Rakesh Narasimhan, Anitian | CUBE Conversation, August 2022


 

(bright upbeat music) >> Welcome, everyone, to this Cube conversation. It's part of our season two, episode four of the ongoing AWS Startup Showcase Series. Today's theme, "Cybersecurity: Detect and Protect Against Threats." I'm your host, Lisa Martin. I've got one of our alumni back with us. Rakesh Narasimhan joins me, President and CEO of Anitian. Rakesh, it's great to have you back on the program. >> Thank you very much. Pleasure to be here. >> So some congratulations are in order. I see that Anitian was recently awarded nine global InfoSec awards at RSA conference just this year including couple great titles here hot company and security company of the year. Talk to the audience who knows Anitian what is it doing to enable and empower the digital transformation for enterprises that are, I mean, we've been talking about the acceleration of digital transformation. How is Anitian an enabler of that? >> Thank you again for the opportunity. I think the big change that we brought to the table in Anitian is really what is typically a very manual, complex time consuming and quite expensive process. We've just brought software innovations to it and really that's customers who are trying to do compliance or security in the cloud which just provide a platform that basically accelerates a customer's application migration to cloud. And so that ability is the software innovation that we were able to bring to the space and that just wasn't there before. And so we're just happy that we took the opportunity to innovate there and just bring it to the customers. >> So let's now talk to and address those AWS customers. When you're talking to prospects, existing AWS customers what do you say are the differentiators that makes Anitian so unique when in AWS. >> That's a great question. I think the biggest innovation, the biggest thing that we bring to the table is really an acceleration and timeline and completion of their application. 
So if you're a customer and you're trying to get into a new market for compliance, for example, or you're trying to basically get a new application up and running in a secure environment, in either one of those cases, we have a product offering, a platform offering, that enables you to quickly get up and running and get to production. And that's been the reason why we've enjoyed enormous success in the marketplace in the AWS customer base. >> One of the areas where I see that Anitian has been very successful is in helping cloud software vendors get FedRAMP compliance and be able to access what is a huge federal market. How are you able to do that? >> Yeah, I think the big thing that we focused on was you have a complete class of SaaS vendors out there who provide enormous innovation that they bring to the marketplace but the government market in general has not been able to participate in it because it again, like I said, it's very complex. It takes time and it's very expensive. And so we focused on that opportunity to really make it easier for all these cloud service providers to be able to bring their innovations to the government market, for example, with FedRAMP and so we help with the automation and the acceleration with our platform offering on top of cloud providers like AWS, and that enables the SaaS provider to offer that opportunity that hitherto is not available to now make it available in the government marketplace. And that's a huge buyer, if you will, their budgets are huge. They're still buying even on a downturn in the market even as commercial vendors, who look at that, that market everybody's nervous about it. But if you look at the government market they have budget, they're buying and that needs to be provided to the install base. And so we help make that happen. >> How does that make you unique from a competitive perspective to be able to accelerate FedRAMP for AWS customers in particular? 
>> I think the biggest issue has always been three things, right? It's complex, it's time consuming but most importantly, how quickly can a company make their software innovations available to a large market has always been sort of the challenge especially in the federal market. So we basically pre-engineering a platform taking care of all the requirements of the standard in compliance and security and then essentially help the customer bring that innovation on top of the AWS environment and making that available to the customers and record time. That's the reason why we're able to enjoy the success. Historically, the space has been very very focused on a lot of consulting folks really providing consulting on an hourly basis. We thought of actually bringing a software oriented approach just like people buy email, they buy service and then all the innovations that come along with it for the subscription that you pay. It's a very similar concept we brought to this space prior to this, either people did it themselves or they hired a lot of consulting folks to tell them what to do. And that could take a long time and then not just time and expense but every single time they made a change they would still, again, have to go redo all that work. We just brought a platform approach which is well understood by now in the industry you pay a subscription, you buy a platform and all the innovations come along for them. So that's huge productivity, time to market but most importantly it enables them to achieve their revenue goals because they're trying to get to market and service the customer, right? So we help them accomplish that in record time. >> So you are really impacting your customer's bottom line. You've been very successful in helping AWS public sector customers to accelerate FedRAMP. 
As you talked about FedRAMP compliance how are you now switching gears to focus on the AWS commercial customers and even enterprise DevOps teams to be able to accelerate cloud application security? >> Yeah, I think, again we started from a place of humility, if you will. You know, there's a lot of vendors a lot of folks make a lot of claims. We wanted to make sure that we first we're very good at doing something. And that's something was really go after the federal market and the success we achieved in that marketplace had a few insights for ourselves which was people really struggle in all kinds of environments, not just public sector. And what we found is that commercial customers are also trying to go to cloud. They're also dealing with the issues of security in securing their environments. And it's really the DevOps and DevSecOps folks on whom this burden falls. And they have to answer to so many different constituencies in an enterprise company. And so we time and time again while we did the work in FedRAMP we learned that, you know it's not just about compliance. It's also about securing on a base of standards. So how could we provide the same pre-engineered environment for DevOps and DevSecops teams to be able to run that environment for their applications that became an 'aha' for us because we were running into it all the time in the public sector side. So we went and talked to a few customers and said, 'Hey, how about we do the same thing on the commercial side for you?' And I wish I could take credit for this but it's actually not true. It's actually customers who came to us and said, 'Hey you did this really well for us in public sector side. Could you provide the same thing for us in the commercial side?' where it's not about all the documentation and all the audits and things that happen on the compliance side of the house. I just want you to provide an environment so that our DevOps teams could just operate in that environment and Devs can work on it. 
Can you do that? And we'll pay you. And that was born really our idea of secure cloud enterprise. Our primary offering historically has been secure cloud compliance with a compliance business if you will, where people could go into market and have a completely new market to go after. Whereas in the enterprise side we brought those innovations, those learnings and brought it to a commercial market. And so that's the new product, if you will, that we're launching to service that customer base, if you will. >> So if I'm an AWS customer when do I know it's time to contact Anitian and say, 'Guys we need help and we think you're the right ones to help us accelerate.' >> Yeah, I think it's really straightforward if you are a customer commercial SaaS vendor, if you will, that runs on AWS and you want to go after a new market then you come to us and we can help you quickly get to all the compliance standards so that you can go sell in the government marketplace. That's an offering we already have, or you are a brand new company and B2B company and you're developing an application and you want a pre-engineered environment that passes all the security standards so that you don't have to worry about it. You have a subscription to AWS and you have a subscription to us. And then that basically provides you a secure environment in which you can start developing your applications and start developing, deploying them much like your DevOps cycle would work. So we provide that basis already for you. So if you're a customer on the B2B side and you're going to cloud to get your applications to the marketplace on AWS, we're a great solution for you to actually have that engineered platform in place already. So those are the two areas where you can contact us and we can help you out. >> And talk to me about when you are in customer conversations especially as we've had such challenging times the last couple of years, how have those customer conversations changed and evolved? 
Are you seeing an acceleration up the C-suite stack? Is this a key priority for the CEO and his or her team? >> Yeah, I think it's a phenomenal point. I think security's always been top of mind for folks, not just the C-suite, but in boardrooms as well. But you know, the key thing we found is that even in a down market, sometimes in the environment that is playing out in the macro environment. I think the thing that has not changed is people are still trying to figure out how to make their dollar go further. And how do I get a better return on investment? So if you look at our compliance business that growth is all about that market is growing. There's still opportunity, and people are still having budgets and spending. So commercial companies are still trying to figure out how can I extend my market reach into new markets? So that's an area that the C-suite is really interested in. Funny enough, you would think in the cyber world it's a CSOs who are the ones who actually are looking for solutions from us that certainly an audience but CEOs and CROs are the folks who really clamor for our solution because it is their ability to enter a new market and go after a new budget that can grow their business and have an ROI pretty quickly. That's the ability for them to make that decision. So it's very pertinent to their buying behavior that we have aligned ourselves to very simply put by engaging us. They get to go after a new market to establish a new line of revenue they didn't have before. So that's always interesting to any C-suite member as you can imagine. And that's the compliance side. >> Absolutely establishing new revenue streams is huge and that's a big competitive differentiator. We've seen a lot of customers that weren't able in any industry to do that during the challenging pandemic times. And that is a game changer for organizations across industries. >> Exactly, exactly. 
And wishing that play out, not just on that side, but even on the commercial side where people are also trying to figure out how do I basically make sure it's pre-done so that it's one less thing for me to have to worry about so that I can be more productive. I can get to market pretty quickly which means I can, again, deliver to my customers quickly which means revenue for them as well. So we are the security business, but really if you notice we're solving a business problem for our customers and we're aligned to their ROI so that it's relatively easier for them to make a decision. They certainly get security in compliance but the bigger benefit for them is to grow their business itself. So we are trying to accelerate that momentum for them. >> That's critical, and I'm sure your customers really appreciate the impact that you're having on their growth, their ability to deliver to what I can only presume is their demanding customers. As one of the things I know that's been in short supply the last couple of years, is patience and tolerance. Is there Rakesh a customer story that you think really articulates the value of what Anitian is delivering? Maybe a favorite customer story that you mentioned when you're giving talks? >> Sure, sure. We really have a very customer base across the landscape. If you think about our compliance business, Smartsheet is a great example who partnered early. They were not even in the cloud before. And then that's a great example with AWS where the three of us work together to offer Smartsheet the collaboration software public SaaS company, if you will, who really established themselves and differentiated themselves in the marketplace by offering that on AWS. 
And we helped them accomplish their FedRAMP itself not just for once, but you know they've been great customers of ours multiple renewals over the years and every single year that the business that they get on the federal side has increased because of the work that they did first with us. And so, you know, we've look for more opportunities with them, certainly on that part. And increasingly we start thinking about where else can we help them grow? Because typically most customers have a thing to solve on a compliance standard, but it turns out that the compliance journey is, you know some companies are trying to do SOC 2 to be able to even sell. Then you want to do electronic commerce. You might have to do PCI or you want to sell under the federal government. You'll have to do FedRAMP and FedRAMP has moderate, high but depending on the customers you have, including DOD and once you get to DOD, they'll ask for IL4 and IL5. So these are different compliance regimes. If you will think of them as a journey and we want to be the company that provides a seamless progression for customers as they're on that journey so that we can actually deliver something of value. We're not interested in nickel-and-diming customers and charging them by the hour, we're a platform player. We want to make sure that they use it to basically get their ROI and growth happening. And we just take care of the hard part of making sure that they're in compliance, right? And similarly, we're bringing the same idea like Smartsheet. I told you about to a commercial marketplace of customers who can do the same thing for commercial apps in the cloud. And so that gives us a very clean way for customers to really become not just productive, but satisfy their customers quickly and hence grow their business. 
And we celebrate that collaboration and all of that happens because of AWS and our ability to focus on those customers >> Sounds like a great partnership and definite synergy there on I know, and, you know as well, how customer obsessed in their own words AWS. Speaking of customers one more question for you in terms of being on that journey that compliance journey, which isn't a destination, right? It's probably a zigzaggy path. Do you work with customers that both haven't started the process to FedRAMP plans or those that maybe have with a competitor are running into roadblocks? Are those both routes to market for you? >> Yeah, we interestingly enough historically we used to see a lot of folks who have tried to do it themselves and found it hard or for a variety of reasons they just gave up. And so they would come to us. We have also examples of customers who have tried to go down the consulting path and has not worked and come to us so that it's sort of a broken project. We start from there, but a majority of our business is people who've gotten a contract from one of the agencies. Then they're like, 'oh now what!' We need to get this done before September. And so what's the quickest way to get there. And generally that's where we can help you because we are the best, fastest way to get there. And so we get that mix of customers people who have already tried hasn't worked out people who have tried with other folks hasn't worked out, but a majority of the folks are people who don't even know, you know how to go about doing it, but they know they have to do it in order for them to keep the customer that they've won one of the agencies, if you will. So that has given us a very healthy perspective on how to help customers of different kinds in that journey. The other thing is, you know, we've grown tremendously in the last couple of years. And the other thing we learned is every customer is different. 
And we tried to bring a very common approach to addressing this problem. Even though customers come in all shapes and forms we have startup companies in, you know early forms of maturity. And we have like really iconic, you know unicorn companies who we've helped go through FedRAMP. So the gamut is large, but you know we're learning a lot by doing this. And I think that's the key thing for me. I want our company to be one that is growing with innovation, but at the same time keeping flexibility in our approach so that we are not just learning new things, we're delivering on the harder problems our customers are facing. Cause I think that's where software innovation can really play a big differentiating role. And that's the reason why I always enjoyed being at Anitian and growing the business and keeping the company really, fast moving and innovative. >> Speaking of being fast moving and innovative here we are coming up on the fourth quarter of calendar year 22, what's next for Anitian? What are some of the exciting things that have you pumped up? Have you mojo going for what's next for the rest of the year? >> Yeah, I think a big portion of my enthusiasm for the company and the road ahead is I think it's rare if you look at the industry, oftentimes you see companies that start out with a single solution and then are able to grow from there. One of the best advantages Anitian has is this platform centric approach to do compliance on the journey I talked about. So if you think about that journey every customer that is going to cloud has this challenge that, they either have to comply do a bunch of standards, one or many. And then how do I do that in a platform approach in a common way so that I don't have to worry about it. I play a subscription and I am just protected by that. And I actually get the marketplace. So that's a tremendous journey we are on. We've only done a few of them and we have a whole new set of compliance standards coming on our platform. 
So that's one way, look forward to that. The other one I'm really looking forward to is the commercial customers. There's a huge opportunity for people to really know that they're sitting on top of a very secure environment in AWS. And how do I quickly propel myself into the marketplace so that I can be differentiated. I can get to market quickly but I can also make sure my innovations are getting to the marketplace as a customer, right? So I think I'm really excited about the things we are bringing to market just not just this year, but next year early next year on the compliance side, as well as the commercial side, that'll actually differentiate us and make it a lasting part of a customer's journey. And that's, I think the best thing you can hope for building a lasting company where your innovations are powering the productivity of your customers in a meaningful manner. And I always feel proud of the team. You mentioned the awards, but honestly more than anything else, we've put together a great team. And the team does a tremendous job with a very good ecosystem of partners. And our humility is it's not just us it's the ecosystem together. And the partnership with Amazon that helps us be the company we are able to be. We live in really story times and we're lucky to be part of this opportunity if you will. >> Yeah better together. That ecosystem is incredibly powerful. Thank you so much Rakesh for talking about what's going on at Anitian, how you're helping customers, accelerate FedRAMP compliance, what you're doing in the commercial space and how you're helping your customers really improve their bottom line. We thank you so much for partnering with the Cube for season two, episode four of the AWS Startup Showcase. >> My pleasure. Thank you very much. >> And we want to thank you for watching but keep it right here for more action on the Cube which as you know, is your leader in tech coverage. I'm Lisa Martin. See you next time. (lively music)

Published Date : Aug 23 2022

Joe Nolte, Allegis Group & Torsten Grabs, Snowflake | Snowflake Summit 2022


 

>>Hey everyone. Welcome back to the Cube. Lisa Martin, with Dave Vellante. We're here in Las Vegas with Snowflake at the Snowflake Summit 22. This is the fourth annual, there's close to 10,000 people here. Lots going on. Customers, partners, analysts, cross media, everyone talking about all of this news. We've got a couple of guests joining us. We're gonna unpack Snowpark. Torsten Grabs, the director of product management at Snowflake, and Joe Nolte, AI and MDM architect at Allegis Group. Guys. Welcome to the program. Thank >>You so much for having >>Us. Isn't it great to be back in person? It is. >>Oh, wonderful. Yes, it >>Is. Indeed. Joe, talk to us a little bit about Allegis Group. What do you do? And then tell us a little bit about your role specifically. >>Well, Allegis Group is a collection of OPCA operating companies that do staffing. We're one of the biggest staffing companies in North America. We have a presence in EMEA and in the APAC region. So we work to find people jobs, and we help get 'em staffed and we help companies find people and we help individuals find >>People incredibly important these days, excuse me, incredibly important. These days. It is >>Very, it very is right >>There. Tell me a little bit about your role. You are the AI and MDM architect. You wear a lot of hats. >>Okay. So I'm an architect and I support both of those verticals within the company. So I work, I have a set of engineers and data scientists that work with me on the AI side, and we build data science models and solutions that help support what the company wants to do, right? So we build it to make business business processes faster and more streamlined. And we really see Snowpark and Python helping us to accelerate that and accelerate that delivery. So we're very excited about it. >>Explain Snowpark for, for people. I mean, I look at it as this, this wonderful sandbox. You can bring your own developer tools in, but, but explain in your words what it >>Is. Yeah. 
So we got interested in, in Snowpark because increasingly the feedback was that everybody wants to interact with Snowflake through SQL. There are other languages that they would prefer to use, including Java, Scala and of course, Python. Right? So then this led down to the, our, our work into Snowpark where we're building an infrastructure that allows us to host other languages natively on the Snowflake compute platform. And now here, what we're, what we just announced is Snowpark for Python in public preview. So now you have the ability to natively run Python code on Snowflake and benefit from the thousands of packages and libraries that the open source community around Python has contributed over the years. And that's a huge benefit for data scientists. It is ML practitioners and data engineers, because those are the, the languages and packages that are popular with them. So yeah, we very much look forward to working with the likes of you and other data scientists and, and data engineers around the Python ecosystem. >>Yeah. And, and Snowpark helps reduce the architectural footprint and it makes the data pipelines a little easier and less complex. We have a, we had a pipeline and it works on DMV data. And we converted that entire pipeline from Python, running on a VM to directly running down on Snowflake. Right. We were able to eliminate code because you don't have to worry about multi threading, right? Because we can just set the warehouse size through a task, no more multi threading, throw that code away. Don't need to do it anymore. Right. We get the same results, but the architecture to run that pipeline gets immensely easier because it's a stored procedure that's already there. And implementing that calling to that stored procedure is very easy. The architecture that we use today uses six different components just to be able to run that Python code on a VM within our ecosystem to make sure that it runs on time and is scheduled and all of that. Right. 
But with Snowflake, with Snowflake and Snowpark and Snowflake Python, it's two components. It's the stored procedure and our ETL tool calling it. >>Okay. So you've simplified that, that stack. Yes. And, and eliminated all the other stuff that you had to do that now Snowflake's doing, am I correct? That you're actually taking the application development stack and the analytics stack and bringing them together? Are they merging? >>I don't know. I think in a way I'm not real sure how I would answer that question to be quite honest. I think with Streamlit, there's a little bit of application that's gonna be down there. So you could maybe start to say that I'd have to see how that carries out and what we do and what we produce to really give you an answer to that. But yeah, maybe in a >>Little bit. Well, the reason I asked you is because you talk, we always talk about injecting data into apps, injecting machine intelligence and ML and AI into apps, but there are two separate stacks today. Aren't they >>Certainly the two are getting closer >>To Python Python. It gets a little better. Explain that, >>Explain, explain how >>That I just like in the keynote, right? The other day was SRE. When she showed her sample application, you can start to see that cuz you can do some data pipelining and data building and then throw that into a training module within Python, right down inside a Snowflake and have it sitting there. Then you can use something like Streamlit to, to expose it to your users. Right? We were talking about that the other day, about how do you get an ML and AI, after you have it running in front of people, we have a model right now that is a Mo a predictive and prescriptive model of one of our top KPIs. Right. And right now we can show it to everybody in the company, but it's through a Jupyter notebook. How do I deliver it? How do I get it in the front of people? So they can use it well with what we saw was Streamlit, right? It's a perfect match. 
And then we can compile it. It's right down there on Snowflake. And it's completely easier time to delivery to production because since it's already part of Snowflake, there's no architectural review, right. As long as the code passes code review, and it's not poorly written code and isn't using a library that's dangerous, right. It's a simple deployment to production. So because it's encapsulated inside of that Snowflake environment, we have approval to just use it. However we see fit. >>It's very, so that code delivery, that code review has to occur irrespective of, you know, not always whatever you're running it on. Okay. So I get that. And, and, but you, it's a frictionless environment you're saying, right. What would you have had to do prior to Snowflake that you don't have to do now? >>Well, one, it's a longer review process to allow me to push the solution into production, right. Because I have to explain to my InfoSec people, right? My other it's not >>Trusted. >>Well, well don't use that word. No. Right? It got, there are checks and balances in everything that we do, >>It has to be verified. And >>That's all, it's, it's part of the, the, what I like to call the good bureaucracy, right? Those processes are in place to help all of us stay protected. >>It's the checklist. Yeah. That you >>Gotta go to. >>That's all it is. It's like fly on a plane. You, >>But that checklist gets smaller. And sometimes it's just one box now with, with Python through Snowpark, running down on the Snowflake platform. And that's, that's the real advantage because we can do things faster. Right? We can do things easier, right? We're doing some mathematical data science right now and we're doing it through SQL, but Python will open that up much easier and allow us to deliver faster and more accurate results and easier not to mention, we're gonna try to bolt on the hybrid tables to that afterwards. >>Oh, we had talk about that. 
So can you, and I don't, I don't need an exact metric, but when you say faster talking 10% faster, 20% faster, 50% path >>Faster, it really depends on the solution. >>Well, gimme a range of, of the worst case, best case. >>I, I really don't have that. I don't, I wish I did. I wish I had that for you, but I really don't have >>It. I mean, obviously it's meaningful. I mean, if >>It is meaningful, it >>Has a business impact. It'll >>Be FA I think what it will do is it will speed up our work inside of our iterations. So we can then, you know, look at the code sooner. Right. And evaluate it sooner, measure it sooner, measure it faster. >>So is it fair to say that as a result, you can do more. Yeah. That's to, >>We be able do more well, and it will enable more of our people because they're used to working in Python. >>Can you talk a little bit about, from an enablement perspective, let's go up the stack to the folks at Allegis who are on the front lines, helping people get jobs. What are some of the benefits that having Snowpark for Python under the hood, how does it facilitate them being able to get access to data, to deliver what they need to, to their clients? >>Well, I think what we would use Snowflake for a Python for there is when we're building them tools to let them know whether or not a user or a piece of talent is already within our system. Right. Things like that. Right. That's how we would leverage that. But again, it's also new. We're still figuring out what solutions we would move to Python. We are, we have some targeted, like we're, I have developers that are waiting for this and they're, and they're in private preview. Now they're playing around with it. They're ready to start using it. They're ready to start doing some analytical work on it, to get some of our analytical work out of, out of GCP. Right. Because that's where it is right now. Right. 
But all the data's in Snowflake and it just, but we need to move that down now and take the data outta the data wasn't in Snowflake before. So there, so the dashboards are up in GCP, but now that we've moved all of that data down in, down in the Snowflake, the team that did that, those analytical dashboards, they want to use Python because that's the way it's written right now. So it's an easier transformation, an easier migration off of GCP and get us into snow, doing everything in Snowflake, which is what we want. >>So you're saying you're doing the visualization in GCP. Is that right? >>It's just some dashboarding. That's all, >>Not even visualization. You won't even give for. You won't even give me that. Okay. Okay. But >>Cause it's not visualization. It's just some dashboardings of numbers and percentages and things like that. It's no graphic >>And it doesn't make sense to run that in Snowflake, in GCP, you could just move it into AWS or, or >>No, we, what we'll be able to do now is all that data before was in GCP and all that Python code was running in GCP. We've moved all that data outta GCP, and now it's in Snowflake and now we're gonna work on taking those Python scripts that we thought we were gonna have to rewrite differently. Right. Because Python, wasn't available now that Python's available, we have an easier way of getting those dashboards back out to our people. >>Okay. But you're taking it outta GCP, putting it to Snowflake where anywhere, >>Well, the, so we'll build the, we'll build those, those, those dashboards. And they'll actually be, they'll be displayed through Tableau, which is our enterprise >>Tool for that. Yeah. Sure. Okay. And then when you operationalize it it'll go. >>But the idea is it's an easier pathway for us to migrate our code, our existing code it's in Python, down into Snowflake, have it run against Snowflake. Right. 
And because all the data's there >>Because it's not a, not a going out and coming back in, it's all integrated. >>We want, we, we want our people working on the data in Snowflake. We want, that's our data platform. That's where we want our analytics done. Right. We don't want, we don't want, 'em done in other places. We when get all that data down and we've, we've over our data cloud journey, we've worked really hard to move all of that data. We use out of existing systems on prem, and now we're attacking our, the data that's in GCP and making sure it's down. And it's not a lot of data. And we, we fixed it with one data pipeline. Exposes all that data down on, down in Snowflake now. And we're just migrating our code down to work against the Snowflake platform, which is what we want. >>Why are you excited about hybrid tables? What's what, what, what's the >>Potential hybrid tables I'm excited about? Because we, so some of the data science that we do inside of Snowflake produces a set of results and their recommendations, well, we have to get those recommendations back to our people back into our, our talent management system. And there's just some delays. There's about an hour delay of delivering that data back to that team. Well, with hybrid tables, I can just write it to the hybrid table. And that hybrid table can be directly accessed from our talent management system, be for the recruiters and for the hiring managers, to be able to see those recommendations in near real time. And that that's the value. >>Yep. We learned that access to real-time data in recent years is no longer a nice to have. It's like a huge competitive differentiator for every industry, including yours guys. Thank you for joining Dave and me on the program, talking about Snowpark for Python. What that announcement means, how Allegis is leveraging the technology. We look forward to hearing what comes when it's GA >>Yeah. We're looking forward to, to it. Nice >>Guys. Great. All right guys. 
Thank you. For our guests and Dave Vellante, I'm Lisa Martin. You're watching theCUBE's coverage of Snowflake Summit 22. Stick around. We'll be right back with our next guest.

