>> live from Boston, Massachusetts. It's the Cube covering A W s reinforce 2019 brought to you by Amazon Web service is and its ecosystem partners. >> Welcome back to the cubes. Live coverage here in Boston, Massachusetts, for AWS reinforce Amazon web services. First inaugural conference around Cloud Security. I'm John for your Michael's Day. Volante, our next Katie Jenkins s V P. C. Vice President. See? So, Chief Information Security officer with Liberty Mutual Big Company, Lot of activity insurance. Lot of probably a lot of action on your side. Welcome to the Cube. Thanks. Thanks for coming on. So you've been in this job for about a year. Tell us about what's going on in Libya. Means you guys have a large company. 100 plus years old. You're see. So you're in charge. You're running everything. We're gonna security conference. Tell us the reality. What's going on in the real world? >> Yeah, well, this is super exciting. That reinforce, of course, is in Boston. This is Liberty Mutual's hometown assed. You mentioned 107 year old security, not security company >> insurance company. But we're >> doing really cool things in technology and security. Specifically, um, I would say to kind of bring this gathering together. We have a really rich pool of security talent of security and innovators. It really matches up with what what we're doing. So Liberty Mutual has made a very significant commitment to moving to the public cloud for our technology and computing needs. We're in about your three of that journey, maybe 25% of our workload in the public cloud. It's really been a catalyst for not just transforming our technology organisation but transforming the way security does its work in the way security engages with our development community. >> While you're the head honchos, they say there's a C so but you had 20 plus years in cyber security. This is now kind of a new category with reinforced being a branded show over AWS. I see this deserves its own conversation, and industry is a lot of action going on. What is cloud security mean to you? Because this is the focus of this show. It's not just pure clouds, a lot on premise and on cloud interactions with hybrid etcetera. You guys have been doing tons of I t over the generations with Liberty Mutual, but cloud security is the focus. What does that mean? Thio to? You guys have a cyber security standpoint? >> Yeah, um, in a word. Enablement, um, I think that the public cloud offers us, um, really interesting opportunity to reinvent security. Right? So if you think about all of the technologies and processes and many of which were manual over the years, I think we have an opportunity to leverage automation to make our work easier in some ways to to, um, avoid the situation where we have air oversight. Gosh, we encrypted everything, but you know, this set of assets over here, So through using automation and enforcement, it's a new, exciting opportunity to further develop our security capabilities. But also, you know, cloud security at cloud in general has bred a transformation of the way that are practitioners do work through agile. And it means that security has toe no work with our technologists in a different way. >> So you've had a really interesting background. Um you work for a company that does audits. I can infer from that. You've worked for service is company. You work for a technology vendor. You worked as a practitioner. So you've seen it all sides and you know Amazon. It made some comments yesterday that said, Look, the narrative in the security industry has always been fear, fear, fear. And we'd like to put forth forth the narrative. That is about Listen, the state of security is really good and strong. The union is strong and we're gonna work together in a positive message. So my question is, are you an optimist? >> Ah, a reluctant activist. Um, I think the days of having security be something that's fearful, uh are just not not doing us any any any justice in that area. I mean, security is an area of partnership. There's very little of what we do. Insecurity. It's just done by security practitioners. We need asset managers. We need compliance people. We need the privacy team. We need our auditors way. Need procurement. I mean, there's just so many different parties involved in security that if we're just instilling fear and everyone, I think it'll be difficult for us tow. Get that partnership and we need Thio. Empower people, right. We need Thio. Both empower our developers to do their work in a secure manner and we have to empower our whole workforce and our trusted third parties to make good decisions. We're educating them on how to prevent phishing attacks were doing all sorts of kind of culture based initiatives, recognizing that if it's just the security folks doing security, we're gonna have a big gap. >> One of the things that we were discussing a lot of other C. So So we've been talking privately. Off the record in the hallways and private briefings is the common theme of integration as a big part of dealing with ecosystem, either suppliers and or different teams within their different pillars of how they're organized internally and externally, and then also reducing the number of security vendors that they've been buying products from to get some also in house coding, teams working more closely on the use cases that matter. So this has become kind of ah, see, So a conversation where what? What is that criteria? How do you figure out who to have a suppliers who's gonna be around for the long haul? We're gonna be that a partnership for the enablement. So rather than having hundreds of vendors, we want to get him down to a handful. Is that something that you think about or is it a trend that you see it's happening now? >> Uh, it is a trend. I think it starts at how we even procure in select our suppliers. I mean, we're really giving a lot of thought to the area of third party risk management. And do we understand not just the elements of cyber risk and engaging with 1/3 party? But but privacy and continuity kind of risk, too. So it starts there. I don't have a sort of fabricated number in terms of I'm trying to go from X number of vendors down toe Why? But I think that there's a very purposeful thought process that we're undergoing to say, Yeah, we recognize and for certain technologies, we want to have different providers to provide some of that redundancy. Let's be smart about them. Let's make sure we really understand where those overlapping capabilities are because we don't want to be wasteful either. Right >> on the span, the question comes up to around Devil's because what we're seeing is the devil ops and security paradigms kind of coming together in terms of the concepts agility. You could do some prototyping, a hackathon do some things and then ultimately trying to get into production or two different animals. So that enablement of doing innovative