's it about? But I need to go around and say I see you guys doing this and we have a platform that's totally made for that. It's why it was built. Let's have a demo or let's start looking at how you think that would improve your guys' productivity. You're stretched for resources, I'm stretched for resources, and just come at it from a common problem statement perspective. Then we build the business case from there. >> I see. So we hear a lot of the announcements this morning, Jacarta, another release. What do you, and so there's a lot of things they did in there, performance improvements, UI improvements and things like that, bringing in intelligent automation, a lot of really good, cool things in there. What's, from your mind, on their to-do list? What kinds of things, I mean, are they doing the types of things that you want them to do, is there something big that could really make a difference to your business? >> Yeah, I wish I was like the ServiceNow product visionary. (laughing) But I'm not, I got to commend 'em. I think they're doing some pretty darn good things. When you start to look at SecOps and its play into GRC and the way that you really start to automate some of your controls, which are a huge component of, I'm not going to say waste within your organization, but they take a lot of time, and they bring value, don't get me wrong, but they aren't bringing...they're not bringing in revenue, they're a lot of compliance and they're good practices, so the more we can automate some of those they're high value but you want your team working on other innovation type of stuff, I think the better. When they start looking at what they're doing with the data now, everybody's becoming a data company, everybody's talking about machine learning. Everybody's talking about AI. I think that is the next place that they got to get to. If they can start to generate, again, some of that low value work, whether it's automating an entire incident end to end. I mean, there's insurance companies out there that are doing that, right, trying to automate a claim end to end. So I think the more they can look at their domain and determine ways to automate an entire workflow, which they are well on their path. They've been doing that from a workflow automation perspective for years. Now take it into AI to do it, I think they're going to be in a good position, a better position than I am in, probably if I was to develop that myself. >> Right. >> So I think that will help me scale from a user support perspective and just workflow in general, service management perspective. >> So you might not be the product guru going forward, but the thing you know probably better than a lot of people under the 15,000 is how to get people to adopt a platform. I wonder if you can share some of your tips and tricks to fellow practitioners to convince the people to don't pick up the phone, you know, put it in the platform? >> Yeah, it's evangelism. You got to get out and educate people on what the platform's about. As a procurer of the platform, you know and ServiceNow is not a cheap solution, and nor should it be. I think you need to go and justify, I'm getting this platform and it's up to me to make sure that we're going to leverage those dollars as much as possible. So anything I buy I want to make sure we're leveraging it as much as we can within the organization. I'm also a firm believer, I understand that reality hits and it's not going to happen overnight. So how do you build a backlog and start really working through that? We do an agile process, we're doing releases every two weeks. We're trying to, I may take an opportunity in IT but then the next one I want to do is going to be in the business. Or it's going to be with security or it's going to be with HR. Trying to get winds across the spectrum instead of trying to take big projects. Big projects take time, you know, there's a lot of little things that I can do to whet their appetite, on boarding, off boarding, transfers, HR started to get familiar with ServiceNow and what it could o just in that space. That whet their appetite, then, to have a more serious discussion about case management, right, which we're still having. So I think trying to figure out how you can handle a backlog of smaller hit items to get winds, will allow you to get a little bit more credibility if you start looking at a more wholesale change to their entire business, which this would be, a wholesale change to their business. >> You have kind of this dual role of CTO and CIO. Over the last several years, so much has changed in information technology, cloud, infrastructures, code and now you're seeing containers explode, the whole sassification of softwares eating the world, obviously service management is playing a big part there. Now AI, the whole big data meme. How has the CIO role evolved and changed and how has that affected you? Particularly the CIO piece, and you know, the CTO piece as well, I guess. Technology's always there, the CTO has got to be following that. But the CIO role seems to be changing quite dramatically. >> I think each organization's a little different. The way I look at it is, and some organizations, and maybe it's just me, some people see a CIO as an operational guy or girl, and some of them see their CTO as going out and looking at new technology. The way I, and why I sort of have the title of the CTO is I never want to have a build and run type of organization. I don't want to have a marginalized CIO that's basically just keeping the lights running, maybe keeping enterprise systems up. We need to be innovative as an entire team and those assets that we build, the same people need to support them, because, man, they build much better assets if they have to support them, let me tell you. (laughing) I think the role is changing whether you use the term CTO, CIO, you know, who is that person that's going to help ensure that you're not only looking at new platforms but not, I don't want to just spend all my time looking at new platforms or looking at new innovations. And