Published Date : Jun 15 2022


Kirsten Newcomer & Jim Mercer | Red Hat Summit 2022


 

(upbeat music) >> Welcome back. We're winding down theCUBE's coverage of Red Hat Summit 2022. We're here at the Seaport in Boston. It's been two days of a little different Red Hat Summit. We're used to eight, 9,000 people. It's much smaller event this year, fewer developers or actually in terms of the mix, a lot more suits this year, which is kind of interesting to see that evolution and a big virtual audience. And I love the way, the keynotes we've noticed are a lot tighter. They're pithy, on time, they're not keeping us in the hall for three hours. So we appreciate that kind of catering to the virtual audience. Dave Vellante here with my co-host, Paul Gillin. As to say things are winding down, there was an analyst event here today, that's ended, but luckily we have Jim Mercer here as a research director at IDC. He's going to share maybe some of the learnings from that event today and this event overall, we're going to talk about DevSecOps. And Kirsten Newcomer is director of security, product management and hybrid platforms at Red Hat. Folks, welcome. >> Thank you. >> Thank you. >> Great to see you. >> Great to be here. >> Security's everywhere, right? You and I have spoken about the supply chain hacks, we've done some sort of interesting work around that and reporting around that. I feel like SolarWinds created a new awareness. You see these moments, it's Stuxnet, or WannaCry and now is SolarWinds very insidious, but security, Red Hat, it's everywhere in your portfolio. Maybe talk about the strategy. >> Sure, absolutely. We feel strongly that it's really important that security be something that is managed in a holistic way present throughout the application stack, starting with the operating system and also throughout the life cycle, which is partly where DevSecOps comes in. So Red Hat has kind of had a long history here, right? Think SELinux and Red Hat Enterprise Linux for mandatory access control. 
That's been a key component of securing containers in a Kubernetes environment. SELinux has demonstrated the ability to prevent or mitigate container escapes to the file system. And we just have continued to work up the stack as we go, our acquisition of StackRox a little over a year ago, now known as Red Hat Advanced Cluster Security, gives us the opportunity to really deliver on that DevSecOps component. So Kubernetes native security solution with the ability to both help shift security left for the developers by integrating in the supply chain, but also providing a SecOps perspective for the operations and the security team and feeding information between the two to really try and do that closed infinity loop and then an additional investment more recently in sigstore and some technologies. >> Interesting. >> Yeah, is interesting. >> Go ahead. >> But Shift Left, explain to people what you mean by Shift Left for people might not be familiar with that term. >> Fair enough. For many, many years, right, IT security has been something that's largely been part of an operations environment and not something that developers tended to need to be engaged in with the exception of say source code static analysis tools. We started to see vulnerability management tools get added, but even then they tend to come after the application has been built. And I even ran a few years ago, I ran into a customer who said my security team won't let me get this information early. So Shift Left is all about making sure that there are security gates in the app dev process and information provided to the developer as early as possible. In fact, even in the IDE, Red Hat CodeReady Dependency Analytics does that, so that the developers are part of the solution and don't have to wait and get their apps stalled just before it's ready to go into deployment. >> Thank you. You've also been advocating for supply chain security, software supply chain. 
First of all, explain what a software supply chain is and then, what is unique about the security needs of that environment? >> Sure. And the SolarWinds example, as Dave said, really kind of has raised awareness around this. So just like we use the term supply chain, most people given kind of what's been happening with the pandemic, they've started hearing that term a lot more than they used to, right? So there's a supply chain to get your groceries, to the grocery store, food to the grocery store. There's a supply chain for manufacturing, where do the parts come for the laptops that we're all using, right? And where do they get assembled? Software has a supply chain also, right? So for years and even more so now, developers have been including open source components into the applications they build. So some of the supplies for the applications, the components of those applications, they can come from anywhere in the world. They can come from a wide range of open source projects. Developers are adding their custom code to that. All of this needs to be built together, delivered together and so when we think about a supply chain and the SolarWinds hack, right, there are a couple of elements of supply chain security that are particularly key. The executive order from May of last year, I think was partly in direct response to the SolarWinds hack. And it calls out that we need a software bill of materials. Now again, in manufacturing that's something folks are used to, I actually had the opportunity to contribute to the Software Package Data Exchange format, SPDX when it was first started, I've lost track of when that was. But an SBOM is all about saying, what are all of those components that I'm delivering in my solution? It might be an application layer. It might be the host operating system layer, but at every layer. 
And if I know what's in what I'm delivering, I have the opportunity to learn more information about those components to track where does Log4Shell, right? When the Log4j or Spring4Shell, which followed shortly thereafter. When those hit, how do I find out which solutions that I'm running have the vulnerable components in them and where are they? The software bill of materials helps with that but you also have to know where, right. And that's the Ops side. I feel like I missed a piece of your question. >> No, it's not a silver bullet though, to your point and Log4j very widely used, but let's bring Jim into the conversation. So Jim, we've been talking about some of these trends, what's your focus area of research? What are you seeing as some of the mega trends in this space? >> I mean, I focus in DevOps and DevSecOps and it's interesting just talking about trends. Kirsten was mentioning the open source and if you look back five, six, seven years ago and you went to any major financial institution, you asked them if they use an open source. Oh, no. >> True. >> We don't use that, right. We wrote it all here. It's all from our developers-- >> Witchcraft. >> Yeah, right, exactly. But the reality is, they probably use a little open source back then but they didn't realize it. >> It's exactly true. >> However, today, not only are they not averse to open source, they're seeking it out, right. So we have survey data that kind of indicates... A survey that was run kind of in late 2021 that shows that 70% of those who responded said that within the next two years 90% of their applications will be made up of open source. In other words, the content of an application, 10% will be written by themselves and 90% will come from other sources. So we're seeing these more kind of composite applications. Not, everybody's kind of, if you will, at that 90%, but applications are much more composite than they were before. 
So I'm pulling in pieces, but I'm taking the innovation of the community. So I not only have the innovation of my developers, but I can expand that. I can take the innovation to the community and bring that in and do things much quicker. I can also not have my developers worry about things that, maybe just kind of common stuff that's out there that might have already been written. In other words, just focus on the business logic, don't focus on, how to get orders or how to move widgets and those types of things that everybody does 'cause that's out there in open source. I'll just take that, right. I'll take it, somebody's perfected it, better than I'll ever do. I'll take that in and then I'll just focus and build my business logic on top of that. So open source has been a boom for growth. And I think we've heard a little bit of that (Kirsten laughs) in the last two days-- >> In the Keynotes. >> From Red Hat, right. But talking about the software bill of materials, and then you think about now I'm taking all that stuff in, I have my first level open source that I took in, let's call it component A. But behind component A is all these transitive dependencies. In other words, open source also uses open source, right? So there's this kind of this, if you will, web or nest, if you want to call it that, of transitive dependencies that need to be understood. And if I have five, six layers deep, I have a vulnerability in another component and I'm over here. Well, guess what? I picked up that vulnerability, right. Even though I didn't explicitly go for that component. So that's where understanding that software bill of materials is really important. I like to explain it as, during the pandemic, we've all experienced, there was all this contact tracing. It was a term where all came to mind. The software bill of materials is like the contact tracing for your open source, right. >> Good analogy. 
>> Anything that I've come in contact with, just because I came in contact with it, even though I didn't explicitly go looking for COVID, if you will, I got it, right. So in the same regard, that's how I do the contact tracing for my software. >> That 90% figure is really striking. 90% open source use is really striking, considering that it wasn't that long ago that one of the raps on open source was it's insecure because anybody can see the code, therefore anybody can see the vulnerabilities. What changed? >> I'll say that, what changed is kind of first, the understanding that I can leapfrog and innovate with open source, right? There's more open source content out there. So as organizations had to digitally transform themselves and we've all heard the terminology around, well, hey, with the pandemic, we've leapfrogged up five years of digital transformation or something along those lines, right? Open source is part of what helps those teams to do that type of leapfrog and do that type of innovation. You had to develop all of that natively, it just takes too long, or you might not have the talent to do it, right. And to find that talent to do it. So it kind of gives you that benefit. The interesting thing about what you mentioned there was, now we're hearing about all these vulnerabilities, right, in open source, that we need to contend with because the bad guys realize that I'm taking a lot of open source and they're saying, geez, that's a great way to get myself into applications. If I get myself into this one open source component, I'll get into thousands or more applications. So it's a fast path into the supply chain. And that's why it's so important that you understand where your vulnerabilities are in the software-- >> I think the visibility cuts two ways though. So when people say, it's insecure because it's visible. In fact, actually the visibility helps with security. 
The reality that I can go see the code, that there is a community working on finding and fixing vulnerabilities in that code. Whereas in code that is not open source it's a little bit more security by obscurity, which isn't really security. And there could well be vulnerabilities that a good hacker is going to find, but are not disclosed. So one of the other things we feel strongly about at Red Hat, frankly, is if there is a CVE that affects our code, we disclose that publicly, we have a public CVE database. And it's actually really important to us that we share that, we think we share way more information about issues in our code than most other users or consumers of open source and we work that through the broad community as well. And then also for our enterprise customers, if an issue needs to be fixed, we don't just fix it in the most recent version of the open source. We will backport that fix. And one of the challenges, if you're only addressing the most recent version, that may not be well tested, it might have other bugs, it might have other issues. When we backport a security vulnerability fix, we're able to do that to a stable version, give the customers the benefit of all the testing and use that's gone on while also fixing. >> Kirsten, can you talk about the announcements 'cause everybody's wondering, okay, now what do I do about this? What technology is there to help me? Obviously this framework, you got to follow the right processes, skill sets, all that, not to dismiss that, that's the most important part, but the announcements that you made at Red Hat Summit and how does the StackRox acquisition fit into those? >> Sure. So in particular, if we stick with DevSecOps a minute, but again, I'll do. Again for me, DevSecOps is the full life cycle and many people think of it as just that Shift Left piece. But for me, it's the whole thing. So StackRox ACS has had the ability to integrate into the CI/CD pipeline before we bought them. That continues. 
They don't just assess for vulnerabilities, but also for application misconfigurations, excess proof requests and Helm charts, deployment YAML. So kind of the big, there are two sort of major things in the DevSecOps angle of the announcement or the supply chain angle of the announcement, which is the investment that we've been making in sigstore, signing, getting integrity of the components, the elements you're deploying is important. I have been asked for years about the ability to sign container images. The reality is that the signing technology and Red Hat signs everything we ship and always have, but the signing technology wasn't designed to be used in a CI/CD pipeline and sigstore is explicitly designed for that use case to make it easy for developers, as well as you can back it with Fulcio, you can back it with an OIDC based signing, keyless signing, throw away the key. Or if you want that enterprise CA, you can have that backing there too. >> And you can establish that as a protocol where you must. >> You can, right. So our pattern-- >> So that would've helped with SolarWinds. >> Absolutely. >> Because they were putting in malware and then taking it out, seeing what happened. My question was, could sigstore help? I always evaluate now everything and I'm not a security expert, but would this have helped with SolarWinds? A lot of times the answer is no. >> It's a combination. So a combination of sigstore integrated with Tekton Chains. So we ship Tekton, which is a Kubernetes supply chain pipeline. As OpenShift pipelines, we added chains to that. Chains allows you to attest every step in your pipeline. And you're doing that attestation by signing those steps so that you can validate that those steps have not changed. And in fact, the folks at SolarWinds are using Tekton Chains. They did a great talk in October at KubeCon North America on the changes they've made to their supply chain. 
So they're using both Tekton Chains and sigstore as part of their updated pipeline. Our pattern will allow our customers to deploy OpenShift, advanced cluster manager, advanced cluster security and Quay with security gates in place. And that include a pipeline built on Tekton with Tekton Chains there to sign those steps in the pipeline to enable signing of the code that's moving through that pipeline to store that signature in Quay and to validate the image signature upon deployment with advanced cluster security. >> So Jim, your perspective on this, Red Hat's, I mean, you care about security, security's everywhere, but you're not a security company. You follow security companies. There's like far too many of them. CISOs all say my number one challenge is lack of talent, but I have all these tools to deal with. You see new emerging companies that are doing pretty well. And then you see a company that's highly respected, like an Okta screw up the communications on a pretty benign hack. Actually, when you peel the onion on that, it's just this mess (chuckles) and it doesn't seem like it's going to get any simpler. Maybe the answer is companies like Red Hat kind of absorbing that and taking care of it. What do you see there? I mean, maybe it's great for business 'cause you've got so many companies. >> There's a lot of companies and there's certainly a lot of innovation out there and unique ways to make security easier, right. I mean, one of the keys here is to be able to make security easier for developers, right. One of the challenges with adopting DevSecOps is if DevSecOps creates a lot of friction in the process, it's hard to really... I can do it once, but I can't keep doing that and get the same kind of velocity. So I need to take the friction out of the process. And one of the challenges a lot of organizations have, and I've heard this from the development side, but I've also heard it from the InfoSec side, right. 
Because I take inquiry for people on InfoSec, and they're like, how do I get these developers to do what I want? And part of the challenge they have is like, I got these teams using these tools. I got those teams using those tools. And it's a similar challenge that we saw on DevOps where there's just too many, if you will, too many dang tools, right. So that is a challenge for organizations is, they're trying to kind of normalize the tools. Interestingly, we did a survey, I think around last August or something. And one of the questions was around, where do you want your security? Where do you want to get your DevSecOps security from, do you want to get it from individual vendors? Or do you want to get it from like, your platforms that you're using and deploying changes in Kubernetes. >> Great question. What did they say? >> The majority of them, they're hoping they can get it built into the platform. That's really what they want. And you see a lot of the security vendors are trying to build security platforms. Like we're not just a SAST tool, we're DAST, we're this, whatever. And they're building platforms to kind of be that end-to-end security platform, trying to solve that problem, right, to make it easier to kind of consume the product overall, without a bunch of individual tools along the way. But certainly tool sprawl is definitely a challenge out there. Just one other point around the sigstore stuff which I love. Because that goes back to the supply chain and talking about digital provenance, right. Understanding where things... How do I validate that what I gave you is what you thought it was, right. And what I like about it with Tekton Chains is because there's a couple things. Well, first of all, I don't want to just sign things after I built the binary. Well, I mean, I do want to sign it, but I want to just sign things once, right. Because all through the process, I think of it as a manufacturing plant, right. I'm making automobiles. 
If I check the quality of the automobile at one stage and I don't check it to the other, things have changed, right. How do I know that I did something wasn't compromised, right. So with sigstore kind of tied in with Tekton Chains, kind of gives me that view. And the other aspect I like it about is, this kind of transparency in the log, right-- >> The report component. >> Exactly. So I can see what was going on. So there is some this kind of like public scrutiny, like if something bad happened, you could go back and see what happened there and it wasn't as you were expected. >> As with most discussions on this topic, we could go for an hour because it's really important. And thank you guys for coming on and sharing your perspectives, the data. >> Our pleasure. >> And keep up the good work. Kirsten, it's on you. >> Thanks so much. >> The IDC survey said it, they want it in platforms. You're up. >> (laughs) That's right. >> All right. Good luck to both of you. >> Thank you both so much. >> All right. And thank you for watching. We're back to wrap right after this short break. This is Dave Vellante for Paul Gillin. You're watching theCUBE. (upbeat music)

Published Date : May 11 2022


Donna Wilczek, Coupa | Coupa Inspire 2022


 

>>Welcome back to the Cosmopolitan in Las Vegas. Lisa Martin here at Coupa Inspire 2022 with a couple thousand people here. And I got to tell you it's really great to be back in person. Donna Wilczek joins me next, the SVP of product strategy and innovation at Coupa. Donna, welcome to the program. >>Thank you so much. It is great to be here and it's great to be live, but yet >>It is great to be alive. Again. I feel like I'm exhaling for the first time in a long time. >>I know, right. It's just so wonderful. I want >>To talk a little bit about you you've been at Coupa for a long time since it was just a baby startup, a little >>Baby >>Lady that also had a lot of leadership roles, product strategy, marketing, a customer experience, professional services. I also read that you have 12 software patents. I do. I love that. >>I know it's been one of the most amazing things at Coupa, which is this ability to be creative and innovate and then get your item patented. It's wonderful. >>Talk to me about, obviously the last two years have been so interesting, shall we say dynamic challenging? And we were talking before we went live that we haven't. The key bus had been that Coupa Inspire, Inspire hasn't happened since 2019 and it's almost three years ago. Talk to me about the last 10 years at Coupa and the massive acceleration I'm Rob was saying this morning in the keynote 3.3 trillion under spend under management almost at a trillion a year run rate. Yeah, >>We have huge. The numbers have just started to really become a flywheel, right? More customers more spend. And really now having this big data repository of $3.3 trillion and the ability to apply AI to that data. But it really has been a journey. Um, when I joined about 11 years ago, now we had this vision, the vision was always a data centric model where we can apply AI to that data and create intelligence. 
And now we're finally at a volume of data where we can, we can anonymize the data and we can create insights at a level that we just were not able to do 10 years ago. >>One of the things that we've learned, I think fairly recently, is that every company has to be a data company regardless of industry. Even I, I, I think about that, like my grocery store has to be a data company. Sure. There's no more, it'd be nice if we had a data strategy, it would be nice if we actually could glean insights from our data. That's table stakes, that's business critical, that's differentiating. >>Absolutely. And I think, you know, I think what's really interesting in an enterprise software is that as a SaaS provider, although we may host the systems, we don't actually own our customer's data. We need to actually have permission to usage of the data. And that was one of the things that Coupa did very early on, about 10 years ago, where we started working with our customers and really building that permission to use into the contracts themselves. And that has really created now this motion of having data that we can now consume and use where a lot of businesses in enterprise software had not really thought about the notion of permission to use and having data available to them. >>That's the power of the community, right? And that's one of the things that clearly sets Coupa apart from its competition. >>Yes, indeed. We have spent so many years on creating this model of how does the community and how does community.ai help each individual customer become more efficient, save more and also do good for the planet in a way that has just never been able to do, if that company was doing it alone by themselves. >>Speaking of good for the planet, let's talk about ESG, your customer conversations. ESG is broad. >>How >>Are customers approaching the topic of it to bring it in as a strategic initiative? Okay. >>You know, I think this is a really great question. 
So what happened about a few years ago is our customers sat down with us and we said to ourselves, if we were going to make every dollar more sustainable, more inclusive that we're spending, what would we need to do? What would that be? The places within a spend function that you could improve the outcome of that dollar to be more sustainable and inclusive. And we broke it down into so many different features. And over the last three years, we've developed, delivered over 80 different features now available in our BSM sustainable BSM toolkit that our customers can configure Coupa to impact their ESG goals positively. >>So BSM can be a facilitator of ESG or an accelerator, or >>It's definitely an accelerator. And one of the things we're trying to do is democratize the ability to do good, right? So oftentimes the larger organizations are able to invest people into these problems. Well now smaller and smaller organizations are expected to comply with government regulations. How do these businesses do it? They can do it with technology like Coupa. >>Got it. Okay. One of the things I was looking at in my prep for the event was a recent survey that Coupa did just in February. It's just a couple of months ago, 800 decision makers, >>Um, >>Who have overview or responsibility for the supply chain and businesses with over a thousand employees. And this was global. What are some of the improvements that businesses, what did you find that they want to make with respect to ESG? >>You know, I think there was a really great survey that showed businesses have the intent, they want to do good, but the problem is the actual execution of it. How do they actually make it happen? And technology systems have largely failed them or have only looked at a part of the problem without looking at the whole problem. I can give you an example, please >>Do >>So in the scope three emissions, which is on everyone's mind right now, how are we going to comply with scope three emissions? 
At first on the surface, it looks like a reporting problem. Oh, I'll just create a report. But the real problem is data related. The data itself that these organizations have on what they purchased and who they purchased it from is terrible. And so if your data's bad, your report to the government is going to be terrible, right? So you have to look at the problem holistically, solving the data problem before you get to the reporting problem. And that's what Coupa really specializes on. >>And the things I was also looking at in the survey was from an overall theme perspective that the availability and reliability of crucial supply chain data is preventing organizations from operationalizing their corporate purpose with respect to ESG will Coupa solves that problem. >>Absolutely. >>Talk to me about that. >>Yeah. So let's talk about things like third-party risk management. When you are working in a supply chain, you need to know who your suppliers are, not just your suppliers, but their suppliers as well, tier two, tier three, tier four, or even beyond even. Um, and this is everything from anti-bribery and anti-corruption to InfoSec and GDPR and so many different government regulations on knowing who you're doing business with. And Coupa solves that problem of collecting that data from your third parties and then continually monitoring it and passing it into the different systems within your spend processes in order to make sure that the person that is making a decision has the data at their fingertips. >>That's critical. And you know, one of the things we've learned in the last two years is that everybody wants things now, instantaneously, in real time. It's no longer, oh, that's great to have that. No, I, as a consumer, I want that in business. I want that every company has to be a data company, but if organizations can't be able to extract insights from that data and make smart decisions on it in real time, they're going to be out of business. >>Absolutely. 
The ability to be able to process data at the time you're making a decision, the best data possible at that moment is critical in order for these companies, really, it's a, it's an ability for this company to thrive and even survive. >>Absolutely. Nobody's going to want one thing, I think we know nobody's going to want less data slot more slowly as time goes on. It's always going to be more data faster, faster, fastest. >>Absolutely. And that's why this model at Coupa has really been formulated over the last 12 years of how do we collect the data across our customer community? How do we pull it together, normalize it, aggregate it, anonymize it, and create insights that are so powerful. Like what we're just announcing now is our ocean freight pricing >>Index. >>So we've collected all of the data from our customers that are sourcing ocean freight and we're taking that data and we're creating a market index for the pricing of ocean freight. So now within Coupa, you can actually see what's happening the price of ocean freight, and we're going to continue to add more and more services. As more data gets processed through Coupa. >>Talk to me about the customer influence and your role. You talk with customers a lot. It used to be on the road a lot. Obviously that's changed. Hopefully that's coming back, but let's talk about one of the things I always know when I, when I come to Inspire, I always know I'm going to see a lot of customer logos. I'm going to feel a lot. And on theCUBE here from the voice of Coupa's customer, talk to me about some of the influence that your customers have been able to have in the last two years alone. >>Absolutely. So our philosophy at Coupa is, uh, none of us is as smart as all of us. And it really is the DNA of this company, the heart of the company. So when the pandemic hit, we just really said to ourselves, okay, how do we continue that collaboration and now a digital world? And that's what we did. 
We just pivoted really fast into a digital world, but the same volume, the same collaboration, the same conversations were happening with our customer community. And in the last year alone, we probably had over 400 customers, over 90% of the features we delivered had customer input into those features. And the model continues around our customers, collaborating with us via the digital channels and our product owners, really working with them as a co-innovation team. And not as, you know, product in an ivory tower somewhere. >>I like the co-innovation kind of team part, but it's really what you're describing is that flywheel that you mentioned a few minutes ago, that's really always been there at Coupa for very, very long time. And it's just getting faster and more efficient. And I would say in a nerdy way, more data-driven >>More data, data, data. I will talk data all day long. It's just wonderful. And even this ocean freight thing, I'll tell everyone 10 years ago, this was the dream to have enough data, to be able to create these types of supply chain insights that are just unparalleled. And now as the data continues to increase the next year's insights and the year after are going to just keep improving because as the data increases, the insights get better and in different categories, different ways. >>So when you're in those customer conversations with customers who may be prospects, I'll say who aren't yet Coupa customers who ha who say Donna, I've got a, we've got a huge data problem. Where do they start? How do you advise them to be able to overcome that? So they can use the data, glean the insights in real time and be competitive? >>You know, the first thing I always say to our customers or prospective customers is start the journey and have conversations with Coupa as a partner and not as a vendor, the more that we can work together and say, help us understand your technology architecture, help us understand your pain points. 
Where are the, where are the parts of your business that are critically damaged that need us to prioritize. And then let us have a discussion for you as a company that we can make recommendations you based on other customers that have been like you and have those same pain points and then lay it out from that point of view. But it's, it's hard when it's a very, you know, classic old model of we're procurement and you're a vendor and we're going to silo it because what we see is a >>Lot of, >>Well, this is how we used to do it. So we're only asking you questions around how we used to do it. And now how the rest of the, not about how the rest of the community is doing it. So my advice would really be open up the doors, have a conversation, start as a partner, and then let's figure it out from there. >>Well, one of the things that came across in Rob's keynote this morning was about Coupa, about we've got to get rid of the silos. Every organization in every industry cannot operate in a silo. And even, even Barbara Corcoran's keynote when she was talking about some of the best ideas. In fact, I think I saw a tweet from her the other day that said she doesn't think she's ever had a really great idea. They've always come from basically collaborating within a group. So not in a silo. >>Absolutely, collaboration is key in everything we do. We, none of us is as smart as all of us. And it truly is a key point in technology. These silos that are happening in business that prevents the risk from properly being operationalized. So for example, the risk team may be aware that there is a supplier that has now gone onto a government watch list. Okay? But the payments team is not aware. So the payments team is still issuing payments to that vendor or new orders are going to that vendor or sourcing events. Coupa brings those silos together and says, instead, we're going to employ what we call suite synergy. 
And we're going to stop the transactions when the risk is increased, routed to the risk team for review before the money goes out the door. >>And how does, I love suite synergy? How does that resonate? Who are you talking to within customers? Are you talking to the C-suite? How does suite synergy resonate that far up the stack? Because the concept is clear. >>Yeah. It's about the collaboration for more value and protecting the brand. The, what the people we speak to are generally the CFO, the CPO, the chief procurement officer and the CIO. Those are generally, um, who we speak to. But increasingly we see the chief sustainability officer, the chief diversity officer, and especially from a notion of how do I not just report on my data? How do I improve it? How do I impact diversity by helping the person making a spend decision, giving them diverse options at the time they're doing that spend decision, instead of just reporting on it, throw it, >>Grow it, act on it, take the insights and actually make smart decisions faster. >>Absolutely. And before the money goes out the door, once the money goes out the door, you cannot influence it to be going to a diverse supplier, it's already done. >>Right. So I know we're only on day one here. Last question for you is what are its great turnout? All the people behind us. It's great to hear that buzz of, of a conference environment. Once again, what are some of the things that you've heard today that really excite you about the direction that Coupa's going in? >>I think for me, it all started today. And yesterday, yesterday we are a community advisory boards. We had hundreds of customers that were meeting with us and it was just the sense of co-innovation being alive and well. So many customers today, I sat next to ADM, uh, one of our customers and they're working with us on supply chain collaboration and the next generation of supply chain collaboration. 
And it was just so wonderful to finally meet the people that we've been working with for so long in a digital world. >>That's right. It's always nice. When you look at badges, I know you put video conferencing for two years. You're >>Taller than I thought >>Exactly. I don't get that. I don't get that. You're taller than other >>Taller. No, I'm pretty >>Sure it's been great. Having you on the program, talking about the strategy, the innovation, the direction Coupa is going and what you've witnessed, the evolution of it in the last 10 years, we congratulate you on your success. And we just look forward to seeing Coupa continue to evolve and mature. >>Thank you so much. It was wonderful to sit down with you today. Excellent. >>Good. I enjoyed it too. For Donna Wilczek, I'm Lisa Martin. You're watching theCUBE's coverage of Coupa Inspire 22 from Las Vegas. Thanks for watching.