things, his agility, that that's been a key theme, a positive theme. And the question is, is there a funding model? Doesn't automatically get security funding. And where's the spin that you're spending going up? So all the monetary spend questions come up. >> How do you >> deal with that ballistically? And how do you think about, you know, spend conversation? >> Yeah, um, >> it's a really interesting one, because, of course, expense >> pressures. I'm not immune to those. But I >> also think that we're in a position where, um, our executive leadership team understands the value of the work that we're doing understands the important to our policy holders. So it's less often a need to justify why we need more spend. It's a demonstration of using that spend responsibly and understanding where we might have an uplift from something that we automated to say. Well, now we have these resource is that could be doing something else. >> There's >> always something else and security, right? So if we're committed to re Skilling and making sure that people are evolving the work that they do in the talents that they have to adjust a different kind of >> no rule of thumb per se. It's more of your management recognizes the criticality of it. Therefore, you could make those calls on your own building built in building, >> project tough questions and making >> responsible decisions. But I think it comes down and knowing your technology, >> so the skills gap, obviously a huge challenge in your industry would talk to somebody else, they said. We just can't find people, so we have to bring him in and train them ourselves. We have the homegrown and take the long view. Amazon talks about the shared responsibility model, and a lot of small companies don't really understand that things misunderstood. Obviously, Liberty Mutual gets it. My question is, as you see Amazon focusing on compute in the storage and data base layer, and you guys have the opportunity to focus on other areas that are your responsibility that shared responsibility model. Have you been able to shift? Resource is how have you handled that you retrain people? Has it freed up, not freed up time to do some of those more strategic things that you want to do maybe respond more quickly. Prioritized, better automate, etcetera, etcetera. Can you talk about that from your perspective? >> Yeah. So the shared responsibility model is, uh, you know, I think that's video unimportant speaking point of this whole ecosystem. At the end of the day, Liberty Mutual. Our duty is to protect policyholder data. It doesn't matter. It's in the cloud. If it's in our data, Southers, we have that duty. It's >> on you. >> So I think a lot about the skills that we will need in the future. So I've referenced sort of vaguely that yet. Compliance area is a particularly interesting area where we have opportunities to able to more easily Bingley produced artifacts on our auditors need to really bring automation to a process that just has a very steep history and being manual in nature. So, yeah, I understand that tomorrow we're not gonna ask everyone to make a big switch and I'll become developers. But way do you know plenty of people to this conference and they are participating in the tracks on how to bring of automation to compliance. And I think that's pretty heavily in training opportunities for people. >> How do you look about the vendor lock in conversation because of cloud. The value proposition certainly shifts in the old model was, Oh, you by event supplier and you're in, You're locked in with database or whatever with Cloud. There's a lot of switching costs, opportunities to move around. But people generally settling in on one main cloud and having this may be a hybrid backup cloud or the cloud is the secondary is the focus of the team's How do you view, um, lock And when you deal with suppliers because you don't want to be stuck with once a fire? If you have the need to be agile, you want to have options. How do you guys think about that? Because being in agility is key for you guys to be successful. Not someone's just dealing with the vendors. >> Um, >> it does come down to balance. We do leverage multiple cloud providers, right? I think that, um, if we're too focused on making sure that we have that portability, and we could quickly move from one to another than we miss an opportunity to kind of deeply leverage. Some of the service is, for example, that the eight of us provides, but we also, you know, you've been around the block of >> your first rodeo. Exactly. >> And I think that it's important to have that perspective and prepare for the future. >> Do you, um, attend board meetings regularly? >> I do. I do for sent out to our board of directors. >> Is that a sort of frequent thing? And once a year, once 1/4 of interested in what the board conversation is like with >> it happens in a couple different context, whether it's specific to sort of an audit readout or sort of a general state of State of Security type A report out. But yeah, we have a really engaged board that asked great questions about our partners, right about things that are more culture base in terms of how we're doing with our anti phishing protection. And we talk about technology architectures, too, in the work that we're doing to make sure that we're being more fine grain in the way that we're authenticating users and devices, no matter where they work in a more secure way. They're they're interested in that. So I feel pretty lucky. Thio both have the opportunity and get deeply. Would >> you say the conversation is more of a strategic nature with the board. Is it more tactic? You just mentioned some tactical items. Is it more metrics driven or a sort of a combination of all three? >> It's a It's a combination right? I think they want to see demonstrated progress against areas that we have self identified Azarias that we'd like to prove improve. But they're also looking to see that I have a vision for where we're going to fully cognizant of the work that we've done in the public cloud and want to understand that the level of trust and they had in their security programme on premise will perpetuate and advance into the cloud. So >> when you look at clouds, security and now security, you guys have you had a perspective on full sides and clouds certainly accelerating involving fast when you find a legacy app that you're working with. We've heard other seasons. We've talked us who have had frank conversations, that look, we're deciding whether we lift and shifted more rebuild on. So there's been some visibility into when it's great to have lifted shifts and when it's great to rebuild. So that's been a conversation that I don't think been fully baked out yet. In the full narrative in the industry, it's one people are talking about. What's your view on when you have a legacy app, you want a lift and shifted or rebuild it? What