>> Narrator: Live from Washington, D.C., it's the Cube covering .conf 2017 brought to you by Splunk. (electronic music) >> Welcome back to our nation's capitol. Here in Washington, D.C., the Cube which is Silicon Angle TV's flagship broadcast, broadcasting live today and tomorrow from D.C. here at .conf 2017, Splunk's annual get-together. Along with Dave Vellante, I'm John Walls. Now, we're joined by Chidi Alams who is the Head of IT and Security for Heartland Jiffy Lube. We all know Jiffy Lube for sure. Chidi, thanks for being with us. Good to see you. >> Of course, thanks for having me. >> Before I jump in, I was looking at your, kind of the portfolio of responsibilities earlier. Information security, application development, database development, reporting services, enterprise PM, blah, on and on and on. When do you sleep, Chidi? >> I don't. (laughing) That's the easy answer. The reality is I also have two young children at home, so between work and the family life, I'm up all the time. >> John: I imagine so. >> But I would have it no other way. >> Dave: How old are your kids? >> Three and two. >> Oh, you won't sleep for a decade. >> Right. >> I know. >> Wait til they start driving. >> That's what they tell me. >> Then it gets even better or worse, depends on how you look at it. >> That's how you learn how to sleep on airplanes. (laughing) >> Well, let's look at the big picture of security at Jiffy Lube. Your primary concerns these days, I assume, are very much laser-focused on security and what you're seeing. What are the kinds of things that keep you up at night? Other than kids these days? >> So, we're a very large retailer and brand recognition is something that we're very proud of, however, with that comes a considerable amount of risk. So the bad guys are also aware of Jiffy Lube. They understand that as a retailer, we have credit cards, we have very sensitive data. When I started with Jiffy Lube about two and a half years ago, I started a program to focus not only on keeping the bad guys out, right, that's essentially table stakes in any security program, but also implementing a discipline approach around insider threat. Frankly, that's where Splunk has proved to be a significant value for our organization because now we have visibility with respect to both of those risks. Additionally, we've spent a lot of time just taking more of a risk-based approach to security. Quite often what happens, technologists tend to focus on implementing technology and kind of filling gaps that way. The first thing that we did was assess organizational risk based on our most critical assets. Once we were able to determine asset X, in most cases a data asset, was really critical to the organization, credit card data, we were able to build a unified solution and program to ensure that we protect not only our brand, but our customers' data all the time. >> So, first of all I'll say, I love Jiffy Lube. I'm a customer. I go there all the time. It's so convenient, great service. Generally, very customer service oriented, but I see your challenge with all this distributed infrastructure and retail shops around. I would imagine there's somewhat of a transient, some turnover in employee base. >> Chidi: Yeah. >> The bad guys can target folks and say, "Hey, here's a few bucks. "Let me in." So how do you use data and analytics? I'm sure you have all kinds of screening and all kinds of corporate policies around that that's sort of one layer, but it's multi-dimensional. So how do you use technology and data to thwart that risk internally? >> Sure. So I think the key there is having a holistic program. That's a term that's thrown around a lot, so for me, that means a clear focus on people-processed technology. As I mentioned earlier, the tendency is to start with your comfort zone, so with us as technologists, it's technology, but the people aspect, I have found in my career, is always the largest variable that you have to account for. So disgruntled employees. In retail, regardless of how robust and how strong a culture you create, you're always going to have higher turnover than any industry, particularly in the field. Having very tight alignment with HR, Operations, other stakeholders to ensure that, look, when someone leaves, we track that effectively. That's all data-driven, by the way, so that we're able to track the lifecycle of an employee not only on the positive side when they enter the organization, but when they exit. If the exit is immediate, we have triggers and data-driven events that alert us to that so we can respond immediately. Then, I mentioned insider threat. It's not just employees out in the field. Globally, insider threat is probably the biggest blind spots for organizations. Again, the focus is on the outside, so when we look at things like data exfiltration which is a risk in any large organization where there's a lot of change and transformation, you have to have a good baseline of activity that's going on and understand what activity is truly normal versus activity that could be anomalous and an indicator of a bad actor within the enterprise. We have all that visibility and more now with Splunk. >> What is the role that Splunk plays? How has that journey evolved? I don't know if you've been there long enough, but pre-Splunk, post-Splunk, maybe you could describe that. >> Yeah, so pre-Splunk we were very, very reactive. Let me answer that by providing a little more context about how we're leveraging Splunk. So Splunk Enterprise Security is our centralized hub. Data across the enterprise comes to Splunk Enterprise Security. We have a team of SOC analysts that work around the clock to monitor events that, again, could