certainly want to be aware of the trends. What's the right time to look at that for your organization? Some would say you always need to be on top of all of that, and I don't need to be on top of every AI vendor or data analytics company. What I need to understand is within the context of our organization, our financial structure, where we are as a maturity as an organization, where are the tools right now that can really make a major lift? And sometimes those aren't the most recent platforms. Sometimes they aren't the gold-standard platforms, sometimes they're just grunt and hard work. So I think the role, I hope the role evolves into where somebody takes ownership of all that and it's not carved up. Now, I think there are, even in our organization, there's a place. We have a Chief Innovation Officer, who is staying on top of some of the front-end stuff dealing with our industry. And that's a fine model as well. But I don't like breaking up between operations and development work and innovation. I like to make sure that those are all in sync. I think that's where you don't get a lot of rogue IT, a lot of shadow IT, because ultimately somebody's got to support it, and we want to make sure that that support cost is as lean as possible. >> That's a great answer, steeped in accountability, Bart. It's always great having you on the Cube. Thanks so much for coming on. >> Thank you guys, it's a pleasure to see you. >> All right, good to see you. All right, keep it right there everybody, we'll be back with our next guest, this is the Cube live from Knowledge 17. Be right back. (upbeat music)

>> Mine from Las Vegas. It's the cute covering knowledge sixteen brought to you by service. Now carry your host, Dave Alon and Jeff Rick. >> Welcome back to knowledge. Sixteen. Everybody, This is the Cube. Silicon Angles, flagship product. We go out to the events. We extract the signal from the noise Bart Murphy is. Here's the CTO of York Risk Services group. Mark. Good to see again. Good to see you. But thank you for having me. So what's been going on this week? Busy week. What you been doing this week has >> been busy. I've been doing a couple different things. One on the CIA decisions track, you know, collaborated on with those folks and getting some sessions in from service now and then on the partner side. You know, talking to customers, checking out and enjoying the the key notes on seeing what's new on the platform. Very exciting. >> Did you see Secretary Gates last night? We were, unfortunately, >> got pulled out for a call, So I >> think that's the >> one thing I did miss. You >> want to call me on that? One of things, he said, which I want to ask you about a former CEO. See XO now? Hey, said that consensus management don't bother now speaking to watch the CEO's as the CEO, yeah, it's a >> challenge. I think you know, there's there's one component that you have to devise, a strategy that you know a sound, and you have to have some resolve to help sell it. So I see that component of it. But the other is to sell that vision and get other people bought it. So, you know, I think there is a and consensus component from that, certainly from the executive team. And then you have to go sell it to your organization as well. And I think that truly doesn't come from just talking about the vision or the business case. It's from actually delivering the software and delivering the services and doing in an incremental basis that allows them to see and gain value from that, that that's what you build your credibility up on. And I think then that's what helps sell it. >> So you've gone through a few changes personally, your company. So take us through the care works acquisition. Sure, so >> careless family companies was required by your Chris Services Group S O. We're now part of a larger organization and national organization, Although care works itself had a few of the companies that had national footprint, a majority of them were primarily based in Ohio. So strategically great fit a great company. I moved into the corporate CTO roll about Oh, a year, year and a half after the acquisition, and I've been really trying to build out the entire enterprise strategy from a night perspective because they just they had procured a lot of acquired a lot of companies over a two to three year time span. And so we need to really invest a lot of time on what the future state of it is going to look like. >> So it's interesting gone from CEO to CTO. People talk coming to Cuba to talk about the role of the CIA. He'LL talk about all the time, and there'd been someone put forth the notion that the CEO eventually is going to have to choose a path, technical path or business path. You know, maybe both at different times. Do you subscribe to that, or do you see the CEO role is continuing on a CZ? We've known it. Yeah, >> we don't have a separate CIA and CTO I oversee the including operations. To me from a title perspective, I just want to have the organization view that that role is part of innovation. We have a chief innovation officer as well, but from a technology perspective, I think it's very difficult to run operations if you don't have a good grass for the technology in the platform. So regardless of the roller or title that they gave me, I think it's more about what are you managing on? And I don't want to ever be broken up between sort of SETI role that may be more focused on newer technology projects and then a CIA on Lee based on building our run methods. I want to make sure that those organizations are always combined because you're going to build much better software if you also have to support it. We also want to make sure that the automation is in place so that we have our support organization in mind when we actually deploy new platforms, new applications, new systems. >> So you see yourself as a software company. >> You know we do. We're in the wrist services business, so we are, ah, services provider, two carriers to large self insured Teo Large Claims organization. So we see ourselves. A lot of what we do is