Search Results for KalahariResorts and Conventions:

Michael Sherwood, City of Las Vegas | CrowdStrike Fal.Con 2022


 

(intro music) >> Hi, everybody, we're back. Dave Vellante and Dave Nicholson. We're covering Fal.Con 22. This is CrowdStrike's big user conference. CrowdStrike is a very hot company, as you probably know started on endpoint security, expanding into another, a number of other areas trying to build the next great generational company in cybersecurity. Michael Sherwood is here. He's the chief innovation and technology officer for the city of Las Vegas. >> Got to love that. >> Thanks so much for coming to theCUBE. >> Welcome! >> Yeah, we got to love that. I mean, if it weren't for Las Vegas, I'm not sure where we would have our CUBE events, but so thank you for hosting us. >> Thank you for being here. This is awesome. It's a great day and a lot of people, and it's exciting to see everything that's going on here. >> Yeah, the city is booming. Obviously the convention, the conference business is booming. Tech is a big part of that but there's so many other industries that come to Las Vegas. Talk about your role, really interesting, chief innovation, technology officer, CTO. Tell us about what you do day to day. >> Kind of all over the place. But a lot of it has to do with day to day technology within the organization. So managing all the different technology components. When you start looking at any city, it's a lot of different companies inside of it. Think of fire service as a different company. They all have different missions. And so our technology needs are expansive. So while we have operational IT, we also have our innovation unit. Innovation unit works on next generation technology. So Las Vegas was one of the first cities in the United States to have a autonomous vehicle drive in mix-flow traffic, meaning it was out there with, driving along cars. We're also the first city to have an accident in a autonomous vehicle. That happened on day two. (Vellante laughing) So, there's always a lot of firsts in Las Vegas, but. >> Despite the grid. 
>> Despite the grid, you know. But even today, so that was in 2017, when we first started working with autonomous vehicles. Up until today, where you have the ability, anybody in Las Vegas, including yourselves right after the show can go ahead and use Lyft, go outside and hail an autonomous taxi to come pick you up and drive you up and down the strip. Those vehicles actually communicate with our infrastructure. So the innovation is, how do cities work with private companies to start building next generation amenities, next generation technologies? And so that happens a lot of times. People don't realize. They come to Las Vegas for entertainment, and now we're known for sports but we do have a lot of technology here that permeates through the entire community. >> So I'm from Boston. We're trying to get the smart traffic lights, we're not quite there yet. But I was at a session, Dave you'll appreciate it, it was John Rose, who was the CTO. He was the CTO of, he's a CTO of Dell Technologies now. And the mayor of Boston, we were talking about the vision for a smart city. But Boston and I mean talk about, a challenge for building a smart city. So when I come out here, it's like amazing to me to see the technology that's there. So as a CTO and innovation officer, you've got a playground where... Now, of course you have legacy infrastructure, you've got technical debt, but you also have, in certain cases, an opportunity and more latitude to get creative. So what are some of the cool things that you're working on that you're really excited about? >> There's a lot of things I'm excited about. It's just great being in this city. But a lot of the things that we're excited about here in the next year to two years, we have an innovation district. So not a lot of cities have this but Downtown around the Fremont Street Experience, there's a corridor there that covers government, covers entertainment, medical. And so this innovation district is where we test out new technologies. 
So some of the things we're testing out, computer vision. So we're, our smart parks program is how do we provide better security and enjoyment of those amenities without providing physical labor to constantly patrol. And so we're using cameras and vision and different types of AI algorithms to kind of manage the park. And while we're doing that, we're also getting data back on how often is the park used? Are the facilities, are the sprinklers going on during the day? Water's a big deal here. And so those type of projects. Again, autonomy is still huge, vehicle autonomy, still working on driving those next generation changes where you'll actually have a driverless vehicle. Right now, there's a safety driver in a lot of the autonomous vehicles. Even the one I talked about earlier, you have the, while the vehicles driving itself, for safety reasons, there's still a human driver in the seat. But as we go forward in the next year to two, that >> That's soon. >> is getting ready to change. I believe that's soon. You can quote it here, you heard it here first. >> Wow. >> But that would be coming up. You got drones as well. We've already started looking at a few types of drone delivery systems. It may not be too far away. Your pizza or maybe some other item that you want is delivered in the general area. Probably not in the hotel corridor but in the outside areas of the city. I just think there's a lot of, again, we're building amenities for the future. We really want people to understand that Las Vegas is not just a place to come visit, but it's a place to live and have fun and be part of a community. >> So from an academic perspective, what you just described is a highly ambidextrous organization, right? >> Yes. >> Because you're not just worried about keeping the lights on, but you're also looking at innovation. How did your organization get to this place? 
