>> Live from Barcelona, Spain it's theCUBE! Covering Cisco Live! Europe brought to you by Cisco and its ecosystem partners. >> Hello everyone, welcome back to theCube's live coverage here in Barcelona, Spain for Cisco Live! Europe 2019. We're at day three of three days of coverage I'm John Furrier with Dave Vellante Our next two guests we're going to talk about privacy data Michelle Dennnedy, VP and Chief Privacy officer at Cisco and Robert Waitman who is the Director of Security and Trust. Welcome back, we had them last year and everything we talked about kinda's happening on steroids here this year >> Yep. >> Welcome back >> Thank you glad to be here >> Thanks for having us >> So security, privacy all go hand in hand. A lot going on. You're seeing more breaches you're seeing more privacy challenges Certainly GDPR's going to the next level. People are, quote, complying here's a gig of data go figure it out. So there's a lot happening, give us the update. >> Well, as we suggested last year it was privacypalooza all year long running up to the enforcement deadline of May 25, 2018. There were sort of two kinds of companies. There's one that ran up to that deadline and said woohoo we're ready to drive this baby forward! And then there's a whole nother set of people who are still sort of oh my gosh. And then there's a third category of people who still don't understand. I had someone come up to me several weeks ago and say what do I do? When is this GDPR going to be a law? I thought oh honey you need a hug >> Two years ago, you need some help. >> And some companies in the US, at least were turning off their websites. Some media companies were in the news for actually shutting down their site and not making it available because they weren't ready. So a lot of people were caught off guard, some were prepared but still, you said people would be compliant, kind of and they did that but still more work to do. >> Lots more work to do and as we said when the law was first promulgated two and a half years ago GDPR and the deadline A, It's just one region but as you'll hear as we talk about our study it's impacting the globe but it's also not the end of anything it's the beginning of the information economy at long last. So, I think we all have a lot to do even if you feel rather confident of your base-level compliance now it's time to step up your game and keep on top of it. >> Before we get into some of the details of the new finding you guys have I want you to take a minute to explain how your role is now centered in the middle of Cisco because if you look at the keynotes data's in the center of a lot of things in this intent based network on one side and you've got cloud and edge on the other. Data is the new ingredient that's feeding applications and certainly collective intelligence for security. So the role of data is critical. This is a big part of the Cisco tech plan nevermind policy and or privacy and these other things you're in the middle of it. Explain your role within Cisco and how that shapes you. >> How we sort of fit in. Well it's such a good question and actually if you watch our story through theCUBE we announced, actually on data privacy day several years ago that data is the new currency and this is exactly what we're talking about the only way that you can operationalize your data currency is to really think about it throughout the platform. You're not just pleasing a regulator you're not just pleasing your shareholders you're not just pleasing your employee base. So, as such, the way we organize our group is my role sits under the COO's office our Chief Operations Office under the office of John Stewart who is our Chief Trust officer. So security, trust, advanced research all live together in operations. We have sister organizations in places like public policy, legal, marketing, the sales groups the people who are actually operationalizing come together for a group. My role really is to provide two types of strategy. One, rolling out privacy engineering and getting across inside and outside of the company as quickly as possible. It's something new. As soon as we have set processes I put them into my sister organization and they send them out as routine and hopefully automated things. The other side is the work Robert and I do together is looking at data valuation models. Working about the economics of data where does it drive up revenue and business and speed time to closure and how do we use data to not just be compliant in the privacy risk but really control our overall risk and the quality of our information overall. It's a mouth full >> So that's interesting and Robert, that leads me to a question when we've seen these unfunded mandates before we saw it with Y2K, the Enron backlash certainly the United States the Federal Rules of Civil Procedure. And the folks in the corner office would say oh, here we go again. Is there any way to get more value beyond just reducing risk and complying and have you seen companies be able to take data and value and apply it based on the compliance and governance and privacy policies? >> Dave that's a great question. It's sort of the thought that we had and the hypothesis was that this was going to be more valuable than just for the compliance reasons and one of the big findings of the study that we just released this week was that in fact those investments you know we're saying that good privacy is very good for business. It was painful, some firms stuck their head in the sand and said I don't want to even do this but still, going through the GDPR preparation process or for any of the privacy regulations has taken people to get their data house in order and it's important to communicate. We wanted to find out what benefits were coming from those organizations that had made those investments and that's really what came out in our study this week for international data privacy day we got into that quite a bit. >> What is this study? can you give us some details on it? >> It's the Data Privacy Benchmark study we published this week for international data privacy day. It's sort of an opportunity to focus on data privacy issues both for consumers and for businesses sort of the one day a year kind of like mother's day that you should always think of your mom but mother's day's a good day so you should always think of privacy when you're making decisions about your data but it's a chance to raise awareness. So we published our study this year and it was based on over thirty-two hundred responses from companies around the world from 18 countries all sorts of sizes of companies and the big findings were in fact around that. Privacy has become a serious and a boardroom level issue that the awareness has really skyrocketed for companies who are saying before I do business