Published Date : Apr 5 2022


Mark Nunnikhoven | CUBE Conversation May 2021


 

(upbeat music) >> Hello, welcome to theCUBE studios of Palo Alto, California for RSA conference keynote coverage and conference coverage. I'm John Furrier, your host of theCUBE. We're breaking down the keynote of RSA day one kickoff. We had Mark Nunnikhoven, who's the distinguished cloud strategist at Lacework. Mark, former CUBE alumni and expert in security, has been on many times before. Mark, great to see you. Thanks for coming on and helping me break down RSA conference 2021 virtual this year. Thanks for joining. >> Happy to be here. Thanks for having me, John. >> You know, one of the things Mark about these security conferences is that interesting, RSA was the last conference we actually did interviews physically face to face and then the pandemic went down and it was a huge shutdown. So we're still virtual coming back to real life. So and they're virtual this year, so kind of a turn of events, but that was kind of the theme this year in the keynote. Changing the game on security, the script has been flipped, connectivity everywhere, security from day one being reinvented. Some people were holding onto the old way, some people trying to get on there, on the future wave. Clearly you got the laggards and you've got the innovators all trying to kind of, you know, find their position. This has been obvious in this keynote. What's your take? >> Yeah and that was exactly it. They use that situation of being that last physical security conference, somewhat to their advantage to weave this theme of resiliency. And it's a message that we heard throughout the keynote. It's a message we're going to hear throughout the week. There's a number of talks that are tying back to this and it really hits at the core of what security aims to do. And I think aims is really the right word for it because we're not quite there yet. 
But it's about making sure that our technology is flexible, that it expands and adapts to the situations because as we all know this year, you know, basically upended everything we assumed about how our businesses were running, how our communities and society was running and we've all had to adapt. And that's what we saw at the keynote today was they acknowledged that and then woven into the message to drive that home for security providers. >> Yeah and to me one of the most notable backdrops to the entire thing was the fact that the RSA continues to operate from the sell out when Dell sold them for alright $2 billion to a consortium, private privately private equity company, Symphony Technology Group. So there they're operating now on their own. They're out in the wild, as you said, cybersecurity threats are ever increasing, the surface area has changed with cloud native. Basically RSA is a 3000 person startup basically now. So they've got SecurID, the old token business, we all have, anyone's had those IDs, you know, it's pretty solid, but now they've got to kind of put this event back together and Mobile World Congress is right around the corner. They're going to try to actually have a physical event. So you have this pandemic problem of trying to get the word out and it's weird. It's kind of, I found it. It's hard to get your hands around all the news. >> It is. And it's, you know, we're definitely missing that element. You know, we've seen that throughout the year people have tried to adapt these events into a virtual format. We're missing those elements of those sorts of happenstance run-ins. I know we've run into each other at a number of events just sort of in the hall, you get to catch up, but you know as part of those interactions, they're not just social but you also get a little more insight into the conference. Hey, you know, did you catch this great talk or are you going to go catch this thing later? And we're definitely missing that. 
And I don't think anyone's really nailed this virtual format yet. It's very difficult to wrap your head around like you said, I saw a tweet online from one InfoSec analyst today. It was pointed out, you know, there were 17 talks happening at the same time, which you know, in a physical thing you'd pick one and go to it. In a virtual, there's that temptation to kind of click across the channels. So even if you know what's going on it's hard to focus in these events. >> Yeah the one conference has got a really good I think virtual platform is DockerCon, they have 48 panels, a lot of great stuff there. So that's one of more watching closest coming up on May 27. Check that one out. Let's get into this, let's get into the analysis. I really want to get your thoughts on this because you know, I thought the keynote was very upbeat. Clearly the realities are presenting it. Chuck Robbins, the CEO of Cisco there and you had a bunch of industry legends in there. So let's start with, let's start with what you thought of Rohit's keynote and then we'll jump into what Chuck Robbins was saying. >> Sure yeah. And I thought, Rohit, you know, at first I questioned cause he brought up and he said, I'm going to talk about tigers, airplanes and sewing machines. And you know, as a speaker myself, I said, okay, this is either really going to work out well or it's not going to work out at all. Unfortunately, you know, Rohit is a professional, he's a great speaker and it worked out. And so he tied these three examples. So it was Tiger King for Netflix, at World War II, analyzing airplane damage and a great organization in India that pivoted from sewing into creating masks and other supplies for the pandemic. He wove those three examples through with resiliency and showed adaptation. And I thought it was really really well done first of all. But as a cloud guy, I was really excited as well that that first example was Netflix. 
And he was referencing Chaos Monkey, which is a chaos engineering tool, which I don't think a lot of security people are exposed to. So we use it very often in cloud building where essentially this tool will purposely blow up things in your environment. So it will down services. It will cut your communications off because the idea is you need to figure out how to react to these things before they happen for real. And so getting keynote time for a tool like that, a very modern cloud tool, I thought was absolutely fantastic. Even if that's, you know, not so well known or not a secret in the cloud world anymore, it's very commonly understood, but getting a security audience exposure to that was great. And so you know, Rohit is a pro and it was a good kickoff and yeah, very upbeat, a lot of high energy which was great for virtual keynote. Cause sometimes that's what's really missing is that energy. >> Yeah, we like Rohit too. He's got some, he's got charisma. He also has his hand on the pulse. I think the Chaos Monkey point you're making is as a great call out because it's been around the DevOps community. But what that really shows I think and puts an exclamation point around this industry right now is that DevSecOps is here and it's never going away and cloud native and certainly the pandemic has shown that cloud scale speed data and now distributed computing with the edge, 5G has been mentioned, as you said, this is a real deal. So this is DevOps. This is infrastructure as code and security is being reinvented in it. This is a killer theme and it's kind of a wake-up call. What's your reaction to that? What's your take? >> Yeah, it absolutely is a wake-up call and it actually blended really well into Rohit's second point, which was around using data. 
And I think, you know, having these messages put out to the, you know, what is the security conference for the year always, is really important because the rest of the business has moved forward and security teams have been a little hesitant there, we're a little behind the times compared to the rest of the business who are taking advantage of these cloud services, taking advantage of data being everywhere. So for security professionals to realize like hey there are tools that can make us better at our jobs and make us, you know, keep or help us keep pace with the business is absolutely critical because like you said, as much as you know I always cringe when I hear the term DevSecOps, it's important because security needs to be there. The reason I cringe is because I think security should be built into everything. But the challenge we have is that security teams are still a lot of us are still stuck in the past to sort of put our arms around something. And you know, if it's in that box, I'm good with it. And that just doesn't work in the cloud. We have better tools, we have better data. And that was really Rohit's key message was those tools and that data can help you be resilient, can help your organization be resilient and whether that's the situation like a pandemic or a major cyber attack, you need to be flexible. You need to be able to bounce back. >> You know, when we actually have infrastructure as code and no one ever talks about DevOps or DevSecOps you know, we've, it's over, it's in the right place, but I want to get your thoughts and seeing if you heard anything about automation because one of the things that you bring up about not liking the word DevSecOps is really around, having this new team formation, how people are organizing their developers and their operations teams. And it really is becoming programmable and that's kind of the word, but automation scales it. So that's been a big theme this year. What are you hearing? 
What did you hear on the keynote? Any signs of reality around automation, machine learning, you mentioned data, did they dig into automation? >> Automation was on the periphery. So a lot of what they're talking about only works with automation. So, you know, the Netflix shout out for Chaos Monkey absolutely as an automated tool to take advantage of this data, you absolutely need to be automated but the keynote mainly focused on sort of the connectivity and the differences in how we view an organization over the last year versus moving forward. And I think that was actually a bit of a miss because as you rightfully point out, John, you need automation. The thing that baffles me as a builder, as a security guy, is that cyber criminals have been automated for years. That's how they scale. That's how they make their money. Yet we still primarily defend manually. And I don't know if you've ever tried to beat, you know the robots that are everything or really complicated video games. We don't tend to win well when we're fighting automation. So security absolutely needs to step up. The good news is looking at the agenda for the week, taking in some talks today, while it was a bit of a miss in the keynote, there is a good theme of automation throughout some of the deeper dive sessions. So it is a topic that people are aware of and moving forward. But again, I always want to see us move fast. >> Was there a reason Chuck Robbins headlines or is that simply because they're a big 800-pound gorilla in the networking space? You know, why Cisco? Are they relevant security? Is that signaling that networking is more important? As of 5G at the edge, but is Cisco the player? >> Obviously Cisco has a massive business and they are a huge player in the security industry but I think they're also representative of, you know and this was definitely Chuck's message. They were representative of this idea that security needs to be built in at every layer. 
So even though, you know I live on primarily the cloud technologies dealing with organizations that are built in the cloud, there is, you know, the reality of that we are all connected through a multitude of networks. And we've seen that with work from home which is a huge theme this year at the conference and the improvements in mobility with 5G and other connectivity areas like Edge and Wi-Fi 6. So having a big network player and security player like Cisco in the keynote I think is important just because their message was not just about inclusion and diversity for skills which was a theme we saw repeated in the keynote actually but it was about building security in from the start to the finish throughout. And I think that's a really important message. We can't just pick one place and say this is where we're going to build security. It needs to be built throughout all of our systems. >> If you were a CISO listening today what was your take on that? Were you impressed? Were you blown away? Did you fall out of your chair or was it just right down the middle? >> I mean, you might fall out of your chair just cause you're sitting in it for so long taken in a virtual event. And I mean, I know that's the big downside of virtual is that your step counter is way down compared to where it should be for these conferences but there was nothing revolutionary in the opening parts of the keynote. It was just, you know sort of beating the drum that has been talked about, has been simmering in the background from sort of the more progressive side of security. So if you've been focusing on primarily traditional techniques and the on-premise world, then perhaps this was a little a bit of an eye-opener and something where you go, wow, there's, you know there's something else out here and we can move things forward. 
For people who are, you know, more cloud native or more into that automation space, that data space, this is really just sort of a head nodding going, yep, I agree with this. This makes sense. This is where we all should be at this point. But as we know, you know, there's a very long tail in security and in security organizations. So to have that message, you know, repeated from a large stage like the keynote I think was very important.

>> Well you know, we're going to be, theCUBE will be onsite and virtual with our virtual platform for Amazon Web Services re:Inforce coming up in Houston. So that's going to be interesting to see and you compare contrast like an AWS re:Inforce which is kind of the I there I think they had the first conference two years ago so it's kind of a new conference. And then you got the old kind of RSA conference. The question I have for you, is it a juxtaposition of almost two conferences, right? You got the cloud native AWS, which is really about, oh shared responsibility, et cetera, et cetera, a lot more action happening there. And you got this conference here seem come the old school legacy players. So I want to get your thoughts on that. And I want to get your take on just the cryptographers panel, because, you know, as I'm not saying this as a state-of-the-art that the old guys saying get off my lawn, you know, crypto, we're the crypto purists, they were trashing NFTs which as you know, is all the rage. So I, and Ron Rivest who, you know, co-created RSA public key technology, which is in everything these days. Is this a sign of just get off my lawn? Or is it a sign of the times trashing the NFTs? What's your take?

>> Yeah, well, so let's tackle the NFTs then we'll do the contrast between the two conferences. But I thought the NFT, you know, Ron and Adi both had really interesting ways of explaining what an NFT was, because that's most of the discussion around the NFT is exactly what are we buying or what are we investing in?
And so I think it was Adi who said, you know, it was basically you have a tulip then you could have a picture of a tulip and then you could have something explaining the picture of the tulip and that's what an NFT is. So I think, you know, but at the same time he recognized the value of potential for artists. So I think there was some definitely, you know, get off my lawn, but also sort of the cryptographers panel is always sort of very pragmatic, very evidence-based as shown today when they actually were talking about a paper by Schnorr who debates, whether RSA or if he has new math that he thinks can debunk RSA or at least break the algorithm. And so they had a very logical and intelligent discussion about that. But the cryptographers panel in contrast to the rest of the keynote, it's not about the hype. It's not about what's going on in the industry. It really is truly a cryptographers panel talking about the math, talking about the fundamental underpinnings of our security things. As a big nerd, I'm a huge fan but a lot of people watch that and just kind of go, okay, now's a great time to grab a snack and maybe move those legs a little bit. But if you're interested in the more technical deeper dive side, it's definitely worth taking in.

>> Super fascinating and I think, you know, it's funny, they said it's not even a picture of a tulip, it's a pointer to a picture of a tulip. Which is technically it.

>> That was it.

>> It's interesting how, again, this is all fun. NFTs are, I mean, you can't help but get enamored by decentralization. And that, that wave is coming. It's very interesting how you got a decentralization wave coming, yet a lot of people want to hang on to the centralized view. Okay, this is an architectural conflict.
Is there a balance in your mind as a techie, we look at security, certainly as the perimeter is gone, that's not even debate anymore, but as we have much more of a distributed computing environment, is there a need for some centrality and/or is it going to be all decentralized in your opinion?

>> Yeah that's actually a really interesting question. It's a great set up to connect both of these points of sort of the cryptographers panel and that contrast between newer conferences and RSA because the cryptographers panel brought up the fact that you can't have resilient systems unless you're going for a distributed systems, unless you're spreading things out because otherwise you're creating a central point of failure, even if it's at hyper-scale which is not resilient by definition. So that was a very interesting and very valid point. I think the reality is it's a combination of the two is that we want resilient systems that are distributed that scale up independently of other factors. You know, so if you're sitting in the cloud you're going multi-region or maybe even multicloud, you know, you want this distributed area just for that as Werner from AWS calls it, you know, the reduced blast radius. So if something breaks, not everything does but then the challenge from a security and from an operational point of view, is you need that central visibility. And I think this is where automation, where machine learning and really viewing security as a data problem, comes into play. If you have the systems distributed but you can provide visibility centrally which is something we can achieve with modern cloud technologies, you kind of hit that sweet spot.
You've got resilient underpinnings in your systems but you as a team can actually understand what's going on because that was a, yet another point from Carmela and from Ross on the cryptographers panel when it comes to AI and machine learning, we're at the point where we don't really understand a lot of what's going on in the algorithm, we kind of understand the output and the input. So again, it tied back to that resiliency. So I think that key is distributed systems are great but you need that central visibility and you only get there through viewing things as a data problem, heavy automation and modern tooling.

>> Great great insight, Mark. Great, great call out there. And great point tied in there. Let me ask you a question on your take on the keynote in the conference in general as first day gets going. Do you see this evolving from the classic enterprise kind of buyer supplier relationship to much more of a CSO driven or CXO driven? I need to start building about my teams. I got to start hiring developers, not so much in operation side. I mean, I see InfoSec is these industries are not going away. People are still buying tools and stacking up the tool shed but there's been a big trend towards platforms and shifting left from a developer CI/CD pipeline standpoint which speaks to scale on the cloud native side and that distributed side. So is this conference hitting that mark, or you still think there are more hardware and service systems people? What's the makeup? What's the take?

>> I think we're definitely starting to shift. So a great example of that is the CSA. The Cloud Security Alliance always runs a day one or day zero summit at RSA. And this year it was a CSO executive summit. And whereas in previous years it's been practitioners. So that is a good sign I think, that's a positive sign to start to look at a long ignored area of security, which is how do we train the next generation of security professionals. We've always taken this traditional view.
We've, you know, people go through the standard, you get your CISSP, you hold onto it forever. You know, you do your time on the firewall, you go through the standard thing but I think we really need to adjust and look for people with that automation capability, with development, with better business skills and definitely better communication skills, because really as we integrate, as we leave our sort of protected little cave of security, we need to be better business people and better team players.

>> Well Mark, I really appreciate you coming on here. A CUBE alumni and a trusted resource and verified, trusted contributor. Thank you for coming on and sharing your thoughts on the RSA conference and breaking down the keynote analysis, the RSA conference. Thanks for coming on.

>> Thank you.

>> Well, what we got you here to take a minute to plug what you're doing at Lacework, what you're excited about. What's going on over there?

>> Sure, I appreciate that. So I just joined Lacework, I'm a week in. So I'm drinking from the fire hose of knowledge and what I've found so far, fantastic platform, fantastic teams. It's got me wrapped up and excited again because we're approaching, you know, security from the data point of view. We're really, we're born in the cloud, built for the cloud and we're trying to help teams really gather context. And the thing that appealed to me about that was that it's not just targeting the security team. It's targeting builders, it's targeting the business, it's giving them that visibility into what's going on so that they can make informed decisions. And for me, that's really what security is all about.

>> Well, I appreciate you coming on. Thanks so much for sharing.

>> Thank you.

>> Okay, CUBE coverage of RSA conference here with Lacework, I'm John Furrier. Thanks for watching. (upbeat music)

Published Date : May 17 2021

Sandra Wheatley, Fortinet | CUBEConversation


 

(upbeat music)

>> Narrator: From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world, this is theCUBE conversation.

>> Hey, welcome back, everybody, Jeff Frick here with theCUBE coming to you from our Palo Alto studios today for a CUBE conversation, you know, we're like six, seven, eight months into this COVID thing. We're going to be dealing with it for a while. And one of the themes we've heard about over and over as kind of a result of COVID is an increase in the attack surfaces. More people are working from home or work from anywhere. And security has only been increasing in importance. And we're excited to have somebody from the alumni group who's been on before, she is Sandra Wheatley, the SVP marketing threat intelligence and influencer communications at Fortinet. Sandra, great to see you.

>> Thank you Jeff, I'm happy to be here.

>> Yeah, I think actually I misspoke. We've had a ton of great Fortinet people on, we've talked to John and Ken and Phil and Tony, but actually I'm not sure that we've had you on before, so great to have you.

>> No, this is my first time.

>> Awesome, so let's jump into it but we're going to take a slightly different tack today and we're not going to talk about the technology as much as this other pesky little problem, which is people. And, you know, we know there's a huge skills gap in tech in general, right. There's tons and tons of open reqs. If you go into all the big sites and then security it's even a more specific and a more acute problem. I wonder if you can tell us a little bit about kind of your perspective on this problem, being a senior executive, you know, at a security company, people is a big issue. How do you guys kind of look at the problem? How should people think about it and what are we going to do about it?

>> Well, Jeff, you were completely right. The cybersecurity skills gap. It's one of the biggest challenges that's facing organizations today.
I mean if you look at the larger landscape, cyber crime is one of the fastest growing crimes in the world, in fact by 2021, it'll cost the world about 6 trillion in total. And so tackling this issue continues to be a big problem. And it's exacerbated by this, the skills gap. We recently did a study at Fortinet and 73% of respondents acknowledged that at least one intrusion could be attributed to the lack of skilled professionals. So it's a huge problem. We know that it would take about 4 million professionals to close that gap. And in particular with COVID, it's become even more increased. We've seen a big uptick in attacks from cyber criminals, really targeting remote workers. It's a way into the enterprise network. We've seen a resurgence of ransomware and phishing targeting that workforce. And so as this threat landscape continues to increase it's definitely a problem that cybersecurity organizations, public and private partnerships really need to tackle.

>> It's interesting because we talk a lot about automation and we talk about the scale of the attacks and the scale of data and you know, everything is just going so up and to the right that without automation, you know, you have no hope and you need some help to basically separate signal from noise. That said you still need people. And really that automation is going to hopefully get the high visibility, the high priority issues to the right people. But ultimately that's an enabler for a person, not a replacement for person, for people. And it doesn't take away this tremendous need for more security professionals. And the other thing that we hear, Sandra, over and over, right, is that security is no longer a bolt-on, it's no longer, you know, you just build the wall around the outside of everything, right? It's got to be baked in throughout the entire process of the product development and deployment.
So the importance and kind of the reach and the breadth of security people in the influence of the building new products and shipping new products has never been greater and yet we've got this huge shortage.

>> Exactly and I think you touched on it. You know, what we're hearing from our customers is that they're really using this period during COVID to really take a long-term look at their cybersecurity investments and strategy. And so you're right, increasingly organizations are taking more of a platform approach to security, where they have more automation, integration and AI, that's one help. The other area is organizations need to be making their employees more cyber aware because it impacts everyone, even employees working at home organizations. We just released InfoSec training and we offered it, we made it available for free, and it really enables organizations to help educate their employees about the risk of cybersecurity and helping them to understand not to hit on the phishing email because, you know, 68% of intrusions happened as a result of careless mistakes by employees. That's a big issue, but also really making sure that we bring more professionals into the industry. I like to say, there's no job security like cybersecurity. So at the beginning of COVID, we made all of our training free and to the public in general. And I believe we had 500,000 registrations in the first six months. So that really underscores the demand for cybersecurity skills. And then organizations can also really be tapping into underrepresented demographics, like veterans, like women who make up only 14% of the workforce overall. So there are lots of things we can be doing and working together on this problem.

>> Yeah, you touched on a whole bunch of things there. So let's unpack a couple of them specifically. One of the cool things about security is that you guys do work together and that there is a big benefit from working together.
So it's a great place for kind of coopetition, especially as new threats come in and you guys can share that information. So there is an interesting kind of an ecosystem that there's, you know, shared basically resources against the bad guys. But you guys did a really interesting thing with Salesforce, with the World Economic Forum specifically to go after this problem. So where did that come from? Why Salesforce? Why World Economic Forum and why take, you know, kind of, I guess, out of the industry approach to really addressing getting more people as cybersecurity professionals?

>> Well, Fortinet is a founding member of the C4C cybersecurity forum, it was created by the World Economic Forum about two years ago. And right from the beginning one of the initiatives that we began working on was to reduce the skills gap. And so we started working with the World Economic Forum, Salesforce, which is another founding member, and others to tackle this problem. And so we provide all of our training, we provide our training and curriculum on the Salesforce Trailhead platform. We've also entered into another partnership with IBM, where we're providing our training on their cyber skills platform. We're working with local universities like Berkeley and others to make sure that we're getting more of the curriculum into their certifications and degree programs. Interestingly enough, one of the issues with this challenge is that there's not a lot of universities offering degrees in cybersecurity, which is really surprising. And so we're seeing a lot more uptick and interest around awareness around this area. And so it's very encouraging to see the results of some of these partnerships.

>> I don't, I mean, you, I'm going to tease you, kind of buried the lead but so people understand what you just said. You guys basically opened up your training catalog for free, during COVID as a reaction to help basically get more people trained. Am I getting that right?
>> That's completely right. We saw that this is something that can really help our customers during this time. It's something we're committed to closing and we felt this was a really impactful way to help with that issue.

>> That's amazing. And I saw you in an interview with Rob Rashad I believe is his name from your team. I wonder if you can, again, share with us some of the details in terms of the numbers of people that have gone through this program. 'Cause he mentioned them, somebody didn't write them down, this is pretty significant numbers that you guys are running through this free program.

>> Yeah, so we just passed a great big milestone of 500,000 certifications. Half of those have just been this year and that program's been in place for many, many years. So there's no doubt that this is something that's in huge demand. And so we continue to offer those trainings. This was one of the reasons why we just rolled out the InfoSec training for our customers and others to educate their employees. I mean, at one point I think we had someone registering every seven minutes. And so the response to that was excellent. And that training program has eight different modules and the curriculum in that program actually provides credits for (ISC)², which is a big certification in cybersecurity, and CISSP. So, you know, it's just an invaluable training program.

>> That's wild, and again, it's free all the way, not just to register for, you know, the one-on-ones, but all the way through the certification process at the end.

>> Well at the end, if you want to get the actual certification that's something that you can do separately after you do the training. Although we're working with some nonprofits to help pay for those certifications so that there's no financial burden to people.

>> Wow, that's tremendous. And then the other piece that you mentioned but I just want to highlight it is the opportunity to go after underrepresented groups.
And you specifically mentioned that you have a program for veterans and again, it seems so logical but some people just don't get it, right. Then you've got a skills shortage and you've got a talent shortage. Why not tap into those markets and those pools of people that are underutilized because, oh, by the way, they probably have a bunch of good qualified people in there that you can leverage.

>> That's exactly right, like vets, if you look at, take veterans for an example, they already have a lot of the skills that really work well for cybersecurity like situational awareness. They work very well under pressure. And so we started our veterans program about two years ago. And in addition to our training we offer mentoring, curriculum, resume building, interview skills building and now at this point, trained about a thousand veterans, many have had jobs. And one thing that we do that's different to other programs is that we bridge those candidates to our partners and customers who are looking for talent and really close that whole loop. So it's not just about the training, but it's also finding them as well at the end of the training once it's been completed.

>> Right, that's great. I also want to touch on another thing that you do beyond just training and this comes from, you published a blog on July eighth of this year talking about overcoming the cybersecurity skills gap. But you talked about other things beyond just the people. And I want to highlight really some attitudinal things that you suggest for people to get over this: view cybersecurity as an enabler, right? Not an obstacle. Recognize cybersecurity is a team effort. It's not just some superstar. Get the C-suite involved, collaborate on cybersecurity awareness and, you know, thinking about this issue at a little broader and a more kind of macro company-wide scale versus it's just the security people's job over in the security people's corner.
And that's really the best way to take care of it.

>> Absolutely, and that goes back to my earlier point. I mean the insider threat continues to be the biggest vector for attacks. A lot of times it's, you know, employees hitting on a phishing email, I'm sure you've seen the increase in those. And so it's really, you're right. It's more, the responsibility just doesn't lie with the folks who lead the cybersecurity organization. We all have a responsibility to be much more educated and aware. And so I think, you know, the board has to get them more involved. Executive management needs to make sure that they're providing the right training and education to their employees, that they're providing mentoring, that they're really encouraging more employees to move into cybersecurity and become certified. So there's lots of things that organizations need to be doing that include education, training. And then also making sure that you're making the right technology investments so that you have an infrastructure in place that's agile and can be flexible enough to meet the increasing demands of the threat landscape.