What you're describing is sort of the gold standard that any organization public or private would seek to implement. How did you get there? >> Baby steps, small steps. It all started back when there was the Smart Cities Challenge. So we were not selected as the finalist. We were in the, I think top 15 at the time but we didn't give up on it. And we continued to move forward. The pandemic helped us do things. When you ask, what do I do? Well, my normal job is running the day to day infrastructure. I also see my role as economic development to help bring companies here and bring new ideas. We have a great community, diverse and ready to do things. But when you take, talk about the innovation and the technology and what we're doing. Like I said, during a pandemic, we came up with the idea of, Hey, we don't want to send our building inspectors or our inspectors in the people's homes, one for the inspector's health and one for the citizen's health. So we used normal tools. We took an iPhone and made it a virtual inspector. So now if you get a new water heater, you can actually do your inspection via like a FaceTime. And you hold your phone up around the water heater. We can view it, we record the video, save it, and boom give you an inspection remotely. And so you build on it. So how do you get, I wouldn't quite say we're the gold. I appreciate, we're moving there, that's the bar. You've laid out the bar for us, but we're moving in that direction. But it's building on one win and not all of our things that we've deployed. We can talk about those as well. Some of the things like trash can sensors, we looked at doing, which would monitor when the trash can was full or empty, just didn't pan out. So a lot of the times I talk about the wins a lot not as much about the things that didn't pan out. >> So what're the big challenges, generally of building out a smart city and then specifically around cyber? >> So there's, community acceptance number one. 
Las Vegas, I'm very lucky cameras are everywhere. So there's not as much resistance to using video technology. But a lot of times it's just getting the constituents, getting people to understand the value of what we're trying to do. Not everybody is interested in autonomous vehicles or believes they're ready for that. But when you start looking at the increments, more than any other city I know, the community here is so robust and so supportive of bringing on these technologies. Look, what other city do you know that builds new buildings and knocks them down five years later to build something new again? Or, who has a volcano in the middle of their downtown? So different things like that. But when you start looking at all the advancements we're making, you brought up one of the biggest concerns. When people ask me, what keeps you up at night? It's not the autonomous vehicle not performing, it's the cyber, it's the cyber issues that go along with becoming more advanced. And as you bring innovation in, you start bleeding the lines of what's government, what's private. And then how do you continue to have the data transmission between these multiple entities? How do you keep the endpoint secure? And that is something that you learn as you go, but it's always out there. And endpoint security and security in general is a huge, huge area. >> And how about the data? You were talking before about you can get actually approval for an inspection. That's data, it's video data. How have you changed the way in which you're using data? What are you doing with that data? How do you leverage it? How do you secure it? >> It's all great questions. One of the things we've undertaken is called an open data initiative. So we have an open data portal. It's opendata.lasvegasnevada.gov, where we publish a lot of the data sets that we collect. If it's air quality, if it's ambulance runs, and we make that data available. 
A lot of that is, one for the public for transparency, two though, it's, we hope enables the private sector to build apps off of the data that we have. A lot of times, you either you have the data but you don't have the app or you have the app, but no data. So in our way, it's trying to help the community build up new ideas. Our push has been moving to the cloud a lot. So we're pushing a lot more data into the cloud where before I think a lot of governments keep a lot of that internal, but obviously look, the cloud's here to stay and it's not going anywhere. And so now it's more about as we migrate, using our partners, our relationship with CrowdStrike, to start securing not only our endpoints but start looking at the cloud space as well. And then we have this new technology. It's not really new, but edge compute. You've heard a lot of, there's different people talking about it. When you start talking about autonomous vehicles, autonomous delivery, drones. We own a large private wireless network. A lot of data now is computed at the edge and we're only taking the metadata and sending it up to the cloud. So it becomes rather complicated with security being at the forefront. >> Yeah, so that very small portion of the actual amount of data that's created goes back but it's such a massive amount of data. It's not to trivialize it, it's still a lot. And some of it is probably ephemeral. Do you persist at all? Or probably not. >> Not always, I mean. A lot of it, what we're learning is, it's a learning process as you go through this smart city or what we call just basically emerging into, 'cause I believe all cities are smart. Not one city smarter than another necessarily. So I'm not really a fan of the term smart city. It's more in line with me as we're building amenities for the future and building amenities for people. And a lot of that is built upon data and then built upon providing things that citizens want. 