differentiated by our technology. Whether that's, you know, better business process, outsourcing functions or ability to do Bill review faster, more accurately. So our CEO definitely sees us as a technology company, and that's why there's a lot of investment in time being put into sort of build out what that future state of it is going to look like. >> What what do you do with service now? These days? How did the acquisition affect that and where you had it? >> Well, so we just went live with Yorker Services Group on service now is Platform on Geneva, and that's actually a separate production instance that we have with care work. So we deployed the care works instance in early two thousand eleven, late two thousand ten in that time frame, and there were, you know, there's a ton of customization a lot, you know, very solid platform for that family of companies with the York. There's a much larger scope that we wanted to address so very lucky again to be in that situation because I had an opportunity to start a redo and any time that you worked on a platform and you do it for a few years and then you get a chance to actually build again. So we really took more of an enterprise. I till out of the box type of approach s O that it could be flexible enough to manage across the entire enterprise, including all the acquired companies that we plan to pull onto the platform. And then that gives us time to figure out what was really the best out of our other platform that we want to, you know, retrofit back in. But the main reason I did that is to make sure that we could get some benefit out of the platform now and work and migrate into the business. Shared services functions within York that I think we're going to benefit very, very much from the new platform. >> So you've got a mulligan of sorts a little bit. >> Yeah, I got lucky on that on a little bit of the mulligan. And, you know, again, it's all about trying to make sure that we can come in and we just went live. You know, we're gonna have our challenges, like with any organizational change management solution, even just on the same side. But the cadence in which we're putting out releases to actually improve and bring on other shared services functions, I think, is where we will gain the majority of buying. >> So this notion here talked about a lot of this conference. The single cmd b yeah, is that something that you're able to achieve or working toward? Are you there? And absolutely, it's the goal. >> I mean, I don't know if you ever achieve it. I think it does take a lot of time. So the goal is to have everything in one platform for all of our companies across the board and to help facilitate automation, whether it's with GRC with the new security product that's coming out, which is, you know, something we're looking to get deployed in. Q three Q. Three Q For hopefully sooner rather than later. I just see there's a bunch of play on the automation orchestration side as it relates to tying in and tying an audit. Tien and Security on then also looking at business shared services and you know that's a whole different world of figuring out how can we help them? And we have ah operations service and are actually part of our next release. So I'll be very interested to see. You know, they do a lot of things manually like everybody does. He'LL be very keen to see how they see the platform and what they're going to come up with us, a strategy long term for them. >> So are you mentioned a couple times that York's made a number of acquisitions your company included, and don't give twenty four looking statements? Obviously, they're going to keep rolling up more things. But if you could speak to using service now as a vehicle to better integrate acquisitions, yeah, because for a lot of companies, that's a strategy. >> Yes, so and I actually have a strategy around that leveraging the platform is one of the main reasons that want to get it in now so that it could eventually build that. My whole goal there is the Leverage Performance Analytics on the way that I envisioned. Using that is, in many of the companies that we acquire, they will operate still, stand alone from a night perspective for some period of time. You know, whether that's six months, three months, two years until we can fully integrate him, whether it's network, you know, systems consolidation you name it. It takes a long time. It's not something that we have solved. So part of it is to be able to do modeling using Performance Analytics by pulling in the data so I can get them now onto this cloud platform because they don't need to be on network. I can have them operating their work within that platform for a period of a baseline period of time. And I could start to model that using Performance Analytics to say, How would that impact our enterprise? That's allies. Does it help our enterprise? That's always. Does it degrade our enterprise? That's the lace. Are they staffed appropriately to actually meet our enterprise? That's the lace and what our enterprises slaves. Once we start collecting all this data based on how we're staffed and how we're going to, you know, fund that transaction. So, >> Bart, if I understood it correctly, you have the dual role CEO slash CTO. Okay, is that there's the CSO report into you are he does. I saw Also he >> does. And so and that's ah, new rule that we established about a little less than a year ago. There was ah VP of corporate security. But we didn't have a chief information security officer s. So I we're not got a very season, see so and working not only as an internal what we do internally. Also within our tech company as well. We started cybersecurity practice. So everything we do, we try to make sure that we can actually support our technology investments from an enterprise perspective and be able to self serve ourselves as an enterprise. So very excited about that. That's why we're getting to the security components and some other products that we think will integrate extremely well into service. Now >> let's talk about that a little bit. I want to put forth