>> Right, I just wonder if you can share some insight on the conversation that happened before you guys opened this up to be free. 'Cause it's clearly, it's a move to do the right thing. It's a move to, you know, to respond to the community that's suffering and it's something that you guys could do, you had at your disposal, but I'm sure there was some naysayers in there, they're saying "No, we can't give this away. This is super valuable stuff." How, you know, how did you kind of make that decision to move forward? And I'm curious how it's kind of played out over time now that you've basically, as you said, increased your exposure and people that are trained and you know, I'm sure a lot of positive, you know, kind of second order benefits that you really didn't plan on when you were just trying to make a decision to help the community.
>> Well, this was a decision that came from the top. Our CEO has always been committed to training. I mean, this is why we even started the program, which our NSE program is one of the most robust in the industry. And so it's something that the founders have always been committed to. It's something that we've invested in. So there really wasn't any obstacles to doing this. This was something that everyone jumped on board with. The other thing is we really wanted to help our customers during this time. And we felt that this was one really meaningful way. We could help them by providing this training for free. And making sure that they have the talent that they need to really address all of the, you know, the expanding attack surface. But we were surprised by the demand and the response that was outstanding, right from the get-go. And so while we, you know, we've talked about this being offered to the end of the year, we haven't really made any plans to change that. And so that it may continue beyond the end of the year because the demand is so great and the results have been so positive.

>> Right. And I'm just curious, do you have in the training, and I didn't go through exhaustively through the whole list of all the courses, but beyond just the professionals do you have all the basic training just for employees? I just don't click on the link. You know, it's so funny. I was at, I think it was RSA. One of the keynotes was a Cisco executive and she said, you know, we tell people not to click links but that's what we do all day long. We click links, that's what we do, it's part of our job. And, you know, it's such a weird behavior to tell people not to do. And I'm still confused how SurveyMonkey gets people to click on SurveyMonkey links but that's a different conversation for another day, but I mean, are you offering the whole suite?
And I just love to get your perspective as a security executive, when you talk to clients how to think about things beyond just the obvious, you know, don't click on phishing emails and, you know, tighten up everything, but you know, more kind of high level how to think about security in this increasingly complex and dangerous world, if you will.

>> Yeah, well, the training program has eight modules. It goes from the most basic training to the most advanced training. So our NSE 1 and 2 are really more about educating people about the threat landscape, the threats out there, what it looks like, the most basic emphasis, security awareness around what you should do and what you should be looking out for. And all of our employees at Fortinet take that training. We take up to NSE 4, that's something that's mandated. And so at the very basic level all organizations should be leveraging those modules for their employees and for individuals who are just interested at large. And then it really advances very quickly after that. And it's the most advanced, you know, it covers, you know, cloud, the whole attack surface, AI, threat intelligence. And actually, as I mentioned earlier, provides credits for some of the top cybersecurity certifications in the industry, especially at the level of CSO. So it's very broad, it's extremely robust. And in addition to those modules we also have what we call fast track training and that's really utilized by our customers and partners. And that's more focused on specific technology areas. It's very condensed, it may be a day or two days. And the demand for that has been phenomenal. So that's been another program we added about two years ago. That's been very well received.

>> Wow, well, good for you guys. Good for you guys for making a proactive move in a very positive way to help your customers and help the community at large. It's just great to see, these are just tough times. They're going to be tough times for a little while longer.
So, you know, it's nice that you have resources available that you're able to make available to the larger community. And I'm sure it's nothing, but goodness will come from it. So good move by you guys. And I'm sure there's a lot of tangential benefits as well.

>> Thank you Jeff.

>> Well, thank you Sandra for sharing the story and great to meet you and expand our community over on the Fortinet side, we've had a lot of great guests over the year so it was great to have you on as well.

>> Thank you very much. We really appreciate all the support.

>> Absolutely, thank you. All right, so go out and get your free training. Go to fortinet.com and sign up and you too could be a security expert, or at least as far as you want to go all the way up to certification. I'm Jeff, she's Sandra, you're watching theCUBE. Thanks for watching, we'll see you next time. (upbeat music)

Published Date : Nov 9 2020

Aaron Kalb, Alation | CUBEConversation, September 2020


 

>> Announcer: From theCUBE studios in Palo Alto, in Boston, connecting with thought leaders all around the world. This is theCUBE conversation. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in our Palo Alto studios today for theCUBE conversation. We're talking about data. We're always talking about data and it's really interesting. You know, we like to go out and get you the first-person insight from the people that start the companies, run the companies, the practitioners and, and, and get the insight directly from them. We also like to go out and get original research and hear from original research. And this is a great opportunity to hear from both. So we're excited to have, and welcome back into the studio. He's Aaron Kalb. He's the co-founder of Alation, many-time CUBE alumni. Aaron. Great to see you. >> Yeah, thanks for having me. It's good to be here. >> Yeah, it's very cool. But today it's a special, a special thing. We've never done this before with you. You guys are releasing a brand new report called the Alation State of Data Culture Report. So really interesting report. A lot of great information that we're going to dig in here for the next few minutes. But before we do, tell us kind of the history of this report. This is a, the kind of the inaugural release. What was kind of behind it, why did you guys do this? And give us a little background before we get into the details. >> Absolutely. So, yes, that's exactly right. It's debuting today that we plan to kind of update this research quarterly; we're going to see the trends over time. And this emerged because, you know, I, part of my job, I talk to chief data officers and chief analytics officers across our customer base and prospects. And I keep hearing anecdotally over and over that establishing a data culture is often the number one priority for these data leaders and for these organizations. And so we wanted to really say, can we quantify that? 
Can we agree upon a definition of data culture? And can we create sort of a simple yardstick to more objectively measure where organizations are on this sort of data maturity curve to get it into culture. >> Right. I love it. So you created this data, data index right? The data culture index. And, and I think it's important to look at methodology. I think people, a lot of times go right to the results on reports before talking about the methodologies. And let's talk about the methodologies cause we're supposed to be talking about data, right? So you talked to 300, some odd executives, correct. And I think it's really interesting and you broke it down into three kind of buckets of data literacy, if you will. Data search and discovery, number one, data, two kind of literacy in terms of their ability to work with the data. And then the third bucket is really data governance. And then in, in the form ABCD, you gave him a four point score and basically, are they doing it well? Are they doing it in the majority of the time? Are they doing it about half, they got one or they got a zero and you get this four point scale and you end up with a 12 point scale which we're all familiar with from, from school, from an A to an, A minus and B, et cetera. Just dig it a little bit on those three categories and how you chose those. So the first one again is kind of the data search and discovery, you know can they find it and then their competency, if you will and then a governance and compliance. Kind of dig into each of those three buckets a little bit. >> For sure. So, so the, the end goal in data culture, is to have an organization in which data is valued and decisions are made based on data and evidence, right? Versus a culture in which we go with the highest paid person's opinion or what we did last quarter or any of these other ways things get done. And so the idea is to make that possible, as you said you've to be able to find the data when you need it. 
That's the data search and discovery. You've to be able to interpret that data correctly and draw valid conclusions from it. And that's a data literacy, excuse me. And both of those are contingent upon having data governance in place. So that data is well-defined and has high data quality, as well as other aspects, so that it is possible to find it and understand it properly. >> Right. And what are the things too that I think is really important that we call that, and again, we're going to dive into the details, is your perceived execution versus the reported execution by the people that are actually providing data. And I think you've found and you've highlighted on specific slides that you know, there's not necessarily a match there. And sometimes that you know, what you perceive is happening, isn't necessarily what's happening when you go down and query the people in the field. So really important to come up with a number. And I think a, I think you said this is going to be an ongoing thing over a period of time. So you kind of start to see longitudinal changes in these organizations. >> Absolutely. And we're very excited to see those, those trends over time. But even at the outset is this you know, very striking effect emerges which is, as you said, if we ask one of these you know, 300 data leaders, you know, all around the world actually, you know, if we ask, how is the data culture at your company overall, and this is very broad general top down way and have them graded on the sort of SaaS scale. You know, we get results where there's a large gap between kind of that level of maturity and what emerges in a bottom up methodology excuse me, in which you ask about, you know governance and literacy and, and such kind of by department and in a more bottom up way. And so we do see that that, you know, it can be helpful, even for data people to have a, a more granular metric and framework for quantifying their progress. >> Right? Let's jump into some of the results. 
It's, it's a fascinating, they're kind of all over the map, but there's some definite trends. One of the trends you talked about is that there's a lot of questions on the quality of the data. But that's a real inhibitor to people. Whether that suspicion is because it's not good data. And I don't know, this question for you, is, is, do they think it's not relevant to the decision that's being made? Is it an incomplete data set or the wrong data set? It seems to be that keeps coming up over and over about, decision-makers not necessarily having confidence in the data. What, can you share a little bit more color around that? >> Yeah, it's quite interesting actually. So what we find is that 90%. So 90 people, 10 executives (indistinct) to question the data sometimes often or always. But the part that's maybe disappointing or concerning is the two thirds of executives are believed to ignore the data and make a decision kind of pushing the data aside which is really quite striking when you think about it, why have all this data, if more often than not you're sort of disregarding it to make your final answer. And so you're absolutely correct when we dug into why, what are the reasons behind pushing it aside. Data quality was number one. And I think it is a question of, Oh, is the data inaccurate? Is it out of date, these sort of concerns sort of we, we hear from customers and prospects. But as we dig in deeper in the survey results, excuse me, we, we see some other reasons behind that. One is a lack of collaboration between the data analytics folks and the business folks. And so there's a question of, I don't know exactly where this data came from or to your point kind of how it was produced. What was the methodology? How was it sourced? And maybe because of that disconnect is a lack of trust. So trust really is the ultimate I think, failure to having data culture really take root. >> Right? 
And it's trust in this trust, as you said, not only in the data per se, the source of the data, the quality of the data, the relevance of the data but also the people who are providing you with the data. And obviously you get, you get some data sets. Sometimes you didn't get other data sets. So, that's really I'm a little bit disconcerting. The other thing I thought was kind of interesting is, it seems to be consistent that the, the primary reason that people are using big data projects is around operations and operations efficiency, a little bit about compliance, but, you know, it's interesting we had you on at the MIT CDOIQ, Chief Data Information Officer quality symposium, and you talked about the goodness of people moving from kind of a defensive posture to an offensive posture, you know using data in terms of product development and innovation. And, and what comes across in this survey is that's kind of down the list behind you know, kind of operational efficiency. We're seeing a little bit of governance and regulation but the, the quest for data as a tool for innovation, didn't really shine through in this report. >> Well, you know, it's very interesting. It depends whether you look at the aggregate level or you break things down a little bit more. So one thing we did after we got that zero to 12 scale on the data culture index or DCI, is it actually, we were able to break it down into thirds. And among the sort of bottom third, it has the least well-established data culture by this yardstick. We've found that governance and regulatory compliance, was the number one application of data. But among the top third of respondents, we actually found the opposite where things like providing a great customer experience, doing product innovation, those sort of things actually came to the fore and governance fell behind. So I think there is this curve where, It's table stakes to get the sort of defense side of data figured out. 
And then you can move on to offense in using data to make your organization meet its meet its other goals. >> Right. Right. And then I wanted to get your take on kind of the democratization of data, right? This is a, this is a trend that's been going on, and really, I think you said before you know, your guys' whole mission is to empower curious and rational world to give people the ability to ask the right questions have the right data and get the right answer. So, you know, we've seen democratization in terms of the access to the data, the access to the tools, the ability to do something with the data and the tool, and then the actual authority to execute business decision based on that. The results on that seem a little bit split here because a lot of the problems seem to be focused on leadership, not necessarily taking a data based decision move, but on the good hand a lot of people trying to break down data silos and make data more accessible for a larger group of people. So that more people in the organization are making data based decisions. This seems kind of like this little bit of a bifurcation between the C suite and everybody else trying to get their job done. >> Absolutely. There's always this question of you know, sort of the, that organizational wide initiative and then what's happening on the ground. One thing we saw that was very heartening and aligns with our customers index success, is a real emphasis being placed on having data governance and data context and data literacy factors sort of be embedded at the point of use. To not expecting people, to just like take a course and look things up and kind of end up with their workflow to be able to use data quickly and accurately and, and interpret it in varied ways. So that was really exciting to see as, as, as a initiative. It sort of bridges that gap along with initiatives to have more collaboration and integration between the data people and the business people. 
because really you know, they exist to serve one another. But in terms of the disconnect between the C suite and other parts of the org, there was a really interesting inverse correlation. Well, or maybe it's not interesting how you look at it, but basically, you know, when we talk to C level executives and ask, you know, does the C suite ignore data? Do they question data et cetera, those numbers came in lower than when we talked to, you know, senior director about the C suite right? It's sort of the farther you get, and there's a difference there, you know, from my perspective, I almost wonder whether that distance is actually is more objective viewpoint. And when you're in that role, it's hard to even see your cognitive biases and your tendency to ignore a data when it doesn't suit you. >> Right. Right. So there's, there's some other interesting things here. So one of them is, you know, kind of predictors, right? One of the whole reasons to do studies and collect data so that we can have some predictive ability. And, and it comes out here that the reporting structure is a strong predictor of a company's data tier structure. So, you know, there's the whole rise of the chief data officers and the chief analytics officer and the chief data and analytics officer and lots of conversations about those roles and what exactly are those roles and who do they report to. Your study finds a pretty compelling leading indicator that if that role is reporting to either the CEO or the executive board, which is often a one in the same person, that that's actually a terrific indicator of success in moving to a more data centric culture. >> That's absolutely correct. So we found that that top third of organizations on the data culture index were much more likely to have a chief data executive, a CDO, CAO or CDAO. 
In fact, they're more likely to have folks with the analytics in their title because in some organizations, data is thought to mean sort of raw data, infrastructural defense and analytics is sort of where it gets you know, infused into business processes and value. But certainly that top third is much more likely to have the chief data executive reporting into the executive board or CEO when the highest ranking data executive is under the CIO or some other part of the organization, those orgs tend to score a far lower on the DCI. >> Right. Right. So it's interesting, you know you're a really interesting guy even doing this for a while. You were at Siri before you were at Alation. So you have a really good feel for kind of what data can do and can't do and natural human or natural language processing and, and, and human voice interaction with these devices, a really interesting case study, and they can do a really good job within a small defined data set and instruction set, but they don't do necessarily so well once you kind of get outside how, how they're trained. And you've talked a lot about how metaphor shaped the way that we think and I know you and Dave talked about data oil and data lakes I don't want to necessarily go down that whole path but I do think it's important. And what came out of the study and the way people think about data. You know, there's a lot of conversation. How do you value data? Is data, you know it used to just be an expense that we had to buy servers to store the stuff we weren't sure what we ever did with it. So I wonder if there's any, you know, kind of top level metaphors level, kind of a thought or process or framing in the companies that you study that came out. 
maybe not necessarily in the top line data, but maybe in some of the notes that help define why some people, you know are being successful at making this transition and putting, you know kind of data out front of their decision processing versus data, either behind as a supporting thing or maybe data, I just don't have time with it or I don't trust it, or God knows where you got that, and this is not the data that I wanted. You know, was there any, you know, kind of tangental or anecdotal stuff that came out of this study that's more reflective of, of the softer parts of a data culture versus the harder parts in terms of titles and roles and, and, and job responsibilities. >> Yeah. It's a really interesting place to explore. I do think there's a, I don't want to make this overly simplistic group binary, but at the end of the day you know, like anything else within an organization, you can view data as a liability to say, okay, we have for example, you know, customer's names and phone numbers and passwords, and we just need to prevent an adverse event in which there's a leak or some sort of InfoSec problem that could cause, you know, bad press and fines and other negative consequences. And I think the issue there is if data's a liability, the most you know, the best case is that it's worth zero as opposed to some huge negative on your company's balance sheet. And, and I think, you know, intuitively, if you really want to prevent data misuse and data problems, one fail safe, but I think ultimately in its own way risky way to do that was just not collect any data, right. And not store it. So I think that the transition is to say, look data must be protected and taken care of that's step zero. 
But you know, it's really just the beginning and data is this asset that can be used to inform the huge company level strategic decisions that are made in annual planning at the board level, down to the millions of little decisions every day in the work of people in customer support and in sales and in product management and in, you know, various roles that just across industries. And I think once you have that, that shift, you know the upside is potentially, you know, unbounded. >> Right. And, and it just changes the way, the way you think. And suddenly instead of saying, Oh, data needs to be kind of hidden away, it's more like, Oh, people need to be trained on data use and empowered with data. And it's all about not if it's used or if it's misused but really how it's used and why it's used, what it's being used for to make a real impact. >> Right. Right. And it's funny when I just remember it being back in business school one of the great things that help teach is to think in terms of data, right. And you always have the infamous center consulting interview question, How many manhole covers are in Manhattan. Right. So, you know, to, to, to start to think about that problem from a data centric, point of view really gives you a leg up and, and even, you know where to start and how to attack those types of problems. And I thought it was interesting you know, talking about challenges for people to have a more data centric, point of view. It's interesting. The reports says, basically everybody said there's all kinds of challenges around data quality and compliance, and they had democratization. But the bottom companies, the bottom companies said that the biggest challenge was lack of buy in from company leadership. 
So I guess the good news bad news is that there's a real opportunity to make a significant change and get your company from the bottom third to a middle third or a top third, simply by taking a change in attitude about putting data in a much more central role in your decision making process. 'Cause all the other stuff's kind of operational, execution challenges that we all have, not enough people, blah, blah, blah. But in terms of attitude of leadership and prioritization, that's something that's very easy to change if you so choose. And really seems to be the key to unlock this real journey as opposed to the minutiae of a lot of the little details that that are a challenge for everybody. >> Absolutely. In your changing attitudes might be the easiest thing or the hardest thing depending on (indistinct). But I think you're absolutely right. The first step, which, which which could, maybe it should be easy, is admitting that you have a problem or maybe to put it more positively, realizing you have an opportunity. >> I love that. And then just again, looking at the top tier companies, the other thing that I thought was pretty interesting in this study is, I'm looking at it here, is getting champions in each of the operational segments. So rather than, I mean, a chief data officer is important and you know, somebody kind of at the high level to shepherd it in the executive suite, as we just discussed, but within each of the individual tasks and functions and roles, whether that's operations or customer service or product development or operational efficiency, you need some type of champion, some type of person, you know, banging the gavel, collecting the data, smoothing out the complexities, helping people get their thing together. And again, another way to really elevate your position on the score. >> Absolutely. 
And I think this idea of again, bridging between, you know, if data is centralized you have a chance to try to really get excellent practices within the data org. But even it becomes even more essential to have those ambassadors, people who are in the business and understand all the business context who can sort of make the data relevant, identify the key areas where data can really help, maybe demystify data and pick the right metaphors and the right examples to make it real for the people in their function. >> Right. Right. So Aaron has a lot of great stuff. People can go to the website at alation.com. I'm sure you'll have a link to this, a very prominently displayed, but, and they should and they should check it out and really think about it and think about how it applies to their own situation, their own department, company et cetera. I just wanted to give you the last word before we before we sign off, you know, kind of what was the most you know, kind of positive affirmation or not the most but one or two of the most outcome affirming outcomes of this exercise. And what were one or two of the things that were a little concerning or, you know, kind of surprises on the downside that, that came out of this research? >> Yeah. So I think one thing that was maybe surprising or concerning the biggest one is sort of where we started with that disconnect between, you know, what people would, say as an off the cuff overall assessment and the disconnect between that and what emerges when we go department by department and (indistinct) to be pillars of data culture from such a discovery to data literacy, to data governance. I think that disconnect, you know, should give one pause. I think certainly it should make one think, Hmm. Maybe I shouldn't look from 10,000 feet, but actually be a little more systematic. And considering the framework I use to assess data culture that is the most important thing to my organization. 
I think though, there's this quote that you move what you measure, just having this hopefully simple but not simplistic yardstick to measure data culture and the data culture index should help people be a little bit more realistic in their quantification and they track their progress, you know, quarter over quarter. So I think that's very promising. I think another thing is that, you know sometimes we ask, how long have you had this initiative? How much progress have you made? And it can sometimes seem like pushing a boulder uphill. Obviously the COVID pandemic and the economic impacts of that has been really tragic and really hard. You know, a tiny silver lining in that is the survey results showed that organizations have really observed a shift in how much they're using data because sometimes things are changing but it's like a frog in boiling water. You don't realize it. And so you just assume that the future is going to look like the recent past and you don't look at the data or you ignore the data or you miss parts of the data. And a lot of organizations said, you know COVID was this really troubling wake up call, but they could even after this crisis is over, producing enduring change which people were consulting data more and making decisions in a more data driven way. >> Yeah, certainly an accelerant that, that is for sure whether you wanted it, didn't want it, thought you had it at the time, didn't have time. You know COVID is definitely digital transformation accelerant and data is certainly the thing that powers that. Well again, it's the Alation State of Data Culture Report available, go check it at alation.com. Aaron always great to catch up and again, thank you for, for doing the work and supporting this research. And I think it's really important stuff. And it's going to be interesting to see how it changes over time. 'Cause that's really when these types of reports really start to add value. 
>> Thanks for having me, Jeff and I really look forward to discussing some of those trends as the research is completed. >> All right. Thanks a lot, Aaron, take care. Alright. He's Aaron and I'm Jeff. You're watching theCUBE, Palo Alto. Thanks for watching. We'll see you next time. (upbeat music)

