>>Hello, everyone. Welcome to the AWS startup showcase. This is season two, episode four, the ongoing series covering exciting startups from the AWS ecosystem to talk about cybersecurity. I'm your host, John furrier. And today I'm excited for this keynote presentation and I'm joined by John Ramsey, vice president of AWS security, John, welcome to the cubes coverage of the startup community within AWS. And thanks for this keynote presentation, >>Happy to be here. >>So, John, what do you guys, what do you do at AWS? Take, take minutes to explain your role, cuz it's very comprehensive. We saw at AWS reinforce event recently in Boston, a broad coverage of topics from Steven Schmid CJ, a variety of the executives. What's your role in particular at AWS? >>If you look at AWS, there are, there is a shared security responsibility model and CJ, the C the CSO for AWS is responsible for securing the AWS portion of the shared security responsibility model. Our customers are responsible for securing their part of the shared security responsible, responsible model. For me, I provide services to those customers to help them secure their part of that model. And those services come in different different categories. The first category is threat detection with guard. We that does real time detection and alerting and detective is then used to investigate those alerts to determine if there is an incident vulnerability management, which is inspector, which looks for third party vulnerabilities and security hub, which looks for configuration vulnerabilities and then Macy, which does sensitive data discovery. So I have those sets of services underneath me to help provide, to help customers secure their part of their shared security responsibility model. >>Okay, well, thanks for the call out there. I want to get that out there because I think it's important to note that, you know, everyone talks inside out, outside in customer focus. 80 of us has always been customer focused. We've been covering you guys for a long time, but you do have to secure the core cloud that you provide and you got great infrastructure tools technology down to the, down to the chip level. So that's cool. You're on the customer side. And right now we're seeing from these startups that are serving them. We had interviewed here at the showcase. There's a huge security transformation going on within the security market. It's the plane at 35,000 feet. That's engines being pulled out and rechange, as they say, this is huge. And, and what, what's it take for your, at customers with the enterprises out there that are trying to be more cyber resilient from threats, but also at the same time, protect what they also got. They can't just do a wholesale change overnight. They gotta be, you know, reactive, but proactive. How does it, what, what do they need to do to be resilient? That's the >>Question? Yeah. So, so I, I think it's important to focus on spending your resources. Everyone has constrained security resources and you have to focus those resources in the areas and the ways that reduce the greatest amount of risk. So risk really can be summed up is assets that I have that are most valuable that have a vulnerability that a threat is going to attack in that world. Then you wanna mitigate the threat or mitigate the vulnerability to protect the asset. If you have an asset that's vulnerable, but a threat isn't going to attack, that's less risky, but that changes over time. The threat and vulnerability windows are continuously evolving as threats, developing trade craft as vulnerabilities are being discovered as new software is being released. So it's a continuous picture and it's an adaptive picture where you have to continuously monitor what's happening. You, if you like use the N framework cybersecurity framework, you identify what you have to protect. >>That's the asset parts. Then you have to protect it. That's putting controls in place so that you don't have an incident. Then you from a threat perspective, then you ha to de detect an incident or, or a breach or a, a compromise. And then you respond and then you remediate and you have to continuously do that cycle to be in a position to, to de to have cyber resiliency. And one of the powers of the cloud is if you're building your applications in a cloud native form, you, your ability to respond can be very surgical, which is very important because then you don't introduce risk when you're responding. And by design, the cloud was, is, is architected to be more resilient. So being able to stay cyber resilient in a cloud native architecture is, is important characteristic. >>Yeah. And I think that's, I mean, it sounds so easy. Just identify what's to be protected. You monitor it. You're protected. You remediate sounds easy, but there's a lot of change going on and you got the cloud scale. And so you got security, you got cloud, you guys's a lot of things going on there. How do you think about security and how does the cloud help customers? Because again, there's two things going on. There's a shared responsibility model. And at the end of the day, the customer's responsible on their side. That's right, right. So that's right. Cloud has some tools. How, how do you think about going about security and, and where cloud helps specifically? >>Yeah, so really it's about there, there's a model called observe, orient, decide an actor, the ULO and it was created by John Boyd. He was a fighter pilot in the Korean war. And he knew that if I could observe what the opponent is doing, orient myself to my goals and their goals, make a decision on what the next best action is, and then act, and then follow that UTI loop, or, or also said a sense sense, making, deciding, and acting. If I can do that faster than the, than the enemy, then I can, I will win every fight. So in the cyber world, being in a position where you are observing and that's where cloud can really help you, because you can interrogate the infrastructure, you can look at what's happening, you can build baselines from it. And then you can look at deviations from, from the norm. It's just one way to observe this orient yourself around. Does this represent something that increases risk? If it does, then what's the next best action that I need to take, make that decision and then act. And that's also where the cloud is really powerful, cuz there's this huge con control plane that lets you lets you enable or disable resources or reconfigure resources. And if you're in, in the, in the situation where you can continuously do that very, very rapidly, you can, you can outpace and out maneuver the adversary. >>Yeah. You know, I remember I interviewed Steven Schmidt in 2014 and at that time everybody was poo pooing. Oh man, the cloud is so unsecure. He made a statement to me and we wrote about this. The cloud is more secure and will be more secure because it can be complicated to the hacker, but also easy for the, for provisioning. So he kind of brought up this, this discussion