goes through your mind? What's a conversation like? >> It's a conversation that we have. We have legacy. I won't hide behind behind that. But it's not a conversation in a decision that's just made by technologists, right? I think we have to articulate what the options are, and that has to be a joint decision with our business partners. I think generally I'm not preferring a lift and shift because I think that we are may be overlooking some of the opportunities to make similar security improvements that I see. But when we can get an application that's using our software development pipelines that we have embedded security controls, we have better visibility. We have better enforcement, ensuring what we know that we know what's going into. The cloud has met, you know, a number of our security standards, so to speak, that's a much better position. >> So the destruction of multiple clouds I'm interested in how you handle that you take separate teams is the same team, sort of handling everything, and it's sort of a follow up on that is I'm interested in your relationship with AWS and how that's affected your business. >> Yeah, so the security team does not. Oh, the cloud environment, so to speak. That's that's, Ah Secure Dev Ops team within our infrastructure organization. And they're very close partner of ours, right? So, yes, I do have a resource. Is that our specialist in AWS versus other clouds and others that are identity and access management specialists are able to work on the development of those patterns across different cloud environments. Right. You know, I there's nothing bad that I could say about the relationship with our AWS partners that we felt very supported and understanding what we're trying to do introduce us to new service is and introduced it probably most importantly, introducing us to other customers that have but you know, are a little bit ahead of us in their journey. So weaken, hopefully not repeat, >> not helping you with security pieces. Well, I'm that's something that they with shared responsibility there are there working with you on this securing those workloads as you move. Glad >> be Definitely leverage their expertise. >> And you mentioned that you guys kind of made a decision a few years ago. Toe go all in on the cloud. How has that affected your business? What kind of results have you seen? A zit met expectations. Is it exceeded? You know, I >> mean, is I mentioned we do still have, Ah, a lot of a lot of our technology on premise, but for the use cases that have really seen that rapid acceleration of agile practices allowed teams to develop code so much more quickly. I think the business is generally delighted that their needs are being far more quickly met. Then >> I could ask you, there's a perpetual line in the men's room. It's quite long. So what's it like to be long? And the lady I was going to say? I don't think it is because I would say the proportion of women here is actually lower than even the industry and most conferences that we attend. So what's it like being a woman in this male dominated security business? >> I been in it so on, but I certainly have. You're in a little bit of custom toe, but not so accustomed that I'm not motivated on a daily basis to bring more women in. I think that security just has tremendous opportunities and, you know, certainly the marketing of security professionals is hoody wearing white male kind of persona. Just >> their opportunity. What some of those opportunities for women who are stem science, they might your daughters all stem love public policy, the sociology impact side. The impact that's here is a lot of range of skills. What are some of those that you would inspire someone >> I studied? Math is an undergrad. We didn't have security >> back then and since got a Masters >> degree in cyber security. So that's cool. But, you know, I think a great security professional is a great communicator, a great collaborator. I need technologists. I need developers. I need process experts. I need people that think you know very deeply about assurance type control so way have tried to attract people out of other technology round. >> And it's just not just math and computer science is creativity involved. There's a lot of things that that blend sells all kinds of diversity. >> There is, you know, you think about human psychology, right? We just totally transformed one of the systems that we use for approving for managers to approve the access of their people. Right Past system was ugly. People didn't know how to interact with it. I mean, that user experience expertise that over laid and how we developed our new platform just makes all the difference to make sure that it's actually invaluable process. Now, like I'm so frustrated. I'm just gonna sign off on this because I I give up >> really interesting because you spend a lot of time and effort and money on things that drive revenue. But this drives so much productivity in business value that, you know he's not maybe direct dollars, but clearly there. I have a question. When you recruit people, presumably you tap your network. And it's not just the good old boys network your women. Are you able to successfully find women or young women in particular that you can attract and recruit into your business as security practitioners? They had much success there. >> Yeah, so we definitely are outpacing industry numbers in terms of women and security. We have a long way to go, you know, historically excluded people right? Not just women people of color. I mean, we just have a long ways to go, right. And I think it takes more than sitting back and waiting for a recruiter to bring recruiter to bring me a slate of candidates to say no. I know people. I know people that know people. And I really have toe invest myself and make sure that my leaders know that that's my expectation of them, right? I mean, I think that way feel that diversity of thought, no matter how that diversity is expressed, is really important doing the work. >> Let us know how we could help in Silicon Valley days here in Boston as well. Love help get the word out. So anything you need for muscle now. Okay. Thanks so much for his great insights. Love to have you on the cube again sometime. Thanks. Coming on S V p. C. So at Liberty Mutual here in the cube, extracting the signal, sharing the reality of what's going on in the security equation for cloud security. I'm John for Dave. A lot. Right back after this short break