And we all know, we all live somewhere and we live there because it's safe community, it has good education, good infrastructure whatever it might be. And so we're trying to build out that smart community to be as many things as we can to as many people. >> Yeah, that's fair. And there's automation, there's certainly machine intelligence that's heavily involved. Of course, you talking autonomous. Now I understand your work transcends the city of Las Vegas into the broader state of Nevada helping make Nevada a safer state. What's that all about? >> So we have a great partnership. One of the great things, I come from California, so a rather large state. Here in Nevada, it's a very close knit state. So we have a lot of communications with the state. We get to work with them very closely. One of the initiatives we've been working on is how do we, a lot of organizations spend a lot of time doing cybersecurity for just their organization. So it's focused internal on the employees that might work in that organization. We're kind of now looking outwards and saying, how do we not only do that for our internal government employees but how do we involve the entire community? One of the things is, is Las Vegas over 40,000 conventions per year. You're here a lot. What happens in Vegas stays in Vegas and a lot of people bring malware with them and it stays here. We're trying to educate people. We do a lot in government to help people with police and fire and services. What is local government doing to help the community prepare for the next generation of cyber threats and issues? So our initiative is really working with the community, bringing in CrowdStrike and other partners to help us not only work with small business, but work with those entrepreneurs as well as the midsize businesses. >> So what do you do with Crowd? You got the cool little CrowdStrike, not CrowdStrike, but you got the red splash in your lapel. Very cool cuff links, I noticed that you have there. 
I love the red. >> Little poker chips there. >> They're very nice, very nice. >> They're very cool. So what do you do with CrowdStrike? >> So CrowdStrike is one of our major components in our security posture. We use them as endpoint protection. I can tell you a quick story. I know my CISO's listening probably was going to cringe now when I tell this story, but our journey with CrowdStrike has been amazing. We deployed the product and when that first week of deployment, we had a malicious actor and CrowdStrike was able to catch it. I would probably would not be here today with you two gentlemen if it wasn't for CrowdStrike. That's not an endorsement it's just a, that's a fact of how things rolled out. But we depend on CrowdStrike and their capabilities to ensure the safety of our digital assets. >> You wouldn't be here 'cause we, it used to be failure means fire. Is that what you mean? >> That's what I mean. I'm not going to, I don't like to use that word in my terminology, but basically failure is not an option in my job. It's just not there. >> Well, it's funny, we had Kevin Mandia on early, he was like, look I started my company in 2004 with the assumption that breaches will happen, you are going to get breached. >> Yes >> So that's why I say, I think there was a day when, if you got breached, oh, you're fired. Well that, then everybody got breached. So I think that that sentiment changing 'cause CrowdStrike saying that the unstoppable breach is a myth. Well, we're not there yet, but. >> I'd say damage control now. At least we have a little bit more control but, again, look, government is about trust. And so when you have that trust level, from my perspective, I keep a high standard and try to prevent any loss of data or any type of malicious activity from happening. I hope the mayor's listening and she doesn't fire me if anything would happen, but you know. >> You got a fun job. How'd you get into this? >> It was a great opportunity. 
I worked in law enforcement prior to here. I was a Deputy Police Chief in city of Irvine. I oversaw technology as part of that role. I've always loved Las Vegas, always liked the energy of the city and I had a great opportunity to apply and I applied and was lucky enough to be selected. I have a great team that supports me. >> Deputy Police Chief, it sounds like, what you just described, the technology role. You had an operations role essentially, is that right? >> Correct. And so kind of gave me a lot of insights and really helped me, as you progress in government, having different roles in your portfolio makes you a little bit more adaptive and it's kind of, it helps in, especially now with so much video and cameras prevalent in cities, having that law enforcement role, understanding a little of the legal aspects and understanding some of the, what law enforcement wants kind of makes that bridge from technology to the actual end user. >> A really interesting story, Michael. Thanks so much for sharing on theCUBE, appreciate it. >> Thank you for having me here. >> You're very welcome. All right, keep it right there. Dave Nicholson and Dave Vellante will be back from Las Vegas at the Aria from Fal.Con 22. You're watching theCUBE. (outro music)

Published Date : Sep 20 2022

2022 000CC Tim Everson CC


 

(upbeat music) >> Hello, welcome to this CUBE Conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE. We're here with Tim Everson, CISO at Kalahari Resorts & Conventions. Tim, great to see you. Thanks for coming on theCUBE. >> Thank you for having me. Looking forward to it. >> So, you know, RSA is going on this week. We're talking a lot about security. You've got a lot of conferences. Security is a big scale now across all enterprises, all businesses. You're in the hospitality, you got conventions. You're in the middle of it. You have an interesting environment. You've got a lot of diverse use cases. And you've got a lot of needs. They're always changing. I mean, you talk about change. You've got a network that has to be responsive, robust and support a lot of tough customers who want to have fun or do business. >> Exactly, yeah. We have customers that come in, that we were talking about this before the segment. And we have customers that come in that bring their own Roku Sticks their own Amazon devices. All these different things they bring in. You know, our resort customers need dedicated bandwidth. So they need dedicated network segments stood up at a moment's notice to do the things they're doing and run the shows they're showing. So it's never, never ending. It's constantly changing in our business. And there's just data galore to keep an eye on. So it's really interesting. >> Can you scope the scale of the current cybersecurity challenges these days in the industry? Because they're wide and far, they're deep. You got zero trust on one end, which is essentially don't trust anything. And then you got now on the software supply chain, things like more trust. So you got the conflict between a direction that's more trusted and then zero trust, and everything in between. From, endpoint protection. It's a lot going on. What's the scale of this situation right now in cyber? >> You know, right now everything's very, very up in the air. 