be indicators of something bad happening. So with that infrastructure in place, we've gone from a very reactive situation where we had analysts and engineers going to disparate systems and having to manually triangulate and figure out, hey, is this an event? Is this something worthy of escalation? How do we handle this? Now, we have a platform not only in Splunk, but with some other solutions that gives us data, one, that's actionable. It's not hard to aggregate data, but to make that data meaningful and expose only what's legitimate from a triage and troubleshooting perspective. So those are some of the things we've done that Splunk has played a role in that. >> Okay. Talk about the regime for cybersecurity within your organization. It used to be, oh, it's an IT problem. In your organization, is it still an IT problem? Is the balance of the organization taking more responsibility? Is there a top-down initiative? I wonder if you could talk about how you guys approach that? >> That's a great question because it speaks to governance. One of the things that I did almost immediately when I started with Jiffy Lube was worked very closely with the senior leadership team to define what proper governance looks like because with governance, you've got accountability. So what happens all too often is security is just this thing that's kind of under-the-table. It's understood we've got some technology and some processes and policies in place, however, the question of accountability doesn't arise until there is a problem, especially in the case of a breach and most certainly when that breach leads to front-page exposure which was something I was very concerned about, again, Jiffy Lube being a very large retailer. Worked very closely with the senior leadership team to first of all, identify the priorities. We can't boil the ocean, there are a lot of gaps. There were a lot of gaps, but working as a team, we said, "Look, these are the priorities." Obviously, customer data, that's everything. That's our brand. We want to protect our customers, right. It's not just about keeping their vehicles running as long as possible. We want to be good stewards of their data. So with that, we implemented a very robust data-management strategy. We had regular meetings with business stakeholders and education also played a critical role. So taking technology and security out of the dark room of IT and bringing it to the senior leadership team and then, of course, being a member of that senior leadership team and speaking to these things in a way that my colleagues in Operations or Finance or Supply Chain could readily connect with. Then, translating that to risk that they can understand. >> So it's a shared responsibility? >> Absolutely. >> A big part of security. You talked before about keeping the bad guys out. That's table stakes. Big part of security, at least this day and age, seems to be response, how effectively the organization responds and, as you well know, it's got to be a team sport. It's kind of a bro mod, but the response mechanism, is it rehearsed? It is trained? Can you describe that? >> Both. I agree, response is critical, so you have to plan for everything. You have to be ready. Some of the things that we've done: one, we created a crisis management team, an incident response team. We have a very deliberate focus and a disciplined approach to disaster recovery and business continuity which is often left out of security conversations. Which is fascinating because the classic security triad is confidentiality, integrity, and availability. So the three have to be viewed in light of each other. With that, we not only created the appropriate incident response teams and processes within IT, but then created very clear links between other parts of the business. So if we have a security event or an availability event, how do we communicate that internally? Who is in charge? Who manages the incident? Who decides that we communicate with legal, HR? What is that ecosystem look like? All of that is actually clearly defined in our security policy and we rehearse it at least twice a year. >> You know, we just had Robert Herjavec on from the Herjavec Group just a few minutes ago. He brought up a point I thought pretty interesting. He says, "Security, obviously, is a huge concern." Obviously, it's his focus, but he said, "A problem is that the bad guys, the bad actors, "are extremely inventive and innovative "and keep coming up with new entry points, "new intrusion points." That's the big headache is they invent these really newfangled ways to thwart our systems that were unpredicted. So how does that sit with you? You say you've got all of these policies in place, you've got every protocol aligned, and all-of-a-sudden the door opens a different way that you didn't expect. >> Yeah, one of my favorite topics that really speaks to the future and where I believe the industry is going. So traditionally, security has been very signature-based. In other words, we alert against known patterns of behavior that are understood to be malicious or bad. A growing trend is machine learning, artificial intelligence. In fact, at Jiffy Lube, we are experimenting with a concept that I refer to now as the security immune system. So leveraging machine data to proactively asses potential threats versus waiting for those threats to materialize and then kind of building that into our response going forward. I think a lot of that is still in the early phases, but I imagine that in the very near future that'll be a mandatory part of every security plan. We've got to go beyond two-dimensional signature-based to true AI, machine learning. Taking action, not just