Masha Sedova, Elevate Security | RSAC USA 2020
>> Narrator: Live from San Francisco, it's theCUBE. Covering RSA Conference 2020, San Francisco. Brought to you by SiliconANGLE Media.
>> Hi everyone, welcome to theCUBE's coverage here at RSA Conference 2020. I'm John Furrier, host of theCUBE. We're on the floor getting all the data, sharing it with you here, Cube coverage. Got the best new generation shift happening as cloud computing goes to the whole other level. Multi-cloud, hybrid cloud changing the game. You're seeing the companies transition from an on-premises to cloud architecture. This is forcing all the companies to change. So a new generation of security is here and we've got a great guest, so a hot start-up. Masha Sedova, co-founder of Elevate Security. Welcome to theCUBE, thanks for joining us.
>> Thank you so much for having me, John.
>> So the next generation in what will be a multi-generational security paradigm, is kind of happening right now with the beginning of, we're seeing the transition, Palo Alto Networks announced earnings yesterday down 13% after hours because of the shift to the cloud. Now I think they're going to do well, they're well positioned, but it highlights this next generation security. You guys are a hot start-up, Elevate Security. What is the sea change? What is going on with security? What is this next generation paradigm about?
>> Yeah, so it's interesting that you talk about this as next generation. In some ways, I see this as a two-prong move between, yes, we're moving more into the cloud but we're also going back to our roots. We're figuring out how to do asset management right, we're figuring out how to do patching right, and for the first time, we're figuring how to do the human element right. And that's where we come in.
>> You know, the disruption of these new shifts, it also kind of hits like this, the old expression, 'same wine, new bottle', all this, but it's a data problem. Security has always been a data problem, and we've seen some learnings around data.
Visualization, wrangling, there's a lot of best practices around there. You guys are trying to change the security paradigm by incorporating a data-centric view with changing the behavior of the humans and the machines and kind of making it easier to manage. Could you share what you guys are doing? What's the vision for Elevate?
>> Yeah, so we believe and we've seen, from our experience being practitioners, you can't change what you can't measure. If you don't have visibility, you don't know where you're going. And that's probably been one of the biggest pain points in the security awareness space traditionally. We just roll out training and hope it works. And it doesn't, which is why human error is a huge source of our breaches. But we keep rolling out the same one-size-fits-all approach without wanting to measure or being able to. So, we've decided to turn the problem on its head and we use existing data sets that most organizations who have a baseline level of maturity already have in place. Your endpoint protections, your DLP solutions, your proxies, your email security gateways and using that to understand what your employees are doing on the network to see if user generated incidents are getting better over time or getting worse. And using that as the instrumentation and the level of visibility into understanding how you should be orchestrating your program in this space.
>> You know, that's a great point. I was just having a conversation last night at one of the cocktail parties here around RSA and we were debating on, we talk about the kind of breaches, you mentioned breaches, well there's the pure breach where I'm going to attack and penetrate the well fortified network. But then there's just human error, an S3 bucket laying open or some configuration problem. I guess it's not really a breach, it's kind of an open door so the kind of notion of a breach is multifold.
How do you see that, because again, human error, insider threats or human error, these are enabling the hackers.
>> Yeah.
>> This is not new.
>> Yeah.
>> How bad is the problem?
>> It depends on what report you read. The biggest number I've seen so far is something like 95% of breaches have human error. But I honestly, I couldn't tell you what the 5% that don't include it because if you go far enough back, it's because a patch wasn't applied and there is a human being involved there because there is vulnerability in code, that's probably a secure coding practice when you're a development organization. Maybe it's a process that wasn't followed or even created in the first place. There's a human being at the core of every one of these breaches and it needs to be addressed as holistically as our technologies and our processes right now in the space.
>> The evolution of human intelligence augmented by machines will certainly help.
>> That's it, yeah.
>> I mean, I've got to ask you, obviously you're well-funded. Costanoa Ventures well known in the enterprise space, Greg Sands and the team there, really strong, but you guys entered the market, why? I mean you guys, you and your founder both at Salesforce.com. Salesforce gurus doing a lot of work there. Obviously you've seen the large scale, first wave of the cloud.
>> Yeah.
>> Why do the start-up? What was the problem statement you guys were going after?