>> From the SiliconANGLE Media office in Boston, Massachusetts, it's the cube. Now, here's your host, Dave Vellante. >> Hello everyone and welcome to this week's Wikibon cube insights powered by ETR. In this breaking analysis ahead of the RSA conference, we want to update you on the cyber security sector. This year's event is underlined by coronavirus fears, IBM has pulled out of the event and cited the epidemic as the reason and it's also brings to the front the sale of RSA by Dell to STG partners and private equity firm. Now in our last security drill down, we cited several mega trends in the security sector. These included the ever escalating sophistication of the attacker, the increased risk from the data economy, the expanded attack surface with the huge number of IP addresses that are that are exploding out there, and the lack of skills and the number of cyber tools that are coming to the market. Now, as you know, in these segments, we'd like to share insights from the cube. And I want you to listen to two American statesman and what they said, on The Cube. Here's general Keith Alexander, who's the former director of the NSA, along with Dr. Robert Gates, who's the former director of the CIA and former Secretary of Defense, play the clip. >> When you think about threats, you think about nation states, so you can go to Iran, Russia, China, North Korea, and then you think about criminal threats, and all the things like ransomware. Some of the nation state actors are also criminals at night, so they can use nation state tools and my concern about all the evolution of cyber threats is that the attacks are getting more destructive. >> I think cyber and the risks associated with cyber, and IT need to be a regular part of every board's agenda. >> So you hear General Alexander really underscore the danger, as well, Dr. Gates is articulating what we've said many times on the cube that cyber security is a board level agenda item. Now, the comments from both of these individuals represent what I would consider tailwinds for cyber technology companies. Now we're going to drill into some of those today. But it's not all frictionless. There are headwinds to in this market space, cloud migration, the shift from north south south to East West network traffic, its pressure traditional appliance based perimeter security solutions, increase complexity and lack of skills and other macro factors, including questions on ROI. CFO saying, hey, we spend all this cash, why aren't we more secure? Now, I want you to hear from two chief information security officers officers on both the challenges that they face and how they're dealing with them. Roll the clip. >> Lack of talent, I mean, we're starving for talent. Cybersecurity is the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have and in that lack of talent Cecil's are starving. >> I think that the public cloud offers us a really interesting opportunity to reinvent security right. So if you think about all of the technologies and processes and many of which are manual over the years, I think we have an opportunity to leverage automation to make our work easier in some ways. >> Now I featured Brian Lozada and Katie Jenkins before and breaking analysis segments, and you can hear it from the cyber leaders, we lack the talent, and cloud computing and automation are areas we're pursuing. So this challenges security companies to respond. But at the end of the day, companies have no no choice. In other words, organizations buying security solutions, the sophistication of the attacker is very high and the answer to my CFO and ROI is fear based. If you don't do this, you might lose billions in market cap. Now, I want you to take a listen to these cubilam talking about the attacker of sophistication and the importance of communication skills in order to fund cyber initiatives, really to keep up with the bad guys, please play the clip. >> The adversary is talented and they're patient, they're well funded okay, that's that's where it starts. And so, you know why why bring an interpreter to a host when there's already one there right? Why write all this complicated software distribution when I can just use yours. And so that's that's where the play the game starts. And and the most advanced threats aren't leaving footprints because the footprints already there, you know, they'll get on a machine and behaviorally they'll check the cash to see what's hot. And what's hot in the cash means that behaviorally, it's a fast they can go they're not cutting a new trail most of the time, right? So living off the land is not only the tools that they're using the automation, your automation they're using against you, but it's also behavioral. >> That's why the most the most important talent or skill that a security professional needs is communication skills. If you can't articulate technical risk into a business risk to fund your program, it's, you know, it's very hard for you to actually be successful in security. >> Now, the really insidious thing about what TK Keanini just said is the attackers are living off the land, meaning they're using your tools and your behaviors to sneak around your data unnoticed. And so as Brian Lozada said, as a security Pro, you need to be a great communicator in order to get the funding that you need to compete with the bad guys. Which brings me to the RSA conference. This is why you as a security practitioner attend, you want to learn more, you want to obtain new skills, you want to bring back ideas to the organization. Now one of the things I did to prepare for this segment is to read the RSA conference content agenda, which was co authored by Britta Glade and I read numerous blogs and articles about what to expect at the event and from all that I put together this word cloud, which conveys some of the key themes that I would expect you're going to hear at the shows. Look at skills jump right out, just like Brian was saying, the human element is going to be a big deal this year. IoT and the IT OT schism, everyone's talking about the Olympics, and seeing that as a watershed event for cyber, how to apply machine learning and AI is a big theme, as is cloud with containers and server less. phishing, zero trust and frameworks, framework for privacy, frameworks for governance and compliance, the 2020 election and weaponizing social media with deep fakes, and expect to hear a lot about the challenges of securing 5G networks, open source risks, supply chain risks, and of course, the need for automation. And it's no surprise there's going to be a lot of talk about cyber technology, the products and of course, the companies that sell them. So let's get into the market and unpack some of the ETR spending data and drill into some of these companies. The first chart I want to show you is spending on cyber relative to other initiatives. What this chart shows is the spending on cyber security highlighted in the green in relation to other sectors in the ETR taxonomy. Notice the blue dot. It shows the change in spending expected in 2020 versus 2019. Now, two points here. First, is that despite the top of my narrative that we always hear, the reality is that other initiatives compete for budget and you just can't keep throwing cash at the security problem. As I've said before, we spend like .014% percent of our global GDP on cyber, so we barely scratched the surface. The second point is there's there's there's a solid year on year growth quite high at 12% for a sector that's estimated at 100 to 150 billion dollars worldwide, according to many sources. Now let's take a look at some of the players in this space, who are going to be presenting at the RSA conference. You might remember to my 2020 predictions in that breaking analysis I focused on two ETR metrics, Net Score, which is a measure of spending velocity and Market Share, which measures pervasiveness in the data set. And I anointed nine security players as four star players. These were Microsoft, Cisco, Palo Alto Networks, Splunk, Proofpoint, Fortinet, Oka, Cyber Ark and CrowdStrike. What we're showing here is an update of that data with the January survey data. My four star companies were defined as those in the cyber security sector that demonstrate in both net scores or spending momentum, that's the left hand chart and market share or pervasiveness on the right hand chart. Within the top 22 companies, why did I pick 22? Well, seemed like a solid number and it fit nicely in the screen and allowed more folks. So a few takeaways here. One is that there are a lot of cyber security companies in the green from the standpoint of net score. Number two is that Fortinet and Cisco fell off the four star list because of their net scores. While still holding reasonably well, they dropped somewhat. Also, some other companies like Verona's and Vera code and Carbon Black jumped up on the net score rankings, but Cisco and Fortinet are still showing some strength in the market overall, I'ma talk about that. Cisco security businesses up 9% in the quarter, and Fortinet is breaking away from Palo Alto Networks from a valuation perspective, which I'm going to drill into a bit. So we're going to give Cisco and Fortinet two stars this survey period. But look at Zscaler. They made the cut this time their net score or spending momentum jumped from 38% last quarter to nearly 45% in the January survey, with a sizable shared in at 123. So we've added Zscaler to the four star list, they have momentum, and we're going to continue to watch that quarterly horse race. Now, I'd be remiss if I didn't point out that Microsoft continues to get stronger and stronger in many sectors including cyber. So that's something to really pay attention to. Okay, I want to talk about the valuations a bit. Valuations of cyber security space are really interesting and for reasons we've discussed before the market's hot right now, some people think it's overvalued, but I think the space is going to continue to perform quite well, relative to other areas and tech. Why do I say that? Because cyber continues to be a big priority for organizations, the software and annual recurring revenue contribution ARR continues to grow, M&A is going to continue to be robust in my view, which is going to fuel valuations. So Let's look at some of the public companies within cyber. What I've compiled in this chart is eight public companies that were cited as four star or two star firms, as I defined earlier, now ranked this by market value. In the columns, we show the market cap and trailing 12 month revenue in billions, the revenue multiple and the annual revenue growth. And I've highlighted Palo Alto Networks and Fortinet because I want to drill into those two firms, as there's a valuation divergence going on between those two names, and I'll come back to that in just a minute. But first, I want to make a few points about this data. Number one is there's definitely a proportional relationship between the growth rate and the revenue multiple or premium being paid for these companies. Generally growth ranges between one and a half to three times the revenue multiple being paid. CrowdStrike for example has a 39 x revenue multiple and is growing at 110%, so they're at the high end of that range with a growth at 2.8 times their revenue multiple today. Second, and related, as you can see a wide range of revenue multiples based on these growth rates with CrowdStrike, Okta and now Zscaler as the standouts in this regard. And I have to call at Splunk as well. They're both large, and they have high growth, although they are moving beyond, you know, security, they're going into adjacencies and big data analytics, but you you have to love the performance of Splunk. The third point is this is a lucrative market. You have several companies with valuations in the double digit billions, and many with multi billion dollar market values. Cyber chaos means cash for many of these companies, and, of course for their investors. Now, Palo Alto throw some of these ratios out of whack, ie, why the lower revenue multiple with that type of growth, and it's because they've had some execution issues lately. And this annual growth rate is really not the best reflection of the stock price today. That's really being driven by quarterly growth rates and less robust management guidance. So why don't we look into that a bit. What this chart shows is the one year relative stock prices of Palo Alto Networks in the blue and compared to Fortinet in the red. Look at the divergence in the two stocks, look at they traded in a range and then you saw the split when Palo Alto missed its quarter last year. So let me share what I think is happening. First, Palo Alto has been a very solid performance since an IPO in 2012. It's delivered more than four Rex returns to shareholders over that period. Now, what they're trying to do is cloud proof their business. They're trying to transition more to an AR model, and rely less on appliance centric firewalls, and firewalls are core part of the business and that has underperformed expectations lately. And you just take Legacy Tech and Cloud Wash and Cloud native competitors like Zscaler are taking advantage of this and setting the narrative there. Now Palo Alto Network has also had some very tough compares in 2019 relative to 2018, that should somewhat abate this year. Also, Palo Alto has said some execution issues during this transition, especially related to sales and sales incentives and aligning that with this new world of cloud. And finally, Palo Alto was in the process of digesting some acquisitions like Twistlock, PureSec and some others over the past year, and that could be a distraction. Fortinet on the other hand, is benefiting from a large portfolio refresh is capitalizing on the momentum that that's bringing, in fact, all the companies I listed you know, they may be undervalued despite, of all the company sorry that I listed Fortinet may be undervalued despite the drop off from the four star list that I mentioned earlier. Fortinet is one of those companies with a large solution set that can cover a lot of market space. And where Fortinet faces similar headwinds as Palo Alto, it seems to be executing better on