providing visibility via response and alerts, but taking action based on that data proactively in a way that might not include a human actor, at least initially. >> What's the organizational structure at your shop? Are you the de-facto CISO? >> Chidi: I am. >> And the CIO? >> Chidi: I am. I wear both hats. >> Yeah, so that's interesting. You know where I'm going with this. There's always the discussion about should you separate those roles. I can make a case for either way, that if you want the best security in IT, have the security experts managing that. The same time, people say, "Well, it's like the fox "watching the hen house and there's lack of transparency." I think I know where you fall on this, but how do you address the guys that say that function should be split? What's the advantage of keeping them together in your view? >> Yeah, so I think you have to marry best practice with the realities of a particular organization. That's the mistake that I think many make when they set about actually defining the appropriate org structure. There's no such thing as a copy and paste org structure. I actually believe, and I have no problem going on record with this, that the best practice does represent in reality a division between IT and security, particularly in larger organizations. Now, for us, that is more of a journey. What you do initially and your end-state are two different things, but the way you get there is incrementally. You don't go big bang out of the gate. Right now, they both roll up to me. Foreseeably, they will roll up to me, but that works best for the Jiffy Lube organization because of some interesting dynamics. The board of directors by the way, given the visibility of security, does have a say on that. Now that we're in transformation mode, they do want one person kind of overseeing the entire transformation of IT and security. Now, in the future, if we decide to split that up and I think we have to be at the right place as an organization to ensure that that transition is successful. >> I'm glad you brought up the board, Chidi, because to me, it's all about transparency. If the CIO can go to the board and say, "Hey, here's the deal. "We're going to get hacked, we have been hacked, "and here's what we're doing about it. "Here's our response routine," and in a transparent way has an open conversation with the board, that's different than historically. A lot of times CIOs would say, "Alright, we've got this covered," because failure meant fired. That's a mistake that a lot of boards made. Now, eventually, over time the board may decide, look, the job's too big to have one person which is kind of what you're ... But how do you feel about that? What's your sentiment on that transparency piece? How often do you meet with the board and what are the discussions like? >> Yeah, great topic. So, a few things. One, and you've hinted to this, it's very important for the CIO or the CISO to have board-level visibility, board-level access. I have that at Jiffy Lube. I've had to present to the board regarding the IT strategy. I think it's also important to be an effective communicator of risk. So when you're talking to the board, what I've done is I've highlighted two things and I believe this very strongly. As a security leader, you have to practice due care and due diligence. So due care represents doing your job within the scope of whatever your role is. Due diligence involves maintaining that over a period of time, including product evaluations. If you have due care and due diligence and you're able to demonstrate that, even if your environment is compromised, you have to have the enterprise including the board realize that as long as those two things are in place, then a security officer is doing his job. Now, what's fascinating is many breaches can be mapped back to a lack of due care and due diligence. That's why the security officer gets fired to be very blunt, but as long as you have those things and you articulate very clearly what that represents to the board and the senior leadership team, then I think you just focus on doing your job and continuing to communicate. >> John wanted to know if you had any Jiffy Lube coupons before we go. >> Yeah, 'cause in my car on the way home I thought I'd just jump in there. >> I'm all out, but I'll (laughs). >> You got one right down the street from the house. They probably know me all too well because I take the kids' cars there too. >> That's right. We'll hook you up, don't worry about it. >> We appreciate the time. >> Thank you. >> Thank you. A newly-converted Dallas Cowboys fan, by the way. >> That's right. Very proud. >> Perhaps here in Washington, we can work on that. >> We'll see about that. >> Alright, we'll see. Chidi, thanks for being with us. >> Thank you, appreciate it. >> Thank you very much. Chidi Alams from Heartland Jiffy Lube. Back with more here on the Cube in Washington, D.C. at .conf 2017 right after this. (electronic music)