around how cloud would be more secure turns out he's right. He was right now. People are saying, oh, the cloud's more secure than, than standalone. What's different John now than not even going back to 2014, just go back a few years. Cloud is helpful, is more interrogation. You mentioned, this is important. What's, what's changed in the cloud per se in AWS that enables customers and say third parties who are trying to comply and manage risk as well. So you have this shared back and forth. What's different in the cloud now than just a few years ago that that's helping security. >>Yeah. So if you look at the, the parts of the shared responsibility model, AWS is the further up the stack you go from just infrastructure to platforms, say containers up to serverless the, the, we are taking more of the responsibility of that, of that stack. And in the process, we are investing resources and capabilities. For example, guard duty takes an S audit feed for containers to be able to monitor what's happening from a container perspective. And then in server list, really the majority of what, what needs to be defended is, is part of our responsibility model. So that that's an important shift because in that world, we have a very large team in our world. We have a very large team who knows the infrastructure who knows the threat and who knows how to protect customers all the way up to the, to the, to the boundary. And so that, that's a really important consideration. When you think about how you design your design, your applications is you want the developers to focus on the business logic, the business value and let, but still, also the security of the code that they're writing, but let us take over the rest of it so that you don't have to worry about it. >>Great, good, good insight there. I want to get your thoughts too. On another trend here at the showcase, one of the things that's emerging besides the normal threat landscape and the compliance and whatnot is API protection. I mean APIs, that's what made the cloud great. Right? So, you know, and it's not going away, it's only gonna get better cuz we live in an interconnected digital world. So, you know, APIs are gonna be lingual Franko what they say here. Companies just can't sit back and expect third parties complying with cyber regulations and best practices. So how do security and organizations be proactive? Not just on API, it's just a, a signal in my mind of, of, of more connections. So you got shared responsibility, AWS, your customers and your customers, partners and customers of connection points. So we live in an interconnected world. How do security teams and organizations be proactive on the cyber risk management piece? >>Yeah. So when it comes to APIs, the, the thing you look for is the trust boundaries. Where are the trust boundaries in the system between the user and the, in the machine, the machine and another machine on the network, the API is a trust boundary. And it, it is a place where you need to facilitate some kind of some form of control because what you're, what could happen on the trust boundaries, it could be used to, to attack. Like I trust that someone's gonna give me something that is legitimate, but you don't know that that a actually is true. You should assume that the, the one side of the trust boundary is, is malicious and you have to validate it. And by default, make sure that you know, that what you're getting is actually trustworthy and, and valid. So think of an API is just a trust boundary and that whatever you're gonna receive at that boundary is not gonna be legitimate in that you need to validate, validate the contents of, of whatever you receive. >>You know, I was noticing online, I saw my land who runs S3 a us commenting about 10 years anniversary, 10, 10 year birthday of S3, Amazon simple storage service. A lot of the customers are using all their applications with S3 means it's file repository for their application, workflow ingesting literally thousands and trillions of objects from S3 today. You guys have about, I mean, trillions of objects on S3, this is big part of the application workflow. Data security has come up as a big discussion item. You got S3. I mean, forget about the misconfiguration about S3 buckets. That's kind of been reported on beyond that as application workflows, tap into S3 and data becomes the conversation around securing data. How do you talk to customers about that? Because that's also now part of the scaling of these modern cloud native applications, managing data on Preem cross in flight at rest in motion. What's your view on data security, John? >>Yeah. Data security is also a trust boundary. The thing that's going to access the data there, you have to validate it. The challenge with data security is, is customers don't really know where all their data is or even where their sensitive data is. And that continues to be a large problem. That's why we have services like Macy, which are whose job is to find in S3 the data that you need to protect the most because it's because it's sensitive. Getting the least privilege has always been the, the goal when it comes, when it comes to data security. The problem is, is least privilege is really, really hard to, to achieve because there's so many different common nations of roles and accounts and org orgs. And, and so there, there's also another technology called access analyzer that we have that helps customers figure out like this is this the right, if are my intended authorizations, the authorizations I have, are they the ones that are intended for that user? And you have to continuously review that as a, as a means to make sure that you're getting as close to least privilege as you possibly can. >>Well, one of the, the luxuries of having you here on the cube keynote for this showcase is that you also have the internal view at AWS, but also you have the external view with customers. So I have to ask you, as you talk to customers, obviously there's a lot of trends. We're seeing more managed services in areas where there's skill gaps, but teams are also overloaded too. We're hearing stories about security teams, overwhelmed by the solutions that they have to deploy quickly and scale up quickly cost effectively the need for in instrumentation. Sometimes it's intrusive. Sometimes it agentless sensors, OT. I mean, it's getting crazy at re Mars. We saw a bunch of stuff there. This is a reality, the teams aspect of it. Can you share your experiences and observations on how companies are organizing, how they're thinking about team formation, how they're thinking about all these new things coming at them, new environments, new scale choices. What, what do you seeing on, on the customer side relative to security team? Yeah. And their role and relationship to the cloud and, and the technologies. >>Yeah, yeah. A absolutely it. And we have to remember at the end of the day on one end of the wire is a black hat on the other end of the wire is a white hat. And so you need