
Search Results for HackerOne:

Will Kapcio, HackerOne & Sean Ryan, HackerOne | AWS re:Inforce 2022


 

(theme music) >> Okay, welcome back everyone, theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce '22. Big show for ground security, Amazon re:Invent's coming up. That's the big event of all time for AWS. re:MARS was another one, re:Inforce, the re:Shows, they call them, theCUBE's got you covered. I'm John Furrier, host of theCUBE with Dave Vellante, who's in an analyst session right now. He'll be back shortly. We've got 2 great guests from an amazing company, HackerOne, been on theCUBE many times, (mumbles) Marten Mickos, of course, a big time, (mumbles) We got two great guests. Sean Ryan, Sr. Principal Product Marketing Manager Will Kapcio, Senior Sales Engineer. Gents, welcome to theCUBE. >> Thanks for having us John. >> So Marten's been on many times, he's such a character. He's such a legend. >> Yeah. >> Your company has had great traction, great community, just this phenomenal example of community meets technology and problem solver. >> Yeah. >> He's been part of that organization. Here at re:Inforce they're just kind of getting wind of it now, right? You hear an open, teamwork, breaking down the silos, a big theme is this whole idea of open community, but yet be hardcore with the security. It's been a big part of the re:Inforce. What do you guys think of the show so far? >> Loving it. Partly too, we're both local here in the Boston area. So the commute was pretty nice. (everyone laughs) And the heat wave broke the other day so that's wonderful, but yeah, great show. It's good to be back in person doing this kind of stuff and just, it's really lively. You get a lot of good energy. We've had a bunch of people stopping by trying to learn what we're all about and so, it's really fun. Great show so far. >> And you guys have a great company. Take a minute to explain for the folks who may not know HackerOne. Tell them what you guys do real quick in one minute. >> Okay, the quick elevator pitch. 
(chuckles) So really we're making the internet safer using a community of ethical hackers. And so our platform enables that so we can skill match the best talent that's out there around the world to help find all the vulnerabilities that your company needs to discover. So you can plug those holes and keep yourself safe. >> So in an era of a talent gap, Will, you know the technologies out there, but sometimes the skills are not there. So you guys can fill the void kind of a crowdsourced vibe, right? >> Yeah, exactly. If you're trying to build a security program, and apply defense in depth, we offer a terrific way to engage additional security talent either because you can't hire enough or your team is simply overloaded, too much to do, so. >> Hackers like to be a little bit, white hat hackers like to be independent, might want some flexibility in their schedule, live around the world. >> Yes. No question for hackers that do it full time, that do it part-time and then everything in between. >> Well, you guys are in the middle here with some real products. So talk about what's going on here. How vulnerable are the surface areas in organizations that you're seeing? >> Yeah, probably more so than you would think. So we ran a survey earlier this year, 800 security and IT professionals across North America and Europe. And one of the findings from that survey was that nearly a third, actually over a third, 37% of the attack surfaces, not secured. Some of it's not even known. They don't know what they don't know. They just have this entire area. And you can imagine, I mean there's a lot of reasons you know, real legitimate reasons that this happens. One of those really being that we don't know what we don't know. We haven't scanned our attack surface. >> And also it's about a decade of no perimeter anymore. >> Yes. >> Welcome to the cloud. >> For sure. Absolutely. And people are moving quick, right? You know, the Cloud perfect example. 
Cloud people are building new applications on top of these new underlying configurations happening on a constant basis. Acquisitions, you know, that's just a fast moving thing. Nobody can keep track of it. There's a lot of different skill sets you need you know. And yeah, skill shortage out there too. As we talked about. >> What's the attacker solution you guys have? You guys have this HackerOne attack resistance component, what's that about? >> That's right. So that is to solve what we call the attack resistance gap. So that area that's not protected, hasn't been secured, on top of just not knowing what those assets are, or how vulnerable they are. The other thing that happens is people are sort of doing status quo testing, or they're not able to keep up with effective testing. So scanners are great. They can catch common vulnerabilities, but they're not going to catch those really hard to find vulnerabilities. The thing that the really sophisticated attackers are going to go after. >> Yeah. >> So we use... This large community that we have of ethical hackers around the world to be able to skill match them and get them doing bug bounties, doing pen tests, really bulletproofing the organization, and helping them risk-rank what they find. >> Yeah. >> Triage these, do the retesting, you know, get it very secure. So that's how we do it on a high level. Will, you might have a-- >> Yeah. I mean there's a tremendous amount of automation out there, right? But you can't quite at least not yet replace critical thinking. >> Yeah. >> From smart security minds. So HackerOne has a number of solutions where we can apply those minds in different ways at different parts of the software life cycle at different cadences, to fit our customers' needs, to fit their security needs, and make sure that there's more complete human coverage throughout their software lifecycle, and not just automation. >> Yeah. 
I think that's a great point, Will and Sean, because you think about open source is like not only grown significantly, it's like it is the software industry. If you believe that, which I do. Open source is there it's all software free. The integration is creating a DevOps movement that's going the whole level. So Devs are doing great. They're pumping out codes. In fact, I heard a quote here on theCUBE earlier this morning from the CTO Sequence Security that said: "Shift left but shield right." So shifting left is build your security into the code, but still you got to have a shield. You guys have this shielding capability with your attack module management service. So you now you got the Devs thinking: "I got to get better security native" So but they're pumping out so much code. >> Yep. >> There's more use cases, so there's going to be code reviews needed for stuff that she said, "What is this? We got to code review new stuff. A developer created something." >> Yes. >> I mean, that's what happened. That's what's going on everywhere, right? >> Exactly. We often hear that for every 100 developers, you've got one security professional. (John laughs) You know, talk about skill shortage that's just not sustainable. How are you going to keep up with that? >> Yeah. >> So-- >> Your phone is ringing off the hook. There's no phones anymore, but like technically-- >> Yeah, yeah, exactly. So, you know, yeah, you need to go external find some experts who can help you figure that out, and keep up with that cadence, you know keeps going and going. >> So, HackerOne. I love the ethical thing. I mean, you know, I'm a big fan. Everyone who watches theCUBE knows I'm a big fan of Marten and your company, but it's not just bug bounties that you do. That's just people think of, they see that in the news. "Oh, I made a million dollars from saving Microsoft teams from being exploited" or something like that, or weird things big numbers. But you do more than that. 
There's code reviews, there's assessments, like a variety of different things, right? >> Yes, exactly. Exactly. >> What are the hottest areas? >> Yeah, I mean, that's exactly why we coined the term, Attack Resistance Management really is to help describe all those areas that we cover, so you're right, bug bounty is our flagship product. It's what we're best known for. And it's a terrific solution. But on top of that, we're able to layer things like vulnerability disclosure, pen testing and code review. >> Pen test is actually really important-- >> Attack surface management, you know, a whole suite of complementary offerings to help you engage these hackers in new and interesting ways. >> Yeah. >> The bug bounty is very popular because it's fun. >> Yeah. >> I mean if you're going to work on something... It's fun for the hackers but the white hat hackers, the companies they can see where's my bugs it's the fear of missing out and the fear of getting screwed over. That's the biggest driver, right, you know-- >> Yes, definitely and we now have a product called assets. So this is attack surface management. And what we're able to do with that is bring that in leverage the ethical hackers to risk-rank. What's your assets out there? How vulnerable are these? What's critical? Feed that in, and then you know, as Will was saying we've got all kinds of different testing options. Sometimes bug bounty continuous that works. Sometimes you want pen test, you know, you want it bound. >> Well, the thing about the thing about the pen test, well the SOC report, Amazon's got SOC reports but pen test is a moving train. >> Yeah. >> 'Cause if you're pushing new code, you got to pen test it all the time. It's not a one and done. >> Exactly. >> You got to keep it running. Just one and run, right? >> You can't do the old school penetration test once a year, big monolithic thing. 
You know, this is just a check the box for compliances like, no, you need to be focusing this on the assets that you're releasing, which are constantly changing. And doing ongoing smaller cadences of pen testing. >> I had someone at a conference had a few cocktails in them, confessed to me, that they forged a pen test report. >> Oh man. >> Wow! (everyone laughs) >> Because he's like, "Oh! It was three months ago. Don't worry about it." Like, but a lot can happen in three months. No, this is reality, they are like, "I can't turn it around fast enough" They had an AppSec review... >> Yeah. >> In their company and... >> And that's it. >> I mean, I'm not saying everyone's doing bad behavior, but like people can look the other way that creates more vulnerabilities. >> It can happen. And even just that time space. Let's say you're only doing a pen test once a year or once every two years. That's a long time. It's a lot of dwell time, you can have an attacker inside mulling around your network. >> All right. So we get a big service here. This one, AWS, we're here at re:Inforce the trend that you see Amazon getting closer to the ecosystem, lot more integration. How are you guys taking HackerOne's attack surface area product management software, closer to Amazon? What's going involved? Because at the end of the day they're enabling a lot of value and their partners are growing and becoming platforms within of themselves. What is the connection with Amazon? Keeping those apps running? How do you guys do that? >> Yeah. So we've got a specific assessment type for AWS. So... On the one hand, we're bringing in the right group of ethical hackers who are AWS certified. They have the right skillset, we're matching them. We've got the right assessment type for them to be able to track against and find the right vulnerabilities, report on those. So this is our pen test offering geared particularly towards the AWS platform. And then we also have an AWS Security Hub integration. 
So if customers are using the AWS Security Hub, we can plug into that, feed that information. And that gets more to it, the defense in depth for your AWS. >> And you guys verify all the ethical hackers? Everything's verified? >> Oh yes, absolutely. Fully. >> Yep. So they're verified for their pen testing experience, and skills and of course their AWS skills in particular. And their work experience, making sure that it's long enough that it's good, background check, the whole nine, so. >> How far has Amazon come from your perspective, over the past few years with the security partnerships? I mean their services have grown every year. I mean, every Amazon re:Invent, thousands of new announcements, new services. I mean if they update the DNS server, it's a new thing. Right? So like everything's happening. >> Yeah. >> What's different now? >> It's great to see. I mean, you look around at how many different types of security solutions there are here how many different types of partners, and it just shows you that defense in depth again, it's a really critical thing. Been a wonderful partner for us. I mean that, they're a big fan of us. They tell us that all the time. >> Yeah, 'cause the customers use you. >> 'Cause they're customers too. Right. Exactly. Exactly. But no, it's, it's been great. So we're looking at, we've got some things on the roadmap, some continued integrations that we look forward to doing with AWS, but you know, again it's a great powerful platform. It gives customers a lot of freedom, but with that freedom comes the responsibility that's needed to actually-- >> Will, what's your take? We hear hybrid security keys, management systems, announced today, encrypt everything, don't have over permissive environments. Obviously they're talking about more platform and that type of stuff. >> Absolutely. My take would be, I think our own partnership with the AWS security team is great evidence that they're thinking about the right things. 
We worked in conjunction with them to develop our pen test methodology. So that combined for proprietary HackerOne platform data and findings across all of our customers that are common issues found in AWS environments with their own knowledge and their own experiences from the AWS security team directly. So it's a pretty powerful checklist that we're able to run through on some of these customers and make sure that all of the most common misconfigurations and such are covered. >> Yeah. They're highly motivated to do that. 'Cause they get blamed for the S3 buckets being kept open. It's not even their fault. >> Right. (crosstalk) >> We got hack over in Amazon. Amazon's terrible! >> Yeah. You know, one of the things we like to talk about is the fact that, you know, cloud is really about automation, right? >> Yeah. >> Yep. >> But you can't automate that human ingenuity the skills that come with an actual human who has the experience and the know-how to fix these things. >> It's a lot going on in Amazon. It's always been kind of like, you just described earlier in theCUBE. An erector set, not Lego blocks yet, but still kind of, you still got to build it. It's getting better in the Lego model, but there are challenges in protecting cloud, Will. I mean this is a big part of protecting cloud platforms like AWS. What are some of those challenges? >> I think some of the challenges are the ephemeral nature of the cloud can really result in developers, and you know really business units across an organization spinning up assets that IT or security don't know about. And so that's where things like HackerOne assets in those attack surface management style solutions come into play, trying to identify those assets proactively and make sure that they're receiving some sort of attention from the security team whether it's automated or manual or ideally both. >> You guys got a good solution. So how about the partnership? We got one minute left. 
Talk about your partnership with AWS. You guys are certified in their security group, with their team and marketplace, right? Talk about some of those things. >> Yeah, we've been in marketplace over a year. We've had that the specific solution that I mentioned the App Pen test for AWS in place and integrated with security hub for some time now. There's some other stats that we could probably share around the ethical hackers that we have working on that. We have a number of certified AWS hackers, who again they have the right skill set for AWS, and they've been a great partner. We are very focused on continuing to work with them, and build out some new offerings going forward. >> Well, you guys have done a great job. Will, tell your team congratulations on the tech side, on the product side, very strong community. You guys had a lot of success. Congratulations! And thanks for sharing on theCUBE, appreciate it. >> Thanks for having us John. >> Thank you for your time-- We're here at re:Inforce where all the access tab is open, it's team oriented, we got cloud scale, data, encryption on everything. Big news coming out of re:Inforce, well, theCUBE's got it covered here. I'm John Furrier, your host. Thanks for watching. We'll be right back with more coverage after this short break. (theme music)

Published Date : Jul 26 2022


Alex Rice, HackerOne | AWS Startup Showcase


 