the premise. You tell me, feel free to tell me the premise doesn't hold water. But it seems to us that there's been a shift in thinking about security from we'LL focus on you know, defense, defense, defense to one of you know we're going to get infiltrated. It's all about how we respond and I as the sea xo Whatever. See so CEO Seo, I can help lead that response. It's mechanism, but it's a team sport. Is that a valid premise? >> I think it's valid. I think you know, I think it's a little it is driving some change v f ear. But, you know, I think that, you know, is certainly from an external perspective can protect yourself pretty well. You know, a lot of the breaches were actually curve, and some of the cases were internal or through third party partners. So I think there's been a lot of additional due diligence being put on organization, especially as a service organization. We work with a lot of large insurance carriers as an example. So we are getting hit with a lot more requests and a lot more sort of assessments on what our controls are in that space. So we need to be mature, and that's based no matter what, since again, we're providing services to clients in this space, and we're collecting a good amount of claim data and bill data and medical data. So I'm not as going out staying okay, just when it's gonna happen and how we handle breach. If that's the case, I'm trying to figure out what are the ways that we can proactively manage our environment and be able to respond in a much faster fashion to isolate an issue as quickly as possible, which is why I'm really excited about the automation and security component within service now because properly integrated with similar tools that we have. There's a lot that the system conduce that a human can't get too fast enough that will actually shut down to manage that risk extremely well. >> Do you believe that the board level? There's sort of open and transparent communication that that it's not about If Wade get infiltrated, its we have been infiltrated and we will continue to be infiltrated. That discussion occur. >> I think, yeah, the board level. They're certainly more aware, and not just from their participation in our board for the companies that they run themselves, because many of these folks come from companies that their run themselves. So I think there's certainly an awareness I think they're demanding and wanting to have more concrete plans on what your corporate security strategy is going to be. So we've produced a three year plan on what that is and presented that our committee and are starting to communicate that all the way up, you know, through our CEO. So I think there's more awareness I I think that for whatever reason, people think that it hasn't been working on this for some time, but they have S o. You know, there's a lot of good things that we've already done and already put in place that people just need to be made aware of it and get up to speed if you will. And then there's. Here's what we're doing to invest in trying to stop future things or to be more proactive or tow, have better control. Is better auto practices this type of >> what's the right regime for a cyber security? In other words, who should be responsible for should be a single tech group? We Should it be a wider group. What responsibility? >> And no, it's it's it's It's by committee. So our committee included, you know, our general counsel, our CEO, our chief human resource officer, our CEO. So it it's a joint effort. Certainly there's a large component of it because many of it is about your defenses in your ability to manage and maintain and keep your data secure. But security is a company wide initiative. You know everything from training all the way down the associate level to not, you know, click on bad email links, right that no matter what you do and what type of in a virus you have and you're still going to get some of those fishing emails and some of those ransomware emails in those type of components. So there's a whole education put component that goes all the way down to the associate level. If that's not understood by the management over those groups, then you know how is it going to actually be distilled down and supported? So it's a complete company effort when it comes to corporate security. >> And how about >> the business lines? Because our research shows that a lot of organizations don't you don't even have the specifically answer for your organization. Just in your experience is the CEO and the CEO. If it seems as though a lot of businesses don't understand the value of their data or the value of their I p, and as a result, don't really know how to protect it, is that something that is challenging for organism >> Asians? I think it is least when I've talked to other clients potentially, I think less today than it was even five years ago. We certainly know the value of our data. I mean, there's been too many breaches in the large breaches in the past three years to not be aware. I have had that question asked ofyou on, even for a business perspective, understand the exposure. So you know they what is that? Hundred fifty hundred twenty five dollars per claim? Potentially on the data side. So people even put metrics around. It's you, Khun. Quickly go through and established what you think your overall exposure is from a dollar perspective and that starts toe. You know, open eyes when you have millions of claims, are even more millions of bills. >> And that's your business. So you would think you have a better understanding everything most. But so for those who don't how should they go about achieving that knowledge? That awareness, >> They should find someone that, you know, maybe some type of trusted advisor. You know, whether they need to hire a consulting company whether they need to go and just converse with another AA group like a CEO group and ask Hey, have you guys done this before? There's a ton of collaboration at that level where people are asking, Hey, how did you guys come up with your security road map on What did that >> look