people and, and people are a critical component of being able to defend in the context of security operations alert. Fatigue is absolutely a problem. The, the alerts, the number of alerts, the volume of alerts is, is overwhelming. And so you have to have a means to effectively triage them and get the ones into investigation that, that you think will be the most, the, the most significant going back to the risk equation, you found, you find those alerts and events that are, are the ones that, that could harm you. The most. You'll also one common theme is threat hunting. And the concept behind threat hunting is, is I don't actually wait for an alert I lean in and I'm proactive instead of reactive. >>So I find the system that I at least want the hacker in. I go to that system and I look for any anomalies. I look for anything that might make me think that there is a, that there is a hacker there or a compromise or some unattended consequence. And the reason you do that is because it reduces your dwell time, time between you get compromised to the time detect something, which is you, which might be, you know, months, because there wasn't an alert trigger. So that that's also a very important aspect for, for AWS and our security services. We have a strategy across all of the security services that we call end to end, or how do we move from APIs? Because they're all API driven and security buyers generally not most do not ha have like a development team, like their security operators and they want a solution. And so we're moving more from APIs to outcomes. So how do we stitch all the services together in a way so that the time, the time that an analyst, the SOC analyst spends or someone doing investigation or someone doing incident response is the, is the most important time, most valuable time. And in the process of stitching this all together and helping our customers with alert, fatigue, we'll be doing things that will use sort of inference and machine learning to help prioritize the greatest risk for our customers. >>That's a great, that's a great call out. And that brings up the point of you get the frontline, so to speak and back office, front office kind of approach here. The threats are out there. There's a lot of leaning in, which is a great point. I think that's a good, good comment and insight there. The question I have for you is that everyone's kind of always talks about that, but there's the, the, I won't say boring, the important compliance aspect of things, you know, this has become huge, right? So there's a lot of blocking and tackling that's needed behind the scenes on the compliance side, as well as prevention, right? So can you take us through in your mind how customers are looking at the best strategies for compliance and security, because there's a lot of work you gotta get done and you gotta lay out everything as you mentioned, but compliance specifically to report is also a big thing for >>This. Yeah. Yeah. Compliance is interesting. I suggest taking a security approach to compliance instead of a compliance approach to security. If you're compliant, you may not be secure, but if you're secure, you'll be compliant. And the, the really interesting thing about compliance also is that as soon as something like a, a, a category of control is required in, in some form of compliance, compliance regime, the effectiveness of that control is reduced because the threats go well, I'm gonna presume that they have this control. I'm gonna presume cuz they're compliant. And so now I'm gonna change my tactic to evade the control. So if you only are ever following compliance, you're gonna miss a whole set of tactics that threats have developed because they presume you're compliant and you have those controls in place. So you wanna make sure you have something that's outside of the outside of the realm of compliance, because that's the thing that will trip them up. That's the thing that they're not expecting that threats not expecting and that that's what we'll be able to detect them. >>Yeah. And it almost becomes one of those things where it's his fault, right? So, you know, finger pointing with compliance, you get complacent. I can see that. Can you give an example? Cause I think that's probably something that people are really gonna want to know more about because it's common sense. But can you give an example of security driving compliance? Is there >>Yeah, sure. So there's there they're used just as an example, like multifactor authentication was used everywhere that for, for banks in high risk transactions, in real high risk transactions. And then that like that was a security approach to compliance. Like we said, that's a, that's a high net worth individual. We're gonna give them a token and that's how they're gonna authenticate. And there was no, no, the F F I C didn't say at the time that there needed to be multifactor authentication. And then after a period of time, when account takeover was, was on the rise, the F F I C the federally financial Institute examiner's council, something like that said, we, you need to do multifactor authentication. Multifactor authentication was now on every account. And then the threat went down to, okay, well, we're gonna do man in the browser attacks after the user authenticates, which now is a new tactic in that tactic for those high net worth individuals that had multifactor didn't exist before became commonplace. Yeah. And so that, that, that's a, that's an example of sort of the full life cycle and the important lesson there is that security controls. They have a diminishing halflife of effectiveness. They, they need to be continuous and adaptive or else the value of them is gonna decrease over time. >>Yeah. And I think that's a great call up because agility and speed is a big factor when he's merging threats. It's not a stable, mature hacker market. They're evolving too. All right. Great stuff. I know your time's very valuable, John. I really appreciate you coming on the queue. A couple more questions for you. We have 10 amazing startups here in the, a AWS ecosystem, all private looking grade performance wise, they're all got the kind of the same vibe of they're kind of on something new. They're doing something new and clever and different than what was, what was kind of done 10 years ago. And this is where the cloud advantage is coming in cloud scale. You mentioned that some of those things, data, so you start to see new things emerge. How, how would you talk to CSOs or CXOs that are watching about how to evaluate startups like these they're, they're, they're somewhat, still small relative to some of the bigger players, but they've got unique solutions and they're doing things a little bit differently. How should some, how should CSOs and Steve evaluate them? How can startups work with the CSOs? What's your advice to both the buyer and the startup to, to bring their product to the market. And what's the best way to do that? >>Yeah. So the first thing is when you talk