>> Voiceover: Live, from Washington, DC. It's the Cube covering .NEXT Conference. (upbeat music) Brought to you by Nutanix. >> We're back at Nutanix .NEXT, everybody. This is the Cube, the leader in live tech coverage. This is day two of our wall-to-wall coverage of .NEXT Conf. Kirk Skaugen is here, he's the president of the Lenovo Data Center Infrastructure Group. Sudheesh Nair is the president of Nutanix. Gentlemen, welcome to the Cube. I'm Dave Vellante, this is Stu Miniman. We're part of the nerd herd here at the conference. So Kirk, let's start with you. We've been talking to Nutanix all week. You guys got the great booth, we've been looking at your booth all week. Transform, last week you guys had a big conference. Lenovo, obviously undergoing major transformations, as are your customers and your partners. Give us the update, how's it going? >> Well, it was a big event for us. We've been working for about two and a half years since the acquisition, the IBM X-Series team. So we launched basically our biggest data center portfolio in history, about 14 new servers, seven new storage boxes, five new network machines, and, probably more importantly to our relationship, we announced two big new brands. So Think System is kind of for the traditional infrastructure and then Think Agile, and our appliances with Nutanix for hyper-converge infrastructure. >> You guys have been talking to analysts and your community about what I call choice. You know, you've got a lot of different choices of partners, of even now processor types, hyper-visors, etc. So talk about how that's important to your partnership strategy, generally and specifically unpack some of the Lenovo specifics. >> I think it is important to have a point of view, when you're talking to customers nowadays. The problem is: is the point of view about your own company's thought process, Wall Street expectations or the point of view's doing by what is right for the customer. Take it for example, an SSD, a commodity SSD from Samsung or Toshiba. If you take that SSD and put it inside a Solar and try to sell it, you probably will get X dollars for it. That same SSD, if you put it inside a high-end SAN, you can probably take like 10X more that, right? Where do you you are-- >> Those were the days. (laughing) >> The thing is where do you think you will be going first? What will you be trying to sell first? The thing I like about Lenovo is that they're made to be efficient. That it is going to be a software defined world. But hardware does matter, the library matters, support matters and along with Lenovo, we are able to go to customers and completely re-transform, you know sort of change their architecture without being caged by any sort of Wall Street expectation that goes counter to what is right for customers. >> Kirk, I know there are many milestones you talked about at Lenovo Transform. I think if I remember it, one of them was the 20 millionth x86 server is going to be shipping sometime in the next couple weeks. >> That's right. >> To think Agile line to kind of look at software defined, how does Nutanix fit into that? You've been OEM-ing them since before you went into this branding so tell us how that came together to the new line. >> So I think we're celebrating this year 25 years an x86 servers and so you're right, we are looking at a software defined world and what I constantly hear is that Lenovo is getting pulled in because we don't have a legacy infrastructure of a big SAN business or a big router business, so we're kind of unencumbered by that but we're shipping our 20 millionth x86 server in July, next month. But with Nutanix, what we're basically doing is we're tightly integrating our management software with their prism software, we're looking at integrating some of the network topology work now with innovation because rather than kind of a legacy network that people are used to now, well we moved to a hyper-converge infrastructure, some of those pain points move onto networking but we've been innovating together now for almost two years and I think we're crossing almost 300 customer deployments now, almost 200% growth since we've started. At least Lenovo's goal is we're going to be Nutanix's largest growing OEM partner this year. >> So talk more about that innovation strategy because, you know, the general consensus is well, it's x86, they're all the same. How do you guys differentiate from an innovation standpoint? >> Well, what we talked about at Transform is our legacy now is we're number one in customer satisfaction in Lenovo on x86 systems in actually 21-22 categories. And that's a third party survey that's done across like 700 customers in 20 countries. Number one in reliability. So we're building off of this infrastructure, off of a really strong customer base. What we're trying to do on Think Agile is completely redefine the customer experience. From the way you configure the system, we can now do configure to order in three weeks. Which we think is about half of what anyone else in the industry can do relative to our competitors. And then we're innovating down the the manageability layer, the networking stack, all of those pieces to really build the best solutions together. >> Sudheesh, there's an interesting two differing things if I look at Lenovo and your partnership. Number one is Kirk says they don't have any legacy, but one of the reasons you're in OEM with them is because they do have history, they've got brand, they've got channel, how do those come together in the partnership? >> So remember, I think before XEI, servers used to be a stateless machine, being they would move the VM's back and forth because the data lives somewhere else in the storage system. So what you expect out of the server, when it comes to reliability and serviceability are very different. What we did with XEI when we came on for the first time, we took the liable storage piece, sharded into small segments and move them inside the servers. All of a sudden, the library of the server has become exponentially more important. Affordability, serviceability, how you do things like form guard management, all those things become important now because your entire core banking application is running inside a bunch of servers, there is no SAN sitting behind protecting all of this. One of the reasons why Lenovo's ex-clarity project is one of the first apps on our app store is because we want to