with you I want to know how you're using my data. What we saw this year is that seven out of eight companies are actually seeing some sales delay from their customers asking those kinds of questions. But those that have made the investment getting ready for GDPR or being more mature on privacy are seeing shorter delays. If you haven't gotten ready you're seeing 60% longer delays. And even more interestingly for us too is when you have data breaches and a lot of companies have them as we've talked about those breaches are not nearly as impactful. The organizations that aren't ready for GDPR are seeing three times as many records impacted by the breach. They're seeing system downtime that's 50% longer and so the cost of the whole thing is much more. So, kind of the question of is this still something good to do? Not only because you have to do it when you want to avoid 4% penalties from GDPR and everything else but it's something that's so important for my business that drives value. >> So the upshot there is that you do the compliance. Okay, check the box, we don't want to get fined So you're taking your medicine basically. Turns into an upside with the data you're seeing from your board. Sales benefit and then just preparedness readiness for breaches. >> Right, I mean it's a nice-- >> Is that right? >> That's exactly right John you've got it right. Then you've got your data house in order I mean there's a logic to this. So then if you figured out where your data is how to protect it, who has access to it you're able to deal with these questions. When customers ask you questions about that you're ready to answer it. And when something bad goes wrong let's say there is a breach you've already done the right things to control your data. You've got rid of the data you don't need anymore. I mean 50% of your data isn't used for anything and of course we suggest that people get rid of that that makes it less available when and if a breach occurs. >> So I got to ask you a question on the data valuation because a lot of the data geeks and data nerds like myself saw this coming. We saw data, mostly on the tech side if you invested in data it was going to feed applications and I think I wrote a blog post in 2007 data's going to be part of the development kits or development environment you're seeing that now here. Data's now part of application development it's part of network intelligence for security. Okay, so yes, check, that's happening. At the CFO level, can you value the data so it's a balance sheet item? Can you say we're investing in this? So you start to see movement you almost project, maybe, in a few years, or now how do you guys see the valuation? Is it going to be another kind of financial metric? >> Well John, it's a great point. Seeing where we're developing around this. So I think we're still in somewhat early days of that issue. I think the organizations that are thinking about data as an asset and monetizing its value are certainly ahead of this we're trying to do that ourselves. We probed on that a little bit in the survey just to get a sense of where organizations are and only about a third of organizations are doing those data mature things. Do they have a complete data map of where their stuff is? Do they have a Chief Data Officer? Are they starting to monetize in appropriate ways, their data? So, there's a long way to go before organizations are really getting the value out of that data. >> But the signals are showing that there's value in the data. Obviously the number of sales there's some upside to compliance not just doin it to check the box there's actually business benefits. So how are you guys thinking about this cause you guys are early adopters or leaders in this how are you thinking about the data measurement of it? Can you share your insights on that? >> Yeah, so you know, data on the balance sheet Grace Hopper 1965, right? data will one day be on the corporate balance sheet because it's in most cases more valuable than the hardware that processes. This is the woman who's making software and hardware work for us, in 1965! Here we are in 2019. It's coming on the balance sheet. She was right then, I believe in it now. What we're doing is, even starting this is a study of correlation rather than causation. So now we have at least the artifacts to say to our legal teams go back and look at when you have one of our new improved streamline privacy sheets and you're telling in a more transparent fashion a deal. Mark the time that you're getting the question. Mark the time that you're finishing. Let's really be much more stilletto-like measuring time to close and efficiency. Then we're adding that capability across our businesses. >> Well one use case we heard on theCUBE this week was around privacy and security in the network versus on top of the network and one point that was referenced was when a salesperson leaves they take the contacts with them. So that's an asset and people get sued over it. So this again, this is a business policy thing. so business policy sounds like... >> Well in a lot of the solutions that exist in the marketplace or have existed I've sat on three encrypted email companies before encrypted email was something the market desired. I've sat on two advisory boards of-- a hope that you could sell your own data to the marketers. Every time someone gets an impression you get a micro cent or a bitcoin. We haven't really got that because we're looking on the periphery. What we're really trying to do is let's look at what the actual business flow and processes are in general and say things like can we put a metric on having less records higher impact, and higher quality. The old data quality in the CDO is rising up again get that higher quality now correlate it with speed to innovation speed to close, launch times the things that make your business run anyway. Now correlate it and eventually find causal connections to data. That's how we're going to get that data on the balance sheet. >> You know, that's a great point the data quality issue used to be kind of a back office records management function and now it's coming to the fore and I just make an observation if you look at what were before Facebook fake news what were the top five companies in the United States in terms of market value Amazon, Google, Facebook was up there, Microsoft, Apple. They're all data companies and so the market has valued them beyond the banks, beyond the oil companies. So you're starting to see clearer evidence quantifiable evidence that there's value there. I want to ask you about we have Guillermo Diaz coming up shortly, Michelle and I want to ask you your thoughts on the technical function. You mentioned it's a board level issue now, privacy. How should the CIO be communicating to the