to a CSO, be respected, be respectful of their time like that. Like, they'll appreciate that. I remember when I was very, when I just just started, I went to talk to one of the CISOs as one of the five major banks and he sat me down and he said, and I tried to tell him what I had. And he was like son. And he went through his book and he had, he had 10 of every, one thing that I had. And I realized that, and I, I was grateful for him giving me an explanation. And I said to him, I said, look, I'm sorry. I wasted your time. I will not do that again. I apologize. I, if I can't bring any value, I won't come back. But if I think I can bring you something of value now that I know what I know, please, will you take the meeting? >>He was like, of course. And so be respectful of their time. They know what the problem is. They know what the threat is. You be, be specific about how you're different right now. There is so much confusion in the market about what you do. Like if you're really have something that's differentiated, be very, very specific about it. And don't be afraid of it, like lean into it and explain the value to that. And that, that, that would, would save a, a lot of time and a lot and make the meeting more valuable for the CSO >>And the CISOs. Are they evaluate these startups? How should they look at them? What are some kind of markers that you would say would be good, kind of things to look for size of the team reviews technology, or is it doesn't matter? It's more of a everyone's environment's different. What >>Would your, yeah. And, you know, for me, I, I always look first to the security value. Cause if there isn't security value, nothing else matters. So there's gotta be some security value. Then I tend to look at the management team, quite frankly, what are, what are the, what are their experiences and what, what do they know that that has led them to do something different that is driving security value. And then after that, for me, I tend to look to, is this someone that I can have a long term relationship with? Is this someone that I can, you know, if I have a problem and I call them, are they gonna, you know, do this? Or are they gonna say, yes, we're in, we're in this together, we'll figure it out. And then finally, if, if for AWS, you know, scale is important. So we like to look at, at scale in terms of, is this a solution that I can, that I can, that I can get to, to the scale that I needed at >>Awesome. Awesome. John Ramsey, vice president of security here on the cubes. Keynote. John, thank you for your time. I really appreciate, I know how busy you are with that for the next minute, or so share a little bit of what you're up to. What's on your plate. What are you thinking about as you go out to the marketplace, talk to customers what's on your agenda. What's your talk track, put a plug in for what you're up to. >>Yeah. So for, for the services I have, we, we are, we are absolutely moving. As I mentioned earlier, from APIs to outcomes, we're moving up the stack to be able to defend both containers, as well as, as serverless we're, we're moving out in terms of we wanna get visibility and signal, not just from what we see in AWS, but from other places to inform how do we defend AWS? And then also across, across the N cybersecurity framework in terms of we're doing a lot of, we, we have amazing detection capability and we have this infrastructure that we could respond, do like micro responses to be able to, to interdict the threat. And so me moving across the N cybersecurity framework from detection to respond. >>All right, thanks for your insight and your time sharing in this keynote. We've got great 10 great, amazing startups. Congratulations for all your success at AWS. You guys doing a great job, shared responsibility that the threats are out there. The landscape is changing. The scale's increasing more data tsunamis coming every day, more integration, more interconnected, it's getting more complex. So you guys are doing a lot of great work there. Thanks for your time. Really appreciate >>It. Thank you, John. >>Okay. This is the AWS startup showcase. Season two, episode four of the ongoing series covering the exciting startups coming out of the, a AWS ecosystem. This episode's about cyber security and I'm your host, John furrier. Thanks for watching.

>> Narrator: From the Cosmopolitan Hotel in Las Vegas, Nevada, it's theCUBE, covering Coupa Inspire 2019, brought to you by Coupa. >> Welcome to theCUBE, Lisa Martin on the ground at Coupa Inspire'19 from the Cosmopolitan in Vegas. And I'm pleased to be joined by one of Coupa's spend setters from Highmark Health, Gary Foster, VP of Procurement. Gary, welcome to theCUBE. >> Thank you, it's pleasure to be here. >> So we're here with about 2,300 folks or so I think this is the eighth Coupa Inspire. Lots of energy and excitement this morning in the general session as Rob kicked that off. There is some of the interesting things that I've learned about Coupa in the last short while including this morning was that there's now $1.2 trillion of spend going through being managed by the Coupa platform. Tremendous community of data. And so imperative as the role of Chief Procurement Officer is changing, the CFO is changing. You are a veteran in the procurement industry. Before we talk about Highmark Health, give me a little bit of an overview of some of the things that you've seen change in procurement and where you think we are today in terms of that role being not only very strategic, but very influential to the top line of a business. >> Okay, it's a great question. I have spent a little over three decades in procurement. We've come a long way from back then. There was a lot of carryover from the industrialization era, and post-World War II and Korean War era, et cetera. Where really wasn't even called procurement it was purchasing. And there was a bit of the darling in the manufacturing industry, because that had such a high impact on the cost of goods sold. And as you got into other organizations, it was kind of relegated to a back office function, very transactional, very administrative, very clerical. So it really took someone with a lot of guts and a lot of vision to say we can be more than that. We can provide insights, we can deliver efficient transaction work and free up people to do more advisory type of roles. So I'm pleased to say I experimented with that early on in my procurement career. And that has been the shift that I think is continuing on. The whole buzz around digitization is another enabler to free up the talent that we have, that we can put into providing insights and predictions and becoming true strategy advisors to the business. So when the most recent, I've had for teams that I've taken over to either completely transform or build from the ground up. And this most recent one, I've sort of mashed up a lot of things that I've learned over the past three decades, to try to prepare them for where I believe that the profession is