Published Date : Oct 1 2020


It's, it's a fascinating, they're kind of all over the map, but there's some definite trends. One of the trends you talked about is that there's a lot of questions on the quality of the data. But that's a real inhibitor to people. Whether that suspicion is because it's not good data. And I don't know, this question for you, is, is, do they think it's not relevant to the decision that's being made? Is it an incomplete data set or the wrong data set? It seems to be that keeps coming up over and over about, decision-makers not necessarily having confidence in the data. What, can you share a little bit more color around that? >> Yeah, it's quite interesting actually. So what we find is that 90%. So 90 people, 10 executives (indistinct) to question the data sometimes often or always. But the part that's maybe disappointing or concerning is the two thirds of executives are believed to ignore the data and make a decision kind of pushing the data aside which is really quite striking when you think about it, why have all this data, if more often than not you're sort of disregarding it to make your final answer. And so you're absolutely correct when we dug into why, what are the reasons behind pushing it aside. Data quality was number one. And I think it is a question of, Oh, is the data inaccurate? Is it out of date, these sort of concerns sort of we, we hear from customers and prospects. But as we dig in deeper in the survey results, excuse me, we, we see some other reasons behind that. One is a lack of collaboration between the data analytics folks and the business folks. And so there's a question of, I don't know exactly where this data came from or to your point kind of how it was produced. What was the methodology? How was it sourced? And maybe because of that disconnect is a lack of trust. So trust really is the ultimate I think, failure to having data culture really take root. >> Right? 
And it's trust in this trust, as you said, not only in the data per se, the source of the data, the quality of the data, the relevance of the data but also the people who are providing you with the data. And obviously you get, you get some data sets. Sometimes you didn't get other data sets. So, that's really I'm a little bit disconcerting. The other thing I thought was kind of interesting is, it seems to be consistent that the, the primary reason that people are using big data projects is around operations and operations efficiency, a little bit about compliance, but, you know, it's interesting we had you on at the MIT CDOIQ, Chief Data Information Officer quality symposium, and you talked about the goodness of people moving from kind of a defensive posture to an offensive posture, you know using data in terms of product development and innovation. And, and what comes across in this survey is that's kind of down the list behind you know, kind of operational efficiency. We're seeing a little bit of governance and regulation but the, the quest for data as a tool for innovation, didn't really shine through in this report. >> Well, you know, it's very interesting. It depends whether you look at the aggregate level or you break things down a little bit more. So one thing we did after we got that zero to 12 scale on the data culture index or DCI, is it actually, we were able to break it down into thirds. And among the sort of bottom third, it has the least well-established data culture by this yardstick. We've found that governance and regulatory compliance, was the number one application of data. But among the top third of respondents, we actually found the opposite where things like providing a great customer experience, doing product innovation, those sort of things actually came to the fore and governance fell behind. So I think there is this curve where, It's table stakes to get the sort of defense side of data figured out. 
And then you can move on to offense in using data to make your organization meet its meet its other goals. >> Right. Right. And then I wanted to get your take on kind of the democratization of data, right? This is a, this is a trend that's been going on, and really, I think you said before you know, your guys' whole mission is to empower curious and rational world to give people the ability to ask the right questions have the right data and get the right answer. So, you know, we've seen democratization in terms of the access to the data, the access to the tools, the ability to do something with the data and the tool, and then the actual authority to execute business decision based on that. The results on that seem a little bit split here because a lot of the problems seem to be focused on leadership, not necessarily taking a data based decision move, but on the good hand a lot of people trying to break down data silos and make data more accessible for a larger group of people. So that more people in the organization are making data based decisions. This seems kind of like this little bit of a bifurcation between the C suite and everybody else trying to get their job done. >> Absolutely. There's always this question of you know, sort of the, that organizational wide initiative and then what's happening on the ground. One thing we saw that was very heartening and aligns with our customers index success, is a real emphasis being placed on having data governance and data context and data literacy factors sort of be embedded at the point of use. To not expecting people, to just like take a course and look things up and kind of end up with their workflow to be able to use data quickly and accurately and, and interpret it in varied ways. So that was really exciting to see as, as, as a initiative. It sort of bridges that gap along with initiatives to have more collaboration and integration between the data people and the business people. 
because really you know, they exist to serve one another. But in terms of the disconnect between the C suite and other parts of the org, there was a really interesting inverse correlation. Well, or maybe it's not interesting how you look at it, but basically, you know, when we talk to C level executives and ask, you know, does the C suite ignore data? Do they question data et cetera, those numbers came in lower than when we talked to, you know, senior director about the C suite right? It's sort of the farther you get, and there's a difference there, you know, from my perspective, I almost wonder whether that distance is actually is more objective viewpoint. And when you're in that role, it's hard to even see your cognitive biases and your tendency to ignore a data when it doesn't suit you. >> Right. Right. So there's, there's some other interesting things here. So one of them is, you know, kind of predictors, right? One of the whole reasons to do studies and collect data so that we can have some predictive ability. And, and it comes out here that the reporting structure is a strong predictor of a company's data tier structure. So, you know, there's the whole rise of the chief data officers and the chief analytics officer and the chief data and analytics officer and lots of conversations about those roles and what exactly are those roles and who do they report to. Your study finds a pretty compelling leading indicator that if that role is reporting to either the CEO or the executive board, which is often a one in the same person, that that's actually a terrific indicator of success in moving to a more data centric culture. >> That's absolutely correct. So we found that that top third of organizations on the data culture index were much more likely to have a chief data executive, a CDO, CAO or CDAO. 
In fact, they're more likely to have folks with the analytics in their title because in some organizations, data is thought to mean sort of raw data, infrastructural defense and analytics is sort of where it gets you know, infused into business processes and value. But certainly that top third is much more likely to have the chief data executive reporting into the executive board or CEO when the highest ranking data executive is under the CIO or some other part of the organization, those orgs tend to score a far lower on the DCI. >> Right. Right. So it's interesting, you know you're a really interesting guy even doing this for a while. You were at Siri before you were at Alation. So you have a really good feel for kind of what data can do and can't do and natural human or natural language processing and, and, and human voice interaction with these devices, a really interesting case study, and they can do a really good job within a small defined data set and instruction set, but they don't do necessarily so well once you kind of get outside how, how they're trained. And you've talked a lot about how metaphor shaped the way that we think and I know you and Dave talked about data oil and data lakes I don't want to necessarily go down that whole path but I do think it's important. And what came out of the study and the way people think about data. You know, there's a lot of conversation. How do you value data? Is data, you know it used to just be an expense that we had to buy servers to store the stuff we weren't sure what we ever did with it. So I wonder if there's any, you know, kind of top level metaphors level, kind of a thought or process or framing in the companies that you study that came out. 
maybe not necessarily in the top line data, but maybe in some of the notes that help define why some people, you know are being successful at making this transition and putting, you know kind of data out front of their decision processing versus data, either behind as a supporting thing or maybe data, I just don't have time with it or I don't trust it, or God knows where you got that, and this is not the data that I wanted. You know, was there any, you know, kind of tangential or anecdotal stuff that came out of this study that's more reflective of, of the softer parts of a data culture versus the harder parts in terms of titles and roles and, and, and job responsibilities. >> Yeah. It's a really interesting place to explore. I do think there's a, I don't want to make this overly simplistic group binary, but at the end of the day you know, like anything else within an organization, you can view data as a liability to say, okay, we have for example, you know, customer's names and phone numbers and passwords, and we just need to prevent an adverse event in which there's a leak or some sort of InfoSec problem that could cause, you know, bad press and fines and other negative consequences. And I think the issue there is if data's a liability, the most you know, the best case is that it's worth zero as opposed to some huge negative on your company's balance sheet. And, and I think, you know, intuitively, if you really want to prevent data misuse and data problems, one fail safe, but I think ultimately in its own way risky way to do that was just not collect any data, right. And not store it. So I think that the transition is to say, look data must be protected and taken care of that's step zero. 
But you know, it's really just the beginning and data is this asset that can be used to inform the huge company level strategic decisions that are made in annual planning at the board level, down to the millions of little decisions every day in the work of people in customer support and in sales and in product management and in, you know, various roles that just across industries. And I think once you have that, that shift, you know the upside is potentially, you know, unbounded. >> Right. And, and it just changes the way, the way you think. And suddenly instead of saying, Oh, data needs to be kind of hidden away, it's more like, Oh, people need to be trained on data use and empowered with data. And it's all about not if it's used or if it's misused but really how it's used and why it's used, what it's being used for to make a real impact. >> Right. Right. And it's funny when I just remember it being back in business school one of the great things that help teach is to think in terms of data, right. And you always have the infamous center consulting interview question, How many manhole covers are in Manhattan. Right. So, you know, to, to, to start to think about that problem from a data-centric point of view really gives you a leg up and, and even, you know where to start and how to attack those types of problems. And I thought it was interesting you know, talking about challenges for people to have a more data-centric point of view. It's interesting. The report says, basically everybody said there's all kinds of challenges around data quality and compliance, and they had democratization. But the bottom companies, the bottom companies said that the biggest challenge was lack of buy in from company leadership. 
So I guess the good news bad news is that there's a real opportunity to make a significant change and get your company from the bottom third to a middle third or a top third, simply by taking a change in attitude about putting data in a much more central role in your decision making process. 'Cause all the other stuff's kind of operational, execution challenges that we all have, not enough people, blah, blah, blah. But in terms of attitude of leadership and prioritization, that's something that's very easy to change if you so choose. And really seems to be the key to unlock this real journey as opposed to the minutiae of a lot of the little details that that are a challenge for everybody. >> Absolutely. In your changing attitudes might be the easiest thing or the hardest thing depending on (indistinct). But I think you're absolutely right. The first step, which, which which could, maybe it should be easy, is admitting that you have a problem or maybe to put it more positively, realizing you have an opportunity. >> I love that. And then just again, looking at the top tier companies, the other thing that I thought was pretty interesting in this study is, I'm looking at it here, is getting champions in each of the operational segments. So rather than, I mean, a chief data officer is important and you know, somebody kind of at the high level to shepherd it in the executive suite, as we just discussed, but within each of the individual tasks and functions and roles, whether that's operations or customer service or product development or operational efficiency, you need some type of champion, some type of person, you know, banging the gavel, collecting the data, smoothing out the complexities, helping people get their thing together. And again, another way to really elevate your position on the score. >> Absolutely. 
And I think this idea of again, bridging between, you know, if data is centralized you have a chance to try to really get excellent practices within the data org. But even it becomes even more essential to have those ambassadors, people who are in the business and understand all the business context who can sort of make the data relevant, identify the key areas where data can really help, maybe demystify data and pick the right metaphors and the right examples to make it real for the people in their function. >> Right. Right. So Aaron has a lot of great stuff. People can go to the website at alation.com. I'm sure you'll have a link to this, a very prominently displayed, but, and they should and they should check it out and really think about it and think about how it applies to their own situation, their own department, company et cetera. I just wanted to give you the last word before we before we sign off, you know, kind of what was the most you know, kind of positive affirmation or not the most but one or two of the most outcome affirming outcomes of this exercise. And what were one or two of the things that were a little concerning or, you know, kind of surprises on the downside that, that came out of this research? >> Yeah. So I think one thing that was maybe surprising or concerning the biggest one is sort of where we started with that disconnect between, you know, what people would, say as an off the cuff overall assessment and the disconnect between that and what emerges when we go department by department and (indistinct) to be pillars of data culture from such a discovery to data literacy, to data governance. I think that disconnect, you know, should give one pause. I think certainly it should make one think, Hmm. Maybe I shouldn't look from 10,000 feet, but actually be a little more systematic. And considering the framework I use to assess data culture that is the most important thing to my organization. 
I think though, there's this quote that you move what you measure, just having this hopefully simple but not simplistic yardstick to measure data culture and the data culture index should help people be a little bit more realistic in their quantification and they track their progress, you know, quarter over quarter. So I think that's very promising. I think another thing is that, you know sometimes we ask, how long have you had this initiative? How much progress have you made? And it can sometimes seem like pushing a boulder uphill. Obviously the COVID pandemic and the economic impacts of that has been really tragic and really hard. You know, a tiny silver lining in that is the survey results showed that organizations have really observed a shift in how much they're using data because sometimes things are changing but it's like a frog in boiling water. You don't realize it. And so you just assume that the future is going to look like the recent past and you don't look at the data or you ignore the data or you miss parts of the data. And a lot of organizations said, you know COVID was this really troubling wake up call, but they could even after this crisis is over, producing enduring change which people were consulting data more and making decisions in a more data driven way. >> Yeah, certainly an accelerant that, that is for sure whether you wanted it, didn't want it, thought you had it at the time, didn't have time. You know COVID is definitely digital transformation accelerant and data is certainly the thing that powers that. Well again, it's the Alation State of Data Culture Report available, go check it at alation.com. Aaron always great to catch up and again, thank you for, for doing the work and supporting this research. And I think it's really important stuff. And it's going to be interesting to see how it changes over time. 'Cause that's really when these types of reports really start to add value. 
>> Thanks for having me, Jeff and I really look forward to discussing some of those trends as the research is completed. >> All right. Thanks a lot, Aaron, take care. Alright. He's Aaron and I'm Jeff. You're watching theCUBE, Palo Alto. Thanks for watching. We'll see you next time. (upbeat music)

Published Date : Sep 30 2020


Gil Vega, Veeam | VeeamON 2020


 

>>From around the globe with digital coverage of the 2020. Hi, I'm Stu Miniman and this is the Cube's coverage of 2020 online. I'm really happy to welcome first time guests and he is the chief information. You're the officer at Veeam. Thank you so much for joining us. Always loved it. That was a CSO. >>Awesome. Thanks for having me, Stu. >>All right, so, so Gil, give us a little bit of your background and you're relatively new to Veeam, obviously, you know, when you took the job, uh, that the current, you know, global, uh, pandemic, uh, wasn't uh, you know, necessarily right center, but, uh, yeah. Give, give our audience a little bit of who you are. >>Yeah. Yeah. Timing is everything I, um, I have, I've been at Veeam for 90 plus days, uh, joined the company just before the global pandemic, uh, broke loose and sort of disrupted our entire, uh, our entire planet. Uh, before that I was, uh, I was the CSO for five years of, uh, uh, systemically important financial services, >>Market utility. >>Uh, but most of my experiences, um, is in government. I was a, I was a federal executive for almost 20 years in Washington, D.C., where I was a CSO at the Department of Energy, a Homeland Security, Naval Intelligence, and a few other places. >>Excellent. Well, that's a great pedigree. We've loved talking to them, public people. Uh, obviously you're already front and center. Uh, they're always okay. Really? I mean, it's a board level. Got, okay. Nope. Uh, dirty, so much of what's going on. Yeah. I have to ask you though with the global pandemic hitting, uh, obviously, you know, work from home is, is, is a big piece of what's going on. Mmm. Give us, you know, kind of your first reaction then they are being new to the role. How do you make it for that? You know, Veeam itself is safe and that your customers, uh, as they're, you know, dealing with things that, you know, they stay secure. >>That's a, that's a great question. 
I don't think anyone can say they were a hundred percent prepared for a global pandemic, the likes of which no one's ever really experienced before, at least in the modern age, but, you know, Veeam is largely a, even though we're 5,000 strong and global is largely a virtual a workforce. So a large majority of our, um, our teammates work from home and mobile situation. So, uh, the company has a long track record of providing really innovative and secure tools so that we can conduct our business, both, you know, with our customers, with our sales teams, generating leads, our technical teams, developing product. Um, the technology here is, uh, is, is pretty impressive. I, I will say, um, >>Uh, the impact to our workforce, at least from a virtual perspective, hasn't, uh, ha hasn't been as significant as some more traditional companies, um, being the new CSO here at Veeam. It's a first time position for the company. Uh, who's taken this topic very seriously. It's a, it has been for me personally, a bit of, a bit of a challenge in building my team, obviously, uh, the InfoSec, uh, space, cyber security space is very competitive when you're trying to hire folks. Uh, and the, uh, the pandemic obviously has made, uh, has made folks think twice about transitioning or starting careers or changing companies. So it's put a little bit, a little bit of a hitch in my step in terms of, uh, overall planning. Uh, but we're moving on to some different strategies and building a team a little, little slower than we had anticipated. >>Yeah, well, it's definitely understandable, but put a free for most people were that awesome a little bit these days and, you know, organizationally, this is a new role. Okay. I worked for the CIO. Are you okay? Yeah. What's been your with some of those organizations, well, dynamic, you know, with CSO lives, sports in the org. Yeah. I think it really depends upon the company's culture, right. 
That drives where this role sits at my, at my previous company, I've worked for, uh, the CIO who was a corporate officer, uh, here at Veeam, uh, it is a new position, uh, and there's such a significance placed on, uh, cybersecurity because of the expectations around this topic. Not only from our board Mmm. Uh, our customers, uh, uh, are the government regulators and everyone else, uh, this role, my role reports directly into Bill Largent, our CEO, which, you know, fully empowers me as a, as a member of the, of the management team of the entire company to drive the, the, the initiatives that need to be driven so that, uh, we can meet those expectations, which know, I tend to write a rise every year from, uh, expectations of our customers, product features in our, in our products, uh, regulatory requirements and so forth. >>So yeah, um, this space tends to get, uh, more difficult, more complex as time goes on. And I think, uh, that the team has, uh, constructed this role in an operating model that, um, that is going to make it highly successful. Yeah. Well, you know, data security, absolutely critical today's landscape, but, you know, give us your thoughts about, you know, data security and really modernized. Yeah. And you know, what, what is your charter? Okay. Right. Hmm. They know fits in there. Yeah. Yeah. You know, Veeam is now a US company. Right. And the idea here is to direct, continue to drive growth in, in North America. And one of the key components of that growth, it has to be the U.S. government. I have a pedigree with U.S. government. I understand what the requirements are to do business there. 
So again, back to those expectations, uh, my charge here is to deliver us not only an internal cyber security program that continues to meet and exceed those expectations, but to be able to position our products in a way that not only solves some of the data resiliency issues that the government faces and that our global customers face, but also helped us solve some of these significant cyber security issues that they're trying to manage, you know, in the boardroom cybersecurity is, is, is essentially the number one operational risk now with a lot of focus, uh, across, uh, not only the boards, but all the functional areas of the company, whether it's finance, sales, technology, and security, it's, it's just, it seems to be the topic that everyone's most concerned about. >>And we just want to make sure that we're positioned in a way, um, that, uh, that drives what we're delivering here as a competitive advantage. Yeah. So what, what are some keys to consideration for data security on modern business? >>I'm sorry, you broke up. Could you repeat that question, Stu? Are there any considerations for modern business? Yeah. You know, um, there are, uh, there there's, there's so many, right. I tend to focus on, uh, the simple things for most companies, right? The, uh, the priorities that every CSO ought to have, uh, are around, um, you know, the, the, the blocking and tackling of a risk based vulnerability management program, making sure that your identity of your managing identities so that the right people have the right access to the right resources at the right time. Um, you, you got to have those strong and fast cyber ops because you will have incidents. Right. We all know that, uh, if you're a CSO in a company that's, uh, you're not managing incidents, chances are, you're not seeing incidents, which is probably worse than, um, then not having them. 
>>Um, the other thing that I've learned, uh, as a key consideration for protecting your company, coming from government is this concept of information sharing and making sure that you're, uh, that you're, that you're not only speaking with your peer companies, but your competitors as well, because they're seeing an awful lot of the same issues that you will see or have seen. And there's really no, the competitive advantage in information sharing amongst the CSOs in, in, in, uh, various industry communities and financial services. I feel like they've optimized that where I came from, uh, I would talk with, uh, CSOs at my competing firms on a, on a weekly basis, uh, comparing notes, talking about threats, understanding threat actors, talking about technology and so forth, just trying to provide for, uh, this sense of collective defense that those in the financial services industry has together. Um, and then, you know, obviously for the last several years, there's gotta be a deep understanding of the differences and managing cyber security in the cloud and what that entails and, you know, holding those vendors, uh, accountable for your security requirements, you can outsource the technology, but you can't outsource the tech, uh, the risk. >>So you, you have to be able to understand how the cloud changes, uh, the risks that you're facing, um, from the internet. Yeah. No, I'm, I'm, I'm so glad you brought up, uh, you know, early in my career. Yeah, yeah. 20 years ago. And, you know, could it be a differentiator and therefore there wasn't necessarily that sharing among your group, or they were very careful how they did things because, Oh, wait, I tried this project. I might have some advantages, you know, as you said, security is something we need to, as a community, get involved with you also brought up. Wow. So if we look at cloud models today, we really, yeah. Okay. Facility model. Mmm. 
So know how should people be thinking about cloud, uh, how should they be, uh, you know, moving forward, you know, really these multitudes of environments that they need yeah, yeah. >>You know, we could, we could probably have an hour show and talk about some of the scar tissue that I've gained over the years in managing cloud programs. The number one, uh, the number one thing I would talk about, I think it's probably the most important thing is making sure you understand exactly what security services your cloud provider is providing. And don't assume, um, that they're going to meet your requirements. You need to understand what those requirements are, whether or not they fit your business and operations model and whether or not they're, um, Mmm they're they're capable of meeting the risk appetite that you've set for yourself and communicated to your board. Uh, in, in, in certain, some in certain cases, the default clouds, uh, security services, won't meet those, uh, expectations and you'll have to work with the cloud vendors to augment those in a way that makes, uh, that makes it Mmm, more, uh, acceptable for your, uh, for your risk profile and for your business. >>Um, I've often I talk with peers who, Mmm. Uh, at companies, smaller companies who just assume that the large cloud providers are going to take care of everything that you used to take care of on prem. Uh, and in fact, there are just certain things, uh, that are happening in the cloud that are completely different than on prem situation, as it relates to cyber. And you've got to have a really good understanding of, of, of how those are differentiated, uh, because if, uh, if, if you're making assumptions about the level of cybersecurity services that you're procuring in the cloud, uh, it's probably gonna turn around and bite you at some point. Yeah. It, I, I laugh a little bit. I think please free cloud era. No, yeah. Force let's get somebody that is okay. 
Lazy or, you know, being a little bit malicious. Okay. Yeah. >>Go against dirty things that you said, well, if you go to the cloud, you know, something's angel, I haven't, I need to make sure, sure. That I've adjusted those settings. Oh, wait. Yeah. There's something I should have looked do too. Let me make sure I adjust those. I think at least, I think cloud providers are, you know, a little bit more engaged after some yeah. You know, uh, chinks in the armor, uh, that, that we're seeing. So, uh, the, the, there has been a little bit more awareness of what's going on. Everybody is engaging a little bit more Mmm. Gil, uh, governance and ransomware things hockey for many years. How does that yeah. Uh, your, your overall discussion, um, you know, governance is probably one of the most overlooked yet most important components of a cybersecurity program that's effective. Um, we don't do cyber security just to do cyber security. >>We're trying to meet key business objectives. We're trying to meet customer expectations. We're trying to support technology integration programs and having all of the efforts of the CSO and his org, his or her organization governed, uh, correctly within the corporate structure is just absolutely critical here at Veeam. Uh, the, um, uh, my function is governed, uh, by the, by the board of directors, as it is in most large companies. So they're interested obviously in the health status of the projects that I'm, uh, that I'm leading the initiatives that I'm driving, the transformations that are occurring across the globe. They're interested in, uh, understanding exactly how the product feature sets and are in our Mmm. And our products are being informed by the experiences of our, of our internal team and what our customers need. 
Uh, for us, it's very important to provide that oversight and insight into everything that we're doing, uh, at the highest levels, so that, uh, so that our board of directors can have a really good understanding of, um, of overall risk of the, uh, of the organization and what we're facing. >>Final question I have for you, key priorities forward, what should we be looking for work? And yes, that's particularly. Yeah, sure. So we've, uh, we've gone and we've adopted a new security framework. We've adopted the NIST cybersecurity framework version 1.1. We're leading ourselves through a maturity assessment based on that framework, we're setting an objective Mmm Mmm. Maturity measures for each of the components of our cyber security program based on the NIST cybersecurity framework. And we're driving some transformation across the globe to make sure that, uh, we're doing everything we can to protect, uh, not only the company, but our customers' data, our products, and so forth. We're also positioning ourselves in a way to, uh, as I said earlier, enhance our business opportunities with, with the U.S. government and adopting the new cyber security framework is probably right the first step in a long program to, um, to be able to do much more, much more business with, uh, with our government counterparts. All right. Well, thank you so much for joining us. Really pleasure to talk. Very good. Thanks, Stu. Alright. Be back with lots more coverage from online. Thank you for watching. Thank you.

Published Date : Jun 17 2020

Reinhardt Quelle, Cisco | CUBEConversation, August 2019


 