make sure that customers have a fully integrated souped enough experience of not just managing the product but also experiencing the day one and day two. Upgrades, replacements, failure replacement, all of those things. So between our relationship with Lenovo's hardware and engineering, plus the support, we are able to deliver a one plus one equals three experience for our customers. >> So Sudheesh, I heard almost 300 customers you're at. Could you give us a little bit of kind of either verticals or geography that you're being successful? >> What we've seen with Lenovo that is a little different from the rest of the business that we do is that majority of the business is coming from large customers and second, I would say financial sectors were the biggest initial moment it seem to be. And the repeat business is following the same pattern that the customers who buy are coming back and buying again. In fact, one of the largest financial institutions in the country, New York, bought last quarter a decent size, a seven figure plus deal, and they'll probably come back and buy again this quarter. So that pick-up is happening really fast and customers are happy with the overall experience. And it's also about the courting process, the shipping process that he talked about, these are all simple things but these are extremely important in the customer buying experience. >> I think from our perspective, we operate in over 160 countries, a lot of people don't realize we have over 10,000 support specialists that call with more than a 90% customer sat rating. So when we're bringing in Think Agile, what we're bundling now with Think Agile and the Nutanix appliances is premiere customer support so you don't even go to an automated system, you go directly to a local language speaking person on the phone immediately and you get one vendor to support you across your server, your storage, your networking in the whole configuration. That has gotten customers like for us, Jiffy Lube, Holloway, Beam Suntory who's the third largest premium spirits vendor in the world, one of the largest Japanese auto-manufacturers, I mean, I think it's been across all verticals that we've seen success together. >> I was in Asia last week, two weeks ago, and the business there is tremendously picking up speed. It goes through the story, you know, they have local language support, local marketing, local channel enablement, those things matter significantly. Lenovo's very strong in all those areas. >> We live in a world that's data driven. Data is the new oil. You've got to montage your data. You guys have big volumes, you have a lot of data. In relation to partnerships, in this day and age, what role does the data play? Is there an integration of data, is there a way to get more value, how are you getting more value out of the data that you share with your customers? >> I started maybe working China as well in one of the areas, this is an extremely important question, don't think of this as a hardware and infrastructure software play, this is about what customers want. In one area, for example, SAP. One of the largest SAP's partner is Lenovo and by partnering with Lenovo, we are now able to deliver, in fact, there is a specific product CD's that we've built for Lenovo HANA customers called Bridge to HANA where we deliver certified HANA platform on Lenovo along with the Nutanix software as a prediction and testing and wiring IB's next to that. By lapping the Lenovo SAP expertise, the hardware expertise, and the Nutanix's infrastructure expertise, the customers can have a single one-stop shop for analytics, ERT, and everything. Those kind of experiences are what customers are looking for. >> I think one of the reasons people are coming to Lenovo is we're not trying to compete with them necessarily far up the stack like we would think some of our competitors are doing. But if you look at SAP, we're excited because we've had a relationship in software defined with SAP since probably eight years ago. We were actually blazing the trail, I think, with them on software defined and we got rid of the legacy SAN out of that solution probably in 2010, started eliminating some of the costs associated with that. And now we're proud that SAP runs Lenovo, and Lenovo runs SAP. We're starting to pull some big customers together like V-Grass which is one of the largest, fastest growing clothing manufacturers in China, but we're not trying to like hoard the data and use the data, or compete with our customers on data. >> Alright, guys, we're out of time. But just to sort of last questions relates to the future. Where do you guys want to take this? A couple years down the road, where are we going to see this partnership, what's your shared vision? >> You saw today, we moved from that hyper-converge to a multi-cloud world. A multi-cloud world where we are redefining what hybrid cloud really means. There's a lot of work to be done to bring applications, infrastructure, and uses togethers. And partners like Lenovo is how we are going to get there. >> Yeah, absolutely, I think this is just the beginning. We're looking to a transposable world, hyper-convergence is one path along the way. We've been participating in public cloud and now the world is moving into hybrid cloud. We've got great partnerships I think we'll see strong growth with both companies for the next few years. >> Can't do it alone. Kirk and Sudheesh, thanks very much for coming to the Cube, I really appreciate it. >> Thanks so much. >> You're welcome. Keep right there, buddy, Stu and I will be back with our next guest right after this short break. We're live from Nutanix .NEXT, we'll be right back. (upbeat music)