going, where I believe the function is going. Back to your original question. It's really evolved a lot from that back office transactional, just focus on price, a little bit on supply reliability, if it was in manufacturing, to slowly but surely started evolving to, what can you do to help us with some business objectives? And do we trust you with some important strategic initiatives that we need to accomplish as a company or in my business? >> Right, so it sounds like early on that you had this awareness of, there's pockets, there's silos of spend and purchasing happening there that we don't have the visibility into, 'cause we're talking a lot about that today with, that's what today's CPO and CFO really need is that visibility and control. >> Gary: Right. >> Especially as all of these forcing functions or disruptors happen, the more regulatory requirements or companies growing organically or inorganically. And suddenly, there's many, many areas within a business that are buying and spending. >> Right. >> And if they don't have that awareness and visibility into it, not only is it obviously, it's a cost issue, but one of your points to the resource utilization perspective. There's a lot of opportunities miss. So it sounds like you kind of saw that early on in your career, that there are things going on, we need to get visibility into all of this. >> Yes, yes. And it's, that's probably the, that's one of the foundational building blocks is to get a good handle on where's the money going. So the financial side of the house understands it from their journal entries and from their cost centers. But procurement, really great world class procurement, brings a different lens that the business doesn't think of. And that the financial industry, financial segment of the business doesn't think of. So that's, but you're really kind of a chicken and egg thing, you can't really provide the insights, if you don't have your hands on the information. And the information is got to be usable, right? Data versus information-- >> Absolutely. >> Quandary. That's very much the case with procurement. But you can't get bogged down and going for perfection, because then you'll just, analysis paralysis. You won't get out of that cycle and you'll never be able to provide. So you have to know, you have to have a gut feel that this is enough, this is directionally correct. Let's take this to the next level. Let's start moving with, here are the patterns that we see, here's what we think is happening, here's where we think there are issues, right? So those are, I think, are some of the foundational pieces to the spend analysis question. >> So talk to us a little bit about Highmark Health. What you're doing there and how you guys are really focused on changing America's approach to healthcare? Which I think would be welcomed by a lot of people, by the way. >> (chuckles) Yes, we have a very, very ambitious goal. We believe we can be a catalyst to change healthcare in America. >> Lisa: How so? >> Well, first of all, we think that the model was wrong. If you think about the way that the healthcare industry has grown up in the US, you went to a hospital because you were either sick or injured. You had to go to those locations. You had to follow those procedures. You had to fill out those forms. You had to, you went to where the care was, and you had to bend to your schedule to whatever was available, right? We've all experienced trying to get an appointment with a doctor, and it's four months out, right? So we're doing, this was a year and a half ago, we introduced same-day appointments. So we have both a hospital system and an insurance company. So we can see the whole value chain-- >> Lisa: Okay. >> Through the healthcare experience. And one of the fundamentals that we're doing is, we're trying to bring a retail mindset to healthcare. >> Where the wellness comes to- >> You, as opposed to you having to go somewhere to access your health or to get connected with experts that can advise you or for checkups, et cetera. You're wearing an Apple Watch, that's only one of those Fitbits, et cetera. There's a multitude of wearables that are coming. The combination of IoT, and healthcare and big data is intersecting at a rapid rate where we will be, we are already able to look at millions of records, of chart information about patterns of diagnoses. And we know that the data tells us that if we can get people to engage in their health and make small changes, and just learn more, be educated and learn more about how, we know that the long-term costs of their healthcare will go down. So we are looking to partner, obviously, can't do this all on our own. >> Right. >> So this is not a David and Goliath kind of a thing. So we're looking actively to partner with breaking company, lead companies and breaking technology companies to be partners with us on this journey of how do we bring health to people and help improve their health, lower their disease rates, provide a better quality of life, lower their cost of health care, lower all the complications, you can see the graphs, right? It all runs, as you get as you get older, if you don't take care of yourself. >> Lisa: Right. >> The complications of healthcare issues just go exponentially up. And we know we can bend that curve down if we can transform the way that health is thought of and delivered to people in the country. >> Well, I'm already signed, you got me. So talk to me, though, about from a technology perspective. If we think about all the emerging technologies, you mentioned IoT, millions and millions of devices, we are sometimes overly connected. >> Gary: Yes. >> What is the opportunity that Highmark is working on with Coupa to be able to start changing that mindset and bringing that retail model to healthcare? How are they hoping to ignite that? >> Well, it's not on a direct connection with Coupa. Coupa is our procuring platform. So it enables us to provide efficient transactions and we get data insights. Coupa is very much an enabler for us in this process. What I would say is, and this goes back to the evolution of procurement as a profession, by having Coupa and other technologies at the fingertips of my team, it frees them to immerse themselves into their clients' business as well as their categories. So if they're, if I have someone who's a category manager of digital marketing, they can immerse themselves into that, and they can work that, my folks go, they attend senior level staff meetings, they have one on ones with executive VPs, they co-locate with the client on a regular basis. We really immerse ourselves into it. What Coupa is doing is it's allowing us to spend less time on transactions and process, and more time learning the business, more time understanding the industries that they operate in, looking for innovation, and bringing those innovative partners to the business that wouldn't necessarily have happened on its own. We have this incredible network, particularly if we have people