(music) >> Hi, welcome to today's session of the CUBE's presentation of the AWS STARTUP SHOWCASE. New breakthroughs in DevOps, Data Analytics and Cloud Management Tools. This segment features HackerOne for DevOps. I'm Lisa Martin, and I am joined by Alex Rice, the founder and CTO of HackerOne. Alex, welcome to the program. >> Thank you for having me. >> Alex and I are going to spend the next 20 minutes or so talking about strengthening cloud application security with HackerOne. I want to go ahead Alex, and start you founded HackerOne back in 2012. Talk to me about, why you founded it? What were the glaring obvious gaps in the market? >> So I, I started out with the software development engineering background before moving into security about halfway through my career. And one of the things that's always bothered me about the security industry is how unreliable our feedback loops are. We only ever really get quality software by having as many, many points of feedback as possible in there from customer surveys and analytics and monitoring. And the security industry has just been really spotty about that. So when I was running the product security team for, for Facebook for a number of years, one of the surprising things that we did, that ended up being one of the best feedback loops we had, we just said to the, to the, the world hackers out there, if you find a vulnerability, find a security flaw, find something that we missed, we'll reward you for it. And we were really blown away with what very creative folks all across the world came back with. And so this concept of inviting outside friendly hackers to point out your flaws in exchange for compensation, ends up being a very valuable tool for any engineering team and any, any security team, particularly those that are adapting to more modern, faster agile environments. >> Right? Like DevOps. So you've amassed a community of over 1.2 million good actors, ethical hackers as you say. 
How do you vet those folks since there's so many nefarious actors out there? >> It's a great question what we start with. The bulk of the programs that we run on HackerOne are public. They're open to the world. There are organizations like Facebook and GM and the department of defense that say to anybody out there, if you find something that we've missed, we want to know about it. So it doesn't, you're not giving the hackers any special permissions or access that they wouldn't normally have. You're, you're inviting them to collaborate with you. From there we learned a lot about the hackers skillsets and demeanor and their track record to then vet them for more private or targeted programs. So while there are these public programs, that is where those million hackers originate from that list is, is vetted and filtered down for more private engagements. Because most folks building technology, they don't need a million hackers to help them out. They need 10 of the right hackers on their team at the right time. And vetting them and matching those hackers to the right challenges is, is a core part of what we try to do here at HackerOne. >> One of the things that we talk a lot about on this program is, you know, the last five years, this shortage, the cybersecurity skills gap. Is, is HackerOne's answer to that? These 1.2 million ethical hackers who can find those vulnerabilities that are open vectors for criminals to exploit. >> It's part of it. It's very much a part of it. My personal hypothesis about this on a big part of why we have such a glaring skills gap is because we've tried to separate it out from core engineering and DevOps principles. The most secure products out there, the ones that hopefully you trust and we all use regularly. Security is a core part of their engineering practices. It's a core part of their DevOps practices and the skillset overlaps dramatically there. 
And so we've had a lot more success in involving the core DevOps and engineering teams in security practices and really doing it as, as any other component of, of quality software development. And the challenge of that is that you're not going to find everything that you need in a single job description. If you're building a modern application or deploying modern infrastructure, the diversity of skill sets that you need is just staggering. And if you try to apply the old employment model of, okay, I need a security expert on this application. I need an expert in AWS and Kubernetes and RDS, and queuing systems and encryption for my and database security and account takeover. You quickly realize that it's just impossible for every organization that needs all that expertise to hire somebody with all that expertise. So our, our approach and what we try to do is to make sure that the core teams own responsibility for that security, but they're able to tap experts when they need them at, at, in a model that is really much more acclimated to how modern software is built. >> Got it. Okay. Interesting. Talk to me about the HackerOne security platform. Let's kind of dissect that. >> Absolutely. So there's a, there's a few different types of programs that we run for customers. At our, at its heart. There are public programs that we refer to as, as vulnerability disclosure programs. This is usually a security ad, it could be as simple as a security ad for an email address report vulnerabilities. That's really just an invitation to the world out there that says, Hey, we, our application is available to the public and you as a member of the public, if you find a security issue that we should be aware of, we'd like to hear about it. And it's incredible the amount of value that software teams receive just from asking, this putting that invitation out there. 
Then in parallel with those, for the organizations that are looking for more talented, a deeper dive we've run bug bounty programs, which is a very similar flavor, but the, our engineering and software teams will post bounties for the specific types of issues that they care about. Meaning if you can find a way to compromise user data, or if you can get access to our infrastructure, we'll reward $5,000 or $10,000. And you're specifically asking people to help you find things that will align with your goals and protect your customers. And then the, the third model that we do are our security assessments. These are a very targeted point in time assessments. They're not ongoing commitments. There are when a DevOps team is deploying a new application or releasing a new architecture or running new infrastructure, when they need a very targeted set of expertise for a constrained timeline to fit into their release processes, we can run assessments of matching just a small number of factors to what you care about and tie all that into your to release process. >> Okay. Let's talk about now, we know, one of the things that we've seen in the last 18 months as this massive acceleration to digital, we've seen a much more cloud adoption and really lifelines. Zoom, Netflix, for example, being these lifelines. As more organizations are moving to the cloud, we think, well, maybe risks are getting higher. With respect to customers that are moving to AWS. How does HackerOne security platform help? >> The potential of technology. If it wasn't clear before the pandemic started, it should be clear to everybody now, like it is, it's unbelievable the positive impact it's able to have on our lives. And at the same time, most people don't trust technology. We as a technology industry have done a poor job of earning the public's trust that the technology that many of their lives are starting to depend upon is as trustworthy as they needed to be. And that's not a new challenge. 
Like as long as we've been developing software, there have been bugs, there have been security problems, but it's really amplified it both with the pace of development and just how accessible that's becoming to that to the world. And so in, in prior development models where we were releasing software, much more infrequently, where it was deployed in very controlled environments and accessible only to specific people who happen to be in a physical location or had a particular corporate account, that's all starting to change. Software is being released so much faster at a, at a pace that their traditional security models were already struggling to keep up with. And now are just completely, completely outclassed. That's the trend number one that's changed. It's just the speed at which we have to apply security is, is unprecedented in this new world. And then at the same time, the access has just gone through the roof, the way of operating a modern business and serving modern customers dictates that we have to meet them where they are wherever they are in the world, which means the adversaries have the same level of access that we're now affording to our, to our customers. So for our financial services customers that have gone completely remote access in the, in the last year, that's a whole range of attack surface. It wasn't accessible for many of them are using cloud systems to do that. Our healthcare customers that previously attack surface, it was only accessible when you were actually in the hospital is now open in large parts of the public and has many many more private conversations than it did before. And it's more than anything else that realization that we need this technology to be always on accessible anywhere in the world and trusted because people need to trust it. Like their lives depend on it. Literally has, has really changed how we need to look at this challenge. >> Yeah. That speed at which the attack surface is just spreading. 
And I was looking at some cybersecurity data in the last week or so, and there's really no signs of it slowing down. We saw this, the rapid shift to remote work a year and a half ago, remote learning. And we've got obviously we're in this hybrid world now where, you know, companies are in hybrid cloud, we're in this hybrid workforce of some remote, some homes, some doing both back and forth with that attack surface spreading. Give me an idea of some of the customers that you guys are working with to help them with HackerOne secure their AWS environments. >> Yeah. Our customer base really follows technology adoption trends. All of our early customers were, were tech companies that are kind of the ones that pioneered this model. Facebook, Google, Microsoft, Twitter, Uber were the, the early tech companies that quickly over the first ones to realize that the traditional approach to security model was just insufficient for a new cloud forward environment. Behind them you'll find technological, technology leaders in every industry. It's hard to just talk about the tech industry today. When you look at any industry out there, you can find one or two examples of very technology forward companies. On the finance side, customers like Goldman Sachs and Capital One. They really view themselves as technology companies these days. They're not financial service organizations or banking organizations, they're first and foremost technology companies. They were the first, some of the first to adopt this, this model. On the military side, the Department of Defense was one of the first organizations to do this cause they've long had, they're both one of the most traditional organizations out there. They've always had innovation arms to adapting practices like this. The automobile industry was a little bit early on the technology adoption trend. As consumers started relying on and demanding more technology in their vehicles. They were one of the early adopters of, of a practice here. 
And in the more recent years, the line has just completely gone away. We don't really use what we were engaging with a customer you don't really even ask. Are you, what's your, what's your digital strategy? or do you have a technology team? or are you developing first party applications? Do you use any cloud services? The answer to it is just is it's yes. So much more often than it's not. I think there's the safe assumption in 2021 is if you're, if you're doing business, you are probably have a software engineering team, you are probably deploying on the cloud. And if you're not, you're probably not going to be doing business in the, in the next decade. >> Right. That's, that's going to be a big differentiator, but you bring up a good point that every you can, you can almost say every company these days is a tech company or needs to become a tech powered company, a data-driven company. That is critical to especially organizations in this climate being able to pivot continuously as our world is changing. I want you to walk us through Alex, some of the HackerOne assessments that folks can do specifically in the AWS environment. >> For specifically for AWS, what we found is there's a category of AWS and we're really a cloud customers that want the always on security feedback loops that come from bounty programs. And so we, we've had that offering for quite a while of folks that want a feedback, no matter when it happens, because they're continuously received releasing applications. But then increasingly one of the use cases that we discovered was folks were in the midst of moving new applications to AWS, almost on a, on a weekly or monthly cadence. And they need needed a security testing cycle that would keep pace with that. Particularly folks that are ongoing any type of cloud migration or lifted shift of their, of their applications. And so we, we rolled out at AWS tailored specific version of our security assessment product. 
You can get it in the AWS Marketplace as well, that lets you spin up a targeted security assessment on demand through the, through your native AWS tooling, whenever you need it. And the most common use case being this, we plan to open up access to this application next week. We'd love to have some hackers kicking the tires on it this week before the whole world has the opportunity to do that. All of those findings are then integrated back into AWS Security Hub, and tailored in a way that is meant for the DevOps teams and engineering teams that are deploying to, to be able to tell us what's going on. We're not asking folks to, to break out into specific security workflows. We really fundamentally believe that security accessible to DevOps teams is, is what's needed to keep us all moving fast and ship trustworthy now applications in the cloud. >> Is that at all a facilitator, you know, when we talk about DevOps folks, security folks, DevSecOps. We talk about sort of the, the cultural shift and developers needing the DevOps folks need to be focusing on getting applications out at speed, security folks, developers, you know, we don't want to have to have security responsibilities. Are you helping to facilitate some of those? >> Yeah. We are, and it is more of a personal opinion here, but as someone who's worked on on many engineering teams and built multiple application and product security teams, the strongest ones in the industry, the lines between the product team and the product security team or the DevOps team or the security team are non-existent, those experts exist on to. I hate terms like DevSecOps. We, it's necessary to, to approach things, but like if you're going to have a term like DevSecOps, you need to expand it to like DevQaSec in for ops. And it's just, you can't possibly capture every skillset and the critical aspect of quality software development in, in a short little acronym like that. 
And to me, DevSecOps just feels like a, an attempt by the industry to get invited to a party that nobody wants them at. And I really think we have to rewire our thinking. And if you have a, a development and an operations team, which are the two core functions there that doesn't take hands-on responsibility for the security of what they're developing and operating you're in trouble. Right? The more you try to outsource that to another team, another set of expertise, the worst you're going to be. There's a, there's a analogy that I draw to this that is a little bit of a poor analogy, but it, if it works well for me. For those of us that have been around in software engineering for, for long enough, there was a huge push in the early two thousands to build quality assurance processes across the board. Like everyone was investing in QA and building our QA teams. And every study across the board showed quality just tank after people invested millions in QA and quality assurance. And when, when you dig into it, it's intuitive, right? Like as soon as you can say. Oh, thank goodness quality is now somebody else's job. I've got, there's a dedicated team that can think about quality and deal with quality. Quality goes away. And security follows the exact same paradigm. Modern software is too complex, too interconnected, to be able to expect somebody else to completely do it for you. And so we really try to consult our customers on you should be thinking about organizational structures and responsibility, major SIGs that ensure developers and operations have the seat at the table in the security of the product. And then the challenge is how do we get the right people onto those teams? How do we get the right experience to them versus bolting it on with another acronym in the middle? >> I love your opinion there. In terms of facilitating that the latter part of what you just spoke, how are you finding those conversations within customers going? 
Is this now, I mean, think about it from a security perspective, it's going up to the board level imperative. Are you finding, especially in the last 18 months that your conversations with organizations are changing as that escalates up the chain? >> They are, but we also take a very pragmatic approach to this. I give you a very, a, a fairly, a personal opinion there on how to do it. The reality is most organizations aren't structured that way. They have a DevOps team, they have a security team, and the two are often in somewhat of an adversarial relationship. And, and we, we certainly work within those environments. You certainly can have a mature security program in an environment like that. It's not like there's one silver bullet to solve it, but we do work closely with our customers to try to bring down those walls. And increasingly technology leaders are engaged and hands-on, and are looking for ways to make this better. Five years ago, the CSO, the Chief Information Security Officer, was almost always our main buyer, and our main point of contact. It's much, much more common now to see VPs of engineering, CIOs, CTOs have direct line responsibility for security teams. And I think we're starting to see the early shifts of work structures that reflect that. If you have a DevOps team and you have a security team, that's responsible for the security of what the DevOps team is doing, and they are reporting to the same executive where there are major points of bureaucracy and politics between them. Every executive we talked to feels that, they lived through an experience like that, and they're motivated to start bringing those walls down. >> They've been through that pain and know the imperative give up getting alignment. So we've talked a lot in the last minute here. 
So I'm curious, we talked a lot about what HackerOne is doing, what you're doing for the AWS community, what's in it for your customers, but I'd love to understand just really quickly what's in it for the hackers? I do understand that you guys have more ethical hackers than black hats out there are out there, they're new assistants, which is good to know. But, what's in it? You know, from a bounty perspective for the hackers that work with you. >> We believe we're creating meaningful economic opportunity for, for hackers out there. We've had over a dozen hackers that have made a million dollars on the platform helping customers. But more importantly, it maps to how you want to develop your skillset. As hackers, a big part of the cyber security workforce challenge is these unrealistic job expectations that require every security engineer to be a Jack of all trades and work across 10 different product teams and master all of these skills. Whereas this model allows hackers to specialize. You can be a specialist in a very particular piece of technology and apply that specialization across everyone that depends upon it, and focus on what you can do best without dealing with the office politics or the unrealistic job expectations of what's needed in a modern school professional. It's one of the most painful things about the security community is you'll, you'll look at junior entry-level job descriptions for security engineers that already require five years of experience and expertise in 10 different technologies, which is just it's unrealistic. You're you're not going to find it. You don't want to, to be that individual. But it's also, it's back to what we were talking about earlier. It's trying to ask to find unicorns for roles that are just not in line with how modern software is built. And so I think for that, for the hacker community, what we hope we're doing is we hope we're creating meaningful economic opportunity. 
We're also hope we're enabling folks to develop and contribute to society with their skills in a way that they would like to. >> Awesome. Alex, thank you so much for joining me today, giving me kind of a background on what HackerOne's doing, what you're doing for AWS, the opportunities what's in it for me as a customer, what's in it for me as an ethical hacker. It's been great having you on the program. >> Thank you very much. Take care. >> This has been our coverage of the AWS startup showcase new breakthroughs in DevOps, data analytics and cloud management tools for Alex Rice. I'm Lisa Martin. Thanks for watching. (music)

Published Date : Sep 22 2021


Marten Mickos, HackerOne | CUBE Conversation


 