You talk about zero trust. And zero trust can be defined a lot of ways depending on what security person you talk to today. So, I won't go into my long discussion about zero trust but suffice to say, like I said zero trust can be perceived so many different ways. From a user perspective, from a network perspective, from an end point. I look more broadly at the regulatory side of things and how that affects things too. Because, regulations are changing daily. You've got your GDPRs, your CCPAs, your HIPAA regulations, PCI. All these different things that affect businesses, and affect businesses different ways. I mean, at Kalahari we're vulnerable or we're not vulnerable, but we're subject to a lot of these different regulations, more so than other people. You wouldn't expect a lot of hotels to have HIPAA regulations for instance. We have health people at our resorts. So we actually are subject to HIPAA in a lot of cases. So there's a lot of these broad scenarios that apply and they come into play with all different industries. And again, things you don't expect. So, when you see these threats coming, when you see all the hacks coming. Even today I got an email that the Marriott breach data from a few years ago, or the MGM breach from a few years ago. We've got all these breaches out there in the world, are coming back to the surface and being looked at again. And our users and our guests and our corporate partners, and all these different people see those things and they rely on us to protect them. So it makes that scope just exponentially bigger. >> Yeah, there's so many threads to pull on here. One is, you know we've observed certainly with the pandemic and then now going forward is that if you weren't modern in your infrastructure, in your environment, you are exposed. Even, I'm not talking old and antiquated like in the dark ages IT. We're talking like really state of the art, current. If you're lagging just by a few years, the hackers have an advantage. 
So, the constant bar raising, leveling up on technology is part of this arms race against the bad guys. >> Absolutely. And you said it, you talked earlier about the supply chain. Supply chain, these attacks that have come through the SolarWinds attacks and some of these other supply chain attacks that are coming out right now. Everybody's doing their best to stay on top of the latest, greatest. And the problem with that is, when you rely on other vendors and other companies to be able to help you do that. And you're relying on all these different tool sets, the supply chain attack is hugely critical. It makes it really, really important that you're watching where you're getting your software from, what they're doing with it, how they secure it. And that when you're dealing with your vendors and your different suppliers, you're making sure that they're securing things as well as you are. And it just, it adds to the complexity, it adds to the footprint and it adds to the headache that a lot of these security teams have. Especially small teams where they don't have the people to manage those kind of contacts. >> It's so interesting, I think zero trust is a knee jerk reaction to the perimeter being gone. It's like, you got to People love the zero trust. Oh it's like, "We're going to protect this that nobody, and then vet them in." But once you're trusted, trust also is coming in to play here. And in your environment, you're a hotel, you're a convention. You have a lot of rotation of guests coming in. Very much high velocity. And spear phishing and phishing, I could be watching and socially engineering someone that could be on your property at any given time. You got to be prepared for that. Or, you got ransomware coming around the corners or heavily. So, you got the ransomware threat and you got potentially spear phishing that could be possible at your place. These are things that are going on, right? That you got to protect for. What's your reaction to that? 
>> Absolutely. We see all those kind of attacks on a daily basis. I see spear phishing attacks. I see, web links and I chase them down and see what's going on. I see that there's ransomware trying to come in. We see these things every single day. And the problem you have with it is not only, especially in a space where you have a high volume of customers and a high turnover of customers like you're talking about that are in and out of our resorts, in and out of our facilities. Those attacks aren't just coming from our executives and their email. We can have a guest sitting on a guest network, on a wireless network. Or on one of our business center machines, or using our resort network for any one of a number of the conference things that they're doing and the different ports that we have to open and the different bandwidth scenarios that you've got dealing with. All of these things come into play because if any attack comes from any of those channels you have to make sure that segmentation is right, that your tooling is proper and that your team is aware and watching for it. And so it does. It makes it a very challenging environment to be in. >> You know, I don't want to bring up the budget issue but I'll bring up the budget issue. You can have unlimited budget because there's so many tools out there and platforms now. I mean, if you've look at the ecosystem map of the cybersecurity landscape that you have to navigate through as a customer. You've got a lot of people knocking on your door to sell you stuff. So I have to ask you, what is the scale? I mean, you can't have unlimited budget. But the reality is you have to kind of, do the right thing. What's the most helpful kind of tools and platforms for you that you've seen that you've had experience with? Where's this going in terms of the most effective mechanisms and software and platforms that are available out there? 