>> So, my co-founder and I both came from the world of being practitioners and we saw how limited the space was and actually changing human behavior, I was given some animated PowerPoints, said use this to keep the Russians out of your network, which is a practical joke unless your job is on the line, so I took a huge step back and I said, there are other fields that have figured this out.
Behavioral science being one of them, they use positive reinforcement, gamification, marketing and advertisements have figured out how to engage the human element, just look around the RSA floor, and there's so many learnings of how we make decisions as human beings that can be applied into changing people's behaviors in security. So that's what we did.
>> And what was the behavior you're trying to change?
>> Yeah, so the top one's always that our attackers are getting into organizations, so, reducing phishing click-throughs an obvious one, increasing reporting rates, reducing malware infection rates, improving sensitive data handling, all of which have ties back to, as I was mentioning earlier, security data sources. So, we get to map those and use that data to then drive behavior change that's rooted in concepts like social proof, how are you doing compared to your peers? We make dinner decisions on that and Amazon buying decisions on that, why not influence security like that?
>> So building some intelligence into the system, is there a particular market you're targeting? I mean, here people like to talk in segments, is there a certain market that you guys are targeting?
>> Yeah, so the amazing thing about this is, and probably no surprise, the human element is a ubiquitous problem. We are in over a dozen different industries and we've seen this approach work across all of those industries because human beings make the same mistakes, no matter what kind of company they're in. We really work well with larger enterprises. We work well with larger enterprises because they tend to have the data sets that really provide insights into human behavior.
>> And what's the business model you guys envision happening with your service product?
>> We sell to enterprises and security, the CISO and the package as a whole, gives them the tools to have the voice internally in their organization. We sell to Fortune 1000 companies.
>> So it's a SaaS service?
>> Yeah, SaaS service, yeah.
>> And so what's the technology secret sauce? (laughing)
>> Um, that's a great question but really, our expertise is understanding what information people need at what time and under what circumstances, that best changes their behavior. So we really are content agnostic, we are much more about the engine that understands what content needs to be presented to whom and why. So that everyone is getting only the information they need, they understand why they need it and they don't need anything extra-superfluous to their...
>> Okay, so I was saying on theCUBE, my last event was at, CIOs can have good days and bad days. They have good days, CISOs really have good days, many will say bad days,
>> Masha: Yeah, it's a hard job.
>> So how do I know I need the Elevate Solution? What problem do I have, what's in it for me? What do I get out of it? When do I know when to engage with you guys?
>> I take a look at how many user generated incidents your (mumbles) responding to, and I would imagine it is a large majority of them. We've seen, while we were working at Salesforce and across our current customers, close to a 40% reduction rate in user generated incidents, which clearly correlates to time spent on much more useful things than cleaning up mistakes. It's also one of the biggest ROIs you can get for the cheapest investment. By investing a little bit in your organization now, the impact you have in your culture and investing in the future decision, the future mistakes that never get made, are actually untold, the benefit of that is untold.
>> So you're really kind of coming in as a holistic, kind of a security data plane if you will, aggregating the data points, making a visualization in human component.
>> You've got it.
>> Now, what's the human touchpoint? Is it a dashboard? Is it notifications? Personalization? How is the benefit rendered for the customer?
>> So we give security teams and CSOs a dashboard that maps their organization's strengths and weaknesses. But for every employee, we give personalized, tailored feedback. Right now it shows up in an email that they get on an ongoing basis. We also have one that we tailor for executives, so the executive gets one for their department and we create an executive leaderboard that compares their performance to fellow peers and I'll tell you, execs love to win, so we've seen immense change from that move alone.
>> Well, impressive pedigree on your entrepreneurial background, I see Salesforce has really kind of, I consider real first generation cloud before cloud actually happened, and there's a lot of learn, it was always an Apple case, now it's AWS, but it's its own cloud as we all know, what are the learnings that you saw from Salesforce that you said hey, I'm going to connect those dots to the new opportunity? What's the real key there?
>> So, I had two major aha's that I've been sharing with my work since. One, it's not what people know, but it's what they do that matters, and if you can sit with a moment and think about that, you realize it's not more training, because people might actually know the information, but they just choose not to do it. How many people smoke, and they still know it kills them? They think that it doesn't apply to them, same thing with security. I know what I need to do, I'm just not incentivized to do it, so there's a huge motivation factor that needs to be addressed. That's one thing that I don't see a lot of other players on the market doing and one thing we just really wanted to do as well.