(soft electronic music) >> Well, it's good to have you here as we continue our series of CUBE Conversations in the AWS Startup Showcase. Today, our focus is on HackerOne and the CEO of HackerOne, Mårten Mickos joins us. Mårten, thanks for being with us, we appreciate the time. Good to see you here, on theCUBE, today. >> Thanks for inviting me, John. >> Let's talk about HackerOne, the global, digital security leader. You are taking care of everybody's worst digital nightmares these days and so congratulations on that front, but I know you've got your hands full. Let's go back for those who are watching that don't know a lot about your history and just tell us about the origination, about how you gathered this stable of hackers, if you will, for good, ethical hacking, we might call that, and how that began and where that path has led you. >> Yes, thank you, John. You mentioned it already, you said the worst nightmare. The worst nightmare we all now have is that we get hacked. We all have to worry as consumers, companies, governments that criminals will break into our system. And then when you start thinking rational think, okay, if the worst nightmare is a cyber crime and getting breached, what is then a medication potent enough to rise to that same level? What can stop your software vulnerabilities from being exploited by criminals? And the world has built a lot of testing software, procedures, scanners, all kinds of things to get there, but none have risen to the level of true criminal activity. But then this movement of ethical hacking has people with the same skill and same passion, and same ability to come from the outside and break in except one difference, they have good intent. So we have a collection, a community of all the ethical hackers in the world, over a million of them, who are all ready to go in and in a way, think the bad and do the good. 
So they approach your system as if they were attacking you and when they find a hole, they tell you and you can fix it. And it turns out that there's no other way of finding all the ways in which a bad guy could break in. You could do all the other things and you should do all the testing and scanning and whatnot, but it won't rise to that same level, it won't find all the vulnerabilities, it won't think as expansively as a criminal will think. But the ethical hackers do and they are unstoppable. And there are many more ethical hackers than are bad hackers in the world. We have 1.2 million in our community, that's more than there are black hats or criminal hackers in the whole world. >> Yeah, that's an incredible number. I mean, 1.2 million-- >> And growing. >> Ethical hackers. >> And growing. >> How did you go about building that community and vetting that community, right? Because there has to be some kind of credential that you bring to the table, some kind of expertise. So how do you know that everybody in that 1.2 million, which again, just a phenomenal number is of the same cloth, if you will, of good intent and willing to help? >> They would never sign up if they didn't have good intent because we know about them, we can see where they came from. So if you're a criminal, you would never voluntarily give away such information about yourself. So we know their intent. They're, of course, varying in terms of skill and drive and passion and abilities, so we have a ranking system where we can learn about their skills and we test them, so we can, out of that giant community, find the ones who are truly outstanding. Because like in any endeavor in life, some are just natural talent, some work hard to become the top talent, and most of us are just regular, mediocre players in whatever sports we are in, like, like I am. 
But we have, we managed to find the most talented hackers in the whole world and through sort of a social competition we cause them to learn more, get better, and just better and better. And, and here's the other dimension. So the first dimension is that we have to have a cure that is as strong, as potent as the risk so we have to find vulnerabilities at the same level as criminals will find. Well our hackers will do that. The second thing is it's a moving target. Whatever you learned in cybersecurity yesterday may already be outdated. Whatever technology you are, you are catching up with may already be different than it was yesterday. But thanks to our giant community, we have this sort of evolution inside of the community where new talent is always coming in with new skill and replacing the old ones. So as a hacker, of course, you compete with all your other friendly hackers to be the best, but one day you'll get beaten by a new guy, a new person, a new hacker who has figured out the new technology. And that's how we stay current. Like we, there's no risk of the knowledge being outdated or stagnated because the people revolve in this community and it's always the freshest, most accurate, current talent that's being deployed in our programs. >> Yeah, we've had a lot of conversations with cybersecurity experts over the years here, on theCUBE and generally there's been a theme of, I wouldn't say resignation, that's too strong. I'd say almost acceptance that there are going to be challenges and sometimes bad guys win. Sometimes vulnerabilities are, do yield results, you know, will ill intent. So how do you match the skill level on your side with the skill level and the motivation of the criminal actors on the other side and keep up with that? Because there's great financial motivation on that, on the bad side, you know, in order to, ransomware, you know, a great example of that. 
But how do you continue to fortify the hackers on your side to match that motivation that is so deeply embedded on the ill side? >> You brought up many good points, so let me start from the backend of them. So first of all, when we say that it's very lucrative to do cyber crime, I don't think it is lucrative for the actual doers. Like in ransomware, a lot of monies is changing hands, but I think it ends up in, ends up in very few hands. So a lot of the technical cyber criminals who are conducting it are probably not making much money. In opposition of this, in our ethical hacking community, we already have 14 hackers who have earned more than a million dollars by working on our programs. That is a lot of money. It's a lot of money even for criminals. If you are enlisted by a nefarious government or other nefarious organization to work for them, they don't necessarily pay you well, but working as a white hat, you can earn much, much more. So I do think the economics is rigged the right way, especially as human beings inherently want to do good. And they are ready to do good even if their pay is much lower. Now, the pay isn't lower, but even if it were, the propensity to do good, it overpowers the likelihood of somebody becoming a criminal. So, so as we, as long as we work together and pool our defenses, we'll be much stronger than any criminals. >> So, so let, if you would, let's turn the page then to you've established the talent pool, very deep, great bench. You've got a lot of people doing really good work. So let's talk about the work they are doing in terms of vulnerabilities that they're sighting, whether it's app security, cloud security, whatever the case may be. What, generally, what are you finding? What are you seeing, like where are the mistakes being made generally in your client base? What kinds of things are you pinpointing to them that you're finding through your work that they can shore up and build those defenses a little stronger? 
>> Broadly speaking, when you look at the industry today, every organization is undergoing digital transformation, and some do it from a primitive standpoint, some are already running on software. But there's a digital transformation going on, most organizations are moving workloads to the cloud, to a public cloud. When that happens, the nature of your application workload changes, the nature of the threat changes, and the possibilities for mistakes will be different. When you deploy workloads on a public cloud, you may have configuration issues, you may leave secrets in public repositories, there are new threats that come to you. But at the same time, it's a more uniform space because everybody's running on the same cloud and the cloud, itself, is secure. So we have devised specific services for those who run on cloud, where we go in and say, we know AWS, we know Google Cloud, we know Microsoft Azure. We will find the specific, typical vulnerabilities that you have there and we'll tell you about them so you can fix them. And then you get a much stronger cyber defense because the, the world of vulnerabilities is known to us, we've trained our hackers in identifying them. When we find them with one company, we learn, and we can look for the same in some other company. So the pace of learning is much faster in our system and that's how we can bring companies to a higher level of security when they're on the public cloud than they were before. So actually, like when you said many are resigned in front of the situation, the ship is already turning. It's important to look the threats in the eye and be unafraid of it, and just meet it, but we don't have to be resigned anymore. We have the powers in the cloud vendors, in the ethical hacking community, in software automation to now build proper systems that are broadly speaking, very secure. >> So, so how do you? >> Yes. 
>> How, how do we, when you look at the ransomware incidents that continue to occur, and yet I, and, and that, you know, it frightens a lot of people in the corporate world, municipal, public sector and private citizens even, right? But, but you sound, if I hearing you right, a little more optimistic, that we're getting to be a little more adept at security, if you will, and of sighting vulnerabilities and finding these loopholes and whatever. So you're not as pessimistic as, as some might be. You're thinking that perhaps we are starting to turn the corner a little bit and maybe some of these things that have been big threats are being somewhat more mitigated now? >> Well, I believe that whether you think you can fight cyber crime or not, you are correct, meaning you must have a belief of the power that you have with your other defenders. And today, we can create a defense that's strong enough. Nobody's 100% safe, ever. You can take any vaccinations you like, you may still get the, the virus. So like, as a metaphor, it's the same with software. You can never get 100% safety, but you can get much better than you were before. And you do it step by step with boring, small steps. It's not, there's no silver bullet. There's nothing that in one change will make you secure. But if you, every day fix one little thing, soon, you are more secure than your competitors and soon you are among the most secure in the industry. >> So, you know, Mårten, it is almost, I think about the old saying, "If you can't beat 'em, join 'em." This is like, if you can't beat them, have them join you. Right? >> No, it is if you can't beat them, keep beating them, keep beating at them. Like, criminal activity is very bad. The nefarious actors that are out there, there's nothing good with them. And whether they are operating voluntarily or mandated by somebody who has power over them, it's really, really bad. But, but in terms of numbers of people, they are already in a minority. 
They have vast resources, they have as technical resources and skills, but we have more people lined up on the defense and pooled defense will always overpower an asymmetric threat. >> Well, it's a great story what HackerOne has done in just a very short period of time over the past seven, eight years. It's important work, it's vital work and you're doing it very well. And so thanks for being with us here, on theCUBE and we wish you all the best down the road, too. >> We want the companies to do well, that's when we do well and they are very secure. So thank you very much, John. This was a wonderful conversation. >> I appreciate the time. Mårten Mickos joining us, the CEO of HackerOne. You've been watching a CUBE Conversation part of the AWS Startup Showcase. (soft electronic music)

Published Date : Sep 16 2021


Marten Mickos, HackerOne | CUBE Conversation, April 2020


 

