Joe Gottlieb, SailPoint | Security in the Boardroom


 

>> Hey, welcome back everybody. Jeff Frick here with the CUBE. We're in Palo Alto, California at the Chertoff's event, "Security in the Boardroom." And again, this is an event about elevating the security conversation beyond speeds and feeds and endpoints and IoT and ever-increasing attack surfaces, and really, how do we elevate it into the boardroom discussion, because that's where it needs to be before they wake up on Monday morning and see their company's name in the newspaper, which is when you don't want to have your first conversation. So we're excited to have our next guest. He's Joe Gottlieb, the Senior Vice President of Corporate Development for SailPoint. Joe, welcome.

>> Thank you, good to be here, Jeff.

>> Absolutely, so for people who aren't familiar with SailPoint, why don't you give us a quick overview.

>> Sure, so SailPoint helps large enterprises control who has access to what. So at the end of the day, all the access that you need to do your job should fall into what your role is in the company, and what projects you're working on, and for many companies, that's not what is proactively being delivered. You're accumulating a set of things based upon who you ask, who you know, and a lot of inadvertent accumulation of things that you might need or you might not need. So we help companies put that under lock and key and under control, make sure that there's a process for who should approve your access. How can we empower you quickly when you start your job? How can we transfer you to a new role if you move jobs? And most importantly, oftentimes, how do we take away things very systematically when you leave the company? So that's what we do in a nutshell.

>> So I would imagine, before you get there, it's a hodgepodge of spreadsheets and Google Docs and all types of assorted random things.

>> You bet, for the average large company, this is a manual effort, and it is just not systematic, which it has to be.
What you have when you don't have a systematic effort here that's filtered by business approvals and workflow processes is an accumulated surface area that need not be available to the attacker. We want to narrow that surface area by narrowing your access to only what's needed and keep it pruned as you evolve with your role in the company.

>> It seems like there's so much low-hanging fruit, about just doing what you should be doing, just doing it and so many people don't apply patches, they don't systematically take people out of things when they leave the company. All these things that seem relatively simple on the surface from the outside, but in fact, in a large organization, are not simple by any stretch of the imagination.

>> It's so true. In security in particular, it's a really hard job but consistency and patience and methodic progress is really, really key. I liken it to the quality movement that we experienced in manufacturing over two decades ago. We started measuring, we started being consistent, we started thinking about what is the root cause of this or that and how can we continually make ourselves a bit better every time period. And so that's what some of the basics are all about, and governance is a big part of that.

>> Okay, so you just got off a panel. And the event here is really focused about the boardroom conversation, so let's just jump into that. You made an interesting conversation from the board about a portfolio approach, which is only natural since you're a corp dev guy, thinking of portfolio strategies. So how should they think about the portfolio? I haven't heard anyone discuss their tools in a portfolio strategy method.

>> So, let's zoom out on the context here. Boards are trying to provide governance. They need wisdom to provide governance. If they don't understand security at all, how can they be wise about it?
So there's definitely a really, really strong push to get the board being more proactive about demanding the right levels of security and being shown the data that they can have for how security is being applied. I look at security portfolio management as a great way to step out of the FUD domain, where we have vendors selling us technologies that we don't understand and most of the people talking to us don't even understand, and into a domain where there is less of a bet on prevention, which we know isn't going to happen, and more of a bet on monitoring and response, governance, which is just going back to the source and making sure people have the right access, and education, helping end users understand what that phishing attack would look like, actually going through testing and really accumulating awareness of what to avoid. Because we know that's the easiest way to get started. Every attack starts with a phishing attack that compromises an end-user point in-station, and then moves laterally to the good stuff. That portfolio view allows the board to start understanding how we're not making a bunch of hopeful bets on prevention that is elusive, and we're actually making some balanced bets around the pieces of the puzzle that we know can give us immediate returns and we can measure against the returns.

>> Now what about the scale of the bets? We've talked about this with a few of the other guests that came on, 'cause again I liken it to insurance. You'd add some, you could be probably over-insured. There's not infinite resources, so there's always a yin and yang on how much do we invest and then what came up in the kickoff this morning and then how do we measure success? Because obviously success would be no problems, but you probably need a much softer way to measure success.