>> From the security perspective specifically, the three things that are most important to me are visibility. Whether it's asset visibility or log visibility. You know, being able to see the data, being able to see what's going on. End user. Making sure that the end user has been trained, is aware and that you're watching them. Because the end user, the human is always the weakest link. The human doesn't have digital controls that can be hard set and absolutely followed. The human changes every day. And then our endpoint security solutions. Those are the three biggest things for me. You know, you have your network perimeter, your firewalls. But attackers aren't always looking for those. They're coming from the inside, they're finding a way around those. The biggest three things for me are endpoint, visibility and the end user. >> Yeah, it's awesome. And a lot of companies are really looking at their posture right now. So I would ask you as a CISO, who's in the front end of all this great stuff and protecting your networks and all your environments and the endpoints and assets. What advice would you have for other CISOs who are kind of trying to level up to where you're at, in terms of rethinking their security posture? What advice would you give them? >> The advice I would give you is surround yourself with people that are like-minded on the security side. Make sure that these people are aware but that they're willing to grow. Because security's always changing. If you get a security person that's dead set that they're going to be a network security person and that's all they're going to do. You know, you may have that need and you may fill it. But at the end of the day, you need somebody who's open rounded and ready to change. And then you need to make sure that you can have somebody, and the team that you work with is able to talk to your executives. It never fails, the executives. 
They understand security from the standpoint of the business, but they don't necessarily understand security from the technical side. So you have to make sure that you can cross those two boundaries. And when you grow your team you have to make sure that that's the biggest focus. >> I have to ask the pandemic question, but I know cybersecurity hasn't changed. In fact, it's gotten more aggressive in the pandemic. How has the post pandemic or kind of like towards the tail end of where we're at now, affect the cybersecurity landscape? Has it increased velocity? Has it changed any kind of threat vectors? Has it changed in any way? Can you share your thoughts on what happened during the pandemic and now as we come out of it into the next, well post pandemic? >> Absolutely. It affected hospitality in a kind of unique way. Because, a lot of the different governments, state, federal. I'm in Ohio. I work out of our Ohio resort. A lot of the governments literally shut us down or limited severely how many guests we could have in. So on the one hand you've got less traffic internal over the network. So you've got a little bit of a slow down there. But on the flip side it also meant a lot of our workers were working from home. So now you've got a lot of remote access coming in. You've got people that are trying to get in from home and work machines. You have to transition call centers and call volume and all of the things that come along with that. And you have to make sure that that human element is accounted for. Because, again, you've got people working from home, you no longer know if the person that's calling you today, if it's not somebody you're familiar with you don't know if that person is Joe Blow from the front desk or if that person's a vendor or who they are. And so when you deal with a company with 5,000 ish employees or 10,000 that some of these bigger companies are. 15,000, whatever the case may be. 
You know, the pandemic really put a shift in there because now you're protecting not only against the technologies, but you're dealing with all of the scams, all of the phishing attempts that are coming through that are COVID related. All of these various things. And it really did. It threw a crazy mix into cybersecurity. >> I can imagine that the brain trust over there is prior thinking, "Hey, we were a hybrid experience." Now, if people who have come and experienced our resorts and conventions can come in remotely, even in a hybrid experience with folks that are there. You've seen a lot of hybrid events for instance go on, where there's shared experience. I can almost imagine your service area is now extending to the homes of those guests. That you got to start thinking differently. Has that been something that you guys are looking at? >> We're looking at it from the standpoint of trying to broaden some of the events. In the case of a lot of our conventions, things of that nature. The conventions that aren't actually Kalahari's run conventions, we host them, we manage them. But it does... When you talk about workers coming from home to attend these conventions. Or these telecommuters that are attending these conventions. It does affect us in the stance that, like I said we have to provision network for these various events. And we have to make sure that the network and the security around the network are tight. So it does. It makes a big deal as far as how Kalahari does its business. Being able to still operate these different meetings and different conventions, and being able to host remotely as well. You know, making sure that telecommunications are available to them. Making sure that network access and room access are available to them. You know for places where we can't gather heavily in meetings. You know, these people still being able to be near each other, still being able to talk, but making sure that that technology is there between them. 
>> Well, Tim, it's great to have you on for this CUBE Conversation. CISO from the middle of all the action. You're seeing a lot. There's a lot of surface area you got to watch. There's a lot of data you got to observe. You got to get that visibility. You can only protect what you can see, and the more you see the better it is. The better the machine learning. You brought up the common area about like-minded individuals. I want to just ask you on the final point here, on hiring and talent coming into the marketplace. I mean, this younger generation coming out of university and college is, or not even going to school. There's no cyber degree. I mean, there are now. But I mean, the world's changing. It's easy to level up. So, skill sets you can't get a degree in certain things. I mean, you got to have a broad set. What do you look for in talent? Is there a trend you see in terms of what makes a good cybersecurity professional, developer, analyst? Is there roles that you see emerging that you think people should pay attention to? What's your take on this as someone who's looking at the future? And- >> You know, it's very interesting that you bring this up. I actually have two of my team members, one directly working for me and another team member at Kalahari that are currently going through college degree programs for cybersecurity. And I wrote recommendations for them. I've worked with them, I'm helping them study. But as you bring people up, you know the other thing I do is I mentor at a couple of the local technical schools as well. I go in, I talk to people, I help them design their programs. And the biggest thing I try to get across to them is, number one, if you're in the learning side of it. Not even talking about the hiring side of it. If you're in the learning side of it, you need to come into it with a kind of an understanding to begin with to where you want to fit into security. You know, do you want to be an attacker, a defender, a manager? 