>> Woman's Voice: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hey, welcome back everybody. Jeff Frick here, with theCUBE. We're in our Palo Alto studios, during these kind of crazy times and really taking a moment with the time that we have to reach out to some of the leaders in our community, to give us some insight, to give us some advice, to share their knowledge about some of the things that are going on and some of the specific challenges that really the coronavirus and the COVID-19 situation are causing for all of us. So, we're really excited to have a CUBE alumni, haven't talked to him for a couple of years. Joining us from his house, he's Marten Mickos, the CEO of HackerOne. Marten, great to see you. >> Good to see you, Jeff. Good to be back. Thank you. >> So first off, just a quick check in. How are you doing? How are things going at HackerOne? How's the team doing? How are you guys kind of getting through this time of difficulty? >> Well, we are fortunate in our company that we have a business that may be doing even better in these times, because we do security don't need to go into the office and we do it in a distributed way. And so, all of that is wonderful for the company. We do have our first positive case of COVID-19 in the company. He is now fully recovered after a few weeks. He's back at work. So, it means it came pretty close to us and we have others who might be in the danger zone. But overall, we are doing very well and paying a lot of attention on health and staying safe and working from home and making sure we don't take risk because these are serious things that we shouldn't play with. >> Yes. Well, I'm glad to hear that, that person is recovering. And I think April is the month of six degrees of separation where all of us are going to know someone or someone who knows someone who's got this thing, is it? 
The curves, unfortunately, are still going up in the United States. So, I don't think that's going to change. But, on a lighter note, one of the reasons I wanted to reach out to you is you've got a long history of working with distributed companies. This COVID thing is kind of a forcing function around work from home and it never fails to amaze me how many people are on their first Zoom, and they don't even know what WebEx is, and they've never heard of Skype. And I think we get spoiled in the tech world. We use these tools all the time. But this is a forcing function. It's at the grade schools, the middle schools, the high schools, besides just regular companies. So, when you were running MySQL, back in the day, you had a distributed company, not only across buildings, but across oceans and continents. So, I wonder if you can share kind of, did that start that way? Did you move into that way? Kind of what are some of the early days as you move from everybody in the office to more of a distributed network? >> Yeah, it did start that way at MySQL back in Scandinavia. And I joined. There were 12 people, everybody working from home. The CTO lived just half an hour away from me, but we never saw each other. I worked from home, he worked from home. And I remember when I as the new CEO said that, hey, we will need an office. We need a headquarters where we can have meetings and archives or contracts and stuff. And he said, no office, over my dead body. It will kill the company culture. That was the view >> Why! >> Of the founder. >> That is so progressive. Where did that view come from, Cause that is certainly was not the kind of standard thinking. >> It was weird. It was back in, that was the year 2000, and they had developed a way of working with open source contributors all over the world, over email and IRC back then, which is a predecessor to slack you could say. 
And they just developed that method of working together and making sure everything is digital, everything is written down. You are honest and forthright in writing as well. So it worked beautifully and they didn't like offices. We ended up having offices and we had many people working from the office but there was nowhere, at no time was it more than 30% of our headcount of about 500 people who work from an office. 70% work from home in 32 different countries across 16 time zones. >> Wow, that's very, very distributed. So, in getting ready for this, I saw some other interviews that you've done and some other conversations on the topic. And one of the things that you brought up that I think is really topical is that this is really more of a mental challenge than really a physical challenge. The tools are there, we have internet, we're very fortunate that way. Didn't have these things in 2000, like we do today. But you talked about the mental challenge, both from a leadership perspective, as well as maybe from the employee perspective. I wonder if you can dig into that a little deeper as you kind of look at your peers that are treading into unchartered waters, if you will. >> Well, I think it's a transition where you become one with the media, like with your laptop or whatever you're looking at and you sort of you invest yourself in what you have in front of you and you give off all of yourself into it. Just like, if somebody is taking a portrait of you with a camera, you have to sort of love the camera and show yourself to the camera for the portrait to be really, really good. Like that's what great photographers do. They get you to open up, even though it's a machine and not another human being. And we have to develop this skill digitally to sit in front of a laptop or a phone or something, and be our whole genuine selves, showing all dimensions and aspects of our personality. 
Because we don't realize it but when you go to an office, people are paying attention to how you walk, where you stop, what you look like, whether you look angry or happy, whether you look tired or not, when you go to the restroom, when you don't, like who knows all these things that people pay attention to that give away how you feel and how you are. And then somebody may come and say, Hey, Jeff seems to be in a bad mood today or Jeff seems to be in a good mood today. And those are vital functions of a group that works together. So, you must allow the digital world to have the same. You have to bring that part of yourself into the digital reality and sort of open up. And people make the mistake that they just bring their professional selves. They just say, okay, what's the task? What's the work? Let's agree on something, let's listen to everybody. And they don't reserve room for the social side and showing who you are. Because people won't ultimately trust you until they know that you are a human being and you have weaknesses and vulnerabilities and you can be silly and sometimes you look good, and sometimes you don't look good, and sometimes you are to your advantage, and sometimes you aren't. And until you have covered the whole range of your own expressions, you're not believable. >> Yeah. Another topic that came up is measurement, right? In KPIs, and how do you measure people's performance? It wasn't that long ago that Ginni Rometty at IBM came out and said, we don't want remote workers anymore. We want everybody to come check into the office. Well, that's changed a little bit. But, you mentioned that, we're so used to measuring things the way that we've always measured in the past. Are they there at eight? Do they stay till five or six? Do they look busy, as opposed to really focusing on outputs? 
And you talked about really shifting your mindset with a distributed workforce to make sure you're focusing on the right outcomes, not necessarily focusing on the things that maybe, as you said, as much as subconsciously, you're paying attention to as much as anything. >> It's so easy to fake it in an office. >> I love that. >> You go in there, you look busy and people think you're amazing. But when you work from home, the only thing you have to show for is your work results. So, it becomes much more objective. And of course, you have to create metrics that can be tracked in a way that others can understand what you're doing. But it actually makes it more straightforward because you can't fake it. >> Right. >> The only thing you can be measured by is what you're actually producing. >> It's got to be interesting when we come out of this, right? Cause there's a lot of psychology done around habits and how things become habits. And the way things become habits is you do them for a while, in sequence repeatedly and then that becomes kind of part of your routine. And before, even here at theCUBE, right? Remote interviews were probably, I don't know, 5% of our total output. And now they're going to be 100% for the foreseeable future. So, as you look at kind of people that are new to this, world of remote learning and remote working, it's going to be wild after they do this for a couple weeks hopefully get into the habit, to then, as you said in some prior things, this becomes the new normal and go into the office is the once every so often, when we actually have to have a big team meeting or some specific events. So you think this is going to probably be that tipping point till this becomes the new normal. >> I do think so. I think it will flip so that now, you may think that you and I are having a virtual conversation and it would be a real conversation, if we were in the same room. That will flip. Soon, this will be the real conversation. 
And if we meet in person, then it's an anomaly, and that's the virtual thing. >> Right. >> Because most of the time, we will connect like this and we will figure out ways to understand each other and know whether we can trust each other and sort of all these things will evolve on the digital side. And there's no reason why they wouldn't. >> Right. >> Other than the reluctance of human beings to change their behavior. >> Inertia is a powerful thing. So let's say >> As they say that, first we form habits, then habits form us. >> There you go. >> And that's how it happens. You create some habit and then you become prisoner of that habit. If you create that and you can't get rid of it. But you just have to force yourself out of it. >> Right, and this is a forcing function, like none other in terms of this whole world. >> Exactly. >> So, shifting gears a little bit to kind of your day job, beyond just leading but actually worrying about security. RSA was the last big show we went to, late January, early February. All about security, Hacker One's all about security. I would imagine now that everybody's working from home and the pressure on bringing your own devices and we're seeing all this funny stuff about Zoom. It's the greatest thing since sliced bread. And now of course everybody's jumping on all of the vulnerabilities, etc. What are you seeing in kind of the hacker world and security world as this huge shift has moved to people working from home and remote schools, etc. >> Well, it's clear that society now has to work from home and figure out distributed ways of getting education or work done. And as a result, criminality will go there as well. So we have to protect ourselves well. The first of the problems is, how do you protect yourself when you work from home? So then you talk about VPNs and how do you handle credentials and authentication and multi factor authentication to make sure that the connection is authentic and protected. So, that's the first one. 
The first order challenge that we have right now going on. But on a little bit longer scale, we are seeing now companies deciding to start using cloud services even more than before, because they realize that this could come back as evasion like, we are having now, could come back and you will again be at home. And then they say, how do we build our software and ICT infrastructure, such that we are not needed in the office? And the answer is move to the cloud. And when you move to the cloud, you again, the security posture changes somewhat. You don't have to worry about network security anymore, but you do have to worry much more about app sec, application security. So, whatever happens here, they are useful transitions, but they will put demands on security teams and business leaders to re-evaluate what they spend money on in security. We are very fortunate at Hacker One to be on the winning side here. Our services are exactly for this distributed virtual digital world. So, we are needed even more every day more and more because things are going online. But companies will need to rethink those things and stop spending on things that don't make sense anymore. >> Yeah. It is just wild, right? How this forcing function is really making everybody evaluate things a little bit closer and pushing them through that inertia that before you could kind of put it off, put it off, put it off. You can't put it off anymore. Time's now. >> Right. >> Yeah. >> Well, we had a similar like when Y2K happened. We also had a hard limit, and we had to get stuff done. Now it's coming in a different way, sort of the punishment came without announcement, but we are in a similar crunch to get it done. And we will. >> Yeah. But, it will be difficult and it will put a lot of strain to people under the systems. But I do believe it's doable. >> Good. So, I want to shift gears one last time. We talked really about open source. >> Right. >> You've built your career on open source. 
MySQL was obviously open source and got bought by Sun, eventually now part of Oracle's portfolio. Then you did Eucalyptus. That was open source, right? Eventually got bought by HP. And now HackerOne, you're using really a network of hackers all over the world, to really help deliver the service. I'm just curious to get your take on the role of open source. It's been such a creative force for development. It's been such a creative force for kind of moving technology forward. How do you see it playing out now? What's the role of open source? Are you seeing projects? Are you seeing people rallying around, bringing the power of data and analytics and cloud to this problem? 'Cause to me, there's clearly a human toll of people being sick. But it's also a big data problem in terms of resource allocation, trying to sequence this thing and accelerate vaccine development. There's a lot of kind of big data opportunities here to attack this thing. >> I think open source is even bigger now than it used to be. And it is a very powerful example of the fact that no matter how much we are threatened that we feel like we have to hunker down and isolate ourselves from others and foreign groups or people are dangerous. In reality, the biggest accomplishments in society are always about collaboration by large groups of really intelligent driven people. Because software is eating the world, open source is eating the world. And today, if you don't use open source software, you're just plain stupid. So, it has really taken over the whole world. And it is now enabling all these new innovations and initiatives that we didn't do before in big data, collecting big data, analyzing data. We see it in the whole area of DNA medicine, where the researchers are sharing their findings with everybody. And that's very much like open source software. They don't call it open source software, but the mechanisms are the same. 
Everybody is doing it for their own good, but by sharing it, they multiply the value of what they did, and it speeds up innovation, so that it outperforms anything done in a closed laboratory or a closed source company. So it's wonderful to have been part of the open source revolution because it is spawning so many other initiatives and phenomena on a societal level. And this is just the beginning. It will go into politics, it will go into news, it will go into the assessment of fake news. Reddit is completely self moderate. They don't hire the moderators. The moderators are provided by the community and they self moderate. And understanding how to self govern, self moderate, at very large scale. That's the key to success in many areas. So, open source software is enormous and yet, it's just one little part of the whole world of community driven innovation. >> Right. Such a great lesson though, because, as we think back to kind of the last kind of national rally around say, World War Two, where Kaiser started building ships, and Ford was building airplanes. And we've got some of that going on with with Elon Musk, and people building respirators and some of these physical things, but there's this whole kind of software and big data, AI, machine learning thing that's happening on the background, around the genome and in the vaccine development that's not quite as visible, but really such an important part of this battle that we haven't seen. And then, of course, the other place is no place to hide. The fact that this is happening all over the globe, at the same time to everyone, regardless of your religion, your politics, your geography. It's really a unique moment in time. Hopefully one that we're not going to... >> It could be our best hope against Coronavirus. The fact that the scientists are right now working together and sharing their findings, quickly going from one test to the next and figuring out what works. And mankind hasn't had that capacity before. 
But now we do. So, we can't know whether it will take a long time or a short time, but at least we are getting all the resources to bear and we put them together and people share. >> Right. >> Which is what's driving the innovation here. >> Right, Martin. I guess, just a last kind of topic before I let you go, kind of circling fully back to leadership. One of the comments you talked about, about these types of times really favoring the bold. I really liked that line that is, don't be scared. It's really an opportunity for the people who have it together and are making the right priorities, to shine and to really kind of rise above the fray. I wonder if you can share a little bit more your thoughts about that from a leadership point of view. It's a time of challenge, but it's really also a time of opportunity. >> I think it's exactly like you said. It's like the Stockdale paradox. Admiral Stockdale who was a prisoner of war, over seven years, and was tortured during those years. Every day, he decided to, on one hand, be ready to face any brutal reality he might face, but on the other hand, never give up hope that one day, he will come out and have no regrets, not looking back and be a free man again. And that's exactly what happened. Of course, we are not in as dire situation as he was, but society has a similar situation. That we must have the courage to face the exact brutality of and the reality of coronavirus right now, without thinking that we won't come out of it. We will absolutely come out of it. And we will come out of it with innovations and new models that will outshine whatever we had before. And we must be able to maintain this duality of, okay, I'm ready to face the reality and I'm ready to be in isolation, I'm ready to use a face mask, whatever it takes. But also, I will never give up hope about what will come once we come out of this. 
And with that mindset, as a company, as a family, an individual human being or a society, you can get through any problem. And this is what Admiral Stockdale taught us through his experience, and by sharing it with everybody. >> Well, Marten. Thank you for sharing that story, and thank you for sharing your experience and kind of your point of view. We really appreciate it. These are tough times and it's great to be able to look out to the leaders and to kind of share the burden, if you will, and hear from smart folks that have a point of view. So, thank you very much for your time. Best to your employee. Glad that person is recovering. And as you said, we will get through this and we'll come out stronger the other side. Thanks a lot. >> Absolutely. Thank you, Jeff. Good chatting with you. >> All right, thanks Marten. Jeff Rick here, signing off from the Palo Alto studios from the CUBE. Thanks for watching. We'll see you next time. (soft music) (soft music)

Published Date : Apr 2 2020



Breaking Analysis: Cyber Firms Revert to the Mean


 