that really, really have a passion for procurement, and really have a passion for being intimate with the customer. I know it's an overused phrase, but the trusted advisor status is definitely where we should be. That's an, the Coupa org, the Coupa platform, and tools enable my team to have, to bring those insights and those opportunities to the business. And we've gotten tremendous accolades from the CEO through the entire C-suite, about the level of business partnership that the procurement organization has, with all of the various areas of the Highmark organization. >> So you have this visibility now that you didn't have before with Coupa? >> Yeah. >> This control. Sounds like your resources and different parts of the organization are much better able to use their time to be strategic on other projects and to really start bringing that retail experience out there. Coupa kind of as, you mentioned, as an enabler is really foundational to that. I know you've actually won some awards. I think, Rob Bernstein actually mentioned this on stage this morning that you took top honors at the Procurement Leaders, Inaugural America's Procurement Awards. >> Gary: Yes. >> You've also been recognized as a Procurement Leader of the Year for transforming Highmark Health. What I love about the story is that showing how procurement, not only has it transitioned tremendously to be very strategic, but you're helping to transform an industry by getting this visibility on everywhere, where there's spend there, that operationally, Highmark Health seems to have a big leg up. >> Yes, yeah. No one could be everywhere at once. And if we can earn that trust, then the people in the business who are hired to play certain roles, strategy, development, or whatever, if they're, if they will, let us help them with our expertise, they can spend, they're more effective in their role. >> Right. >> Because they're not doing procurement work. They're not talking to suppliers. They're not negotiating deals. They're not looking, then let us provide that service, that professional service to them, really, as a consultant, as an advisor, and bring companies that, the more we get in depth into understanding the industries that we're buying in, the more we're learning about emerging companies. Who are the innovators? Who are the disruptors? Bringing those organizations because we're studying that in our markets, to our business partner, and making that introduction, which sparks an idea, which sparks an opportunity for the two to work together collaboratively on something new, or to resolve an issue that has not been addressed and no one found an answer to in the past. >> Well, you've put this really strong foundation in place that not only gives you the visibility and control, but it's going to allow Highmark Health on this ambitious goal, as you mentioned, about bringing wellness to us. And of course, there's the whole, there's the human in the way. So maybe tomorrow, Deepak Chopra, who's keynoting, will be able to give you guys some insight into how to help these people. And it's all of us people, right? Really embrace mindfulness, to be able to focus more on our passions. But what you guys are doing to transform healthcare is really inspirational so Gary, thank you-- >> Thank you very much. >> For joining me on theCUBE today. >> It was a pleasure. >> Likewise. For Gary Foster, I'm Lisa Martin. You're watching theCUBE from Coupa Inspire'19. Thanks for watching. (upbeat music)

>> Live from Washington, DC, it's theCUBE, covering AWS Public Sector Summit. Brought to you by Amazon Web Services. >> Welcome back everyone to theCUBE's live coverage of the AWS Public Sector Summit, here in our nation's capital. I'm your host, Rebecca Knight, co-hosting with John Furrier. We have two guests for this segment, we have George Gagne, he is the Chief Information Officer at Defense POW/MIA Accounting Agency. Welcome, George. And we have Christopher McDermott, who is the CDO of the POW/MIA Accounting Agency. Welcome, Chris. >> Thank you. >> Thank you both so much for coming on the show. >> Thank you. >> So, I want to start with you George, why don't you tell our viewers a little bit about the POW/MIA Accounting Agency. >> Sure, so the mission has been around for decades actually. In 2015, Secretary of Defense, Hagel, looked at the accounting community as a whole and for efficiency gains made decision to consolidate some of the accounting community into a single organization. And they took the former JPAC, which was a direct reporting unit to PACOM out of Hawaii, which was the operational arm of the accounting community, responsible for research, investigation, recovery and identification. They took that organization, they looked at the policy portion of the organization, which is here in Crystal City, DPMO and then they took another part of the organization, our Life Sciences Support Equipment laboratory in Dayton, Ohio, and consolidated that to make the defense POW/MIA Accounting Agency, Under the Office of Secretary Defense for Policy. So that was step one. Our mission is the fullest possible accounting of missing U.S. personnel to their families and to our nation. That's our mission, we have approximately 82,000 Americans missing from our past conflicts, our service members from World War II, Korea War, Korea, Vietnam and the Cold War. When you look at the demographics of that, we have approximately 1,600 still missing from the Vietnam conflict. We have just over a 100 still missing from the Cold War conflict. We have approximately 7,700 still missing from the Korean War and the remainder of are from World War II. So, you know, one of the challenges when our organization was first formed, was we had three different organizations all had different reporting chains, they had their own cultures, disparate cultures, disparate systems, disparate processes, and step one of that was to get everybody on the same backbone and the same network. Step two to that, was to look at all those on-prem legacy systems that we had across our environment and look at the consolidation of that. And because our organization is so geographically dispersed, I just mentioned three, we also have a laboratory in Offutt, Nebraska. We have detachments in Southeast Asia, Thailand, Vietnam, Laos, and we have a detachment in Germany. And we're highly mobile. We conduct about, this year we're planned to do 84 missions around the world, 34 countries. And those missions last 30 to 45 day increments. So highly mobile, very globally diverse organization. So when we looked at that environment obviously we knew the first step after we got everybody on one network was to look to cloud architectures and models in order to be able to communicate, coordinate, and collaborate, so we developed a case management system that consist of a business intelligence software along with some enterprise content software coupled with some forensics software for our laboratory staff that make up what we call our case