Where do you want to be? And then you also need to look at the market and talk to the businesses in the area. You know, I talk to these kids regularly about what their need is. Because if you're in school and you're taking Cisco classes, and focusing on firewalls and what an organization needs as somebody who can read log and do things like that. Or somebody who can do pen testing. You know, that's a huge thing. So I would say if you're on the hiring side of that equation, you know. Like you said, there's no super degrees that I can speak to. There's a lot of certifications. There's a lot of different things like that. The goal for me is finding somebody who can put hands to the ground and feet to the ground, and show me that they know what they know. You know, I'll pull somebody in, I'll ask them to show me a certain specific or I'll ask them for specific information and try to feel that out. Because at the end of the day, there's no degree that's going to protect my network. There's no degree that's a hundred percent going to understand Kalahari, for instance. So I want to make sure that the people I talk to, I get a broad interview scope, I get a number of people to talk to. And really get a feel for what it is they know, and what tools they want to work with and make sure it's going to align with us. >> Well, Tim, that's great that you do that. I think the industry needs that. And I think that's really paying it forward, by getting in and using your time to help shape the young curriculums and the young guns out there. It's interesting you know, like David Vellante and I talk on theCUBE all the time. Cyber is like sports. If you're playing football, you got to know the game. If you're playing football and you come in as a baseball player, the skills might not translate, right? So it's really more of, categorically cyber has a certain pattern to it. Math, open mindedness, connecting dots, seeing things around corners. 
Maybe it's more holistic views, if you're at the visibility level or getting the weeds with data. A lot of different skill sets needed. The aperture of the job requirements are changing a lot. >> They are. And you know, you touched on that really well. You know, they talk about hacking and the hacker mindset. You know, all the security stuff revolves around hacker. And people mislabel hacker. Hacking in general is making something do something that it wasn't originally designed to do. And when I hire people in security, I want people that have that mindset. I want people that not only are going to work with the tool set we have, and use that mathematical ability and that logic and that reasoning. But I want them to use a reasoning of, "Hey, we have this tool here today. How can this tool do what I want it to do but what else can it do for me?" Because like any other industry we have to stretch our dollar. So if I have a tool set that can meet five different needs for me today, rather than investing in 16 different tool sets and spreading that data out and spreading all the control around. Let's focus on those tool sets and let's focus on using that knowledge and that adaptive ability that the human people have on the security side, and put that to use. Make them use the tools that work for them but make 'em develop things, new tools, new methods, new techniques that help us get things across. >> Grow the capabilities, protect, trust all things coming in. And Tim, you're a tech athlete, as we say and you've got a great thing going on over there. And again, congratulations on the work you're doing on the higher ed and the education side and the Kalahari Resorts & Conventions. Thanks for coming on theCUBE. I really appreciate the insight you're sharing. Thank you. >> Thanks for having me. >> Okay. I'm John Furrier here in Palo Alto for theCUBE. Thanks for watching. (somber music)

Published Date : Jun 10 2022


Richard A. Clarke, National Security & Cyber Risk Expert | Qualys Security Conference 2019


 

>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey welcome back everybody, Jeff Frick here with theCUBE, we're in Las Vegas at the Bellagio, at the Qualys Security Conference, pretty amazing, it's been going on for 19 years, we heard in the keynote. It's our first time here, and we're excited to have our first guest, he was a keynote earlier this morning, the author of nine books, Richard Clarke, National Security and Cyber Risk expert, and author most recently of "The Fifth Domain." Dick, great to see you. >> Great to be with you. >> Absolutely. So you've been in this space for a very long time. >> I started doing cybersecurity in about 1996 or 1997. >> So early days. And preparing for this, I've watched some of your other stuff, and one of the things you said early on was before there was really nothing to buy. How ironic to think about that, that first there was a firewall, and basic kind of threat protection. Compare and contrast that to walking into RSA, which will be in a couple of months in Moscone, 50,000 people, more vendors than I can count on one hand, now there's too much stuff to buy. Do you look at this evolution? What's your take? And from a perspective of the CIO and the people responsible for protecting us, how should they work through this morass? >> Well, the CIO and the CFO, got used to thinking cyber security costs a little bit, 'cause you can only buy, this is 1997, you can only buy antivirus, firewall, and maybe, in 1997, you could buy an intrusion detection system. Didn't do anything, it just went "beep," but you could buy that too. So you had three things in 1997. And so that resulted in the IT budget having to take a tiny little bit of it, and put it aside for security, maybe 2%, 3% of the budget. Well, now, if you're only spending 2 or 3% of your IT budget on security, somebody owns your company, and it's not you (laughs). 