(upbeat music) >> From theCube Studios in Palo Alto and Boston, bringing you data driven insights from theCube and ETR. This is Breaking Analysis with Dave Vellante. >> While by no means a safe haven, the cybersecurity sector has outpaced the broader tech market by a meaningful margin, that is up until very recently. Cybersecurity remains the number one technology priority for the C-suite, but as we've previously reported the CISO's budget has constraints just like other technology investments. Recent trends show that economic headwinds have elongated sales cycles, pushed deals into future quarters, and just like other tech initiatives, are pacing cybersecurity investments and breaking them into smaller chunks. Hello and welcome to this week's Wikibon Cube Insights powered by ETR. In this Breaking Analysis we explain how cybersecurity trends are reverting to the mean and tracking more closely with other technology investments. We'll make a couple of valuation comparisons to show the magnitude of the challenge and which cyber firms are feeling the heat, which aren't. There are some exceptions. We'll then show the latest survey data from ETR to quantify the contraction in spending momentum and close with a glimpse of the landscape of emerging cybersecurity companies, the private companies that could be ripe for acquisition, consolidation, or disruptive to the broader market. First, let's take a look at the recent patterns for cyber stocks relative to the broader tech market as a benchmark, as an indicator. Here's a year to date comparison of the BUG ETF, which comprises a basket of cyber security names, and we compare that with the tech heavy NASDAQ composite. Notice that on April 13th of this year the cyber ETF was actually in positive territory while the NAS was down nearly 14%. 
Now by August 16th, the green turned red for cyber stocks but they still meaningfully outpaced the broader tech market by more than 950 basis points as of December 2nd that Delta had contracted. As you can see, the cyber ETF is now down nearly 25%, year to date, while the NASDAQ is down 27% and change. Now take a look at just how far a few of the high profile cybersecurity names have fallen. Here are six security firms that we've been tracking closely since before the pandemic. We've been, you know, tracking dozens but let's just take a look at this data and the subset. We show for comparison the S&P 500 and the NASDAQ, again, just for reference, they're both up since right before the pandemic. They're up relative to right before the pandemic, and then during the pandemic the S&P shot up more than 40%, relative to its pre pandemic level, around February is what we're using for the pre pandemic level, and the NASDAQ peaked at around 65% higher than that February level. They're now down 85% and 71% of their previous. So they're at 85% and 71% respectively from their pandemic highs. You compare that to these six companies, Splunk, which was and still is working through a transition is well below its pre pandemic market value and 44, it's 44% of its pre pandemic high as of last Friday. Palo Alto Networks is the most interesting here, in that it had been facing challenges prior to the pandemic related to a pivot to the Cloud which we reported on at the time. But as we said at that time we believe the company would sort out its Cloud transition, and its go to market challenges, and sales compensation issues, which it did as you can see. And its valuation jumped from 24 billion prior to Covid to 56 billion, and it's holding 93% of its peak value. Its revenue run rate is now over 6 billion with a healthy growth rate of 24% expected for the next quarter. 
Similarly, Fortinet has done relatively well holding 71% of its peak Covid value, with a healthy 34% revenue guide for the coming quarter. Now, Okta has been the biggest disappointment, a darling of the pandemic. Okta's communication snafu, with what was actually a pretty benign hack, combined with difficulty absorbing its 7 billion Auth0 acquisition, knocked the company off track. Its valuation has dropped by 35 billion since its peak during the pandemic, and that's after a nice beat and bounce back quarter just announced by Okta. Now, in our view Okta remains a viable long-term leader in identity. However, its recent fiscal 24 revenue guide was exceedingly conservative at around 16% growth. So either the company is sandbagging, or has such poor visibility that it wants to be like super cautious or maybe it's actually seeing a dramatic slowdown in its business momentum. After all, this is a company that not long ago was putting up 50% plus revenue growth rates. So it's one that bears close watching. CrowdStrike is another big name that we've been talking about on Breaking Analysis for quite some time. It, like Okta, has led the industry in a key ETR performance indicator that measures customer spending momentum. Just last week, CrowdStrike announced revenue increased more than 50% but new ARR was soft and the company guided conservatively. Not surprisingly, the stock got absolutely crushed as CrowdStrike blamed tepid demand from smaller and midsize firms. Many analysts believe that competition from Microsoft was one factor along with cautious spending amongst those midsize and smaller customers. Notably, large customers remain active. So we'll see if this is a longer term trend or an anomaly. Zscaler is another company in the space that we've reported having great customer spending momentum from the ETR data. But even though the company beat expectations for its recent quarter, like other companies its outlook was conservative. 
So other than Palo Alto, and to a lesser extent Fortinet, these companies and others that we're not showing here are feeling the economic pinch and it shows in the compression of value. CrowdStrike, for example, had a 70 billion valuation at one point during the pandemic Zscaler top 50 billion, Okta 45 billion. Now, having said that Palo Alto Networks, Fortinet, CrowdStrike, and Zscaler are all still trading well above their pre pandemic levels that we tracked back in February of 2020. All right, let's go now back to ETR'S January survey and take a look at how much things have changed since the beginning of the year. Remember, this is obviously pre Ukraine, and pre all the concerns about the economic headwinds but here's an X Y graph that shows a net score, or spending momentum on the y-axis, and market presence on the x-axis. The red dotted line at 40% on the vertical indicates a highly elevated net score. Anything above that we think is, you know, super elevated. Now, we filtered the data here to show only those companies with more than 50 responses in the ETR survey. Still really crowded. Note that there were around 20 companies above that red 40% mark, which is a very, you know, high number. It's a, it's a crowded market, but lots of companies with, you know, positive momentum. Now let's jump ahead to the most recent October survey and take a look at what, what's happening. Same graphic plotting, spending momentum, and market presence, and look at the number of companies above that red line and how it's been squashed. It's really compressing, it's still a crowded market, it's still, you know, plenty of green, but the number of companies above 40% that, that key mark has gone from around 20 firms down to about five or six. And it speaks to that compression and IT spending, and of course the elongated sales cycles pushing deals out, taking them in smaller chunks. 
I can't tell you how many conversations with customers I had last week at re:Invent underscoring this exact same trend. The buyers are getting pressure from their CFOs to slow things down, do more with less and, and, and prioritize projects to those that absolutely are critical to driving revenue or cutting costs. And that's rippling through all sectors, including cyber. Now, let's do a bit more playing around with the ETR data and take a look at those companies with more than a hundred citations in the survey this quarter. So N, greater than or equal to a hundred. Now remember the followers of Breaking Analysis know that each quarter we take a look at those, what we call four star security firms. That is, those are the, that are in, that hit the top 10 for both spending momentum, net score, and the N, the mentions in the survey, the presence, the pervasiveness in the survey, and that's what we show here. The left most chart is sorted by spending momentum or net score, and the right hand chart by shared N, or the number of mentions in the survey, that pervasiveness metric. That solid red line denotes the cutoff point at the top 10. And you'll note we've actually cut it off at 11 to account for Auth0, which is now part of Okta, and is going through a go to market transition, you know, with the company, they're kind of restructuring sales so they can take advantage of that. So starting on the left with spending momentum, again, net score, Microsoft leads all vendors, typical Microsoft, very prominent, although it hadn't always done so, it, for a while, CrowdStrike and Okta were, were taking the top spot, now it's Microsoft. CrowdStrike, still always near the top, but note that CyberArk and Cloudflare have cracked the top five and Okta, which as I just said was consistently at the top, has dropped well off its previous highs. 
You'll notice that Palo Alto Networks with a 38% net score, just below that magic 40% number, is healthy, especially as you look over to the right hand chart. Take a look at Palo Alto with an N of 395. It is the largest of the independent pure play security firms, and has a very healthy net score, although one caution is that net score has dropped considerably since the beginning of the year, which is the case for most of the top 10 names. The only exception is Fortinet, they're the only ones that saw an increase since January in spending momentum as ETR measures it. Now this brings us to the four star security firms, that is those that hit the top 10 in both net score on the left hand side and market presence on the right hand side. So it's Microsoft, Palo Alto, CrowdStrike, Okta, still there even not accounting for Auth0, just Okta on its own. If you put in Auth0, it's, it's even stronger. Adding then in Fortinet and Zscaler. So Microsoft, Palo Alto, CrowdStrike, Okta, Fortinet, and Zscaler. And as we've mentioned since January, only Fortinet has shown an increase in net score since, since that time, again, since the January survey. Now again, this talks to the compression in spending. Now one of the big themes we hear constantly in cybersecurity is the market is overcrowded. Everybody talks about that, me included. The implication there, is there's a lot of room for consolidation and that consolidation can come in the form of M&A, or it can come in the form of people consolidating onto a single platform, and retiring some other vendors, and getting rid of duplicate vendors. We're hearing that as a big theme as well. Now, as we saw in the previous, previous chart, this is a very crowded market and we've seen lots of consolidation in 2022, in the form of M&A. Literally hundreds of M&A deals, with some of the largest companies going private. 
SailPoint, KnowBe4, Barracuda, Mandiant, Fedora, these are multi billion dollar acquisitions, or at least billion dollars and up, and many of them multi-billion, for these companies, and hundreds more acquisitions in the cyberspace. Now, lest you think the pond is overfished, here's a chart from ETR of emerging tech companies in the cyber security industry. This data comes from ETR's Emerging Technologies Survey, ETS, which is this diamond in a rough that I found a couple quarters ago, and it's ripe with companies that are candidates for M&A. Many would've liked, many of these companies would've liked to, gotten to the public markets during the pandemic, but they, you know, couldn't get there. They weren't ready. So the graph, you know, similar to the previous one, but different, it shows net sentiment on the vertical axis and that's a measurement of, of, of intent to adopt against a mind share on the X axis, which measures, measures the awareness of the vendor in the community. So this is specifically a survey that ETR goes out and, and, and fields only to track those emerging tech companies that are private companies. Now, some of the standouts in mind share, are OneTrust, BeyondTrust, Tanium and Endpoint, Netskope, which we've talked about in previous Breaking Analysis. 1Password, which has been acquisitive on its own. In identity, the managed security service provider, Arctic Wolf Network, a company we've also covered, we've had their CEO on. We've talked about MSSPs as a real trend, particularly in small and medium sized business, we'll come back to that, Snyk, you know, kind of high flyer in both app security and containers, and you can just see the number of companies in the space this huge and it just keeps growing. Now, just to make it a bit easier on the eyes we filtered the data on these companies with those, and isolated on those with more than a hundred responses only within the survey. And that's what we show here. 
Some of the names that we just mentioned are a bit easier to see, but these are the ones that really stand out in ETR's ETS survey of private companies, OneTrust, BeyondTrust, Tanium, Netskope, which is in Cloud, 1Password, Arctic Wolf, Snyk, BitSight, SecurityScorecard, HackerOne, Code42, and Exabeam, and Sim. All of these hit the ETS survey with more than a hundred responses by, by the IT practitioners. Okay, so these firms, you know, maybe they do some M&A on their own. We've seen that with Snyk, as I said, 1Password has been acquisitive, as have others. Now these companies with the larger footprint, these private companies, will likely be candidates for both buying companies and eventually going public when the markets settle down a bit. So again, no shortage of players to affect consolidation, both buyers and sellers. Okay, so let's finish with some key questions that we're watching. CrowdStrike in particular on its earnings calls cited softness from smaller buyers. Is that because these smaller buyers have stopped adopting? If so, are they more at risk, or are they tactically moving toward the easy button, aka, Microsoft's good enough approach. What does that mean for the market if smaller company cohorts continue to soften? How about MSSPs? Will companies continue to outsource, or pause on that, as well as try to free up, to try to free up some budget? Adam Selipsky at re:Invent last week said, "If you want to save money the Cloud's the best place to do it." Is the cloud the best place to save money in cyber? Well, it would seem that way from the standpoint of controlling budgets with lots of, lots of optionality. You could dial up and dial down services, you know, or does the Cloud add another layer of complexity that has to be understood and managed by Devs, for example? 
Now, consolidation should favor the likes of Palo Alto and CrowdStrike, 'cause they're platform players, and some of the larger players as well, like Cisco, how about IBM and of course Microsoft. Will that happen? And how will economic uncertainty impact the risk equation, a particular concern is increase of attacks on vulnerable sectors of the population, like the elderly. How will companies and governments protect them from scams? And finally, how many cybersecurity companies can actually remain independent in the slingshot economy? In so many ways the market is still strong, it's just that expectations got ahead of themselves, and now as earnings forecast come, come, come down and come down to earth, it's going to basically come down to who can execute, generate cash, and keep enough runway to get through the knothole. And the one certainty is nobody really knows how tight that knothole really is. All right, let's call it a wrap. Next week we dive deeper into Palo Alto Networks, and take a look at how and why that company has held up so well and what to expect at Ignite, Palo Alto's big user conference coming up later this month in Las Vegas. We'll be there with theCube. Okay, many thanks to Alex Myerson on production and manages the podcast, Ken Schiffman as well, as our newest addition to our Boston studio. Great to have you Ken. Kristin Martin and Cheryl Knight help get the word out on social media and in our newsletters. And Rob Hof is our EIC over at Silicon Angle. He does some great editing for us. Thank you to all. Remember these episodes are all available as podcasts. Wherever you listen, just search Breaking Analysis podcast. I publish each week on wikibon.com and siliconangle.com, or you can email me directly David.vellante@siliconangle.com or DM me @DVellante, or comment on our LinkedIn posts. Please do check out etr.ai, they got the best survey data in the enterprise tech business. This is Dave Vellante for theCube Insights powered by ETR. 
Thanks for watching, and we'll see you next time on Breaking Analysis. (upbeat music)

Published Date : Dec 5 2022


Nick Mehta, Gainsight | CUBE Conversation, April 2020


 