the cloud transition. Now the last thing I want to share on this topic is some data from the ETR regression testing. What ETR does is their data scientists run regression models and fit a linear equation to determine whether Wall Street earnings consensus estimates are consistent with the ETR spending data, they started trying to line those up and see what the divergence is. What this chart shows is the results of that regression analysis for both Fortinet and Palo Alto. And you can see the ETR spending data suggests that both companies could outperform somewhat expectations. Now, I wouldn't run and buy the stock based on this data as there's a lot more to the story, but let's watch the earnings and see how this plays out. All right, I want to make a few comments about the sale of the RSA asset. EMC bought RSA for around the same number, roughly $2 billion that SDG is paying Dell. So I'm obviously not impressed with the return that RSA has delivered since 2006. The interesting takeaway is that Dell is choosing liquidity over the RSA cyber security asset. So it says to me that their ability to pay down debt is much more important to Dell and their go forward plan. Remember, for every $5 billion that Dell pays down in gross debt, it dropped 25 cents to EPS. This is important for Dell to get back to investment grade debt, which will further lower its cost. It's a lever that Dell can turn. Now and also in thinking about this, it's interesting that VMware, which the member is acquiring security assets like crazy and most recently purchased carbon black, and they're building out a Security Division, they obviously didn't paw on the table fighting to roll RSA into that division. You know maybe they did in the financial value of the cash to Dell was greater than the value of the RSA customers, the RSA product portfolio and of course, the RSA conference. But my guess is Gelsinger and VMware didn't want the legacy tech. Gelsinger said many times that security is broken, it's his mission to fix it or die trying. So I would bet that he and VMware didn't see RSA as a path to fixing security, it's more likely that they saw it as a non strategic shrinking asset that they didn't want any part of. Now for the record, and I'm even won't bother showing you the the data but RSA and the ETR data set is an unimpressive player in cyber security, their market share or pervasiveness is middle of the pack, so it's okay but their net score spending velocities in the red, and it's in the bottom 20th percentile of the data set. But it is a known brand, certainly within cyber. It's got a great conference and it's been it's probably better that a PE company owns them than being a misfit toy inside of Dell. All right, it's time to summarize, as we've been stressing in our breaking analysis segments and on the cube, the adversaries are very capable. And we should expect continued escalation. Venture capital is going to keep pouring into startups and that's going to lead to more fragmentation. But the market is going to remain right for M&A With valuations on the rise. The battle continues for best of breed tools from upstarts like CrowdStrike and Okta and Zscaler versus sweets from big players like Cisco, Palo Alto Networks and Fortinet. Growth is going to continue to drive valuations. And so let's keep our eyes on the cloud, remains disruptive and for some provides momentum for others provides friction. Security practitioners will continue to be well paid because there's a skill shortage and that's not going away despite the push toward automation. Got in talk about machine intelligence but AI and ML those tools, there are two edged sword as bad actors are leveraging installed infrastructure, both tools and behaviors to so called live off the land, upping the stakes in the arms race. Okay, this is Dave Vellante for Wikibon's CUBE Insights powered by ETR. Thanks for watching this breaking analysis. Remember, these episodes are all available as podcasted Spotfire or wherever you listen. Connect with me at david.vellante at siliconangle.com, or comment on my LinkedIn. I'm @dvellante on Twitter. Thanks for watching everybody. We'll see you next time. (upbeat music).

>> From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante. >> Hello, everyone, and welcome to this week's Cube Insights, powered by ETR. Today is November 8, 2019 and I'd like to address one of the most important topics in the minds of a lot of executives. I'm talking about CEOs, CIOs, Chief Information Security Officers, Boards of Directors, governments and virtually every business around the world. And that's the topic of cyber security. The state of cyber security has changed really dramatically over the last 10 years. I mean, as a cyber security observer I've always been obsessed with Stuxnet, which the broader community discovered the same year that theCUBE started in 2010. It was that milestone that opened my eyes. Think about this. It's estimated that Stuxnet cost a million dollars to create. That's it. Compare that to an F-35 fighter jet. It costs about $85-$100 million to build one. And that's on top of many billions of dollars in R&D. So Stuxnet, I mean, it hit me like a ton of bricks. That the future of war was all about cyber, not about tanks. And the barriers to entry were very, very low. Here's my point. We've gone from an era where thwarting hacktivists was our biggest cyber challenge to one where we're now fighting nation states and highly skilled organized criminals. And of course, cyber crime and monetary theft is the number one objective behind most of these security breaches that we see in the press everyday. It's estimated that by 2021 cyber crime is going to cost society $6 trillion in theft, lost productivity, recovery costs. I mean, that's just a staggeringly large number. It's even hard to fathom. Now, the other C-change is how organizations have had to respond to the bad guys. It used to be pretty simple. I got a castle and the queen is inside. We need to protect her, so what do we do? We built a mote, put it around the perimeter. Now, think of the queen as data. Well, what's happened? The queen has cloned herself a zillion times. She's left the castle. She's gone up to the sky with the clouds. She's gone to the edge of the kingdom and beyond. She's also making visits to machines and the factories and hanging out with the commoners. She's totally exposed. Listen, by 2020, there's going to be hundreds of billions of IP addresses. These are going to be endpoints and phones, TVs, cameras, tablets, automobiles, factory machines, and all these represent opportunities for the bad guys to infiltrate. This explosion of endpoints that I'm talking about is created massive exposures, and we're seeing it manifest itself in the form of phishing, malware, and of course the weaponization of social media. You know, if you think that 2016 was nuts, wait 'til you see