board about privacy? What should that conversation be like? >> Oh my gosh. So we now report quarterly to the board so we're getting a lot of practice We'll put it that way. I think we're on the same journey as the security teams used to you used to walk into the board and go here's what ransomware is and all of these former CFOs and sales guys would look at you and go ah, okay, onto the financials because there wasn't anything for them to do strategically. Today's board metrics are a little soft. It's more activity driven. Have you done your PIAs? Have you passed some sort of a third party audit? Are you getting rejected for third party value chain in your partner communities? That's the have not and da da da. To me I don't want my board telling us how to do operations that's how we do. To really give the board a more strategic view what we're really trying to do is study things like time to close and then showing trending impacts. The one conversation with John Chambers that's always stuck in my head is he doesn't want to know what today's snapshot is cause today's already over give me something over time, Michelle, that will trend. And so even though it sounds like, you know who cares if your sales force is a little annoyed that it takes longer to get this deal through legal well it turns out when you multiply that in a multi-billion dollar environment you're talking about hundreds of millions of dollars probably a week, lost to inefficiency. So, if we believe in efficiency in the tangible supply chain that's the more strategic view I want to take and then you add on things like here's a risk portfolio a potential fair risk reporting type of thing if we want to do a new business Do we light up a business in the Ukraine right now versus Barcelona? That is a strategic conversation that is board level. We've forgotten that by giving them activity. >> Interesting what you say about Chambers. John you just interviewed John Chambers and he was the first person, in the mid 90s to talk about a virtual close, if you remember that. So, obviously, what you're talking about is way beyond that. >> Yeah and you're exactly right. Let's go back to those financial roots. One of the things we talk about in privacy engineering is getting people's heads-- the concept that the data changes. So, the day before your earnings that data will send Chuck Robbins to jail if someone is leaking it and causing people to invest accordingly. The day after, it's news, we want everyone to have it. Look at how you have to process and handle and operationalize in 24 hours. Figuring out those data stories helps it turn it on its head and make it more valuable. >> You know, you mentioned John Chambers one of the things that I noticed was he really represented Silicon Valley well in Washington DC and there's been a real void there since he retired. You guys still have a presence there and are doing stuff there and you see Amazon with Theresa Carlson doing some great work there and you still got Oracle and IBM in there doing their thing. How is your presence and leadership translating into DC now? Can you give us an update of what's happening at-- >> So, I don't know if you caught a little tweet from a little guy named Chuck Robbins this week but Chuck is actually actively engaged in the debate for US federal legislation for privacy. The last thing we want is only the lobbyists as you say and I love my lobbyists wherever you are we need them to help give information but the strategic advisors to what a federal bill looks like for an economy as large and complex and dependent on international structure we have to have the network in there. And so one of the things that we are doing in privacy is really looking at what does a solid bill look like so at long last we can get a solid piece of federal legislation and Chuck is talking about it at Davos as was everyone else, which was amazing and now you're going to hear his voice very loudly ringing through the halls of DC >> So he's upping his game in leadership in DC >> Have you seen the size of Chuck Robbins? Game upped, privacy on! >> It's a great opportunity because we need leadership in technology in DC so-- >> To affect public policy, no doubt >> Absolutely. >> And globally too. It's not just DC and America but also globally. >> Yeah, we need to serve our customers. We win when they win. >> Final question, we got to get wrapped up here but I want to get you guys a chance to talk about what you guys announced here at the show what's going on get the plug in for what's going on Cisco Trust. What's happening? >> Do you want to plug first? >> Well, I think a few things we can add. So, in addition to releasing our benchmark study this week and talking about that with customers and with the public we've also announced a new version of our privacy data sheets. This was a big tool to enable salespeople and customers to see exactly how data is being used in all of our products and so the new innovation this week is we've released these very nice, color created like subway maps, you know? They make it easy for you to navigate around it just makes it easy for people to see exactly how data flows. So again, something up on our site at trust.cisco.com where people can go and get that information and sort of make it easy. We're pushing towards simplicity and transparency in everything we do from a privacy standpoint and this is really that trajectory of making it as easy as possible for anyone to see exactly how things go and I think that's the trajectory we're on that's where the legislation both where GDPR is heading and federal legislation as well to try to make this as easy as reading the nutrition label on the food item. To say what's actually here? Do I want to buy it? Do I want to eat it? And we want to make that that easy >> Trust, transparency accountability comes into play too because if you have those things you know who's accountable. >> It's terrifying. I challenge all of my competitors go to trust.cisco.com not just my customers, love you to be there too go and look at our data subway maps. You have to be radically transparent to say here's what you get customer here's what I get, Cisco, here's where my third party's. It's not as detailed as a long report but you can get the trajectory and have a real conversation. I hope everybody gets on board with this kind of simplification. >> Trust.cisco.com we're going to keep track of it. Great work you guys are doing. I think you guys are leading the industry, Congratulations. >> Thank you. >> This is not going to end, this conversation continues will continue globally. >> Excellent >> Thanks for coming on Michelle, appreciate it. Robert thanks for coming on. CUBE coverage here day three in Barcelona. We'll be back with more coverage after this break.