>> Announcer: From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE conversation. >> Hey, welcome back, everybody. Jeff Frick with theCUBE. We're in our Palo Alto Studios on this kind of continuing leadership series that we've put together. Reaching out to the community for tips and tricks on kind of getting through what is, this kind of ongoing COVID crisis and situation as it continues to go weeks and weeks and weeks. And I'm really excited to have one of my favorite members of our community, is Nick Mehta, the CEO of Gainsight. Had the real pleasure of interviewing him a couple times and had to get him on. So Nick, thanks for taking some time out of your very busy day to join us. >> Jeff, honored to be here, thank you. >> Pleasure, so let's just jump into it. One of the reasons I wanted to get you on, is that Gainsight has been a distributed company from the beginning, and so I think the COVID, suddenly everyone got this work from home order, there was no prep, there was no planning, it's like this light switch digital transformation moment. So love to hear from someone who's been doing it for awhile. What are some of the lessons? How should people think about running a distributed company? >> Yeah, it's really interesting, Jeff, 'cause we are just by happenstance, from the beginning, distributed where we have, our first two offices were St. Louis and Hyderabad, India. So two places you cannot get there through one flight. So, you have to figure out how to collaborate asynchronously and then over time, we have offices in the Bay Area. We have tons of people that work from home. And so we try to tell people we don't have a headquarters. The headquarters is wherever you are, wherever you live and wherever you want to work. And so we've always been super flexible about come in to the office if you want, don't come in, et cetera. So different than some companies in that respect. 
And because of that, pre-COVID, we always a very heavy video culture, lots of video conferencing. Even if some people were in an office, there's always somebody else dialing in. One benefit we got from that is you never had to miss your kids' stuff or your family things. I would go to my daughter's performance in the middle of the day and know I can just dial into a call on the way there. And so we always had that. But what's amazing is now we're all on a level playing field, there's nobody in our office. And I got to say, this is, in some ways, even better 'cause I feel like when you're the person dialed in, and a lot of people are in a room, you probably had that experience, and it feels like you're kind of not on the same playing field, right? Hard to hear the jokes or the comments and you might not feel like you're totally in crowd, so to speak, right? But now everyone's just at their computer, sitting there in a chair all day doing these Zooms and it does feel like it's equalizing a little bit. And what it's caused us to do is say, hey, what are ways we can all recreate that community from home? So as an example, every 7:45 a.m. every day, we have a Zoom call that's just pure joy and fun. Trivia, pets, kids. The employees' kids announce people's birthdays and the weather. And so these ways we've been able to integrate our home and our work that we never could before, it's really powerful. It's a tough situation overall, and we feel for all the people affected. But even in tough situations, there are silver linings, and we're finding 'em. >> Yeah, it's funny, we just had Darren Murph on the other day. I don't know if you know Darren. He is the head of Remote Work at GitLab, and he-- >> Oh, yeah. >> And he talked about kind of the social norms. And one of the instances that he brought up was, back in the day when you had some people in the office, some people joining via remote, that it is this kind of disharmony because they're very different situations. 
So one of his suggestions was have everybody join via their laptop, even if they're sitting at their desk, right? So, as you said, you get kind of this level playing field. And the other thing which dovetails off what you just said is he always wanted executives to have a forcing function to work from home for an extended period of time, so they got to understand what it's all about. And it's not only looking through a little laptop or this or that, but it's also the distractions of the kids and the dogs and whatever else is happening around the house. So it is wild how this forcing function has really driven it. And his kind of takeaway is, as we, like say, move from can we get it into cloud to cloud first? And does it work on mobile to mobile first? >> Now it's really-- >> Yeah. >> It's really remote first. And if you-- >> Remote first. >> A remote first attitude about it and kind of turn it on it's head, it's why shouldn't it be remote versus can it be remote? It really changes the conversation and the dynamic of the whole situation. >> I love that. And just, GitLab, by the way, has been a true inspiration 'cause they are the most remote, remote company. And they share so much, I love what you said. As just two examples of reacting to what you said, pre-COVID, we always wanted to keep a level playing field. So we actually moved our all-hands meetings to be instead of being broadcast from one room, and you're kind of seeing this small screen with all these people, we all just were at computers presenting. And so everyone's on a level playing field. So I thought what GitLab said is great. And then the other point, I think post-COVID we have learned is the kids and the dogs aren't distractions, they're part of our life. And so embracing those and saying, hey, I see that kid in the background, bring them onto the screen. Even during work meetings, even customer meetings, you know? 
And I'm seeing, I'm on a customer meeting and the customer's bringing their kids onto the screen and it's kind of breaking this artificial wall between who we are at home and who we are at work 'cause we're human beings all throughout. At Gainsight, we talk about a human first approach to business and we've never been more human as a world than we are right now. >> Love it, love it. So another, get your thoughts on, is this whole idea of measurement and productivity at home. And it's really, I have to say, disturbing to see some of the new product announcements that are coming out in terms of people basically snoopin' on people. Whether it's trackin' how many hours of Zoom calls they're on, or how often are they in the VPN, or having their camera flip on every so many minutes or something. We had Marten Mickos on, who's now the CEO of HackerOne. He was CEO at MySQL years ago before it went to Sun and he had the great line, he said, it's so easy to fake it at the office, but when you're at home and your only output is your deliverable, it makes it a lot easier. So I wonder if you can share some of your thoughts in terms of kind of managing output, setting expectations, to get people to get their work done. And then, as you see some of these new tools for people that are just entering this thing, it's just not right (chuckles). >> Yeah, I agree with you and Marten. I'm a huge fan of Marten, as well, I totally agree with both of it. And I think there's an older approach to work, which is more like a factory. It's like you got to see how many widgets you're processing and you got to micromanage and you got to monitoring and inspecting. Look, I don't run a factory, so maybe there are places where that model makes sense. So I'm not going to speak for every leader, but I could say if you're in a world where your job is information, services, software, where the value is the people and their knowledge, managing them that way is a losing battle. 
I go back to, some folks probably know, this famous TED Talk by Dan Pink on basically what motivates people. And in these knowledge worker jobs, it's autonomy, mastery and purpose. So autonomy, we have the freedom to do what we want. Mastery, we feel like we're getting better at jobs. And purpose, which is I have a why behind what I do. And I think, take that time you spend on your micromanagement and your Zoom, analyzing the Zoom sessions, and spend it on inspiring your team, on the purpose. Spend it on enabling your team in terms of mastery. Spend it on taking away barriers so they have more autonomy. I think you'll get way more out of your team. >> Yeah, I agree. I think it's, as Darren said, again, he's like, well, would you trust your people if you're on the fourth floor and they're on the sixth? So just-- >> Yeah, exactly. >> If you don't trust your people, you got a bigger issue than worrying about how many hours they're on Zoom, which is not the most productive use of time. >> People waste so much time in the office, and getting to the office. And by the way, I'm not saying that it's wrong, it's fine too. But it's not like the office is just unfettered productivity all the time, that's a total myth. >> Yes, so let's shift gears a little bit and talk about events. So, obviously, the CUBE's in the event business. We've had to flip completely 'cause all the events are, well, they're all going digital for sure, and/or postponing it or canceling. So we've had to flip and do all dial-ins and there's a whole lot of stuff about asynchronous. But for you, I think it's interesting because as a distributed company, you had Gainsight Pulse as that moment to bring people together physically. You're in the same boat as everybody else, physical is not an option this year. So how are you approaching Gainsight Pulse, both because it's a switch from what you've done in the past, but you at least had the benefit of being in a distributed world? 
So you probably have a lot of advantages over people that have never done this before. >> Yeah, that's a really interesting, insightful observation. So just for a context, Pulse is an event we do every year to bring together the customer success community. 'Cause, as you observed, there is value in coming together. And so this is not just for our employees, this is for all the customer success people, and actually increasingly product management people out there, coming together around this common goal of driving success for your customers. And it started in 2013 with 300 people, and last year, we had 5,000 people at our event in San Francisco. We had similar events in London and Sydney. And so it's a big deal. And there's a lot of value to coming together physically. But obviously, that's not possible now, nor is it advisable. And we said, okay, how do we convert this and not lose what's special about Pulse? And leverage, like you said, Jeff, the fact that we're good at distributed stuff in general. And so we created what we call Pulse Everywhere. We didn't want to call it Pulse Virtual or something like that, Pulse Webinar, because we didn't want to set the bar as just like, oh, my virtual event, my webinar. This is something different. And we called it Everywhere, 'cause it's Pulse wherever you are. And we joke, it's in your house, it's in your backyard, it's on the peloton, it's walking the dog. You could be wherever you are and join Pulse this year, May 13th and 14th. And what's amazing is last year we had 5,000 people in person, this year we already have 13,000 people registered as of the end of April. And so we'll probably have more than three times the number of people at Pulse Everywhere. And we're really bringing that physical event concept into the virtual, literally with, instead of a puppy pit, where you're in a physical event, you'll bring puppies often, we have a puppy cam where you can see the puppies. 
We're not giving up on all of our silly music videos and jokes and we actually ship cameras and high-end equipment to all the speakers' houses. So they're going to have a very nice digital experience, our attendees are. It's not going to be like watching a video conference call. It's going to be like watching a TV show, one much like what you try to do here, right? And so we have this amazing experience for all of our presenters and then for the audience. And we're really trying to say how do we make it so it feels like you're in this really connected community? You just happen to not be able to shake people's hands. So it's coming up in a few weeks. It's a big experiment, but we're excited about it. >> There's so many conversations, and we jumped in right away, when this was all going down, what defines a digital event? And like you, I don't like the word virtual. There's nothing fake or virtual. To me, virtual's second to life. And kind of-- >> Yeah. >> Video game world. And like you, we did, it can't be a webinar, right? And so, if you really kind of get into the attributes of what is a webinar? It's generally a one-way communication for a significant portion of the allocated time and you kind of get your questions in and hopefully they take 'em, right? It's not a truly kind of engaged process. That said, as you said, to have the opportunity to separate creation, distribution and consumption of the content, now opens up all types of opportunity. And that's before you get into the benefits of the democratization, as you said, we're seeing that with a lot of the clients we work with. Their registration numbers are giant. >> Totally. >> Because-- >> You're not traveling to spend money, yeah. >> It'll be curious to see what the conversion is and I don't know we have a lot of data there. But, such a democratizing opportunity. And then, you have people that are trying to force, as Ben Nelson said on, you know Ben from Minerva, right? 
A car is not a mechanical horse, they're trying to force this new thing into this old paradigm and have people sit for, I saw one today, 24 hours, in front of their laptop. It's like a challenge. And it's like, no, no, no. Have your rally moment, have your fun stuff, have your kind of your one-to-many, but really there's so much opportunity for many-to-many. >> Many-to-many. >> Make all the content out there, yeah. >> We've created this concept in this Pulse Everywhere event called Tribes. And the idea is that when you go to an event, the goal is actually partially content, but a lot of times it's connection. And so in any given big event, there's lots of little communities out there and you want to meet people "like you". Might be people in a similar phase of their career, a similar type of company, in our case, it could be companies in certain industry. And so these Tribes in our kind of Pulse Everywhere experience, let people break out into their own tribes, and then kind of basically chat with each other throughout the event. And so it's not the exact same thing as having a drink with people, but at least a little bit more of that serendipitous conversation. >> Right, no, it's different and I think that's really the message, right? It's different, it's not the same. But there's a lot of stuff you can do that you can't do in the physical way, so quit focusing on what you can't do and embrace what you can. So that's great. And good luck on the event. Again, give the plug for it. >> Yeah, it's May 13th and 14th. If you go to gainsightpulse.com you can sign up, and it's basically anything related to driving better success for your customers, better retention, less churn, and better product experience. It's a great event to learn. >> Awesome, so I want to shift gears one more time and really talk about leadership. That's really kind of the focus of this series that we've been doing. And tough times call for great leadership. 
And it's really an opportunity for great leaders to show their stuff and let the rest of us learn. You have a really fantastic style. You know I'm a huge fan, we're social media buddies. But you're very personable and you're very, kind of human, I guess, is really the best word, in your communications. You've got ton of frequency, ton of variety. But really, most of it has kind of this human thread. I wonder if you can share kind of your philosophy behind social, 'cause I think a lot of leaders are afraid of it. I think they're afraid that there is reward for saying something stupid is not worth the benefit of saying okay things. And I think also a lot of leaders are afraid of showing some frailty, showing some emotion. Maybe you're a little bit scared, maybe we don't have all the answers. And yet you've really, you're not afraid at all. And I think it's really shines in the leadership activities and behaviors and things you do day in and day out. So how do you think about it? What's your strategy? >> Yeah, it's really interesting you ask, Jeff, because I'm in a group of CEOs that get together on a regular basis, and I'm going to be leading a session on social media for CEOs. And honestly, when I was putting it together, I was like, it's 2020, does that still need to exist? But somehow, there is this barrier. And I'll talk more about it, but I think the barrier isn't just about social media, it's just about how a CEO wants to present herself or himself into the world. And I think, to me, the three things to ask yourself are, first of all, why? Why do you want to be on social media? Why do you want to communicate to the outside? You should have a why. Hopefully you enjoy it, but also you're connecting from a business perspective with your customers. And for us, it's been a huge benefit to really be able to connect with our customers. And then, who are you targeting? So, I actually think an important thing to think about is it's okay to have a micro-audience. 
I don't have millions of Twitter followers like Lady Gaga, but within the world of SaaS and customer success and retention, I probably have a decent number. And that means I can really connect with my own specific audience. And then, what. So, the what is really interesting 'cause I think there's a lot of non-obvious things about, it's not just about your business. So I can tweet about customer success or retention and I do, but also the, what, about you as an individual, what's happening in your family? What's happening in the broader industry, in my case of SaaS? What's happening in the world of leading through COVID-19? All the questions you've asked, Jeff, are in this lens. And then that gets you to the final which is the, how. And I think the, how, is the most important. It's basically whether you can embrace the idea of being vulnerable. There's a famous TED Talk by Brene Brown. She talks about vulnerability is the greatest superpower for leaders. I think the reason a lot of people have a hard time on social media, is they have a hard time really being vulnerable. And just saying, look, I'm just a human being just like all of you. I'm a privileged human being. I have a lot of things that luckily kind of came my way, but I'm just a human being. I get scared, I get anxious, I get lonely, all those things. Just like all of you, you know. And really being able to take off your armor of, oh, I'm a CEO. And then when you do that, you are more human. And it's like, this goes back to this concept of human first business. There's no work persona and home persona, there's just you. And I think it's surprising when you start doing it, and I started maybe seven, eight, nine years ago, it's like, wow, the world wants more human leaders. They want you to just be yourself, to talk about your challenges. I had the kids, when we got to 13,000 registrations for Pulse Everywhere, they pied me in the face. And the world wants to see CEOs being pied in the face. 
Probably that one, for sure, that's a guaranteed crowd pleaser. CEOs being pied in the face. But they want to see what you're into outside of work and the pop culture you're into. And they want to see the silly things that you're doing. They want you to be human. And so I think if you're willing to be vulnerable, which takes some bravery, it can really, really pay off for your business, but I think also for you as a person. >> Yeah, yeah. I think it's so insightful. And I think people are afraid of it for the wrong reasons, 'cause it is actually going to help people, it's going to help your own employees, as well, get to know you better. >> Totally, they love it. >> And you touched on another concept that I think is so important that I think a lot of people miss as we go from kind of the old broadcast world to more narrow casting, which is touching your audience and developing your relationship with your audience. So we have a concept here at theCUBE that one is greater than 1% of 100. Why go with the old broadcast model and just spray and you hope you have these really ridiculously low conversion rates to get to that person that you're trying to get to, versus just identifying that person and reaching out directly to those people, and having a direct engagement and a relative conversation within the people that care. And it's not everybody, but, as you said, within the population that cares about it it's meaningful and they get some value out of it. So it's a really kind of different strategy. So-- >> I love that. >> You're always get a lot of stuff out, but you are super prolific. So you got a bunch of projects that are just hitting today. So as we're getting ready to sit down, I see you just have a book came out. So tell us a little bit about the book that just came out. >> Sure, yeah, it's funny. I need to get my physical copy too at my home. I've got so a few, just for context. 
Five years ago, we released this first book on "Customer Success" which you can kind of see here. It's surprising really, really popular in this world of SaaS and customer success and it ties, Jeff, to what you just said which is, you don't need to be the book that everyone in the world reads, you need to be the book that everyone in your world reads. And so this book turned out to be that. Thousands of company management teams and CEOs in software and SaaS read it. And so, originally when this came out, it was just kind of an introduction to what we call customer success. Basically, how do you retain your customers for the long-term? How do you get them more value? And how do you get them to use more of what they've bought and eventually spend more money with you? And that's a mega-trend that's happening. We decided that we needed an update. So this second book is called "Customer Success Economy." It just came out, literally today. And it's available on Amazon. And it's about the idea that customer success started in tech companies, but it's now gone into many, many industries, like healthcare, manufacturing, services. And it started with a specific team called the customer success management team. But now it's affecting how companies build products, how they sell, how they market. So it's sort of this book is kind of a handbook for management teams on how to apply customer success to your whole business and we call it "Customer Success Economy" 'cause we do think the future of the economy isn't about marketing and selling transactional products, but it's about making sure what your customers are buying is actually delivering value for them, right? That's better for the world, but it's also just necessary 'cause your customers have the power now. You and I have the power to decide how to transport ourselves, whether it's buying a car or rideshare, in the old world when we could leave our house. 
And we have the power to decide how we're going to stay in a city, whether it's a hotel or Airbnb or whatever. And so customers have the power now, and if you're not driving success, you're not going to be able to keep those customers. And so "Customer Success Economy" is all about that. >> Yeah, and for people that aren't familiar with Gainsight, obviously, there's lots of resources that they can go. They should go to the show in a couple weeks, but also, I think, the interview that we did at PagerDuty, I think you really laid out kind of a great definition of what customer success is. And it's not CRM, it has nothing to do with CRM. CRM is tracking leads and tracking ops. It's not customer success. So, people can also check that. But I want to shift gears again a little bit because one, you also have your blog, MehtaPhysical, that came out. And you just came out again recently with a new post. I don't know when you, you must have a army of helper writers, but you talk about something that is really top of mind right now. And everyone that we get on theCUBE, especially big companies that have the benefit of a balance sheet with a few bucks in it, say we want to help our customers, we want to help our people be safe, obviously, that's first. But we also want to help our customers. But nobody ever really says what exactly does that mean? And it's pretty interesting. You lay out a bunch of things that are happening in the SaaS world, but I jumped on, I think it's number 10 of your list, which is how to think about helping your customers. And you give some real specific kind of guidance and guidelines and definitions, if you will, of how do you help our customers through these tough times. >> Yeah, so I'll summarize for the folks listening. One of the things we observed is, in this terrible tough times right now, your customers are in very different situations. And for simplicity, we thought about three categories. 
So the companies that we call category one, which are unfortunately, adversely affected by this terrible crisis, but also by the shutdown itself, and that's hotels, restaurants, airlines, and you can put other folks in that example. What do those customers need? Well, they probably need some financial relief. And you have to figure out what you're going to do there and that's a hard decision. And they also just need empathy. It's not easy and the stress level they have is massive. Then you've got, on the other extremes, a small number of your customers might be doing great despite this crisis or maybe even because of it, because they make video conferencing technology or remote work technology, or they make stuff for virtual or telemedicine. And those folks actually are likely to be super busy because they're just trying to keep up with the demand. So what they need from you is time and help. And then you got the people in between. Most companies, right, where there may be a mix of some things going well, some don't. And so what we recommended is think about your strategy, not just inside out, what you want, but outside in, what those clients need. And so as an example, you might think about in that first category, financial relief. The second category, the companies in the middle, they may need, they may not be willing to spend more money, but they may want to do more stuff. So maybe you unlock your product, make it available, so they can use everything in your suite for a while. And maybe in that third category, they're willing to spend money, but they're just really busy. So maybe you offer services for them or things to help them as they scale. >> Yeah, so before I let you go, I just want to get your reaction to one more great leader. And as you can tell, I love great leaders and studying great leaders. 
Back when I was in business school we had Dave Pottruck, who at that time was the CEO of Schwab, come and speak and he's a phenomenal speaker and if you ever get a chance to see him speak. And at that point in time, Schwab had to reinvent their business with online trading and basically kill their call-in brokerage for online brokerage, and I think that they had a fixed price of 19.99, whatever it was. This was back in the late 90s. But he was a phenomenal speaker. And we finished and he had a small dinner with a group of people, and we just said, David, you are a phenomenal speaker, why, how, why're you so good? And he goes, you know, it's really pretty simple. As a CEO, I have one job. It's to communicate. And I have three constituencies. I kind of have the street and the market, I have my internal people, and then I have my customers and my ecosystem. And so he said, I, and he's a wrestler, he said, you know I treated it like wrestling. I hired a coach, I practiced my moves, I did it over and over, and I embraced it as a skill and it just showed so brightly. And it's such a contrast to people that get wrapped around the axle with their ego, or whatever. And I think you're such a shiny example of someone who over communicates, arguably, in terms of getting the message out, getting people on board, and letting people know what you're all about, what the priorities are, and where you're going. And it's such a sheer, or such a bright contrast to the people that don't do that that I think is so refreshing. And you do it in a fun and novel and in your own personal way. >> That's awesome to hear that story. He's a inspirational leader, and I've studied him, for sure. But I hadn't heard this specific story, and I totally agree with you. Communication is not something you're born with. Honestly, you might know this, Jeff, or not, as a kid, I was super lonely. I didn't really have any friends and I was one of those kids who just didn't fit in. 
So I was not the one they would pick to be on stage in front of thousands of people or anything else. But you just do it over and over again and you try to get better and you find, I think a big thing is finding your own voice, your own style. I'm not a super formal style, I try to be very human and authentic. And so finding your style that works for you, I agree, it's completely learnable. >> Yeah, well, Nick, thank you. Thanks for taking a few minutes. I'm sure you're super, super busy getting ready for the show in a couple weeks. But it's always great to catch up and really appreciate you taking some time to share your thoughts and insights with us. >> Thank you, Jeff, it's an honor. >> All right, he's Nick Mehta, I'm Jeff Frick. You're watching theCUBE. Thanks for watching, we'll see you next time. (soft music)