how the 2020 presidential election plays out. And of course, there's always the threat of ransomware. It's on everybody's minds these days. So I want to try to put some of this in context and share with you some insights that we've learned from the experts on theCUBE. And then let's drill into some of the ETR data and assess the state of security, the spending patterns. We're going to try to identify some of those companies with momentum and maybe some of those that are a little bit exposed. Let me start with the macro and the challenged faced by organization and that's complexity. Here's Robert Herjavec on theCUBE. Now, you know him from the Shark Tank, but he's also a security industry executive. Herjavec told me in 2017 at the Splunk.com Conference that he thought the industry was overly complex. Let's take a look and listen. >> I think that the industry continues to be extremely complicated. There's a lot of vendors. There's a lot of products. The average Fortune 500 company has 72 security products. There's a stat that RSA this year, that there's 1500 new security start-ups every year. Every single year. How are they going to survive? And which ones do you have to buy because they're critical and provide valuable insights? And which ones are going to be around for a year or two and you're never going to hear about again? So it's a extremely challenging complex environment. >> So it's that complexity that had led people like Pat Gelsinger to say security is a do-over, and that cyber security is broken. He told me this years ago on theCUBE. And this past VM World we talked to Pat Gelsinger and remember, VMware bought Carbon Black, which is an endpoint security specialist, for $2.1 billion. And he said that he's basically creating a cloud security division to be run by Patrick Morley, who is the Carbon Black CEO. Now, many have sort of questioned and been skeptical about VMware's entrance into the space. But here's a clip that Pat Gelsinger shared with us on theCUBE this past VM World. Let's listen and we'll come back and talk about it. >> And this move in security, I am just passionate about this, and as I've said to my team, if this is the last I do in my career is I want to change security. We just not are satisfying our customers. They shouldn't put more stuff on our platforms. >> National defense issues, huge problems. >> It's just terrible. And I said, if it kills me, right, I'm going to get this done. And they says, "It might kill you, Pat." >> So this brings forth an interesting dynamic in the industry today. Specifically, Steven Smith, the CISO of AWS, at this year's Reinforce, which is their security conference, Amazon's big cloud security conference, said that this narrative that security is broken, it's just not true, he said. It's destructive and it's counterproductive. His and AWS's perspective is that the state of cloud security is actually strong. Kind of reminded me of a heavily messaged State of the Union address by the President of the United States. At the same time, in many ways, AWS is doing security over. It's coming at it from the standpoint of a clean slate called cloud and infrastructure as a surface. Here's my take. The state of security in this union is not good. Every year we spend more, we lose more, and we feel less safe. So why does AWS, the security czar, see if differently? Well, Amazon uses this notion of a shared responsibility security model. In other words, they secure the S3 buckets, maybe the EC2 infrastructure, not maybe, the EC2 infrastructure. But it's up to the customer to make sure that she is enforcing the policies and configuring systems that adhere to the EDIX of the corporation. So I think the shared security model is a bit misunderstood by a lot of people. What do I mean by that? I think sometimes people feel like well, my data's in the cloud, and AWS has better security than I do. Here I go, I'm good. Well, AWS probably does have better security than you do. Here's the problem with that. You still have all these endpoints and databases and file servers that you're managing, and that you have to make sure comply with your security policies. Even if you're all on the cloud, ultimately, you are responsible for securing your data. Let's take a listen to Katie Jenkins, the CISO of Liberty Mutual, on this topic and we'll come back. >> Yeah, so the shared responsibility model is, I think that's an important speaking point to this whole ecosystem. At the end of the day, Liberty Mutual, our duty is to protect policyholder data. It doesn't matter if it's in the cloud, if it's in our data centers, we have that duty to protect. >> It's on you. >> All right, so there you have it from a leading security practitioner. The cloud is not a silver bullet. Bad user behavior is going to trump good security every time. So unfortunately the battle goes on. And here's where it gets tricky. Security practitioners are drowning in a sea of incidents. They have to prioritize and respond to, and as you heard Robert Herjavec say, the average large company has 75 security products installed. Now, we recently talked to another CISO, Brian Lozada, and asked him what's the number one challenge for security pros. Here's what he said. >> Lack of talent. I mean, we're starving for talent. Cyber security's the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have. And in that lack of talent CISOs are starving. We're looking for the right things or tools to actually patch these holes and we just don't have it. Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their programs. >> So bottom line is we can't keep throwing humans at the problem. Can't keep throwing tools at the problem. Automation is the only way in which we're going to be able to keep up. All right, so let's pivot and dig in to some of the ETR data. First, I want to share with you what ETR is saying overall, what their narrative looks like around spending. So in the overall security space, it's pretty interesting what ETR says, and it dovetails into some of the macro trends that I've just shared with you. Let's talk about CIOs and CISOs. ETR is right on when they tell me that these executives no longer have a blank check to spend on security. They realize they can't keep throwing tools and people at the problem. They don't have the bodies, and as we heard from Brian Lozada. And so what you're seeing is a slowdown in the growth, somewhat of a slowdown, in security spending. It's still a priority. But there's less redundancy. In other words, less experimentation with new vendors and less running systems in parallel with legacy products. So there's a slowdown adoption of new tools and more replacement of legacy stuff is what we're seeing. As a result, ETR has identified this bifurcation between those vendors that are very well positioned and those that are losing wallet share. Let me just mention a few that have the momentum, and