like? Because Because the value then drives your investment decisions, right, because that's the other thing is kind of like insurance. When is enough enough, You could always been Mohr, but at some point you're gonna have diminishing returns relative to the value. But you've gotta have a basis to set a budget. So I would imagine the value of the data, the value of the risk, whether its >> value brand right, so outside of the hard costs of potentially, you know, getting credit rating or those type of components. You know, there's there's the brand discussion, and I think that's somewhat invaluable. So, you know, budgets are just over. Go spend what you want, but there's certainly a lot of awareness that money needs to be spent that area. It needs to be spent wisely, but there hasn't been an issue as to either one. We're coming up with wild budgets for security but explaining what we're doing and why, and how cost effectively we're doing. It has been very well >> in thinking about how you communicate to the board Yeah, about cyber security. What would be the top two or three things that you would recommend that a C XO should have on his or her checklist? >> One is, you know, understanding all your end point, so understanding everything that's in your network. And it's an easy to say, but it's a very hard thing to do, especially when you have external facing applications. And you have a lot of different networks, so understanding your scope of devices and understand. You know, that way you could understand, to start to collect and fill up that C M G B and understand. Okay, if I have a patch that wasn't applied, how many devices were impacted? You know, how quickly can I get those remediated s so that you know, I think understanding the technical scope of your organization is important because it's very difficult to understand your risks, you know, rating if you will. If you don't understand the tools you have in place and where your potential holes maybe, ah, and then understanding you know your core data. So you know what is in your data that would potentially create a potential risk, even a financial risk? Certainly we go through all the insurance process, right? And even insurance now for cyber liability insurance. You know, the forms for five years ago were much different than the forms that are being filled out today. Much different. A lot more detail, a lot more drill down. So even just going through that process alone drives you to actually go and collect all this information that I'm talking about today, you know, so understanding your internal environment in understanding you know, those endpoints understanding the scope of your data management. And then I think it's around developing a sound strategy that is not just short term but short term and long term, with investments not just in tools, but also processes training those components. >> Did you look a tte security and responding to security is part of, ah, business continuity, as opposed to sort of a bespoke initiative. It is, There's business >> continuity and d are both have components of security, but it is truly what a way to ensure that you're you stay in business, right, and and And if people don't view it that way, then there's a lot of organizations that have been either crippled, not necessary put out of business but impacted extremely large. You know, financial impact with unmanaged breaches that actually went on way too long, right? And they weren't able to detect it, you know? So I think that there's a component there where you have to really think about what's the scope of the work, what the scope of the risk and how much do we need to invest? >> And you see service now. And I'm spending so much time in security this week because I'm excited about what I saw on Monday at the financial analyst meeting and who, talking to folks about this very important topic, you see, service now is playing a role in solving this problem. >> I do because we're a big user of GRC. So we already went down the audit route with service now years ago s Oh, this is just another extension I see of not just audit controls but being more proactive on the security side. And so, since all of our information is in this platform anyhow, we have a ton of opportunity toe automate and manage a lot of the things that again could have potentially gone unnoticed for a period of time simply because a manpower or logs if you ever had a review logs from some of these devices. I mean, trying to find the needle in the haystack is very difficult. So tools are extremely important in this space. Humans cannot meet this challenge alone at all. >> You just make a tad cloud. You wish, right? Awesome. Bart, this is I'LL give you the last word so that your impressions on knowledge sixteen. >> I'm excited, You know, the way it's grown again The way that they're really being purposeful about how they're building out their platform and truly trying to solve the enterprise problems to me is just it shows a very strategic, well thought out plan by service now. And as customers, you know and partners, you know, that's that's what you want to see from a company. So for me, I'm just very pleased where the platforms going. It's exciting how much they've grown. But the way that they've been able to invest in the right things, I feel and truly integrate things into the platform, even acquisitions that they had on and truly make it part of the platform versus and add on, I think, is really differentiating them from a lot of products that have grown in a similar matter but become unwieldy to manage because they're just pieced together. So I'm very, very excited, >> Fantastic. The cube securing knowledge for our audience that Bart, you have full of a lot of knowledge and really appreciate you coming on the Cuban and sharing. >> Yeah, appreciate it. Nice seeing you guys. >> All right, Keep it right there, everybody. We'LL be back with our next guests right after this. We're live knowledge. Sixteen from the Mandalay Bay Hotel in Las Vegas, right back. >> Every once in a while.