>> Announcer: From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation. >> Hello everyone, welcome to theCUBE Conversation here in Palo Alto, California, theCUBE Studios, I'm John Furrier, host of theCUBE, we're here with Reinhardt Quelle who's the principal engineer, Cloud Platforms and Solutions Group at Cisco. Reinhardt, thanks for coming in, good to see you. >> Reinhardt: Thanks for having me. >> So, technical conversation around Cloud is something that we love having. We've seen the evolution over the past decade, Cloud 1.0, compute, storage, greenfield, cloud opportunities, great SaaS applications being built, you've built apps for over a decade, SaaS apps. >> That's right, I've been delivering applications, both to data centers and then of course, later into Cloud for a number of years. >> So you got some scar tissue. You have some successes, you've had some struggles, probably with on-prem, but the world's changed a lot and again, we've been covering this a couple years now. We saw public Cloud, all the benefits, no questions, great, you can lift and shift stuff up there, no problem, but the complexity's still there and now the trend is everything's shifting back to on-prem with Cloud. So now the hybrid model has been validated, Amazon Outpost, Anthos in Google, Azure Stack from Microsoft, clearly this mold, all the cloud vendors are telegraphing, they are doing it, this is a reality, this has been validated. >> Yeah, I think that's no surprise to those of us who've been deploying for a number of years. 
We've always had data centers where we're running our applications in data centers, and yes we started taking that into the Cloud, but there was always components of our infrastructure that continued to run on-prem, whether for historical reasons, for data gravity reasons, policy reasons, any number of reasons, but what we did learn was how to operate our applications differently and so for the last number of years, we've been moving a lot of the advantages of that Cloud back to on-prem. >> So I want to get your thoughts as principal engineer and look at the overall Cisco holistic portfolio of products because Cisco is a standard in the enterprise, every big company has Cisco gear at some level form of another. You've been dealing with networking for years, but now that networking becomes so much more acute issue because you still got to move packets around, another abstraction layer does networking, security, networking, all tie in to the growth area that is now this next generation of Cloud, Cloud 2.0, intelligent edge, data center on-prem, what's the Cisco story? Why Cisco, why now? What's the story? >> Well the amusing thing, of course, is the Cloud doesn't exist without networking. The very first thing when you set up an Amazon-- a compute in Amazon, you set up a virtual private network and you start deploying into that network, so it's always been true that networking is at the core of Cloud. And so the complexity that we're seeing over time is that the workloads are everywhere. The workloads aren't just in my data center and I'm not paying attention to data center networking or just cloud networking, it's connecting them together, securing them, making sure that they're fast and well managed. 
And so it's always been true that networking's at the core of this and as the edges get blurry, as we move workloads from one place to the other, all of the things that Cisco does are on managed networks, programmable networks, secure networks, all become even more important. >> And everything's amplified, too, in terms of its purpose. You're seeing automation is a big trend that's impacting the infrastructure and app developers. You've deployed SaaS apps within Cisco for over a decade, you've seen your share of successes and its issues but now as the data becomes critical, you got security perimeter issues are gone, and you got surface area with industrial and IoT it's only getting more complex. So the complexity never went, but it's still complex these are the same problems. What's changed, what's the-- what's going on? >> Well so one of the things that's changed is that we've-- and this is something we can credit the Cloud providers for doing it is we've learned to treat our infrastructure in a different way. I mean the way we deploy and manage everything including networks, compute, even applications. Operating the cloud demanded that we automate those things. Demanded the way, when you're managing now, fleets of thousands or tens of thousands of machines at scale in the cloud and when your cloud provider won't promise you that any machine won't go away at any moment you get good at replacing machines. And now we take those same tools, concepts, ways of operating that we did on the cloud and we apply them on-prem. Yeah, so a big part of what Cisco has been doing across our entire portfolio is ensuring that every piece of it from networking storage security is programmable and drivable through automation. >> You and I were talking before we came on camera and I wrote this down a phrase you like to use is, referring to Cisco, why Cisco is, We bring cloud innovation on-prem, what do you mean by that? 
>> Well really it's taking these new ways of doing things, these new opportunities. Yeah, when we talk about-- we've had some funny conversations with our security guys, for example, we're historically in security we would have some policy, we would deploy applications against that policy once every six months or twelve months we would audit against that. Well one example of bringing the cloud innovation on-prem is the way you deploy that software, or deploy a new policy is via software. So auditing that is checking your code before you commit it, this says what it's going to do. Running reporting on the things that you've deployed so that you can see. So it's taking these advantages of automation, and observability, and things like code review that are just normal practice in software development and apply them to infrastructure. And so, again, what Cisco is doing is making sure that all of our infrastructure can be-- can be programmed in that way, providing tools that allow us to program the things like Network Services Orchestrator or CloudCenter Suite that allow us to deploy applications or networks or whatever else as software entities. >> How about the reality of the person who's been innovating in the cloud and their reaction when they come back on prem they go, okay I've been doing this in the cloud and I turn around and I see all this. Is this the cloud innovation dynamic that you're referring to? Is it the realization that I had some innovation in the cloud, agility, automation and then trying to figure it out, or applying it, or both what's the reality when someone goes wow, I'm on-prem now, what's that innovation layer? >> Well there's several realities, depending on who you are and where you're coming from. One of my first roles at Cisco was, I was working on the Webex operation team and that-- the way we ran that operations was typical of the time it was built. 
And we did an acquisition of a company that had been operating in Amazon and when they saw the way that we had to deploy and manage their application and infrastructure they were horrified. It's like, what do you mean I can't deploy a server in five minutes, what do you mean I can't manage the workflow in this way? So for them it was a shock and horror that they didn't have this infrastructure and that's when we deployed our first private cloud and Webex was to support that style of deployment. The flip side of that is the people who are operating those existing data centers with those existing workflows, their world changed, I mean they had to learn new ways of doing things, they had to learn new ways of managing their infrastructure, coding skills were a requirement not something that a few guys did, scripting in the background. So it was like, there's a lot of change to the people and to the way we did things but really it's a matter of bringing those, you know, bringing the cloud, bringing software development to operations, bringing software programmable to, hard programmability, to hardware. >> Yeah, I mean that's a great point. We cover that a lot on theCube, but I think one of the things you pointed out is the realization that, okay, great, new way of doing things, innovation. But as you kind of pointed out, there's a double edged sword there. The command and control of the network, which has been an old style tactic which doesn't go away, you still need to have control of certain things and on-premise, you certainly can control it on-premise, on cloud you think you control it through software, but this is the deep dive on tech conversation I want to have with you because we're talking about app deployment, Kubernetes management and the reality, I have my own gear on-site, as well as I'm maybe serverless into the cloud, this is the new reality. That you have to manage the controls. Take us through the-- those layers. 
App deployment, Kubernetes, and the reality of managing infrastructure on a future basis. >> Sure so, it's-- when we think about the application deployment it's very easy to kind of think about it in terms of the layers, and the programmable layers that you provide and I'll just touch--we won't go into detail on the products, but ultimately, today for an application-- someone deploying an application increasingly that means push an application into Kubernetes, in other words I'm going to package my application's container, I'm going to hand it to Kubernetes through Kubernetes API and I'm going to expect Kubernetes to do the deployment and management of that. Okay, so that just makes the problem for the guy one layer below you, where's Kubernetes come from? It's like who deploys and manages Kubernetes? And so there's a number of different solutions in the public cloud you can use, you know, AKS, or Google's Kubernetes service, or Amazon's, any of these, but on-prem, where's it come from, who's going to manage it for you, who's going to create that? So Cisco's container platform is a product to deploy and manage Kubernetes to offload that from the developer, I mean, from the operations guy or the platform manager. Of course, that deployer of Kubernetes expects programmable infrastructure, how are you going to be able to deploy a VM or manage hardware that runs below that? >> Back to your innovation message. It's the innovation they want. >> Well ultimately the guy wants the simple push the button and get the application deployed, that means someone has to get this layer deployed and well to get that layer deployed, what's there? So we continue to support virtualization managers, whether VMWare or our own CVIM, Cisco Virtual Infrastructure Manager. All of these products its like, how do I manage this pool of hardware to provide that next layer of service? 
So, but in every case the programmability of the infrastructure or as far down as you can go becomes paramount, so, you know, when the guy racks a piece of hardware in the data center he doesn't want to think about how does this RAID card need to get configured, right? He just wants to rack it, plug it in, and then turn it over to software as quickly as possible. >> And that's the cloud innovation on-prem that you're referring to, that's making it cloud-like operations for Agility Automation, provisioning. >> Consistency, reliability, observability, give you an example of that, I mean when we, when we were talking originally when we were starting these cloud deployments and we had this conversation with InfoSec about which application lives in which zone and how do you manage that? And we were like, well the zoning processes that's used in the past don't apply anymore. The way we manage that thing is with security groups, and the security groups are created this way. Here's the software, here's the software. When I'm talking software, I'm talking about configuration and scripts in this case, Ansible, Chef, Puppet whatever, that generate those security groups that generate those rules and it's like, it changes the way the security guy interacts with your team. It's no longer, file a ticket to review your app and app deployment and have a new ticket to do a deployment, it's something that they can do in real time. We're talking about moving these processes left, you know, moving that audit to the system all the way back into the software development stage and then giving the tools to verify that afterwards. And their eyes literally popped open, it was like, you mean at any moment at any time I can say show groups and see what the security posture is right now. And it's like, yes! And that's what sold them on letting us behave in this new way, was the ability to audit in realtime. >> Yeah, and this is a major advantage. 
This brings up the question that comes up all the time, and I want to get your thoughts on this because this shapes into the overall cloud architecture, cloud portfolio, and in this case with Cisco products is workload portability. It used to be, oh the one way trip to the cloud, not anymore, it's not a one way trip to the cloud, it's now bi-directionally on-premise, been validated by Outpost, Anthos, and Azure Stack, this is going to be an operating model to your point about the cloud innovation now workload portability, I think that's been validated so I think we recognize, the industry recognizes that it's not just public cloud everywhere, it's hybrid. This has been validated. You agree. >> Absolutely we-- there were many things that we never did move to the cloud, never would move to the cloud. Whether it's for policy reasons, or the quantity of data that we had, or systems that weren't available on the cloud, for example DevTest Labs, that have soundproof rooms, it's all audio equipment. We sell phones, we have to test those phones, those aren't ever going to be on the cloud, they're going to be in their soundproof rooms so we can test the audio pairing. There's stuff like that that always lives unrolled. There's a myriad of-- >> Compliance resources also requires-- >> Compliance things, whether it's a FedRAMP compliance, this data has to be in this country, well US in that case, European privacy things. It could be-- I was talking to one bank a number of years ago now that worked-- we're deploying, we're talking about deploying Kubernetes from, it's like what applications are you deploying? Why do they need to be here, well, they're building-- they've got a mobile first application they want to use all the latest and greatest ways to build and deploy that application. But the data that that application is accessing is in the mainframe. It hasn't moved in ten years, twenty years, it's not going to move anytime soon. 
So you put the application next to the data that it needs. And IoT, it might be control devices, or video devices, or any number of things that's like, I think there's a trend overall, it's less about workload portability for a lot of people or being able to move workloads, it's saying, where's the best place for this particular workload to run, and so then provide the appropriate infrastructure to run that workload. And that's where we get back to saying, wait a minute I want to use containerization, I want to use orchestration systems, I want to use all these modern tools for doing this, but still put the workload where it needs to be. >> That is a profound statement, I want to just quickly unpack that a little bit because that really is the heart of the issue, cloud innovation. The workloads are going to be defining the requirements it needs, whether it's cloud selection or where it resides on-prem with what resources underneath it. That's not saying a company has to decide that because of that workload that the entire company has to use that 'cause the choices now because of the levels or granularity that cloud brings, the applications can get almost custom built or-- well not custom built but a specific hardware and compute to serve their needs. So if it's a-- you're sole sourcing a set of resources for the workload. That's not saying that the infrastructure has to be that for everything, it's just the whole single cloud versus multi cloud dynamic. >> Yeah I mean, in fact, one of the things we're seeing more and more in our customers is, like, they don't have one cloud, they have multiple clouds, for multiple purposes. On-prem there's not one big private cloud that runs everything, there's lots of Kubernetes clusters and one of the things that a product like CCP does is allow you to deploy and manage multiple Kubernetes clusters for multiple purposes. Multiple problem domains, multiple political domains, financial domains, who's paying for this thing? 
Well, it's easy if you just buy the servers that are appropriate to your department and you run it. You still get to take advantage of all the way you deploy and package and run these applications, which is just hands down better than we ever did before. And that's some of the innovation we have. Now once you start doing this, once you start deploying these applications in multiple places, in multiple-- well, where are your security borders, where are your perimeters, how do you secure any of this, how do you connect all this stuff? How do you visualize all this stuff? And so, as you look at our products from, you know, we talked a little bit about the infrastructure pieces of that, you know the, Kubernetes deploying to an infrastructure manager, deploying ultimately to hardware, every layer of that. You know, UCS and CVIM and CCP, all of those layers are there and programmable. Okay, now we're deploying workloads, now I've got to connect the things together, how do I monitor it, how do I-- and so that's why you see products like Stealthwatch Cloud, and AppD, and the other applications to do monitoring and security across a now fully distributed application. >> You know, sometimes it's hard for me as a cube host to kind of get the story out about certain trends, especially when big players like Cisco, a lot of people know that I'm pretty bullish on Cisco, I've been very vocal about the Cisco opportunity with respect to cloud and critical, by the way in some areas and I think I would probably advise certain things to be certain ways. But one of the things, I think, is a great opportunity that you guys have, and you're kind of getting at, I want to just get your reaction and thoughts on this, is that what you're talking about here is an environment that's going to be constantly dynamic. That's constantly changing. And being complex is not going away, abstracting away the complexity is the game. 
But Cisco has always been successful in multi environments, different environments because networking has always been about diversity of networks. Campus this, and SD-- so it's not a new concept for Cisco to deal with this concept of multiple environments. Do you agree with that? What's your reaction to that? How would you answer that? Is that something you think Cisco's dominating in? Is that reason why Cisco is serving all these choices? What's your thoughts on that? >> I would have to say that overall the integrating lots of disparate things. Connecting lots of disparate things is in Cisco's DNA, I mean from our original routers and switches at the very beginning it was always multiple things connected to each other often multi-vendor working across standards and across standard things. When we talk about Kubernetes we're not talking about the Cisco Kubernetes we're talking about Kubernetes, the real thing, the actual Kubernetes, we're talking about-- and we're talking about ceiling, we're talking about openstack a standard, we're talking about-- so across all these boards connecting and integrating disparate things, is kind of what Cisco does. >> And so if you're deploying applications you've done that and certainly your customers are, they're never going to have one general purpose situations that's going to be scenarios, right? And certain things will be guiding principles, some will be governors that will then dictate things that might not be classic cloud native. Can you talk about that and give some examples why that's important and the reality of the statement. >> Yeah so, just use one example of an application, Webex teams our enterprise chat application, for example, that is your classic microservices modern cloud native application. There are three ways of deploying applications in that platform that are appropriate for the three different things. 
We got the services themselves, the media bridges, or the switching engines that runs these containers in a container orchestration fabric. There's the VM base things that are things like media bridges that don't run in containers very well, not because of the problem with the containers, but because of the overlay networks the containers bring with it and the way you route data to those. And we got physical machines. Now when we're actually running certain things on physical machines and so all of these exist in any kind of, even a brand new modern application so even within a single product family there's not one true way of doing things, what's the appropriate way to deploy this application. What's the right deployment target for this thing and how do I connect these things. >> You mentioned InfoSec so politics might be a driver that have nothing to do with technology, could be a human capital, resource issue, it could be something scalable. >> And the politics or even or can be even these temporal things, it's like, look I can spend, you know, three weeks trying to convince an InfoSec to do things in a particular way or it can just deploy somewhere where it makes them happy and move on, move on to the next problem and then later when they catch up with the way we're doing things, we may move it later. The other thing about timing on all this is the story is changing constantly when we deployed that application, we did not use Docker containers. And everybody says, why aren't you using Docker? Because Docker didn't exist three years ago! It's like the decisions we were making at that time are changing ever more rapidly. And the reality for our enterprise customers is that you don't just forklift one and then replace it with another one, you tend to manage them all in parallel even as you're making transitions, you know, eventually you kind of get rid of the old stuff, maybe, the mainframe still exists. >> Mhmm. 
>> But in general for most of our enterprise customers it's not and or it's not on-prem or on the cloud, it's not containers or physical machines, it's and, I'm running all of the above. >> And to your point about Docker not being around when you guys were doing that, that's going to be a concept that's going to be applied down the road, hey that wasn't around when we set the architecture, so as an enterprise, your customers that you talk to, what is the guiding principle? What is the preferred architecture? Again, a lot of choices you guys are trying to make your portfolio fit the bill. What are some of the decisions they have to make? So, to future-proof because they don't want to foreclose an opportunity and or create technical debt for that matter. Why would they do that? So they kind of have to be holistic in their thinking. >> Yeah, future proof is always-- is a funny concept because the reality is, that the... The way you do things will change. You didn't make something that was future proof, you built an environment that allowed you to do this way and that way. So if you take a look at the way we deployed, for example, our infrastructure in general we start with the UCS substrate, we can run Oracle on bare-metal on those things when we need to. We can run virtualization on top of that, and run a layer of VMs on top of that. We can run containers, now I've got choices. Common substrate, common way of managing those things but at least three different ways of deploying on those. So ultimately we're looking for standard practices that enables me to have to do the and to where I can run things side by side and can connect things, I can secure things over the top but run all of the above. And it's really a matter of building things that have kind of clean architectural layers where one thing consumes the other and then be able to mix and match and plug them together Lego style as it were. 
>> This is a great chat, and really reminds me of the conversations that we'll be having here in theCube. We've been doing a series with engineering leaders and you know, you mentioned foreclose in the future, future proofing which is kind of a buzz word. The conversation happening in the technical circles is about technical debt and I think, you know, I've always seen that enterprise you know, cost of ownership, you know, and the shark fin, the iceberg and what you don't see. Certainly that's been a paradigm that's been known but now you're getting into this notion of not just so much future proofing, it's really the balance of technical debt because you know something new is coming. This is a modern concept that takes costs of ownership and future proofing and kind of puts it to reality because you're essentially taking on some sort of technical debting from point A to point B, but you don't want to take on too much that you can't pay it back if new technology comes in. So this is what's been going on in some of the you know, top customers that we've been talking to. A new management concept, this is kind of a modern new management discipline. Your thoughts and reaction to that? >> So there's at least two different vectors that talk about on it. So, one of the things is, how do I take these older applications, these older ways of managing things and incrementally improve them. Because we can actually make it-- it is easier today to deploy a process running on a machine than it ever was before. Five years ago I would have a ticket, some guy would go and then install software manually, today we don't do that, we use configuration management, Puppet and Chef, Ansible, etc. We improve the way I do those things incrementally rather than just forklift them. I'm not rewriting these applications and saying okay, we're going to make these into cloud native applications and microservices and bla, bla, bla and replatform them. 
No I incrementally improve the way I operate that thing. Even if it's just deploying the hardware more consistently underneath or improving this layer. So I incrementally reduce my debt by applying, again, deploying some of these new cloud... Cloud innovations, they're grown out of the cloud to the existing ways of doing things. But the other point I'll make on a lot of this, is that, certainly for our team, and for a lot of the customers I talk about we don't just arbitrarily go and replatform things, right? It's like if the thing is working, let it continue to work. Don't deploy the new thing alongside it. You know, we're more concerned about delivering new features, new capabilities, new things. And we do that, and we concentrate our efforts and our engineering efforts on that and not constantly rewriting the past. >> A container can certainly help you there too. >> Absolutely. Containers are a beautiful tool for that, for encapsulating dependencies around a thing. And so you'll find in many cases we have applications that are not ready to deploy to run in Kubernetes with a schedule that's going to move it around but I can still take advantage of the container packaging and run it on a physical box with a normal Linux operating system and containerize it. So it's usually valuable. >> Reinhardt, I want to get your thoughts on one last talking track, that is relevant to something that we've been covering. Stu Miniman, co-host of theCube with me on many of these events around networking, we both love networking, both networking nerds. Always joke about how networking is where you go to find out about the state of the industry is. Look at what's going on with the network. Because network ultimately tells the truth. Movin' things around, security people go to the network. You start to see, everything's revolving around the network now, more than ever. I mean, still, it's been that way forever. 
But you made a comment before we went on camera you said, just adding another layer of networking. If you think about what you just said, the networking paradigm is just kind of slowly moving to another layer. So networking is happening, it's just happening differently. So as the dev ops innovations in the cloud happens it's really a network innovation. 'cause security pivots off the network data used applications, instrumentations, on the network data, everything's around networks. >> It's intrinsically tied. In the past we had a machine, a physical machine had a network interface, singular, and a network identity an address. VMs, multiple network interfaces, multiple on every VM. Kubernetes, an IP address per application, right? And it's like the networking space is exploding as we move up. And yes, we now have a network connectivity and management problem that's orders of magnitude more complicated than it was before because now, individual workloads have IP addresses. And by the way I'm deploying workloads in multiples. I don't run a single application, I run a pool of applications, each one has an address. And so yeah networking is-- continues to be intrinsic and it just moves up. >> And it's fascinating too, you know, we always speculate about looking for that new technology, the new protocol, something new, the shiny new toy. But if you think about it, all the science and intellectual property has been built already. It's usually a combination of a couple different things. In network theory, in network management, the concepts are still around. It's being applied differently now. >> Or sliced into smaller, you know, smaller, the bites are smaller that you're dealing with, right? Everything has an IP address, we got thousands of IP addresses now that we're managing. Having IP address management problems, we have other things to manage now. >> The game is still the same. >> The game is still the same, it's still TCP/IP networking. 
>> So final question, bottom line, why Cisco and the cloud networking as it comes together? As this stuff starts to modernize, hybrid is certainly reality hardcore, as people are doing today. Multi cloud is also another reality right around the corner. Why Cisco? Why Cisco's products and portfolios for the cloud? >> Well fundamentally, as we said earlier, the cloud has a networking problem. Networking underpins everything that we do. The networking, from physical networking the compute has to run on something. So networking, compute, orchestration systems for all of that, security that overlays all of that. I think Cisco uniquely has all of the components that it takes to build a modern infrastructure stack, and in fact deploy applications to that. I think, the breadth of knowledge and capabilities Cisco has across those is unique. And then, also, I would say, Cisco's experience. We have many-- several of the world's largest SaaS applications in the Cisco family. Things like Umbrella, DNS security, or Webex, web conferencing, we also have deep expertise in running applications and that's within the Cisco domain of expertise. >> Certainly in good position, I really I'm really bullish on what you guys can do. I think the network is where the trust is, it's where the data is, that's where the action is, and I think that's the cloud 2.0 equation. Thanks for coming in. Thanks for the insight. Reinhardt Quelle, principal engineer, Cloud Platforms of Cisco here sharing his insight on this Cube conversation. I'm John Furrier, thanks for watching. (upbeat music)

Published Date : Aug 22 2019


Jeff Moncrief, Cisco | Cisco Live US 2019


 

>> Announcer: Live from San Diego, California it's The Cube! Covering Cisco Live US 2019. Brought to you by Cisco and its ecosystem partners. >> Welcome back to The Cube's coverage of Cisco Live Day 2 from sunny San Diego. I'm Lisa Martin joined by Dave Vellante. Dave and I have an alumni, a Cube alumni back with us, Jeff Moncrief, consulting systems engineer from Cisco. Jeff, welcome back! >> Thank you very much, it's great to be back! >> So, we're in the DevNet Zone, loads of buzz going on behind us. This community is nearly 600,000 strong. We want to talk with you about Stealthwatch. You did a very interesting talk yesterday. You said, it had a couple hundred folks in there. War stories from real networks. War stories ... strong descriptor. Talk to us about what that means, what some of those war stories are, and how Stealthwatch can help customers learn from that and eradicate those. >> So it's called Saved by Stealthwatch. It was a really good session. This is the third Cisco Live that I've presented this session at. And it's really just stories from actual customer networks where I've actually deployed Stealthwatch into. I've been selling Stealthwatch for about five years now. And I've compiled quite a list of stories, right? And it really ... if you think about advanced threats and insider threats and those kinds of exciting things, the presentation was really about getting back to fundamentals. Getting back to the fact that in all these years that I've been working with customers and using Stealthwatch, a lot of the scary things that I have found have nothing to do with that. With the advanced type threat stuff. It really has to do with the fact that they're forgetting the basics. Their firewalls are wide open, their networks are flat. Their segmentation boundaries aren't being adhered to. So it's allowed us to come in and expose a lot of scary things that were going on and they were just completely oblivious to it. >> Why are those gaps there? 
Is it because of a change management issue? Technology's moving so quickly? Lack of automation? >> Yeah, I think there's a couple reasons that I've seen. It's a recurring theme really. Limited resources ... number one. Number two, limited budgets, so your priorities have to shift. But I think a big one that I've seen a lot is turnover and attrition. A lot of times we'll go in with Stealthwatch and we'll kick off an evaluation or whatnot and the customer will say, I just don't know what's there. I don't know if I have 100 machines that need visibility or for a thousand. And I'm a Stealthwatch cloud consulting systems engineer so the cloud world is where I spend a lot of my time now and what I'm seeing as it relates to the cloud realm is that's exponentially worse now. Because now you've got things like devops and shadow IT that are all playing in the customer's public cloud environment deploying workloads, deploying instances and building things that the security team has no awareness of. So there's a lot of things that are living and breathing on the network that they just don't know about. >> And so the tribal knowledge leaves the building, how do you guys help solve that problem? >> So we come in ... and you know the last time that you and I spoke, you used the term cockroaches, I think, which I loved. I actually have used that a lot since then, so thank you for that. >> Dave: Yeah, you're welcome. >> No, but, you know ... we come in and we actually, we turn the customer's network infrastructure ... Whether it's on-prem or in the public cloud into a giant security sensor grid. And we leverage something called NetFlow, which you've probably heard of. And it's essentially allowing us to account for every conversation throughout the entire infrastructure, whether or not it's on-prem or in the public cloud or maybe even in a private cloud. We've got you covered in that area. And it allows us to expose every one of those living, breathing things. 
And then we can just query the system. So think of us like a giant network DVR on steroids. We see everything, you can't hide from us, because we're using the network to look at everything. And then we can just set little trip wires up. And that's kind of what I go into in my presentation also is how you can set these trip wires ahead of time to find things that are going on that you just didn't know about and frankly, they're probably going to scare ya. >> One of the stories that you shared in your talk yesterday. You talk about people really forgetting the basics. A university that had a vending machine breach. You just think, a vending machine in a cafeteria? >> Jeff: That's right. >> Really? Tell us about that. What kind of data was exposed from a vending machine? >> So that's one of my favorite stories to tell. We had gone in and we'd installed Stealthwatch at a small university in the US. And they had a very small team. Okay, you're going to see that recurring theme. Limited staff. And they really just had a firewall. Okay, that was what they were doing for security. So we came in, we enabled NetFlow, we kind of let Stealthwatch do its thing for a couple of days, and I just queried the system. Okay, it's not rocket science, it's not AI a lot of times, it's really the fundamentals. And I just said, tell me anything talking on remote desktop protocols inside the network out to the internet. And lo and behold, there was one IP address that had communication from it to every bad country you can imagine ... actively. And I said to them ... I said, what is this IP address? What's it doing? And that was in the conference room in the university with their staff and the guy looked it up in the asset inventory system, and he looked at me and he goes, that's a vending machine. And I said, a vending machine? And he said, yeah. And then I was like, okay, well that's a first, I've never heard of that before. And he goes wait a minute, it's a dirty tray return machine. 
You ever heard of one of those? >> Lisa: No. >> I hadn't either. >> Lisa: Explain. >> So for loss prevention, I guess universities and other public institutions, they will buy these unique vending machines that are designed for loss prevention. So that the college students don't go around and you know, steal or throw away the trays from the cafeteria. You have to return the tray to get a coin. There's a common supermarket chain that does the same thing with their shopping carts. And it's for loss prevention. So I said, okay, that's pretty strange. Even stranger than just vending machine. And I said, well did you realize that it was talking to a remote desktop all over the world? And he said no. And I said so, can you tell me what it has access to? So he looked it up in the firewall manager right there and he said, it has access to the entire network. Flat network, no segmentation. No telling how long this had been going on, and we exposed it. >> And Stealthwatch exposes those gaps with just kind of old school knock on the door. >> Yeah, it really is. We're talking about fundamental network telemetry that we're gathering off the route switch infrastructure itself. You know, obviously, we're at Cisco Live, we work really well with Cisco gear. Cisco actually invented NetFlow about 20 years ago. And we leveraged that to give visibility footprint that allow us to expose things like the vending machine. I've found hospital x-ray machines that were scanning all the US military, for instance. I find things in the cloud that are just completely wide open from a security ACL standpoint. So we've got that fundamental level of visibility with Stealthwatch, and then we kick in some really cool machine learning and statistical analytics and machine running analytics and that allows us to look for anomalies that would be indicators of compromise. 
So we're taking that visibility footprint and we're taking it to that next level looking for threats that might be in the customer's environment. >> So before we get to the machine intelligence, I presume that cloud and containers only makes this problem worse. What are you seeing in the field? How are you dealing with that? >> So we're in a landscape today where we've got a lot of customers that might be cloud averse. But we've also got a lot of customers that are on the wide other side of that spectrum and they're very cloud progressive. And a lot of them are doing things like server-less micro services, containers and, when you think of containers you think of container orchestration ... Kubernetes. So Stealthwatch Cloud is actually in that realm right now today, able to protect and illuminate those environments. That's really the Wild West right now, is trying to protect those very abstract server-less and containerized environments but yeah, we come in, we are able to deploy inside Kubernetes clusters or AWS or Azure or GCP, and tell the Stealthwatch story in those environments, find segmentation violations, find firewall holes just like we would on premise, and then look for anomalies that would be interesting. >> So the security paradigm for those three you mentioned, those three cloud vendors, and you're on-prem, and maybe even some of your partners, is a lot of variability there. How should customers deal with maintaining the edicts of the organization and sort of busting down those silos? >> Yeah, so you think about like Stealthwatch Cloud which is the product that I'm a CSE for, we're really focusing on automation, high efficacy and accuracy. All right, we're not going to be triggering hundreds or thousands of alerts whenever you plug us in. It's going to further bog down a limited team. They've got limited time and they have to change their priorities constantly. 
This solution is designed to work immediately out of the box quickly deploy within a matter of hours. It's all SaaS-based so actually it lives in the cloud. And it really takes that burden off of the organization of having to go and set a bunch of policies and trip wires and alerts. It does it automatically. It's going to let you know when you need to take a look at it so that you can focus on your other priorities. >> So curious where your conversations are within an organization - whether it's a hospital, or a university when what you're finding is in this multi-cloud world that we live in where there's attrition and all of these other factors contributing to organizations that don't know what they have with multi-cloud edge comes this very amorphous perimeter, right? Where are those conversations because if data is the lifeblood of an organization, if it's not secure and protected, if it's exposed there's a waterfall of problems that could come with that. So is this being elevated into the C-Suite of an organization? How do you start those conversations? >> So it's not just the C-Suite and the executive type structure that we're having to talk to now, traditionally we would go in with the Stealthwatch opportunity and talk to the teams in the organization it's going to be the InfoSec team, right? As we move to the cloud though, we're talking about a whole bunch of different teams. You've got the InfoSec team, you've got the network operations team now, they're deploying those workloads. The big one though that we've really got to think about and what we've really got to educate our customers on is the Dev Ops teams. Because the Dev Ops teams, they're really the ones that are deploying those cloud workloads now. You've got to think about ... they've got API access, they've got direct console login access. So you've got multiple different entry points now into all these different heterogeneous environments. 
And a lot of times, we'll go in and we'll turn on Stealthwatch and we show the organization, yeah, you knew that Dev Ops was in the VPCs deploying things, but you didn't know the extent that they were deploying them. >> Lights up like a Christmas tree? >> Yeah, lights up like a Christmas tree and like a conversation I had last week with a customer. I asked them, I said, all right so you're in AWS, are we talking do you have 50 instances or do you have 500? He said, I have no idea. Because I'm not the one deploying these instances. I'm just lucky enough to get permission to have access to them to let you plug your stuff in to show me what's going on in that environment. But yet they're in charge of securing that data. So it's quite frightening. >> So you've got discovery, you've got ways to expose the gaps, and then you're obviously advising on remediation activity. And you're also bringing in machine intelligence. So what's the endgame there? Is it automation? Is it systems of agency where the machine is actually taking action? Can you explain that? >> So when the statistical analysis comes in and the anomaly detection comes in, it's really that network DVR, so we've got the data, now let's do some really cool things with it. And that's where we're in actually, for every single one of these entities, and I do stress entities because the days of operating systems and IP addresses are going away. Face it, it's happening. Things are becoming more and more abstract. You know, API keys, user accounts, Lambdas and runtime compute, we have to think about those. So what we do for all these different entities is we build a model for each one of these, and that model, that's where all the math and the AI comes in. We're going to learn Known Good for it. Who do they talk to? How much data's sent or received? And then we start looking for activity in that infrastructure as it relates to that entity that's outside of that Known Good model. 
So that would be the anomaly detection and you know, our anomaly detection, it really can be attributed to two different major categories. Number one is going to be, we're looking for things that cross the cyber kill chain. So those different IOCs as a threat actually manifests. That's what the anomaly detection's doing. And then we're also looking for just straight compliance and configuration violations in the customer's cloud infrastructure, for instance, that would just be a flat out security risk today, day one, forget baselining anomaly detection, it should just not be configured that way. >> Let's see, roughly 25% of Cisco's revenue is in services, what role does the customer service team play in all this? How do you interact ... how do the product guys and the service guys work together? >> So we've got a great customer experience team, customer services team for Stealthwatch and it doesn't matter if we're talking Stealthwatch on-premise or the Stealthwatch cloud, they cover both. And what will happen is we'll come in from a pre-sales standpoint, we do the evaluation, show good value, and then we've got a good relationship with the CX team where we'll hand that off to them, and then we'll work with the CX team to make sure that customer is good to go, they're taken care of, and it's not we've sold this and we're just going to forget you type scenario. They do a good job of coming in, they make sure that the customer's needs are met, any feature requests that they like taken care of. You know, they have routine touchpoints with the customers and they make sure that the product, for all intents and purposes, doesn't lose interest or visibility in the customer's environment. That they're using it, they're getting good value out of it, and we're going to build a relationship. I call it cradle to grave. We're going to be with that customer cradle to grave. >> Now Jeff, one of the things I didn't talk to you about at Google Next was ... 
first I got to ask you, you're a security guy, right? Have you always been a security guy? >> Yeah, security for about 20 years now, dating back to internet security systems. >> The question I often ask security guys is who's your favorite superhero? >> My favorite superhero ... I'd say Batman. >> Dave: Batman? >> Yeah. >> I like Batman. (chuckles) The reason I ask is that somebody told me one time that true security guys, they love superheroes because they grew up kind of wanting to save the world and protect the innocent. So ... just had to ask. >> Yeah there you go ... Batman. >> I'm sensing a tattoo coming. Last question for you Jeff is in terms of time to business impact, the vending machine story is just so polarizing because it's such a shocking massive exposure point, did they ever discover how long it had been open and in terms of being able to remedy that, how quickly can Stealthwatch come in, identify these- >> So very quick operation wise. So like the vending machine story, that's something that if you turn on Flow, and you send it to Stealthwatch right now, we can pick that up in 10 minutes. That quick to visibility and value. Now how long has it been going on? A lot of times they can't answer that question because they've never had anything to illuminate that to begin with. But moving forward, now they've got a forensic incident response audit trail capability with Stealthwatch which is actually a pretty common use case. Especially if you think about things like PCI that have got audit requirements and whatnot. A lot of organizations if they're not using a Flow based security analytics tool, they can't always meet those audit and forensic requirements. So at least from the point of installing Stealthwatch they'll be good to go from that point forward. >> So if they can find an anomaly that needs to be rectified in 10 minutes, what's the next step for them to actually completely close that gap? 
>> So like with Cisco Identity Services engine, we've got a great integration there where we can actually take action, shut off that machine instantly. We can shut off a switch port. We can isolate that machine to an isolated sandboxed VLAN, get it off the network, and then in the cloud, we can do things like automated remediation. We can use things like Amazon and Lambda to actually shut off an instance that might be compromised. We can actually use Lambdas to insert firewall rules. So if we find a hole, we can plug it. Very easily, automated- >> Ship a function to it and plug a hole. >> Batman slash detective. I think you need a tattoo and a badge. >> I can work on that, I like it. >> Jeff thank you so much for joining Dave and me on The Cube this afternoon. >> My pleasure. >> Really interesting stuff, we appreciate your time. >> Absolutely. >> For Dave Vellante, I'm Lisa Martin. You're watching The Cube's second day of coverage of Cisco Live from San Diego. Thanks for watching. (upbeat music)