management system that cloud hosted. >> So business challenges, the consolidation, the reset or set-up for the mission, but then the data types, it's a different kind of data problem to work, to achieve the outcomes you're looking for. Christopher, talk about that dynamic because, >> Sure. >> You know, there are historical different types of data. >> That's right. And a lot of our data started as IBM punchcards or it started from, you know, paper files. When I started the work, we were still looking things up on microfiche and microfilm, so we've been working on an aggressive program to get all that kind of data digitized, but then we have to make it accessible. And we had, you know as George was saying, multiple different organizations doing similar work. So you had a lot of duplication of the same information, but kept in different structures, searchable in different pathways. So we have to bring all of that together and make and make it accessible, so that the government can all be on the same page. Because again, as George said, there's a large number of cases that we potentially can work on, but we have to be able to triage that down to the ones that have the best opportunity for us to use our current methods to solve. So rather than look for all 82,000 at once, we want to be able to navigate through that data and find the cases that have the most likelihood of success. >> So where do you even begin? What's the data that you're looking at? What have you seen has had the best indicators for success, of finding those people who are prisoners of war or missing in action? >> Well, you know, for some degrees as George was saying, our missions has been going on for decades. So, you know, a lot of the files that we're working from today were created at the time of the incidents. For the Vietnam cases, we have a lot of continuity. So we're still working on the leads that the strongest out of that set. And we still send multiple teams a year into Vietnam and Laos, Cambodia. And that's where, you know, you try to build upon the previous investigations, but that's also where if those investigations were done in the '70s or the '80s we have to then surface what's actionable out of that information, which pathways have we trod that didn't pay off. So a lot of it is, What can we reanalyze today? What new techniques can we bring? Can we bring in, you know, remote sensing data? Can we bring GIS applications to analyze where's the best scenario for resolving these cases after all this time? >> I mean, it's interesting one of the things we hear from the Amazon, we've done so many interviews with Amazon executives, we've kind of know their messaging. So here's one of them, "Eliminate the undifferentiated heavy lifting." You hear that a lot right. So there might be a lot of that here and then Teresa had a slide up today talking about COBOL and mainframe, talk about punch cards >> Absolutely. >> So you have a lot of data that's different types older data. So it's a true digitization project that you got to enable as well as other complexity. >> Absolutely, when the agency was formed in 2015 we really begin the process of an information modernization effort across the organization. Because like I said, these were legacy on-prem systems that were their systems' of record that had specific ways and didn't really have the ability to share the data, collaborate, coordinate, and communicate. So, it was a heavy lift across the board getting everyone on one backbone. But then going through an agency information modernization evolution, if you will, that we're still working our way through, because we're so mobilely diversified as well, our field communications capability and reach back and into the cloud and being able to access that data from geographical locations around the world, whether it's in the Himalayas, whether it's in Vietnam, whether it's in Papua New Guinea, wherever we may be. Not just our fixed locations. >> George and Christopher, if you each could comment for our audience, I would love to get this on record as you guys are really doing a great modernization project. Talk about, if you each could talk about key learnings and it could be from scar tissue. It could be from pain and suffering to an epiphany or some breakthrough. What was some of the key learnings as you when through the modernization? Could you share some from a CIO perspective and from a CDO perspective? >> Well, I'll give you a couple takeaways of what I thought I think we did well and some areas I thought that we could have done better. And for us as we looked at building our case management system, I think step one of defining our problem statement, it was years in planning before we actually took steps to actually start building out our infrastructure in the Amazon Cloud, or our applications. But building and defining that problem statement, we took some time to really take a look at that, because of the different in cultures from the disparate organizations and our processes and so on and so forth. Defining that problem statement was critical to our success and moving forward. I'd say one of the areas that I say that we could have done better is probably associated with communication and stakeholder buy-in. Because we are so geographically dispersed and highly mobile, getting the word out to everybody and all those geographically locations and all those time zones with our workforce that's out in the field a lot at 30 to 45 days at a time, three or four missions a year, sometimes more. It certainly made it difficult to get part of that get that messaging out with some of that stakeholder buy-in. And I think probably moving forward and we still deal regarding challenges is data hygiene. And that's for us, something else we did really well was we established this CDO role within our organization, because it's no longer about the systems that are used to process and store the data. It's really about the data. And who better to know the data but our data owners, not custodians and our chief data officer and our data governance council that was established. >> Christopher you're learnings, takeaways? >> What we're trying to build upon is, you define your problem statement, but the pathway there is you have to get results in front of the end users. You have get them to the people who are doing the work, so you can keep guiding it toward the solution actually meets all the needs, as well as build something that can innovate continuously over time. Because the technology space is changing so quickly and dynamically that the more we can surface our problem set, the more help we can to help find ways to navigate through that. >> So one of the things you said is that you're using data to look at the past. Whereas, so many of the guests we're talking today and so many of the people here at this summit are talking about using data to predict the future. Are you able to look your data sets from the past and then also sort of say, And then this is how we can prevent