>> So it sounds like you guys are providing a vision around using machine learning and AI and data synthesis wrangling and all that good stuff, to be an assistant, a personal assistant to security folks, because it sounds like you're trying to make their life easier, make better decisions.
Sounds like you guys are trying to distract away all these signals,
>> You're right.
>> See what to pay attention to.
>> And make it more relevant, yeah. Well think about what Fitbit did for your own personal fitness. It curates a personal relationship based on a whole bunch of data. How you're doing, goals you've set, and all of a sudden, a couple of miles walk leads to an immense lifestyle change. Same thing with security, yeah.
>> That's interesting, I love the Fitbit analogy because if you think about the digital ecosystem of an enterprise, it used to be siloed, IT driven, now with digital, everything's connected so technically, you're instrumenting a lot of things for everything.
>> Yeah.
>> So the question's not so much instrumentation, it's what's happening when and contextually why.
>> That's it, why, that's exactly it. Yeah, you totally got it.
>> Okay. I got it.
>> Yeah, I can see the light bulb.
>> Okay, aha, ding ding. All right, so back to the customer pain point. You mentioned some data points around KPIs that they might or things that they might want to call you so it's incidents, what kind of incidents? When do I know I need to get you involved? Will you repeat those again?
>> There's two places where it's a great time to involve. Now, because of the human element is, or think about this as an investment. If you do non-investor security culture, one way or another, you have security culture. It's either hurting you or it's helping you and by hurting you, people are choosing to forego investing security processes or secure cultures and you are just increasing your security debt. By stepping in to address that now, you are actually paying it forward. The second best time, is after you realize you should have done that.
Post-breaches or post incidents, is a really great time to come in and look at your culture because people are willing to suspend their beliefs of what good behavior looks like, what's acceptable and when you look at an organization and their culture, it is most valuable after a time of crisis, public or otherwise, and that is a really great time to consider it.
>> I think that human error is a huge thing, whether it's as trivial as leaving an S3 bucket open or whatever, I think it's going to get more acute with service meshes and cloud-native microservices. It's going to get much more dynamic and sometimes services can be stood up and torn down without any human knowledge, so there's a lot of blind spots potentially. This brings up the question of how does the collaboration piece, because one of the things about the security industry is, it's a community. Sharing data's important, having access to data, how do you think about that as the founder of a start-up that has a 20 mile stare to the future around data access, data diversity, blind spots, how do you look at that and how do you advise your clients to think about that?
>> I've always been really pro data sharing. I think it's one of the things that has held us back as an industry, we're very siloed in this space, especially as it relates to human behavior. I have no idea, as a regular CISO of a company, if I am doing enough to protect my employees, is my phishing click (mumbles), are my malware download rates above normal, below or should I invest more, am I doing enough? How do I do compared to my peers and without sharing industry stats, we have no idea if we're investing enough or quite honestly, not enough in this space. And the second thing is, what are approaches that are most effective? So let's say I have a malware infection problem, which approach, is it this training? Is it a communication? Is it positive reinforcement, is it punishment? What is the most effective to leverage this type of output?
What's the input output relation? And we're real excited to have shared data with Verizon Data Breach Report for the first time this year, to start giving back to the communities, specifically to help answer some of these questions.
>> Well, I think you're onto something with this behavioral science intersection with human behavior and executive around security practices. I think it's going to be an awesome, thanks for sharing the insights, Miss Masha on theCUBE here. A quick plug for your company, (mumbles) you're funded, Series A funding, take us through the stats, you're hiring what kind of positions, give a plug to the company.
>> So, Elevate Security, we're three years old. We have raised ten million to date. We're based in both Berkeley and Montreal and we're hiring sales reps on the west coast, a security product manager and any engineering talent really focused on building an awesome data warehouse infrastructure. So, please check out our website, www.elevatesecurity.com/careers for jobs.
>> Two hot engineering markets, Berkeley I see poaching out of Cal, and also Montreal,
>> Montreal, McGill and Monterey.
>> You got that whole top belt of computer science up in Canada.
>> Yeah.
>> Well, congratulations. Thanks for coming on theCUBE, sharing your story.
>> Thank you.
>> Security kind of giving the next generation all kinds of new opportunities to make security better. Some CUBE coverage here in San Francisco, at the Moscone Center. I'm John Furrier, we'll be right back after this break. (upbeat music)