Published Date : Jun 12 2019


Tom Corn, VMware | VMworld 2018


 

>> Live from Las Vegas, it's theCUBE covering VMworld 2018. Brought to you by VMware and its ecosystem partners. >> Hey, welcome back everyone, we are live here in the broadcast booth presented by theCUBE. I'm John Furrier co-host with Dave Vellante. VMworld 2018, day three of three days of wall-to-wall coverage. Our 9th year covering VMworld and the VMware ecosystem. It's great to have on theCUBE Tom Corn, who's the Senior Vice President, General Manager of the Security Products from VMware. Welcome to theCUBE, good to see you. >> Thank you! >> We were just bantering before we came on that you are part of building AppDefense, one-year-old product. >> Yes, yeah. >> You're in the nerd nation, if you will. >> (chuckles) Yes. (laughter) >> We say that with all due respect, Tom. >> I take it. >> I had to stay for Stanford since the football opening day is Friday, so we'll be tailgating at Stanford, but Palo Alto VMware, tons of technology in VMware, we covered the radio event, which was first opened to the press this year, we were there. Security's number one. Pat Gelsinger has said on theCUBE so many times, even four years ago, he said security's a do-over. But it's more than a do-over, it's central to how the Cloud and on-premises are working. >> Yes. >> Hybrid Cloud validated by Andy Jassy this week. >> Yes. >> With RDS on VMware on premises, pretty major industry milestone there. You're in the middle of the security leading the team. What's the update for VMware, still pumping on all cylinders? >> Uh, I think this is actually, we're making some of the biggest strides forward in security right now. I think there is such a huge opportunity to not make the mistakes we made in the past, and start with a clean slate, do security the way it really, ultimately, makes sense. At the end of the day, we're really not trying to protect servers or networks, we're trying to protect data and applications. 
And being able to see things through, look at the infrastructure through the lens of the application, the lens of the data, and align security to that, is a huge opportunity to fundamentally make Cloud more secure than a traditional, sort of physical environment. >> So, we, I got a stat from TrendMicro, just came by theCUBE today on the briefing, they said one in six dollars are being spent outside the organization and buying other SAAS platforms. Cloud certainly, with Shadow IT has caused that. Whether it's DropBox, ADS-Bih instances, just stuff flying up there opening up, potential vulnerabilities. Virtual networking is clearly a part of the architecture with virtual machines. So security is really under a lot of pressure, and Micro Segmentation seems to be a hot topic. This is driving a lot of new value as the architecture shifts to Hybrid Cloud, which is such a Cloud Operations. >> Yeah. >> Infosec teams, Net Ops, are all working together now, but it seems more confusing than ever. Can you clarify how companies are organizing around the Cloud, Hybrid Cloud operating model in Multi-Cloud with security? >> Yeah, so, first it's important to understand the central idea behind micro-segmentation is to provide a mechanism to compartmentalize all the elements that compose an application, a regulatory scope, so that if one thing falls, everything doesn't fall, right? The reality is a perimeter of a data center is so porous in so many dimensions that you cannot, your security strategy can't be predicated on anything inside my data center is just fundamentally secure. I think we live in a state of compromise. Deal with it, right? And so, the notion of compartmentalizing an application allows for a limited lateral movement of attacks. It also provides a policy boundary to say, you know, I can place controls on the boundaries of an application and that boundary may not exist in the physical world, but it does in the virtual world. 
You know, the best analogy I came up with for this is imagine you had an entire company in a skyscraper, now all the employees were in that skyscraper. You could put guards in the front door of that building, and the instructions for them on who gets in and who gets out, or what looks weird in the lobby, pretty straightforward, okay? Now take the employees and spread them out into parts of floors of different buildings all over the city, fill the building that you had with employees from lots of different companies, now there's a bank, a TGI Friday's, a bowling alley, and the FBI. Now tell those guards what looks weird in the lobby. Like, now tell those guards who should get in. Now, suddenly, it gets really confusing, and the ability to say I want to create a virtual skyscraper that will put all the employees in one place, that's the idea behind micro-segmentation. >> Tom, you talked about the Cloud, the potential for the Cloud to be more secure than the traditional environment. In June, John and I were at the public sector summit, and we heard the CEO of the CIA say Cloud, on our worst day, from a security standpoint, is better than my client server. 'Cos the first time I'd heard client server in about ten years, but nonetheless, >> (laughs) That's the government. >> So, (laughs) my question for you is, in terms of, so his implication was, it's already there. What has to be done to bring that level of security to that hybrid world? >> Yeah. First, I would be careful with that statement. I think we are probably right for the average company, the way a Cloud provider would secure the infrastructure on down, is actually very solid. The application's your problem. The data that's running on it is your problem. And that's not quite the same thing, there's a different set of things about what can get access, how that's isolated for other things. So-- >> Let me make sure I understand that. So you're saying, the infrastructure check, but that's not the story. 
>> And what's above the operating system, my applications, and how data's flowing on that, and there's no good excuse that oh, it was running on such and such infrastructures or service, it's not my problem. It's still the company's problem, right? >> Right. >> So a lot of the basic things of access control, alignment of controls, policy, those are still, ultimately, in the hands of the customer. Now, I do agree that the opportunity is to make the simpler, less misalignment, less misconfigurations, those are tremendous opportunities of the Cloud. >> But there's some conventional wisdom in the industry that says, you know what, it's a fait accompli you're going to get hacked, so it's all about how you respond. I'm inferring from you that no, that's not the case, that you could actually protect the data if you take an application view. >> Yeah. >> Of course, response is important. >> Yeah, but I feel like there's no perfect solution. I guess maybe the best way to think of security is as a risk management exercise. You're going to spend whatever you're going to spend. The question is, are you spreading that like peanut butter on a bunch of stuff, or are you investing your time, money, and capital in the things that would have the most material reduction in risk? There's a wonderful framework that Gartner came up with that I liked that, and Neil Macdonald from Gartner came up with it, which is the, he calls it the Cloud Workload Protection Framework. He's stack ranked all the things you could do to protect the workload, in order of how much risk it gets rid of. The things at the bottom, the big risks, patching, segmentation, application control, protect the memory, encryption, those are all things that have to do with reducing attack surface as opposed to finding the attack of the day. 
The stuff at the top, you know, antivirus running for a server inside the data server behind all these walls, it's not, it's marginal residual risk, so the focus of VMware, in the security realm, has been we can not only bake security in, so you're not adding boxes, you're not managing agents. More importantly, we're in this unique position to understand where things are supposed to be. You know, for example, the AppDefense product that we launched last year, you mentioned, and we have a bunch of new stuff here, we're leveraging the hypervisor itself to understand the intention of the applications you loaded on it, and then use the hypervisor to say that's all it can do, nothing else. It flips the model completely from saying I'm going to try to find bad things to I'm going to really understand what good it's supposed to be, and that's all that's allowed. >> So you're narrowing the scope with policy, basically? >> 100%. >> I mean, so this comes up with IOT, I heard a guy saying these light bulbs that are WiFi-enabled have full, multi-process threads, we don't need it, it's a light bulb. It needs to go on and off, so by bounding, by bounding the apps, that's what you're saying. >> That's exactly right. >> Using virtualization mechanisms to do that. >> Exactly right. We've never used it for this before, but the hypervisor kernel does a bunch of pretty amazing things, we just. It can see what's running, it can see what you provisioned in the first place, it can do that without adding an agent, it can do that in a way that can't be turned off, without a lot of overhead, and it can do almost anything in response. 
So the central idea behind AppDefense was, let's use it, it will tell you what all your VM's are for, now you have an application view that says here are the applications in your infrastructure divided into services, divided into machines, here's what they're supposed to be, tell us what you want to have happen if what's running doesn't match what you intended. That's it. >> Well, technology's perfectly positioned with that. And Pat was mentioning NSX, and I want to ask about that in a second about NSX. >> Yes. >> But I want to put you on the spot and ask the question that comes up all the time. Two factors in security that's hard to get your arms around. >> Yeah. >> One is, patching. Which, you said, you don't patch stuff, so you don't patch up the whole surface area. Two, social engineering. 'Cos you've got human error whether you pass or not, did I configure the bounding properly, that's a human error, batching, I call human error and social engineering. Those are two factors that are still prevalent in security. >> Absolutely. >> Your thoughts on that? >> Well, you can't patch humans, so that is all weak, and then the thing that we can really advance there is to move increasingly to automation, and do things that, candidly, humans probably aren't the best at doing that, but you can't just automate, old, unreliable processes, that just makes them faster, it doesn't necessarily make them better. >> Yeah. >> I think that the key to a lot of this is, >> Automating a bad process still makes it a bad process. >> Yeah, it's just faster. (chuckles) It's more efficient. >> (chuckles) An efficiently bad process. >> Exactly, exactly right. So, you know, I think a lot of the automation and ability to compartmentalize things and, candidly, a lot of the policies, whether it's for patching, etc, when thought of through the lens of an application as opposed to like, what's our policy for patching the patient care system, how often? 
Is my patient care system unpatched, is different from saying I've got thousands of machines, and some of them are patched and some of them are not, how do I prioritize which ones I should get. It really does, not only simplify things, but align things to a business outcome, which really, it goes back to a risk management decision a business has. >> Ransomware is a great example to your point earlier, I think you said that off-camera as well, is that, you know, you don't want to attack the same treadmill of problems. So ransomware, one guy said that on theCUBE here at another event said that, ransomware's easy, just patch them back up and you're good. >> Yeah. >> That sounds simple, doesn't it? >> Yeah. It-- >> Surface area, patch it, back it up. >> Yeah. Sometimes there's reasons why the patch, that people just don't roll out the updates to an absolute critical server on the trading floor, sometimes they have challenges. But, you know, interesting enough, yesterday we were showing, we had a live, we did a live attack on stage with Petya, with a live strain of ransomware, throwing it against the machine, we showed why it worked, and we were just using AppDefense to say, all right, let's assume you didn't patch it, AppDefense is going to make sure that application can't do anything you didn't intend it to do, the ransomware doesn't work. And it's not because we understand what malware you had there, it's because the malware, to work, has to change. >> I'm thinking about security strategies in general for organizations. You know, given that credential theft is still such a huge problem, are the things that you can do with analytics, because you may have visibility on certain parts from the infrastructure standpoint, that you can do to maybe not stop credential theft, that's bad human behavior, but to identify some anomalous behavior. What's happening with analytics, and what role, if any, does VMware play? 
>> Yeah, so, again, the central theme, I suppose, is summed up as, we're trying to say, here's your applications and data, what is intended? On the network with NSX, on the compute stack with AppDefense, Workspace One is trying to address that from a user and a device perspective. And the questions one asks for what you're discussing is, is this who they say they are, are they on the list of invites, and are they on a trusted device? And those were traditionally silo decisions, separately. And what we're saying is, it's about answering those things in concert that allow us to spot the stuff that doesn't make sense. It's the ability to answer them in concert that allows you to make that less intrusive into the daily activities of the users. So the work that's happening on Workspace One Intelligence to do analytics looking at the device and how the device is behaving, the user, and how the user is, what indication, what risk do we see? This may not be the person or the risk that they're working from a device I might not trust even if I trust who it is. Either of those might tip me off to say, you know what, I might want to limit what they have access to, or this is the place I need to look at first. Again, I think that starts to clarify and put things in context. >> We were talking off-camera about the infosec team and the IT team, and often they're in silos and not talking to each other. What's the right regime, in terms of what you see in the marketplace, of best practice to approach this problem? >> It sort of depends on the size and scope. But the infosec team, often led by the Chief Security Officer, often, in most organizations that I deal with, own the security operation center, security architecture, and governs its risk and compliance. They're mostly looking at setting overall policy, and seeing when things are breaking down, and reacting to it. 
But as you point out, there's a lot of security happening in the infrastructure teams, whether it's firewalling, segmentation, locking down the computer stack, even things like AV running by end user services teams. They're looking to set policy, and things that are getting in the data path, that are about locking things down, and they need to collaborate. They need to, to be effective, they need to each know their roles and operate from a single source of truth, and that's where it's breaking down. In fact, I would take it a step further. The other group that needs to be part of this conversation is the application team. And as we move to Dev Ops, and the applications change very rapidly, it's going to be increasingly important that they collaborate, and not ignore each other as silos. >> Mm-hmm. >> I want to ask you, I know we've got one more question left, but, I want to get out there. You mentioned adaptive segmentation is an extension of where micro-segmentation is going. A lot of buzz here at VMworld on micro-segmentation. What is adaptive segmentation? >> So it's really the next logical evolution. Which is, we've taken some of the technology that we've built with AppDefense, that can figure out and map out the applications. Now we have manifests that say what these things are for, and we know the patient care system is actually all these machines and how they interact. It's basically saying, why don't we have the system program the micro-segment, and do it in an automated way? Now you have a micro-segment that is automatically and perfectly aligned driven from the application itself. And the other beauty is, the adaptive portion, which says, if the application changes, that's pushed down through puppet or chef or it's, or something is modified through patching, to have the system to be smart enough to see that's an update, and that automatically changed the actual segment, and lock the network and compute down. That's what we're doing there. 
>> What is the impact to the customer? And what is the impact of that? >> It's simpler. Much faster time to actually go in. It's simpler, and it's a much more accurate representation of the application. You lock things down both from lateral and direct attacks, so it's a big deal. >> Okay, final, final question. I always like to get the final question in here. Tom, tell us about a prediction for 2019. Next year VMworld, what are we going to be talking about? What are going to be the security issues on the table? More of the same, rinse and repeat issues? What is your prediction for 2019 in the security world? >> Well, you know what, I think security's going to get more complicated before it gets simpler. I think we're on the right path, but there are so many moving parts. I think, one thing, I don't think you're going to start seeing people increasingly open to security being delivered as SAAS. Because there's too many benefits of machine learning across populations of users. I think we're going to start to see security models that are, to fool one of us you've got to fool all of us. I think those are the kinds of things that are going to be the needle mover. >> Sounds a great service, security's a service, theCUBE is a service bringing these three days of wall-to-wall coverage, we'll be back with more on day three coverage. I'm John, for Dave, stay with us for more after this short break.

Published Date : Aug 29 2018

Thomas Squeo, West Corporation | ServiceNow Knowledge18


 

>> Announcer: Live from Las Vegas, it's theCube! Covering ServiceNow Knowledge 2018. Brought to you by ServiceNow. >> Rebecca: Welcome back to theCube's live coverage of ServiceNow Knowledge '18. We are here in Las Vegas at the Venetian. I'm Rebecca Knight, your host along with my co-host, Dave Vellante. We are joined by Thomas Squeo. He is the Senior Vice President for Digital Transformation & Enterprise Architecture at West Corp. Thanks so much for coming on the show! >> Good morning, thank you for having me. >> So Digital Transformation, you're the SVP, it's a buzzword of the technology industry and also at this conference. Tell us a little bit about how you describe it, what it means, and then also about West's journey. >> Sure, so in my own role within West, Digital Transformation gives me an opportunity to have higher amounts of contact with the business side of the organization. Whether it be customer success, product management, looking at our strategic accounts team and basically working across all aspects of the business. While I am running Enterprise Architecture I also run product engineering for the organization and those combined roles give me the opportunity to take things from strategy to tactic inside the organization but the Digital Transformation component gives me the context for what the organization needs to move towards. >> Dave: Essentially, you guys are a digital company, right? >> We are. >> So, I mean, you're digital evolving maybe. What is Digital Transformation mean to a company like yours that's born digital if you will? >> Right, so we came out of a traditional Teleco background so everything about our business was driven by software and up until about 2015 it was very human capital intensive. So what we've done is we've kind of re-tooled ourself to be a more forward looking technology organization that's driven by software delivering solutions on behalf of our customers. 
And that includes much more of a service and solution portfolio than it does in a human capital portfolio. >> So as you transition from a business to a digital business what was the role of data? How did the data model evolve? >> Well I think that one of the things that we look at in our data model is that because of the scope and scale of our business, they have different data model requirements for different aspects of our business. Our safety business operates under DHS critical infrastructure rules whereas our unified communications is particularly dictated by regulatory and compliance environments and healthcare, education, commercial and utility markets and other aspects depending on what kind of notifications are going out. It might be under HIPAA, high trust and those kinds of things. Those are really kind of the drivers for us to be able to prioritize how it affects our data model and our INFOSEC profile. >> So you have to have sort of semi-siloed data model, right? >> Correct. So we don't see a lot of customer movement across the organization only about 30% of our customers buy from multiple West businesses and they're typically very compartmentalized around the use and consumption model that we actually have been approached for. >> So as the digital leader, does that present challenges for you or it is what it is and you just deal with it? >> Thomas: It actually presents more opportunities than anything else and the reason why is because we can take learning from very forward looking, leaning cloud native platforms and be able to apply that into some of our legacy business or we could also look at something like the regulatory environment than how certain businesses actually satisfy that and be able to mature some other aspects of our business that might be a little bit more loose or came in through an acquisition that wasn't governed by kind of an organization of the scale of ours. 
>> Rebecca: So you're a very progressive leader and before the cameras were rolling we were talking a little bit about how there is this mentality particularly in IT this sort of break it, fix it mentality and keeping going that way. What's your best advice for people in roles in IT and elsewhere in the organization to get out of that mindset? >> Well the most important thing I think is that you have to move out of an order taker role and you really have to kind of move into a either a strategic advisor kind of an internal consultancy model where in which your IT leadership team is not necessarily seeking a seat at the table, that's kind of a cliche in that regard but much more of how do you partner with the General Managers, Segment Presidents and so on and so forth as an advisor on the side working with them on how they consume the technology services across the organization. That's really how we focused our architecture team as opposed to necessarily looking at bringing in an external consultancy to kind of lead and broker that conversation inside the organization. >> Dave: What are you doing with ServiceNow? >> So we are actually, we've just released in April our first phase with ServiceNow. It was a significant transition over multiple service management platforms. We've rolled out service management and knowledge already. We're underway with operations management next. And we're talking about all the aspects of it. So we're taking very much an out of the box approach. We're not doing any customizations, we're doing a lot more configuration around workflow and so on. We've been able to establish a really strong leadership presence around the organization from a governing perspective, how we're going to float those changes into the organization and then ultimately how are we going to deliver. We kind of take it as kind of the base fractal as the first phase and first implementation. 
And then how do you expand upon that to ultimately make sure it's woven into the fabric in the organization as a tool for not only employee experience but customer experience as well. >> So no custom mods. Check. >> Thomas: No custom mods. >> Smart. How about a single CMDB with a siloed or a fractured data model. >> Thomas: That's very much a part of our strategy. >> So okay, you bought into that. >> We look at asset management as kind of the bridge between logical Enterprise Architecture models and how it actually translates into physical infrastructure the CMDB is that source of truth for that and we're looking to ServiceNow to be able to provide that for our organization and that includes not only in our on prem instances, our virtualized environments our hybrid cloud environments ultimately looking at them as kind of a cloud management provider as we scale up and take advantage of that. And that includes charge back, show back being able to show what consumption is, being able to have our capacity teams be able to do forecasts based on, you know, cyclical environments where or storms or things like that move across and affect where our compute resources are ultimately deployed. >> But you don't get there overnight. I mean you got organizational barriers you got politics involved. What's the timeline look like to effect that? >> We started our transformation journey in late 2015. We reorganized the initial aspects of our IT organization everything but product development in 2016 and really spent the next 18 months kind of driving towards table setting on a platform level, not only in how we were dealing with service management but how our cloud native platform was being built out, our CICD tools data center consolidation all those activities. And then ultimately when in 2017 we reorganized the last elements of our product engineering and our development organization and now really kind of lit a fuse if you will on that transformation journey. 
So rather than necessarily have it start at on point and look at the distance between strategic kind of alignment we've actually gone and put definite milestones and breakpoints for us to be able to kind of reenergize that part of the organization. >> Thomas, thanks so much for coming on theCube it's been really fun talking to you. >> Thank you for the opportunity. >> I'm Rebecca Knight for Dave Vellante we will have more from ServiceNow Knowledge '18 in a little bit. (upbeat music)

Published Date : May 8 2018

John Maddison, Fortinet | Fortinet Accelerate 2018


 