Published Date : Apr 30 2020


Paul Makowski


 

(digital music) >> Welcome, everyone. Donald Klein here with CUBE Conversations, coming to you from our studios at theCUBE, here in Palo Alto, California. And today I'm fortunate enough to be joined by Paul Makowski, CTO of PolySwarm. PolySwarm is a fascinating company that plays in the security space, but is also part of this emerging block chain and token economy. Welcome, Paul. >> Thank you, thank you for having me. >> Great, so why don't we just start and give everybody an understanding of what PolySwarm does and how you guys do it? >> Sure, so PolySwarm is a new effort (audio fading in and out) to try to fix the economics around how threat (missing audio) >> Donald: Okay. >> So, we see a lot of shortcomings with (audio fading in and out) I think it's more of a economic concern rather than (missing audio) (laughs) Rather than a concern regarding (missing audio) >> Donald: Okay. >> So, what PolySwarm is (missing audio) and change how (missing audio) >> Okay. >> So, it is a blockchain project (missing audio) will govern tomorrow's threat-intelligence base and perhaps, ideally, generate better incentives (missing audio) >> Okay, so, generally if I'm understanding right, you're playing in this threat-intelligence area, which is commonly known as bug-bounties. Correct, yeah? But you guys have kind of taken this in a new direction. Why don't you just explain to me kind of where this threat-intelligence distributed economy has been and where you see it going in the future. >> Sure, so bug bounties are, we had spoke earlier about HackerOne, for example. Bug bounties are an effort to identify vulnerabilities, and open vulnerability reports to arbitrary people across the internet. And incentivize people to secure products on behalf of the product owner. >> So, I can be an independent developer, and I find a vulnerability in something, and I submit it to one of these platforms, and then I get paid or rewarded for this. 
>> Yeah, and so the likes of HackerOne is a player in the space that conducts these bug bounties on behalf of other enterprises. >> Donald: Got it. >> Large enterprises such as Google and Microsoft and Apple, even, run their own bug bounties directly. >> Donald: Interesting. >> But, there's also these centralized middle men, the likes of HackerOne. Now, PolySwarm is a little bit different. We've discussed perhaps distributing the bug bounty space, but what we're focusing on right now at PolySwarm 1.0 is really just determining whether or not files, URLs, network graphics are either malicious or benign. >> Donald: Interesting. >> There's this boolean determination to start with, and then we're going to expand from there to metadata concerning, perhaps, the malware family of an identified malicious file. And then from there we'd also like to get into the bug bounty space. >> Okay. >> So, by PolySwarm being a fully decentralized market, us, as Swarm Technologies, will not be the middle man. We will not be in the middle of these transactions. We think that is going to make everything a bit more efficient for all the players on the market. And will best offer precision reward to be both accurate and timely in threat-intelligence. >> Interesting, okay, alright so I want to talk to you just a little bit more, because not everybody out there may be fully familiar with how a kind of decentralized app works. Talk to us a little bit about how blockchain fits in, how smart contracts fit in, and maybe just a little about, like, if I were to work on the PolySwarm platform, would I set up my own smart contract? Would somebody set it up for me? How would that work? >> Great question. So, in general, we see smart contracts as a new way to literally program a market. And I think this concept is applicable to a lot of different spaces. My background and the PolySwarm team background is in information (missing audio). >> Donald: Okay. 
>> So, we're applying smart contracts and market design specifically to a problem area that we are experts in. >> Okay, and what kind of smart contracts are these? What platform are you running on? >> We're running on Ethereum. We had previously discussed possibly expanding to Bezos, although there are perhaps some reasons not to do that anymore right now. But yeah, on Ethereum, we've been publishing our proof of concept code for our smart contracts right now which is available on github.com/polyswarm. More directly to your question concerning developing applications that plug into our platform or plug in to any platform, we've also released an open-source framework called Perigord. Which is a framework for developing Ethereum distributed applications using Go, which is a language developed by Google. So, I hope that answers a little bit, but >> So, you're really pioneering this whole world of moving to a decentralized, distributed app framework. >> Yeah, so, we're not the first people in this space, but we are expanding the ease of development to the Go language space, away from strictly programming in JavaScript. A lot of distributed applications today are programmed in JavaScript. And there's pros and cons to each language, but we're hoping to get the Go language engaged a little more. >> So, let's go back now around to the people that are going to be participating in this marketplace, right. You were talking about unlocking the economic potential that's latent out there. Talk a little bit more about that. >> Exactly, so we had spoken a little bit ago about HackerOne, and one of the things that I think is really cool about HackerOne is the fact that it's offered globally. What makes that really cool is that HackerOne gets a lot of great submissions from people in locales that may not indigenously offer sufficient jobs for the amount of talent that the local economies are producing. So, that's a sort of latent talent. 
HackerOne is particularly popular in India, China, Eastern European countries, we'd like to also direct that talent toward solving the threat intelligence problem, namely accurately and timely identifying threats in files or graphic files. So, we'd like to-- We are operating in a eight and a half billion dollar per year space, the antivirus space, and we'd like to unlock this latent talent to broaden what threats are detected and how effectively enterprises defend themselves through a crowdsourced contributed manner that will cover more of the threats. >> Interesting, and so why don't you just talk a little about URLs and why those are important. We've seen a lot of hacks in the news recently, people going to sign up for a token sale and then being rerouted to the wrong place, et cetera. So, talk about malicious URLs. I think that might be an interest for people. >> Sure, everyone is trying to determine what URLs are malicious. Google has built into Chrome their safe browsing program that's also present in Firefox, Microsoft in some equivalent. Everyone's trying to determine and prevent people from being phished. You mentioned there were a few ICOs in this space that unfortunately had their websites hacked and their Ethereum contribution address changed, the hackers made off with some money. What PolySwarm does at a base level is it creates a market for security experts, again, around the world, to effectively put their money where their mouth is and say I think to the tune of 10 Nectar, for example, Nectar is the name of the PolySwarm note, that this URL or this file is malicious or benign. And those funds are escrowed directly into the smart contracts that constitute PolySwarm. And at a later time, the security experts who are right, receive the escrowed rewards from the security experts who were wrong. So, it's this feedback loop. >> It sounds like participants are kind of betting on both sides of whether something's malicious or not? >> Yeah, in effect. 
Legally, I definitely wouldn't say betting. (laughs) But it's >> Donald: Fair enough. >> The correct answer is there, right? The way that PolySwarm works is an enterprise has a suspect file or URL and decides to swarm it and what they do on the backend for that is they can either directly post this file or URL to the network, the network being the Ethereum blockchain. Everyone that's watching it and is cognizant of PolySwarm will be aware that there's a suspect file that perhaps I want to decide whether or not it's malicious as a security expert. Again, around the world, security experts will make that decision. If this is a particular file that I think I have insight into, as a security expert, then I might put up a certain amount of Nectar because I believe it is one way or the other. The reason why I say it's more of a-- The correct answer is in the file, right? It is in fact either malicious or benign. But what PolySwarm's economic reward is both timeliness and accuracy in determining that mal intent, whether or not that file is (missing audio). >> Interesting. And so the use of the smart contract is pretty novel here, right? Because the smart contracts then execute and distribute the bounties directly to the participants based on answer, is that right? >> That's correct. And that's the real key part. That eliminates the middle man in this space. A lot of the talk around blockchain in general is about restlessness, about not having middle men. In PolySwarm the core smart contract, again which are on github.com/polyswarm, they are able to actually hold escrowed upon. Though we're not in the middle and those escrowed funds are released to people who effectively get it right through the cost of people who got it wrong. So, we think >> And this is all automated through the system? >> This is all automated through the system. 
If I could take a step back real quick here, some of the shortcomings we're trying to address in today's market are if you imagine a Venn diagram, there's a rectangle that has all of the different threats in this space and you have large circles that cover portions of the Venn diagram and those large circles are today's large antivirus companies. Those circles overlap substantially. And the reason for that is pretty straightforward. Did you hear about perhaps WannaCry? It was a ransomware-- >> Absolutely, absolutely. >> If you're an antivirus company and you're not cognizant, you're not detecting WannaCry, then it's real easy to write you off. But the difficulty there is on the backend what that incentivizes is a lot of security companies doing duplicated work trying to detect the same threat. So there's a little bit of a clumpiness, there's a little bit of overlap, in what they detect and further it's very difficult although we've been speaking with people at those companies. They're always interested in the latest threat and uniquely detecting things, but it's sometimes very difficult to make Dell's argument that hey I detect this esoteric family of power >> Donald: Malicious URL, or et cetera. >> Exactly and by the way you're also going to get hit with it. That's a very difficult argument. >> So, you're sort of addressing the underserved areas, then, within security. >> Precisely, so the way that PolySwarm will look in that Venn diagram, is instead of large, mostly overlapping ovals, we'll have thousands of micro-engines written by security experts that each find their specialty. And that together this crowdsourced intelligence will cover more. >> Interesting, very good, very good, okay. So, just last question here. Talk around a little bit of the background. How did PolySwarm come together? I know you talked about Narf Industries, et cetera. Why don't you just give us a little of the background here? 'Cause it's impressive. 
>> Sure, so again my background, and the entire PolySwarm technical team's background, is information security. We also run and work for a computer security consultancy called Narf Industries. Our more public work has been for DARPA, as of late. There was a large competition that DARPA ran called the "Cyber Grand Challenge" that was the-- they were trying to create the autonomous equivalent of a human capture the flag competition, which is a hacking competition. Anyway, we helped develop the challenges for that program and otherwise helped in that phase. So that's a public-facing project. >> And you won part of that competition, is that correct? >> Yeah, so we weren't competing in DARPA's Cyber Grand Challenge, but in the human capture the flags, we have won those. All the members of the core PolySwarm, and also Narf Industries, technical team have won DEF CON's capture the flag competition at least once. And some of us have helped run that competition. That's considered the world series of hacking (laughs). So, that's our background, and we're also all we've all previously worked directly for the U.S. government, so we're very much embedded in the cutting edge of cyber security. And, finally, the last thing I'll say, is Narf was recently awarded a contract with the Department of Homeland Security for investigating how to build confidentiality controls into a blockchain environment. The Department of Homeland Security was concerned about identity management. They wanted to apply a blockchain phase. But part of that, is obviously, you want to protect people's private information. So, how do you do that phase that, by default, is purely public. >> Got it, okay look we're going to have to end there, but let me just say, we would be remiss without mentioning the fact that your ICO's starting. When's that going to happen? >> So, we have an ICO that's going to go live February 6. Right now, we're just trying to generate buzz, talking to great people like yourself. 
After that lead up to the ICO, we'd like to encourage people to check out our website at polyswarm.io, we have a Telegram group that's growing every day. And, again, a large part of what we would be funded by this ICO to accomplish is building the community around using PolySwarm. Fortunately, again, this is our space. So, we know a lot of people in this space, but we're always happy to be meeting people, so we'd love for all your viewers to join the conversation and engage with us. Our DMs on Twitter are open, et cetera. >> Okay, we hope they do. Probably just want to make one final point is that you guys are actually publishing all your code on GitHub ahead of the ICO, right? That kind of makes you unique in a very difficult space. >> It, unfortunately, does make us unique. I wish more projects did do that. But, yes, we are publishing our code in advance of the token sale. PolySwarm, if you're familiar with the conversation between securities and utility tokens, PolySwarm is very much a utility token. People will grade Nectar, which is the name of our Token, for threat intelligence. And part of that is we want to have a usable ecosystem on day one when people buy tokens. We want to make sure that you're not investing in some future thing. Obviously we're going to improve on it, but it will be usable from day one (missing audio). >> Alright, fantastic, so thank you, Paul. I appreciate you coming in. Alright, well thanks, everyone. Thank you for watching. This is Donald Klein with CUBE Conversations coming to you from Palo Alto, California. Thank you for watching. (digital music)

Published Date : Dec 14 2017


Jono Bacon, Jono Bacon Consulting | Open Source Summit 2017


 