>> Very true. So this came up earlier in the discussion, and that is you've got to get the board thinking about a risk posture, where there are tradeoffs.
You can't ask them, you can't use FUD on the board. You're going to freak 'em out. You have to say, "This is what I have to do to enable this business to operate at this velocity." And if they don't want that risk, here's the velocity that they ought to be operating within because we are less exposed at that velocity. And so translating it into these sorts of terms that the board understands in the world of business. They're well experienced in advising you on how to operate your business. They've thought about travel risks. They've thought about plant closure risks. And they've thought about employee lawsuit risks. Translate security into risks that they can also understand and then present your measurements and your investment trade-offs in that context. That's what the best practice appears to be. It's still really hard, and so here's the knock: you can have all that great thinking and still struggle because of the degree of difficulty here. You just have to keep at it.

>> Now unfortunately, the CISO on the agenda at the board meeting was down toward the end of the day and just before him was the CMO and the Head of Sales and Operations and they're like, "We got to go, we got to go, it's digital transformation. We got to go, we got to go, competitors are going like crazy. Speed, speed, speed, digital transformation." That's what you beat us up about last quarter. So as people are trying to really evolve their companies, they're trying to move to a more digital platform, they're trying to innovate faster, they're trying to enable more people in the company to have access to the data, and access to the tools so they can innovate faster. How does that then bang up when he sits down and the CISO stands up?

>> So, digital transformation is an opportunity. For me, it's just code for reinventing business around customer engagement, for many companies that have direct relationships to their customers in a broad form, at least it's that for them.
That means there's an investment elasticity opportunity. And so building security into that velocity we talked about, or the mode of digital transformation that you're going to deliver is really, really key. It's less about defending security as a horizontal utility that is generic and hard to place within the context of that digital transformation, that customer engagement, that velocity of business, it's that latter scenario. Actually, one of the folks of the panel that I was on, Debbie from PNC Bank, made a great point. She talks about security as part of the brand, part of the brand promise. We want people to trust our brand. And so more and more, I would argue that the monetization and the maturation of the attack life cycle, and the ability to take customer records and sell them, has forced us to realize that's a distinct business risk. So losing all of our customer data is a huge business risk that business people now understand and you can equip them to reduce that risk with good security measures. While you're doing digital transformation, you have an opportunity to bake it in. So now, you can suddenly say, "Hey look! We can fit that into the overall architecture." You want it to be a collaborative part of the new design, versus an overlay, which has typically been the approach, when we've automated business on top of IT and then wrapped security around that.

>> It's funny, you're the first person that's ever really tied security to trust and trust to brand, because there's always an ongoing conversation about, "Do brands matter? What is a brand? How are brands defined in an increasingly competitive world?" So, is security in that context, table stakes or is it a competitive advantage?

>> Well, let me ask you a question. How's Yahoo's brand today?

>> Not so good.

>> After repeated losses, right, I could name plenty.
The circumstance and the experience, and our ability to absorb that experience frankly through a lot of reporting, has helped us to know what we're up against. What are the downsides? That's just education. I think that's the good part of FUD, when things are reported accurately and we understand that these things have happened, even if we learn a bit later, that's very necessary for us to say, "This is what needs to be done." Just like anything else. When transportation evolved and we reinvented business at the speed of our new transportation in the way we collaborate, that was an impact. We now have to continue to think about business as being more digital and has to be more secure.

>> Well, Joe, this has been a great conversation and the other thing you nailed, you're the first person that has ever talked about digital transformation as redefining your business process around customer engagement. That is spectacular.

>> Wow.

>> Thanks for sharing that, we'll use that.

>> Good stuff.

>> Alright. Thanks for stopping by.

>> You bet.

>> He's Joe Gottlieb, I'm Jeff Frick, you're watching the CUBE. We'll catch you next time, thanks for watching.

Published Date : Aug 25 2017