>> And that's 2 or 3% of the IT budget, that's not the whole budget. >> No, that's the IT budget. What we found in researching the book, is that secure companies, and there are some, there's companies that don't get hacked, or they get hacked, but the hack gets in, immediately contained, identified, quarantined. The damage is done, but it's easily repaired. Companies that are like that, the resilient companies, are spending 8%, 10%, we found companies at 12 and 17%, of their IT budget on security, and to your point, how many devices do you have to buy? You look at the floor at any of these RSA Conventions, Black Hat, or something, now there are 2000 companies at RSA, and they're all selling something, but their marketing message is all the same. So pity the poor CSO as she goes around trying to figure out, "Well, do I want to talk to that company? "What does it do?" We found that the big banks, and the big corporations, that are secure, have not three, anymore, but 75, 80, different, discrete cybersecurity products on their network, most of it software, some of it hardware. But if you've got 80 products, that's probably 60 vendors, and so you got to, for yourself, there's the big challenge, for a CSO, she's got to figure out, "What are the best products? "How do they integrate? "What are my priorities?" And, that's a tough task, I understand why a lot of the people want to outsource it, because it's daunting, especially for the small and medium-size business, you got to outsource it. >> Right, right. So the good news is, there's a silver lining. So traditionally, and you've talked about this, we talk about it all the time too, there's people that have been hacked and know it, and people that have been hacked and just don't know it yet, and the statistics are all over the map, anywhere you grab it, it used to be hundreds of days before intrusions were detected. 
Kind of the silver lining in your message is, with proper investments, with proper diligence and governance, you can be in that group, some they're trying to get in all the time, but you can actually stop it, you can actually contain it, you can actually minimize the damage. >> What we're saying is, used to be two kinds of companies, those that are hacked and knew it, and those that are hacked that don't, that didn't know it. Now there's a third kind of company. The company that's stopping the hack successfully, and the average, I think, is a 175 days to figure it out, now it's 175 minutes, or less. The attack gets in, there's all the five or six stages, of what's called "the attack killchain," and gets out very, very quickly. Human beings watching glass, looking at alerts, are not going to detect that and respond in time, it's got to be automated. Everybody says they got AI, but some people really do (laughs), and machine learning is absolutely necessary, to detect things out of the sea of data, 75 different kinds of devices giving you data, all of them alarming, and trying to figure out what's going on, and figure out in time, to stop that attack, quarantine it, you got to move very, very quickly, so you've got to trust machine learning and AI, you got to let them do some of the work. >> It's so funny 'cause people still are peeved when they get a false positive from their credit card company, and it's like (laughs), do you realize how many of those things are going through the system before one elevates to the level that you are actually getting an alert? >> So the problem has always been reducing the number of false positives, and identifying which are the real risks, and prioritizing, and humans can't do that anymore. >> Right, right, there's just too much data. 
So let's shift gears a little bit about in terms of how this has changed, and again, we hear about it over and over, right, the hacker used to be some malicious kid living in his mom's basement, being mischievous, maybe, actually doing some damage, or stealing a little money. Now it's government-funded, it's state attacks, for much more significant threats, and much more significant opportunities, targets of opportunity. You've made some interesting comments in some of your prior stuff, what's the role of the government? What's the role of the government helping businesses? What's the role of business? And then it also begs the question, all these multinational business, they don't even necessarily just exist in one place, but now, I've got to defend myself against a nation state, with, arguably, unlimited resources, that they can assign to this task. How should corporate CIOs be thinking about that, and what is the role, do you think, of the government? >> Let's say you're right. 20 years ago we actually used to see the number of cyber attacks go up on a Friday night and a Saturday night, because it was boys in their mother's basement who couldn't get a date, you know, and they were down there having fun with the computer. Now, it's not individuals who are doing the attacks. It is, as you say, nation states. It's the Russian Army, Russian Intelligence, Russian Military Intelligence, the GRU. The North Korean Army is funding its development of nuclear weapons by hacking companies and stealing money, all over the world, including central banks, in some cases. So, yeah, the threat has changed, and obviously, a nation state is going to be far more capable of attacking, military is going to be far more capable of attacking, so, CISOs say to me, "I'm being attacked by a foreign military, "isn't that the role of the Pentagon "to defend Americans, American companies?" 