(quiet jazz) >> Announcer: Live from Los Angeles, it's theCUBE covering Open Source Summit North America 2017. Brought to you by the Linux Foundation and Red Hat. (upbeat techno music) >> Okay, welcome back, everyone, live in Los Angeles to theCUBE's exclusive coverage of the Open Source Summit in North America, I'm John Furrier. My cohost, Steve Miniman. Our next guest is Jono Bacon, who is the founder of Jono Bacon Consulting in the community. A great talk here-- >> Jono: Thank you. >> at Open Source Summit. Great to see you. >> Yeah, thank you for having me on. >> Congratulations on all your recent success, on the personal and business side. Congratulations, great to see you. So, bottom line, Open Source Summit is kind of powered by the Linux Foundation, but pretty significant accomplishment and State of the Union, if you will, calling an Open Source Summit, big tent event. What's your view on this? How do you explain to folks watching? Is this a new event, is it a combination of multiple events, certainly a great, great big tent, >> Jono: Yeah. >> cross pollination. Whatever you want to call it. But what is this event about? Share your opinion. >> I think it's interesting, and I don't work for the Linux Foundation, but I've worked very closely with them for a number of years. And I think what we've been seeing is that in the earlier days of open source, there was, you know, the Linux Foundation have played a fairly key role in certain specific areas. And in recent years, they've become a real center of gravity around open source in a variety of different areas, from automotive to cloud and beyond. And obviously there's a ton of events that are happening all over the world. And the open source thing I think is interesting because it's really an umbrella event that's got four other events that are part of it. 
So the event that I was running, which we launched this time around, was the Open Community Conference, which is kind of like one thread of this broader event. So one of the things I like about it is is different events from my experience draw different types of audiences. The Linux Foundation events have traditionally brought a lot of professionals who work in the industry. In a similar way, that happens at OSCON as well. But I like that the events kind of become a little bit more organized and diversified into those four areas. And I think what happens then is you get a greater bandwidth of content and discussions that go with that. >> I think it's an interesting point of these other streams, if you will, kind of going into the big tent event. It's got an ecosystem vibe to it, cause you don't want to lose the specialty of the topics and interest at the events that matter for the audiences on a content basis and face-to-face communications. But it's interesting that they're taking this approach because, when you look at it, the scale that's coming, in open source generally, categorically, if you put all of the code together, it's exponentially growing. >> Jono: Oh, yeah. >> So, there's a flood coming, there's a big open source flood of code coming. So, I think it's time to think architecturally about the dams and the rivers and the flows. To your point, this is a super important point in history. >> Oh, it's without question. And one of the things that's interesting to me is in my work as a consultant, when I help companies to build communities, it's broken into a few different layers. For example, so one is a technology layer, like which of the lego bricks that you're going to choose to put together, and how do you click them together in different ways? And that's where I think the LF has become a real center of gravity around what those projects are and how to integrate. 
But the other thing that we're starting to see more and more of is the formalization of the software development lifecycle, which is, it's not nearly just writing code anymore. It's about automated testing and continuous delivery and deployment, and all these different pieces. So I think we're seeing a formalization of the Lego bricks, but also the instructions for how you click them together. And that's really important if we're going to broaden out this bubble. Because this is a bubble that we're in right now. This is full of invariably tech companies talking about technology. But when we get into the bigger enterprises, when we get into non-tech into the-- >> John: Blocking and tackling, the realities are there. >> And there is so much nuance wrapped up in open source that it's alien to the people outside of this world, that we need to build that better interface for that. >> And that's just putting some hardening around either software or process that there's some comfort and reliability to the users. >> I'll give you one example. Like one company that I was working with, who were a large hardware company, fairly unfamiliar with open source. And one of the first questions they asked me was, "What does success look like? We know what all these options are, we see all the things that people are talking about, but we don't know how to determine what success is." And I think even just that, it seems like an obvious thing to the people in this room, but it's not obvious to a lot of people who are new to consumer technology this way. >> They want to see a finish line or some KPI that says, we're done! >> Jono: Exactly! >> Shipped! >> And also because this is technology that's built by a broad diverse community of people, you then, a lot of these organizations then say, "So, what is my expected social responsibility here?" So, like how do I participate in this world that I'm broadly unfamiliar with? To me it's like a hip hop guy who's trying to join a metal band. 
You know? (John laughs) It works differently. >> It's completely different genres of developers and also environments. So, what's your advice to customers? Because they have to navigate because the mainstream adoption of Linux, obviously, and now new projects as they graduate or come to fruition will be deployed. So there is an ops, the DevOps certainly is a movement we're seeing, we can agree on. But now I got to put it into production. I'm a bank or I'm an enterprise. Hey, I got some guys that are monitoring. We're not that active, but we're happy to use it, be a user. How do you talk to that customer? >> Jono: Right. >> The way which I try to approach it is is to break it into a few different areas. The first thing is to first of all make sure that everybody's got the same sense of what the problem is that you want to solve. One of the things that was most transformative to me when I started consulting was it's amazing how many people think they're solving the same problem, but they're actually on a completely different grade of the same problem. So to me, what I like to do, is I like to define what I call a set of key themes which are these are the big rocks that we want to target in a time frame, six months or a year, or whatever it might be. Particularly with, when you're either doing community strategy or development, or you're doing a level of open source, it's fundamentally cross-functional. It involves marketing, engineering, product, there are executive stakeholder requirements, and then there's the people on the ground who are delivering those, so getting those themes in place I think is critical. But then to me what's important next, is to break a broader strategy down into smaller, consumable pieces. I think one of the things where a lot of companies get stuck is they're aware of these different Lego bricks that are available to them. 
They're aware of some optimizations in terms of workflow, but it's such a huge thing to bring into an organization that invariably has already got a very, very, stodgy or very specific culture that they've got to somewhat unseat. So to me, you need that combination of permissive, top-down approach, which is invariably your exec saying we see value in this, but then you need to break the strategy and the execution down into smaller manageable pieces that a team can wrap their head around. >> We talked to the Cisco guy, Ed, and he was, we were talking about DevNet, a huge developer community for Cisco. DevNet Create was kind of their cloud-native group that they've put together, great little skunk works, worked out great. But those are two languages. It's two worlds. The semantics of what they're saying is the same thing, but the translation is needed. This seems to be a common thread within the DevOps community now that the rubber hits the road, and people see the obvious benefits of what is true private cloud or cloud native. So, how do you go ahead? You provide like a dictionary, and say, "Hey, here's the translation. Okay, he really means that." I mean, are you being more herding the cats, being a translator, or is the client further along than that in your mind? >> It varies, it does vary from company to company. And a chunk of this, at least from my experience, is there is a significant translation layer. One of the things I talked about in my keynote on Monday was I see collaboration ... When I do community strategy, but fundamentally, it really is organizational design. It's just outside of a company in some cases, and sometimes inside of a company. In an organization, you'll have a set of stakeholders making decisions, and then the people who've got to execute on those decisions. And there is often a massive translation layer between them. 
I run a conference called the Community Leadership Summit each year at OSCON, and every year a couple hundred community managers come along, and I hear the same story from a lot of them, which is, I joined this company, I started building out, I started doing my work and my manager wasn't happy. And to me it's because the execs are defining value that they want to see, but it's not getting translated into tactics, and invariably a lot of the folks who are coming into it-- >> John: Where their ROI calculations are-- >> Yeah, a lot of that's-- >> They're not seeing a real answer. They don't know what success looks like. >> And they come in, and they don't necessarily have the strategic background to internalize that requirement into a place that they can move it forward. So, you get this kind of, this impedance mismatch. So, a big chunk of what I tend to do is to really try to understand what those requirements are and to work across the organization to try and-- >> John: You're doing architecture? Like what would be organizational behavior architecture in the wild, but also an arbiter to the managers. It's looking good, it's like you're trying to the score of the game. You're keeping-- >> Jono: And some days as well, as I'm sure anyone who's watching this, will have seen this with the companies they work with, this isn't rocket science. You know, what someone says they want, this is going to sound incredibly patronizing, it's not meant to, but when someone says what they want, invariably what they actually want is not that thing. So for example, I was working with a company a couple of months ago and they were saying, "We just want growth. We absolutely want to grow as quickly as we can." And when I dug into it with their CEO, what they really wanted was brand recognition and acceptance. And those are two very different challenges that you got to approach there. >> John: Stu, get a word in, I'm sorry if I've taken all of it. 
>> Yeah, John's passionate about community if you can't tell. The question I have for you is, building a community takes time, and things are changing faster than ever. How do you help people manage that pace of change versus I want results? It seems strategy is something that is for today, and we're changing often. So, how do you manage that give and take of growing yet breaking? >> It's a great question. And again, I think it varies. To me, there's some fundamental pieces that are involved in the way that I, and I take one approach and other people will take different approaches, I'm certainly not the only person who's doing this. The approach that I like to take is we first of all need to treat communities as a journey. I think a lot of people think we have a product or a service, let's get people interested, and it's seen as a series of individual interactions with individual people. Whereas the way I like to look at it is when that person discovers your product, your service, your framework, whatever it may be, there's a journey from how they learn about it, how they go up an on-ramp to get something done, how you get people making their first contribution or how they derive their first piece of value, and then how you incentivize and reward them to keep them moving along the journey. So to me I look at it as this zoomed-out birds-eye view of this journey that I want to craft. And then I like to break that down into small bite-sized pieces that form the strategy. But the other thing is, and this varies depending on the company, is to what level of transparency and openness you need to communicate with different people. So, for example, one of the first things I do with inner source when people bring in open source principles inside a company is to make sure we have weekly reports going out and we're updating the stakeholders, more specifically, on a regular cadence. 
Because in that kind of environment where there's an existing enterprise, we all see these like digital transformation consultants come in-- >> Oh god, it's a total gravy train. They make the bookings and the billings. Reminds me of the old ERP deployments. Write a big fat check, and it'd be like, all these consultants come in and make all the cash. >> I think a lot of people look around thinking, alright, Lunchbox, you'll be here for a year. You'll be gone then, all right, and we'll go on to the next thing now our CEO cares about. So to me it's like-- >> John: Well, the consulting is being disrupted. It's interesting, you're a contrarian in your world because you have a consulting firm, but the old model things used to be the next gig is get that next consulting gig, so you worked not to actually put yourself out of a job, which is where the client wants to get. And that's where Agile and cloud has come in. It's interesting is, this is where the work product is. You know what success is in that model. You can come in and say, look, we did our work, everything. You've got a community that's vibrant. You got operational, they operationalized your value. >> Jono: Yep. >> You don't need me anymore, unless you want me. So, it's one of those kinds of conversations. Your thoughts? >> I agree. And it's interesting you mentioned Agile. One of the things that I've noticed as well, and I'm sure lots of not just consultants but people notice this as well is there are, I think there are broadly two types of people in the world. I think there's people who take a very kind of organic and somewhat animated approach to how they do things. And then there's some people who really need a roadmap. They need to follow a plan. I think a lot of people who are building organizational design or building communities default to we need to create a process and a workflow so people can follow that and we can have a sense of order. I don't think most people naturally want to work like that. 
I think there's a reason why people don't stick with to-do lists. It's because people like to have a more organic way of working. And a good example of this, in my mind, is Agile. Some people will take Agile to the nth degree with story points and epics and a lot of that kind of stuff-- >> You serve the process, the process doesn't serve the objective. I mean, it's the classic effectiveness model. But, I mean, that's the whole point. I mean, you could foreclose opportunities if you're too structured. But yet you got to have some boundaries, let the ball bounce around. So, you kind of want both. What is the ideal in your mind? >> In my mind, the approach that I'm a big fan is an approach called Muntzing, which was a story of, I forget his name, there's a story of a guy back in like the 50s. And he basically owned a TV factory. And what he'd do is he'd go up to like an engineer who's building one of these big, bulky old TVs, and he'd basically pull out components until it stopped working. And then he'd put that last component in so it would be the minimum level of components for it to work. Ended up saving the company a ton of money. I like to take the same approach process. What's the minimum level that you need that gives people the creativity to be successful in a predictable way? So, like with Agile, these epics and stories and things like that, I think a lot of that stuff is just there to deal with crappy product managers, like people who aren't very good at manning your project. No process is going to deal with someone who's not good at organizing. >> You need to bring to me the right level of the human ingredient and the process is what keeps people ticking over-- >> The other thing too that I find in that area is people kind of redefine, or they maybe mischaracterize what outcome is. Everyone's outcome driven. Love that word. (Jono laughs) It's all about the outcome. In this case, the TV's got to work with a less amount of moving parts. >> Jono: Right. 
>> That's the outcome. And so, outcomes can be bastardized if you will, could be really mangled in its definition. How do you work with clients on trying to really temper and set the expectations on what the outcome is? Cause the manager still wants to know what the outcome is going to be. So, do you reverse engineer from there? How do you tackle that? >> Jono: It's interesting. A big chunk of it for me is just being realistic. There is no minimum amount of work that needs to be put in to achieve any kind of community. I think you can build a tiny community with one person. However, depending on the requirements and the goals, there's just certain things you have to do. And there's certain time and resources that are required. And also just expectations. Like one of the expectations that some people wrestle with I think is, if you're building a community they're either inside your organization or outside, it's only going to succeed if a broader set of people participate. You know, we see this trend where you hire a community manager and that person lives in a forum or a slack channel to build out the community. Doesn't work. >> John: Yeah. >> Because the people in that community want access to other people. >> This value creation mindset in communities. Value has to be a group dynamic. This individual contributions, I get that. But the group dynamic is critical. Not just a message board moderator. I mean, that's basically what you're saying. >> Jono: Exactly. >> That's a message board. >> Nobody wants to deal with >> John: That's a tool. >> the interface of the thing you care about. And that's the community manager. So, a chunk of this then is a different mindset in how people operate. One of my clients is a company called HackerOne. I wrapped up work with them a little while ago, and their CEO is this guy called Mårten Mickos who-- >> John: Yeah, Mårten's great CUBE alumni. >> Phenomenal. For me, he's one of the people I most respect in our industry. 
>> John: He's a great strategic thinker, understands community, knows tech. Great guy >> Jono: Amazing. >> One of the things that he said when he joined HackerOne was I want everybody in this company to know a hacker. Everybody's got to know our audience. Everybody's got to understand the needs, the desires, the insecurities, the worries, the dynamics, otherwise we can't build a community. It's not just hiring a person to interface to that. That's one of the trickiest things because, again, it takes time. >> John: It's alignment to the audience. >> Right >> John: This is classic. >> Ingratiating in and actually being cool. Aligning with them >> Right. And if it's done well it's really rewarding because I think people who ordinarily wouldn't see the fruits of their labor. >> Well, Jono, I want to get your thoughts as we wrap up the segment here on what's exciting you about potential new things that are coming around the corner. Obviously, we see the promise of blockchain which could have a great big application for communities. We're doing some things with it now that we're testing in our community around trying to create these new value networks. Certainly, there's new tooling coming out. Things like theCUBE and content and communities. New things are coming. The growth is going to be here which is going to create great new opportunities. >> Jono: Yeah. >> What are you excited about as you want to navigate the community landscape? Because the thesis is more people are coming in, more rivers of distinct audiences are going to want specialty but yet the broad market ... What are you excited about the community opportunity? From compensation to interaction to culture. What's your thoughts? >> There's a few things I'll subdivide it into things that relate to my bread and butter which is communities and things just more broadly in technology. 
The one thing I'm really excited about communities is I feel like the value proposition has become well understood, is not just in open source but outside with Procter & Gamble, H&R Block, Harley Davidson, all these examples. Where people see the value in doing this work and doing it well. And that's great because I think we're improving the state-of-the-art of how we do this. One of the reasons why I got into this was I want my career to leave a fingerprint on structured, predictable ways in which we can do this as opposed to seeming magic science that a lot of people seem to think community is. >> John: Or a series of one-offs that are not understood or can't be operationalized or leveraged in any way. >> Jono: Yeah, exactly. From a technology perspective, there's a bunch of things. I'm really excited about crowdsource security, things like HackerOne, Bugcrowd, Synack, things like that. I think there's a lot of excitement in my mind around bringing open source into financial services. I think that's an industry that's ripe to be disrupted which is a sentence I never thought I'd ever say. Ripe to be disrupted. (John laughs) And then I'm also really excited about the work that's going on obviously in A.I., but the intersection of A.I. with kind of like voice control. Obviously, things such as Google Home and Alexa, but also things like Mycroft. I think blockchain is interesting. It's kind of less interesting to me. It's not really something I've really been following very closely, but I think it is. I think it's pretty neat. But then also just the formalization of the end-to-end software development lifecycle and how we're seeing, you know, GitHub was transformative in technology for a lot of companies. And now we're seeing GitHub as one piece, and you've got continuous delivery and continuous deployment. And also, we manage ideas, the project manager, all that kind of stuff. >> I think there's a lot of transformative ideas coming. And I think it's super exciting. 
Congratulations on all the great work you're doing. >> Jono: Thank you. Appreciate it. >> I just think that the self-governing community model that's now becoming mainstream people are starting to figure out how to balance that with the command and control top down and hierarchy job definition specifics, and balancing that. I think the self-governing open source model certainly prove that. And communities as a working example of what you can operationalize. >> It's exciting. >> And crowdsourcing just takes it to the consumer level. >> Right. >> Okay, it's working there too. Okay, great job. Thanks for coming on. >> Thank you. >> John: Jono Bacon, >> John: Bacon Consulting. This is theCUBE. I'm John Furrier, Stu Miniman. More live coverage after this short break. (upbeat techno music)

Published Date : Sep 12 2017