we're going to dig into this data in more detail. Palo Alto Networks, CrowdStrike, Okta, which does identity management, Cisco, who's coming at the problem from its networking strength. Microsoft, which recently announced Sentinel for Azure. These are the players, and some of them that are best positioned, I'll mention some others, from the standpoint spending momentum in the ETR dataset. Now, here's a few of those that are losing momentum. Checkpoint, SonicWall, ArcSight, Dell EMC, which is RSA, is kind of mixed. We'll talk about that a little bit. IBM, Symantec, even FireEye is seeing somewhat higher citations of decreased spending in the ETR surveys and dataset. So there's a little bit of a cause for concern. Now, let's remember the methodology here. Every quarter ETR asks are you green, meaning adopting this vendor as new or spending more? Are you neutral, which is gray, are you spending the same? Or are you red, meaning that you're spending less or retiring? You subtract the red from the green and you get what's called a net score. The higher the net score, the better. So here's a chart that shows a ranking of security players and their net scores. The bars show survey data from October '18, July '19, and October '19. In here, you see strength from CrowdStrike, Okta, Twistlock, which was acquired by Palo Alto Networks. You see Elastic, Microsoft, Illumio, the core, Palo Alto Classic, Splunk looking strong, Cisco, Fortinet, Zscaler is starting to show somewhat slowing net score momentum. Look at Carbon Black. Carbon Black is showing a meaningful drop in net score. So VMware has some work to do. But generally, the companies to the left are showing spending momentum in the ETR dataset. And I'll show another view on net score in a moment. But I want to show a chart here that shows replacement spending and decreased spending citations. Notice the yellow. That's the ETR October '19 survey of spending intentions. And the bigger the yellow bar, the more negative. So Sagar, the director of research at ETR, pointed this out to me, that, look at this. There are about a dozen companies where 20%, a fifth of the customer base is decreasing spend or ripping them out heading into the year end. So you can see SonicWall, CA, ArcSight, Symantec, Carbon Black, again, a big negative jump. IBM, same thing. Dell EMC, which is RSA, slight uptick. That's a bit of a concern. So you can see this bifurcation that ETR has been talking about for awhile. Now, here's a really interesting kind of net score. What I'm showing here is the ETR data sorted by net score, again, higher is better, and shared N, which is the number of shared accounts in the survey, essentially the number of mentions in that October survey with 1,336 IT buyers responded. So how many of that 1,300 identified these companies? So essentially it's a proxy for the size of the install base. So showing up on both charts is really good. So look, CrowdStrike has a 62% net score with a 133 shared account. So a fairly sizable install base and a very high net score. Okta, similar. Palo Alto Networks and Splunk, both large, continue to show strength. They got net scores of 44% and 313 shared N. Fortinet shows up in both. Proofpoint. Look at Microsoft and Cisco. With 521 and 385 respectively on the right hand side. So big install bases with very solid net scores. Now look at the flip side. Go down to the bottom right to IBM. 132 shared accounts with a 14.4% net score. That's very low. Check Point similarly. Same with Symantec. Again, bifurcation that ETR has been citing. Really stark in this chart. All right, so I want to wrap. In some respects from a practitioner perspective, the sky erectus is falling. You got increased attack surface. You've got exploding number of IP addresses. You got data distributed all over the place, tool creep. You got sloppy user behavior, overwork security op staff, and a scarcity of skills. And oh, by the way, we're all turning into a digital business, which is all about data. So it's a very, very dangerous time for companies. And it's somewhat chaotic. Now, chaos, of course, can mean cash for cyber security companies and investors. This is still a very vibrant space. So just by the way of comparison and looking at some of the ETR data, check this out. What I'm showing is companies in two sectors, security and storage, which I've said in previous episodes of breaking analysis, storage, and especially traditional storage disk arrays are on the back burner spending wise for many, many shops. This chart shows the number of companies in the ETR dataset with a net score greater than a specific target. So look, security has seven companies with a 49% net score or higher. Storage has one. Security has 18 above 39%. Storage has five. Security has 31 companies in the ETR dataset with a net score higher than 30%. Storage only has nine. And I like to think of 30% as kind of that the point at which you want to be above that 30%. So as you can see, relatively speaking, security is an extremely vibrant space. But in many ways it is broken. Pat Gelsinger called it a do-over and is affecting a strategy to fix it. Personally, I don't think one company can solve this problem. Certainly not VMware, or even AWS, or even Microsoft. It's too complicated, it's moving too fast. It's so lucrative for the bad guys with very low barriers to entry, as I mentioned, and as the saying goes, the good guys have to win every single day. The bad guys, they only have to win once. And those are just impossible odds. So in my view, Brian Lozada, the CISO that we interviewed, nailed it. The focus really has to be on automation. You know, we can't just keep using brute force and throwing tools at the problem. Machine intelligence and analytics are definitely going to be part of the answer. But the reality is AI is still really complicated too. How do you operationalize AI? Talk to companies trying to do that. It's very, very tricky. Talk about lack of skills, that's one area that is a real challenge. So I predict the more things change the more you're going to see this industry remain a game of perpetual whack a mole. There's certainly going to be continued consolidation, and unquestionably M&A is going to be robust in this space. So I would expect to see continued storage in the trade press of breaches. And you're going to hear scare tactics by the vendor community that want to take advantage of the train wrecks. Now, I wish I had better news for practitioners. But frankly, this is great news for investors if they can follow the trends and find the right opportunities. This is Dave Vellante for Cube Insights powered by ETR. Connect with me at David.Vellante@siliconangle.com, or @dvellante on Twitter, or please comment on what you're seeing in the marketplace in my LinkedIn post. Thanks for watching. Thank you for watching this breaking analysis. We'll see you next time. (energetic music)