more POW. Are you using, are you thinking at all, are you looking at the future at all with you data? >> I mean, certainly especially from our laboratory science perspective, we have have probably the most advanced human identification capability in the world. >> Right. >> And recovery. And so all of those lessons really go a long ways to what what information needs to be accessible and actionable for us to be able to, recover individuals in those circumstances and make those identifications as quickly as possible. At the same time the cases that we're working on are the hardest ones. >> Right. >> The ones that are still left. But each success that we have teaches us something that can then be applied going forward. >> What is the human side of your job? Because here you are, these two wonky data number crunchers and yet, you are these are people who died fighting for their country. How do you manage those two, really two important parts of your job and how do you think about that? >> Yeah, I will say that it does amp up the emotional quotient of our agency and everybody really feels passionately about all the work that they do. About 10 times a year our agency meets with family members of the missing at different locations around the country. And those are really powerful reminders of why we're doing this. And you do get a lot of gratitude, but at the same time each case that's waiting still that's the one that matters to them. And you see that in the passion our agency brings to the data questions and quickly they want us to progress. It's never fast enough. There's always another case to pursue. So that definitely adds a lot to it, but it is very meaningful when we can help tell that story. And even for a case where we may never have the answers, being able to say, "This is what the government knows about your case and these are efforts that have been undertaken to this point." >> The fact there's an effort going on is really a wonderful thing for everybody involved. Good outcomes coming out from that. But interesting angle as a techy, IT, former IT techy back in the day in the '80s, '90s, I can't help but marvel at your perspective on your project because you're historians in a way too. You've got type punch cards, you know you got, I never used punch cards. >> Put them in a museum. >> I was the first generation post punch cards, but you have a historical view of IT state of the art at the time of the data you're working with. You have to make that data actionable in an outcome scenario workload work-stream for today. >> Yeah, another example we have is we're reclaiming chest X-rays that they did for induction when guys were which would screen for tuberculosis when they came into service. We're able to use those X-rays now for comparison with the remains that are recovered from the field. >> So you guys are really digging into history of IT. >> Yeah. >> So I'd love to get your perspective. To me, I marvel and I've always been critical of Washington's slowness with respect to cloud, but seeing you catch up now with the tailwinds here with cloud and Amazon and now Microsoft coming in with AI. You kind of see the visibility that leads to value. As you look back at the industry of federal, state, and local governments in public over the years, what's your view of the current state of union of modernization, because it seems to be a renaissance? >> Yeah, I would say the analogy I would give you it's same as that of the industrial revolutions went through in the early 20th century, but it's more about the technology revolution that we're going through now. That's how I'd probably characterize it. If I were to look back and tell my children's children about, hey, the advent of technology and that progression of where we're at. Cloud architecture certainly take down geographical barriers that before were problems for us. Now we're able to overcome those. We can't overcome the timezone barriers, but certainly the geographical barriers of separation of an organization with cloud computing has certainly changed. >> Do you see your peers within the government sector, other agencies, kind of catching wind of this going, Wow, I could really change the game. And will it be a step function into your kind of mind as you kind of have to project kind of forward where we are. Is it going to a small improvement, a step function? What do you guys see? What's the sentiment around town? >> I'm from Hawaii, so Chris probably has a better perspective of that with some of our sister organizations here in town. But, I would say there's more and more organizations that are adopting cloud architectures. It's my understanding very few organizations now are co-located in one facility and one location, right. Take a look at telework today, cost of doing business, remote accessibility regardless of where you're at. So, I'd say it's a force multiplier by far for any line of business, whether it's public sector, federal government or whatever. It's certainly enhanced our capabilities and it's a force multiplier for us. >> And I think that's where the expectation increasingly is that the data should be available and I should be able to act on it wherever I am whenever the the opportunity arises. And that's where the more we can democratize our ability to get that data out to our partners to our teams in the field, the faster those answers can come through. And the faster we can make decisions based upon the information we have, not just the process that we follow. >> And it feeds the creativity and the work product of the actors involved. Getting the data out there versus hoarding it, wall guarding it, asylumming it. >> Right, yeah. You know, becoming the lone expert on this sack of paper in the filing cabinet, doesn't have as much power as getting that data accessible to a much broader squad and everyone can contribute. >> We're doing our part. >> That's right, it's open sourcing it right here. >> To your point, death by PowerPoint. I'm sure you've heard that before. Well business intelligence software now by the click of a button reduces the level of effort for man-power and resources to put together slide decks. Where in business intelligence software can reach out to those structured data platforms and pull out the data that you want at the click of a button and build those presentations for you on the fly. Think about, I mean, if that's our force multiplier in advances in technology of. I think the biggest thing is we understand as humans how to exploit and leverage the technologies and the capabilities. Because I still don't think we fully grasp the potential of technology and how it can be leveraged to empower us. >> That's great insight and really respect what you guys do. Love your mission. Thanks for sharing. >> Yeah, thanks so much for coming on the show. >> Thank you for having us. >> I'm Rebecca Knight for John Ferrer. We will have much more coming up tomorrow on the AWS Public Sector Summit here in Washington, DC. (upbeat music)