And General Keith Alexander, who used to run Cyber Command, talks about, if a Russian bomber goes overhead, and drops a bomb on your plant, you expect the United States Air Force to intercept that Russian bomber, that's why you pay your taxes, assuming you pay taxes. What's the difference? General Alexander says, whether that's a Russian bomber attacking your plant, or a Russian cyber attack, attacking your plant, and he says, therefore, people should assume the Pentagon will protect them from foreign militaries. That sounds nice. There's a real ring of truth to that, right? But it doesn't work. I mean, how could the Pentagon defend your regional bank? How could the Pentagon defend the telephone company, or a retail store? It can't. It can barely defend itself, and they're not doing a great job of that either, defending the federal government. So, do you really want the Pentagon putting sensors on your network? Looking at your data? No, you don't. Moreover, they can't. They don't have enough people, they don't have enough skills. At the end of the day, whatever the analogy is about how the Defense Department should defend us from foreign military attack, they can't. And they shouldn't, by the way, in my view. The conclusion that that gets you to, is you got to defend yourself, and you can, right now, if you use the technology that exists. The government has a role, sure. It can provide you warnings, it can provide the community with intelligence, it can fund development and stuff, can train people, but it cannot defend your network, you have to defend your network. >> And you have municipalities, I think it's Atlanta, is the one that keeps getting hit, there's-- >> Well Louisiana, just the other night, the whole state of Louisiana government unplugged from the internet, because it was being hit by a ransomware attack. The whole city of Baltimore's been down, the whole city of Atlanta, as you said. 
There's a real problem here, because people, many of them are paying the ransom, and they pay the ransom, and they get their network back right away. People ask me, "Can I trust these criminals?" Well you can trust them to give you your network back, because they have a reputation to maintain. Think about that. This whole thing about ransomware depends on their reputation, the bad guys' reputation. If they get a reputation for not giving you your network back when you pay, no one's ever going to pay, so they do give it back, and sometimes that's a lot quicker, and a lot cheaper, than saying no and rebuilding your network. But if we give them the money, what are they doing with it? Yeah, they're buying Ferraris to drive round the streets of Moscow, but some of that money is going back into R&D, so they can develop more effective attacks. >> So it's an interesting take, right, so most people, I think, would say that the cybersecurity war is completely always going to be kind of cat and mouse, whack-a-mole, that the bad guys are always a little step ahead, and you're always trying to catch up, just the way the innovation cycle works. You specifically say no, that's not necessarily always true, that there are specific things you can do to, not necessarily have an impenetrable wall, but to really minimize the impact and neutralize these threats, like a super white blood cell, if you will. So what are those things that companies should be doing, to better increase their probability, their chance, of, I don't know, blocking-- >> Depends on the size of the company. >> Absorbing. >> Depends on the size of the company. But I think whether you're a small-to-medium business, or you're an enterprise, you begin in the same place. And I do this with all of my consulting contracts, I sit down with the leadership of the company individually, and I ask every one of them, "What are you worried about? "What could happen? "What could a bad guy do to you "that matters to your company?" 
'Cause what matters to one company may not matter to another company. And you can't spend your entire budget defending the network, so let's figure out exactly what risk we're worried about, and what risk we're just kind of willing to tolerate. And then, we can design security around that, and sometimes that security will be outsourced, to a managed security provider. A lot of it means getting into the cloud, because if you're in Amazon or Microsoft's cloud, you've got some security automatically built in, they've got thousands of people doing the security of the cloud, and if your server's in your basement, good luck. (laughs) >> So, as you look forward, now you said you finished the book earlier in the year, it gets published, and it's out, and that's great, but as you said, it's a fast-moving train, and the space develops. 10 years from now, we don't want to look at 10 years from now, it's way too long. But as you look forward the next couple, two, three years, what are you keeping an eye on, that's going to be, again, another sea change of both challenge and opportunity in this space? >> The three technologies we talk about in the book, for the three-year time horizon, 'cause I can't get beyond three years, more machine learning on the defense, but also more machine learning on the offense, and where does that balance work out? To whose advantage? Secondly, quantum computing, which, we don't know how rapidly quantum computing will come onto the market, but we do know it's a risk for some people, in that it might break encryption, if the bad guys get their hands on the quantum computer, so that's a worry. But one I think most immediately, is 5G. What 5G allows people to do, is connect millions of things, at high speed, to the internet. And a lot of those things that will be connected are not defended right now, and are outside firewalls, and don't have end-point protection, and aren't really built into networks on a secure network. 
So I worry about 5G empowering the Internet of Things, and doing what we call expanding the attack surface, I worry about that. >> Right, Richard, well thank you for taking a few minutes, and congrats on the book, and I'm sure within a couple of years the gears will start turning and you'll put pen to paper and kick another one out for us. >> Number 10. >> All right. He's Richard, I'm Jeff, you're watching theCUBE, we're at the Qualys Security Conference at the Bellagio in Las Vegas, thanks for watching, we'll see you next time. (upbeat music)

Published Date : Nov 21 2019