>> Announcer: Live from Las Vegas. It's theCUBE. Covering Fortinet Accelerate 18. Brought to you by Fortinet. (upbeat music) >> Welcome back to theCUBE. Our continuing coverage of Fortinet Accelerate 2018. We're excited to be here. I'm Lisa Martin with Peter Burris, and we're excited to talk to one of the Keynotes the big cheese from the main stage session this morning, John Maddison. >> I say, small cheese I would say. >> SVP of Products and Solutions at Fortinet. Welcome back to theCUBE. >> It's great to be here again. >> So two things I learned about you when you started off your Keynote. One you're a Man City Fan, Manchester City. >> Manchester City Blue. >> Okay. >> Through and through, for many years. >> Premier League all the way. And you have the best job at Fortinet. >> I do indeed. >> Wow. >> That is to announce the new products of course. >> So let's talk about that. So you talked about some exciting announcements today. Tell us about, start with a Security Fabric. What's new there, what's going on, what's exciting? >> Well the core of the Security Fabric is FortiOS 6.0, that's our network operating system. That's the core of the Fabric and when we do a big release like this, many different features, new functionalities. Also we have tighter integration now between all our products in the Fabric. Bus, as I said, new features as well. Things like SD-WAN has been improved, we now have probably estimate of breed SD-WAN security. The Fabric integration itself is going on. We built out some new connectors with cloud. Now we have connectors for all the public clouds. All the public clouds. We have a new CASB connector, acronym city, of course, as usual, CASB is cloud access security broker, API access the SaaS clouds. And so we've got that not only in its standalone form but also very much integrated inside the Fabric. 
We've also introducing some new FortiGuard service as part of FortiOS 6.0, a new security rating which is based on a bunch of new practices or best practices that all our customers have said this is great best practices, can you put this together and apply these to our network overall. That's just skimming the surface as I say, I think I said there's 200 plus new services I could have stood up there for like six hours or whatever. But great new services are 6.0 big announcement for us. >> We just chatted with your America's Channel Chief Jon Bove, talk to us about. >> Who's an Arsenal fan by the way. >> What. >> And we beat him Sunday three nil in the Cup final. >> Excellent. >> Just to make sure you get this. >> I'm sure. >> Write that down. >> Jot that down. >> So what excitement are you hearing in, from your perspective, in the channel with respect to all of the new announcements that you made today? >> Great feedback, so this obviously is a big channel partner event here. You know what a lot of channel partners are saying is that I need to make sure I provide more of a solution to the customers. In the past, you know maybe they sell a point product, it's hard to kind of keep that relationship going with that customer. But if they sell a solution with one or two products that's part of that solution or managed and some services as part of that, it's much stickier for the partners and gives them a bit more of an architectural approach to their customers network. They really like the Fabric as I said. The Fabric doesn't have to be everything inside the Fabric, they can be components. It's what we've seen far from a Fabric components. Our partners really latched on to the network plus the advanced threat protection, plus the management or plus the access points. But they definitely prefer to sell a complete solution. It's hard for them to manage 40 different security vendors, the skill sets, the training and everything else. 
Now they're not saying there needs to be one security vendor, much as we would like it to be Fortinet, but they need to be reduced to maybe a set of 10 or 12 and really, our Fabric allows them to do that. >> That's a key differentiator. >> Absolutely key differentiator and as I said, you know it's very hard to build a Fabric. It's a mesh network, all these products talk to each other. You can only really do that if you build those products organically, step-by-step, alongside the network operating system. It's no good acquiring lots of bits and pieces and trying to bolt it together, it's not going to work. We spent a long time, 10 years, building out this Fabric organically to make sure it integrates but also putting the best of breed features and things like SD-WAN and CASB. >> What is the product? In this digital world what is a product? >> A security product? >> Any kind of product. As a guy who runs product management, what's a product, can we talk about what is a security product? >> I think in the past you know product management used to be very focused on I've got a box that comes out, or I've got a piece of software that comes out, these days it could be virtual machine or cloud, but it's doing a single instance, there's a single thing that it's doing inside, inside the network from a security perspective. What we believe in is that multifunction, now consolidation, multiple threat vectors I refer to this that like the digital attack surface. The digital transformation, security transformation. The biggest issue though, is that digital attack surface. That's just expanded enormously, it's very dynamic. Things are coming on on off the network was spinning up virtual machines and applications here and there. A point product these days just can't cope, can't cope. You need solutions against specific threat vectors that are applied in a dynamic way using the Fabric. >> But arguably it's even beyond solutions. 
You need to be able to demonstrate to the customer that there is an outcome that's consistent and that you will help achieve that outcome, You'll take some responsibility for it. In many respects, we move from a product to a solution, to an outcome orientation. Does that resonate with you and if so, how does that influence the way you think and the way that you're guiding Fortinet and partners? >> Yes, definitely. You know one of the first things they're very worried about is you know can they see that digital attack surface. It's very large now and it's moving around. Their outcome, first outcomes to say, do I know my risk on my attack surface? That's the very first out. Is it visible, can I see it, or can I protect it or can I apply the right threat protection against that. That outcome to them is they can see everything, protect everything, but as I said also, now they're moving into this more detection environment. Where you've got machine learning, artificial intelligence because you need to apply that. The bad guys these days are very smart in that they know they can morph things very quickly and provide you know targeted attacks, zero-day attacks, we probably haven't seen it before. I hate this analogy where we say somebody else got to get infected before everyone else gets protected. It shouldn't be that way. With, you know, with technologies like artificial intelligence, machine learning, we should be able to protect everybody from day one. >> Kind of pivoting on, you brought up the word outcome, and I want to go off that for a second. When you're talking with customers and you mentioned, I think, before we went live that you visited, talked to over 300 customers last year. Who is at the table, at a customer, in terms of determining the outcome we need to have? Are we talking about the CSO's team, what about folks in other organizations, operational technology departments. Who are you now seeing is in this conversation of determining this outcome. 
>> A new job role which I think has been coming for a while, it's the security architect. Two years ago, I'll go into a room and there would be the networking team on one side of the table, this InfoSec team security side, on this side of the table, the CIO over here and the CSO over here and they'd be debating. I would be almost invisible in the room. They'll be debating what's going to happen because you know the CIO wants to build out more agile business applications, wants to move faster. The security team has got to answer to the Board these days, and they got to make sure everything's secure. What's their risk factor? And what I see is a new job function called the security architect, that kind of straddles a bit the networking team, understands what they're building out from an SDN, architecture, cloud perspective, but also understands the risks when you open up the network. The security architect provides more holistic, long-term architecture view for the customer, versus, I've got to fix this problem right now I've got a hold of a bucket, I've got to fix it, then we move on to the next. They're building a system on architecture long term. We have something called a Network Security Expert, it's our training education capability. We have an NSE eight, we have around 100 thousand people certified in the last two years on NSE between one and eight. And about 100 people on eight, because eight's a very high level architect level across all the security technologies. But we definitely see a lot of partners who want to get their people trained to NSE level eight because they would like to provide that security architect that's in the customer now, that advice on what should be that holistic security architecture. The big change to me is that the networking team and the security team have realized they can't just keep fixing things day to day, they need a more holistic long-term architecture. >> Let's talk about that holistic approach. 
At Wikibon we talk a lot about SiliconANGLE Wikibon, we talk a lot about how the difference between business and digital business is the role that data assets play in the digital business. I think it's a relatively interesting, powerful concept, but there's not a lot of expertise out there about thinking how is a data asset formed. I think security has a major role to play in defining how a data asset's structured because security in many respects is the process of privatizing data so that it can be appropriated only as you want it to. What does the security architect do? Because I could take what you just said and say the security architect is in part responsible for defining and sustaining the data asset portfolio. >> Yes and you know, if you go back a few years, there's data leakage prevention was a big area, big marketplace, DLP is the best thing. Their biggest problem that they did was they couldn't tag the assets. They didn't know what assets were so then when it came to providing data protection they go well, what is it, I don't know where it's from, I don't know what it is. And so that whole marketplace kind of just went away. We're still there a bit, but everyone's really struggling with it still. The 6.0 introduced something called tagging technology. It's inherent already inside routing systems and switching systems, SDN systems. The tagging technology allows you to look at data or devices or interfaces or firewalls from a higher level and say this is the business relationship between that device, that data and what my business objectives are. We talked about intent based network security and the ability long term is to say, hey, if I've got a user and I want to add that user to this network at security level six to that application, I say that, then it gets translated into bits and bytes and network comport and then gets translated end-to-end across the network. 
The tagging technology from my mind is the first step in a to be able to kind of tag interfaces and data and everything else. Once you've got that tagging done then you can apply policies as a much higher level which are data centric and business aware centric. >> I'm going to ask you a question related to that. Historically, networks in the IT world were device was the primary citizen right. Then when we went to the web the page became a primary citizen. Are we now talking about a world in which data becomes the primary citizen we're really talking about networks of data? >> I think to some extent. If you look at the users today, they have like maybe three or four devices. Because students, universities, there's something on with those lectures, they've got an iPad, their iPhone, three devices attaching there. I think the definition of one user and one device has gone away and it's multiple devices these days. And you know a lot of devices attaching that no one has any clue about. I don't think it's going to be completely data centric because I still think it's very very hard to tag and classify that data completely accurately as it's moving around. I think tends to be a part of it, I think devices going to be part of it, I think the network itself, the applications, are all going to be part of this visibility. In our 6.0 we provide this topology map where you can see devices users. You can see applications spin up, you can see the relationship between those things and the policies, the visibility is going to be extremely important going forward and then the tagging goes along with that and then you can apply the policy. >> With respect to visibility, I wanted to chat about that a little bit in the context of customers. One of the things that Ken talked about in his keynote was. >> Ken? >> Ken. >> Ken Xie. >> Yes. (laughing) >> Ken who? >> That guy? The guy that steals slides from you in keynotes. >> He did as usual. >> I know, I saw that. 
>> Tells me like two minutes before tells me John, I need that slide. (Peter laughing) >> That's why you have the best job. Everybody wants to copy you. In terms of what the CEO said, that guy, that Fortinet protects 90% of the global S&P 100. There were logos of Apple, Coca-Cola, Oracle, for example. In terms of visibility, as we look at either, a giant enterprise like that or maybe a smaller enterprise where they are, you mentioned this digital attack surface is expanding because they are enabling this digital business transformation, they've got cloud, multi-cloud, mobile, IoT, and they also have 20, north of 20, different security products in their environments. How did they get visibility across these disparate solutions that don't play together. How does Fortinet help them achieve that visibility, so they can continue to scale at the speed they need to? >> Well I think they use systems like SIEM systems, we have a FortiSIEM as well where you can use standards-based syslogs and SNMP to get information up there so they can see it that way. They're using orchestration systems to see parts of it, but I think long term, I think I speak to most customers they say, although there's specific, new vendors maybe for specific detection capabilities, they really want to reduce the number of vendors inside their network. You say 20, I sometimes I hear 30 and 40. It's a big investment for them. But they also realize they can't maintain it long term. Our recommendation to customers is to, if you've got some Fortinet footprint in there, look at what's the most obvious to build out from a Fortinet perspective. Sometimes we're in the data centers or sometimes we expand into the WAN and sometimes we expand into the cloud. Sometimes we'll add some advanced threat protection. We're not saying replace everything obviously with Fortinet, we're saying build what's most obvious to you and then make sure that you've got some vendors in that which are part of our Fabric alliance. 
We have 42 vendors now, security vendors, from end point to cloud to management that can connect in through those different APIs. And when we click them through those APIs they don't get you know the full Fabric functionality in terms of telemetry and visibility but they apply a specific functionality. A good example would be an endpoint vendor connecting through our sandbox not quite sure about files, entered our sandbox we'll give them a recommendation back. As soon as we know about that, all the Fabric knows about it instantly across the whole network because time is of the essence these days. When something gets hacked, it's inside a network. It's less than 60 seconds for something for the whole network. That's why segmentation, interim segmentation, is still a very important project for our customers to stop this lateral movement of infections once they get inside the network. >> But, very quickly, it does sound as though that notion of the security architect, this increasing complexity inside the network and I asked the question about whether data is going to be the primary decision, you get a very reasonable answer to that. But it sounds like increasingly, a security expert is going to have to ask the question how does this data integrate? How am I securing this data? And that, in many respects, becomes a central feature of how you think about security architecture and security interactions. >> Yeah but I think people used to build a network and bolt on security as an afterthought. I think what they're saying now is we need for the networking people and security people to work together to build a holistic security architecture totally integrated day one, not some afterthought that goes on there. That's why we know, we've been building the Fabric all these years to make sure it's a totally integrated Fabric end-to-end segmentation architecture where you can also then connect in different parts of the network. It has to be built day one that way. 
>> Last question, is sort of, I think we asked your CSO this, the balance between enabling a business to transform digitally at speed and scale. I think it was one of you this morning, that said that this is going to be the year of security transformation. Could've been that guy, that other guy, that you know, steals your slides. But how do how does a company when you're talking with customers, how do they get that balance, between we are on this digital transformation journey. We've got a ton of security products. How do they balance that? It's not chicken and egg to be able to continue transforming to grow profit, you know be profitable, with underpinning this digital business with a very secure infrastructure. >> As I said, I think most of them got that now. They kind of go, they've got this five-year plan versus a one-year plan or a six-month plan on the security side. It's integrated into the network architecture plan long term and that's the way they're building it out and that's the way they've got a plan to get, you know, you look at financial organizations who want to provide internet access or branch offices. They've got a plan to roll it out, that's safe going forward, or they want to add broadband access to their internet, like 5G or broadband interconnection, they've got a plan for it. I think people are much more aware now that when I build something out whether it be on the data side on the network side, it has to be secure from day one. It can't be something I'll do afterwards. I think that's the biggest change I've seen in my customer interactions is that they absolutely, essential is absolutely essential that they build out a secure network from day one, not an afterthought going forward. >> Well, we'll end it there, secure network from day one. John, thanks so much for stopping by theCUBE, congratulations on the announcements and we hope you have a great show. >> Great thanks. 
>> Thank you for watching, we are theCUBE, live from Fortinet Accelerate 2018. I'm Lisa Martin with my co-host Peter Burris. Stick around, we'll be right back.

Published Date : Feb 27 2018

Nicole Forsgren, DevOps Research & Assessment | PagerDuty Summit 2017


 

>> Hey, welcome back here everybody. It's Jeff Frick here with theCUBE. We're at PagerDuty Summit. It's in San Francisco at Pier 27. It's a new facility, we've never been here. It's pretty unique. It's right between the Bay Bridge and Pier 39. Beautiful day out on the water and it's all about DevOps here at PagerDuty. And I'm going to tease Jen later if people even know what a pager is at this town. So we are excited to have Nicole Forsgren. She's a founder, CEO and chief scientist of DevOps Research and Assessment. I had to read it, it's a big mouthful but it goes by DORA for sure. Nicole, welcome to see you. Good to see you. >> Thanks so much. It's good to be here. >> Alright so you are the DevOps expert. You got a really interesting past. Did some research on the LinkedIn profile industry. Academe industry, Academe and now you're out helping people. >> Yes, bounce around a bit. It's all about the pivot right? >> Absolutely. >> Out here doing DevOps. >> Absolutely, absolutely so you do an annual report on the state of DevOps. So where are we? DevOps has been being talked about for a long, long time. How much is reality? How far are we on this journey? What are you seeing? >> Right so it's really interesting you point that out right, because for years everyone's been like DevOps. What is it? Does it matter? And so DORA and by the way, DORA is myself. Jez Humble, Gene Kim. We just brought on Sue Chow. But the core founders, we've partnered up with the team at Puppet, and for the last several years. We've put out the state of DevOps report. To kind of help define at least from a research standpoint and from our standpoint. What it is? What are the key contributors to really drive value and does it drive value? It's for years and I'll talk about this later this afternoon on my closing keynote. For years and when I say years, I mean decades of academic rigorous, peer-reviewed research. Technology didn't matter. Like it didn't matter at all. 
It just never delivered value to organizations. But then we started seeing patterns and really interesting patterns and companies saying no. We're seeing results, we're delivering value. We're delivering outcomes. Core essential outcomes for end users and customers in the business. And so we got together and say okay, let's really take a look at this in a really important way. >> Right, now how far we've come right. 'Cause now most companies are technology companies. They just happen to wrap their technology around a particular product or a particular service. >> Yeah, exactly. >> And now most leading the technology in terms of a vehicle to drive value and to drive transformation. So DevOps is also very wrapped up in this whole concept of digital transformation. That's all anybody wants to talk about. It's in every earnings call, so how closely are the two related and how do you see, 'cause DevOps got a little bit more history in terms of the buzz of transformation. Are people applying DevOps concept beyond strictly development and operations? >> So, there's a lot to unpack there. So like you said, it's really, really involved. Although it has some kind of a buzz word, right? Some people love it, some people embrace it, some people never want to hear it. So it's really all about what's important to the company in delivering value. But its core is really about taking important methodologies and practices to deliver value and it's about using technology and automation, in conjunction with core values and practices and processes that we've adopted from the lean and agile movements. >> Jeff: Right, right. >> And having a really good healthy culture that's about more than just DevOps. Right like you said. DevOps, QA, InfoSec. The business marrying all of that, pulling all of it together, working in conjunction in the right kind of ways to deliver value. To deliver key outcomes to help us pivot, move fast, learn, have fast feedback. 
So that we can do what we need to do for the company, for the business, because like you said, it's so many companies right now, really are technology organizations that happened to be wrapped around in some particular industry. >> Jeff: Right, right. >> Capital One is a financial institution. Really they are a technology organization that happens to do finance and deliver finance really, really well for their customers. So many other companies are doing retail but it's driven by technology. Right or they do insurance and it's driven by technology or they're healthcare organizations that really can't do what they do unless they have technology to really drive it. >> Right, right. The financials institutions are interesting because if you talk to like my kids. If they've ever been inside of an actual bank and then and how often do they go to the ATM? So not even ATM, so the way that people more and more interact with the company is through digital mediums. >> Right. >> But I'm curious to get your input on the big question that we always ask people is how do I get started. Right, what is the easy paths to success? How do I get some early success so I can build on that success? What's interesting is you have a very unique approach to solve that question as opposed to what I think or based on what I'm really good at, I think we should start here. >> Yes, we really do-- >> Do you guys have different-- >> And this is really why DORA exist and this is what we do. So myself Jez Humble, Gene Kim. This explains the genesis of DORA. So we have a couple different things so the mission of DORA is to help companies get better through science and proven methods. And so we have a couple of different things we do. The first is that state of DevOps report that we put together at Puppet. And those are all open sourced and so if you want some ideas of what really statistically drives improvement, go find those. They're open source, they're totally free. 
We've tried so many resources because we don't want companies to fail. We've all lived through that awful dot-com mess. We've seen companies fail. Go find those resources. Now your question though, where should I start? If I'm a company, what should I do? We've all gone to conferences myself, Gene, Jez and we've had companies come up and say well where should I start? And the answer is always, it depends. The answer is always it depends because I can't tell you absent context, absent data, absent information. If I don't know about someone's detail information. I can't tell you and so what we also have is we offer an assessment where I can collect data from the doers. Right there's this fantastic report from Forrester. It's called the dangerous disconnect and that's such a great title because if you ask executives. They drastically overestimate technology and DevOps maturity in organizations. So you shouldn't be, I mean I love-- >> Overestimate. >> Of course they do. I mean because we need to be really, really optimistic about where our organizations are going. >> Right, right. >> Those are our roles as executives. And so that's appropriate but in certain conditions that's appropriate. But where it's not appropriate is when you're setting detail strategy for your organizations. And so what we do is we offer an assessment where using these strong scientifically based measures that we have prepared and refined over now, four years of rigorous academic research. We can go with a 15 minute survey, collect data from everyone in organization that like I said are the doers. DevOps, TestOps, QA, InfoSec including vendors, contractors, consultants to people that are in the weeds every single day. I can measure you. I can benchmark you against the industry. I've got over 23,000 data points around the world. All industries, all company sizes. And then, where should they start? I can algorithmically tell you what your bottleneck is, what your constraint is. 
Where you should start to accelerate your performance. >> Based on my data? >> Based on your data. >> Based on your algorithms and based on your population data from this huge data set >> Yes, and with the companies that we're working with right now, they're seeing amazing results. They're calling it out-sized results. So a really great example we have was with Capital One. They did the assessment across over a dozen lines of business. And by focusing on two core capabilities out of over 20. We focus them on the right two capabilities. They saw a 20X improvement in deploy frequency in only two months with zero increase in internet. >> 20% improvement-- >> 20X >> 20X? >> 20X >> In two months. >> 20 times. >> Wow. >> So it's that ability to measure consistently see visibility throughout that software engineering life cycle. So we also had feedback from customer like Verizon. That that visibility, that consistency of measurement was also a really huge value add. >> Jeff: Right, right. >> Measurement's hard. >> Well it's interesting, I saw some of your videos and some of your prior key notes and stuff and talking about, everyone says data is in the world. But the data without context, the data without the right algorithms, and you talk about a bunch data dirty things and data problems. Data itself is not the new oil. So I wanted to get to your report 'cause that's kind of your benchmark. That's your big stake in the ground. So how are we've been doing it? What do you do different than other things that are out there? Besides the fact that it's open source which I'll ask you about as a follow up. What makes your research special? >> So why is our report different from any other reports out there? I think there's a couple things. The piece that makes me the proudest is that, the state of DevOps report is so different because it's academically rigorous. It's a true research report and I love that the team has been so loving and so patient with me. 
Because when I started working with the rest of the group four years ago, I stepped in and I said. This is what I want to do. These are my ideas. I was still a professor at the time, so as you mentioned, I was industry and then academia and I'm now in industry again. But I stepped in and I said, I think there's this really, really fantastic opportunity to take a look at what's going on but we have to measure this in really rigorous ways. And by doing that, it allows us to look at predictive relationships, which is interesting because it lets us say. If we focus on core capabilities, they will predict organization's ability to develop and deliver quality software with speed and stability. Which will in turn drive improvements in organizational performance. Profitability, productivity, market share. Effectiveness, efficiency delivering mission and organizational goals. Notice I'm saying predict and drive. I'm not saying correlate, which is really interesting. And so in these years of research, we've been able to identify core capabilities that drive improvement. So it allows organizations to understand what's important to invest in. It's not just this worked for my team. This worked for that team. Hey, I think this is what I'm going to try because as someone fond of joking. Anecdote is nice but the plural of anecdote isn't anecdata. (laughing) Right, and that was my frustration when I was in tech and before and when I was in consulting. If you want to try a thing and you want to apply it but it's really hard if I only have one or two or three or five maybe even 10 stories. We need so much data to really understand what will likely work for teams and for industries as a whole. And like I said, God bless the team, because I came in and I was really rigorous and I would say that doesn't work, we can't measure that. That doesn't work here and sometimes I'd come back and I'd say that doesn't hold. The stats don't hold and they say, "But it has to." 
"I know it worked here and I know it worked here." And I'm like, but it's not, we have no evidence to support that. The stats don't hold. This doesn't work. We can't say that and we're like hey, we'll have to try it again next year. Not try it again next year but we have to find a different way to measure it. We have to have a different hypothesis to test. But then we also find really amazing things like I said a couple times, it predicts a team's ability to develop and deliver code with speed and stability. Speed and stability. We found four years ago speed and stability go together. For years, we didn't know that was the case or we thought that in order to get stability, you had to slow down. It doesn't show up anywhere in the data. No where, high performers get both. >> So do the executives, do they realize the leader that having better internal thought for development has an impact on their business relative to saving a few bucks on parts or spending a few more bucks on marketing? As a real driver of value as oppose to it's just always internal apps that we have to build for whatever reason. >> They're starting to get there. And so what we're starting to do is we're really focusing heavily on delivering code with speed and stability. And then, we're saying okay, imagine if you could deliver with speed and stability here. What could you do with delivering features? How does that help you get to market faster? How does that help you beat your competitors? How does it allow you to respond to complaints and regulatory changes? And so that's really what helps us drive and then another way that we are a little different from other reports that are out there. Other industry reports are also very helpful but they are very different. So I don't say things like 27% of the industry is using configuration management. Other report say that and that is interesting. I don't report on percentage of the industry that's doing something. >> Right, right. 
>> But those other reports can not say what is predictive of improvement. So we are the prediction. Occasionally, I'll report correlations if I don't have the statistics to go as strong as-- >> And what moves it from correlation to prediction is the strength of the algorithms? >> No, it's the strength of the research design. >> The strength of the research design upfront? >> Yep, up front. >> Before you feed it in. >> Upfront and-- >> 'Cause really, you're knocking them at research. >> Yes. >> Rigor. >> Yep. >> That's the underpinning of the whole thing. >> And much more data has been published in academic periodicals, so we are still actively doing research. >> And I would imagine that the annual report is really an ongoing, longitudinal study across a whole lot of the same companies over and over and over, year in, year out. So you get them-- >> So it's open every year. >> As well. >> Yep. >> Awesome, alright Nicole. Well that is fascinating and everyone should go to DORA and get the free research. And then if they want to bring you guys in, and you offer custom services to help the particular company execute and do better. >> Yes, absolutely. So you can go to DevOps-research.com to find all of our research and anything else you want to find out about engaging with us or anything like that. >> Nicole Forsgren. She's DORA the explorer. She'll help you out with your DevOps. I'm Jeff Frick, you're watching theCUBE from PagerDuty Summit. Thanks for watching. (uptempo techno music)

Published Date : Sep 8 2017

SENTIMENT ANALYSIS :

ENTITIES

Entity | Category | Confidence
Nicole | PERSON | 0.99+
Jess Humble | PERSON | 0.99+
Jeff Frick | PERSON | 0.99+
Nicole Forsgren | PERSON | 0.99+
Jeff | PERSON | 0.99+
Jean | PERSON | 0.99+
Verizon | ORGANIZATION | 0.99+
two | QUANTITY | 0.99+
San Francisco | LOCATION | 0.99+
27% | QUANTITY | 0.99+
Capital One | ORGANIZATION | 0.99+
15 minute | QUANTITY | 0.99+
one | QUANTITY | 0.99+
Jen | PERSON | 0.99+
three | QUANTITY | 0.99+
next year | DATE | 0.99+
Jean Kim | PERSON | 0.99+
Jame Kim | PERSON | 0.99+
five | QUANTITY | 0.99+
Puppet | ORGANIZATION | 0.99+
Pier 39 | LOCATION | 0.99+
Jess | PERSON | 0.99+
10 stories | QUANTITY | 0.99+
Bay bridge | LOCATION | 0.99+
first | QUANTITY | 0.99+
Pier 27 | LOCATION | 0.99+
20% | QUANTITY | 0.99+
PagerDuty | ORGANIZATION | 0.99+
two months | QUANTITY | 0.98+
DevOps-research.com | OTHER | 0.98+
20 times | QUANTITY | 0.98+
four years | QUANTITY | 0.98+
20X | QUANTITY | 0.98+
two core capabilities | QUANTITY | 0.98+
two capabilities | QUANTITY | 0.98+
Sue Chow | PERSON | 0.98+
DevOps | TITLE | 0.98+
DORA | ORGANIZATION | 0.98+
LinkedIn | ORGANIZATION | 0.98+
four years ago | DATE | 0.98+
both | QUANTITY | 0.97+
over 20 | QUANTITY | 0.97+
decades | QUANTITY | 0.96+
God | PERSON | 0.92+
over 23,000 data points | QUANTITY | 0.92+
theCUBE | ORGANIZATION | 0.92+
later this afternoon | DATE | 0.91+
PagerDuty Summit | EVENT | 0.91+
over a dozen lines | QUANTITY | 0.85+
PagerDuty Summit 2017 | EVENT | 0.85+
more bucks | QUANTITY | 0.83+
DevOps | ORGANIZATION | 0.8+
zero increase | QUANTITY | 0.79+
single day | QUANTITY | 0.77+
years | DATE | 0.77+
years | QUANTITY | 0.77+
DORA | TITLE | 0.71+
couple times | QUANTITY | 0.68+
pager | ORGANIZATION | 0.66+
PagerDuty Summit | ORGANIZATION | 0.64+
Forester | ORGANIZATION | 0.63+
couple | QUANTITY | 0.6+
InfoSec | ORGANIZATION | 0.52+
Academe | ORGANIZATION | 0.51+
few bucks | QUANTITY | 0.51+
TestOps | ORGANIZATION | 0.4+