Search Results for Lemonade:

Avi Shua, Orca Security | CUBE Conversation May 2021


 

(calm music) - Hello, and welcome to this CUBE conversation here in Palo Alto, California in theCUBE Studios, I'm John Furrier, host of theCUBE. We are here with the hot startup really working on some real, super important security technology for the cloud, great company, Orca Security, Avi Shua, CEO, and co-founder. Avi, thank you for coming on theCUBE and share your story. >> Thanks for having me. >> So one of the biggest problems that enterprises and large scale, people who are going to the cloud and are in the cloud and are evolving with cloud native, have realized that the pace of change and the scale is a benefit to the organizations for the security teams, and getting that security equation, right, is always challenging, and it's changing. You guys have a solution for that, I really want to hear what you guys are doing. I like what you're talking about. I like what you're thinking about, and you have some potentially new technologies. Let's get into it. So before we get started, talk about what is Orca Security, what do you guys do? What problem do you solve? >> So what we invented in Orca, is a unique technology called SideScanning, that essentially enables us to connect to any cloud environment in a way which is as simple as installing a smartphone application and getting a full stack visibility of your security posture, meaning seeing all of the risk, whether it's vulnerability, misconfiguration, lateral movement risk, work that already been compromised, and more and more, literally in minutes without deploying any agent, without running any network scanners, literally with no change. And while it sounds to many of us like it can't happen, it's snake oil, it's simply because we are so used to on premise environment where it simply wasn't possible in physical server, but it is possible in the cloud. >> Yeah, and you know, we've had many (indistinct) on theCUBE over the years.
One (indistinct) told us that, and this is a direct quote, I'll find the clip and share it on Twitter, but he said, "The cloud is more secure than on premise, because it's more changes going on." And I asked him, "Okay, how'd you do?" He says, "It's hard, you got to stay on top of it." A lot of people go to the cloud, and they see some security benefits with the scale. But there are gaps. You guys are building something that solves those gaps, those blind spots, because of things are always changing, you're adding more services, sometimes you're integrating, you now have containers that could have, for instance, you know, malware on it, gets introduced into a cluster, all kinds of things can go on in a cloud environment, that was fine yesterday, you could have a production cluster that's infected. So you have all of these new things. How do you figure out the gaps and the blind spots? That's what you guys do, I believe, what are the gaps in cloud security? Share with us. >> So definitely, you're completely correct. You know, I totally agree the cloud can be dramatically more secluded on-prem. At the end of the day, unlike an on-prem data center, where someone can plug a new firewall, plug a new switch, change things. And if you don't instrument, it won't see what's inside. This is not possible in the cloud. In the cloud it's all code. It's all running on one infrastructure that can be used for the instrumentation. On the other hand, the cloud enabled businesses to act dramatically faster, by say dramatically, we're talking about order of magnitude faster, you can create new networks in matter of minutes, workloads can come and go within seconds. And this creates a lot of changes that simply haven't happened before. And it involves a lot of challenges, also from security instrumentation point of view.
And you cannot use the same methodologies that you used for the on-prem because if you use them, you're going to lose, they were a compromise, that worked for certain physics, certain set of constraints that no longer apply. And our thesis is that essentially, you need to use the capabilities of the cloud itself, for the instrumentation of everything that can runs on the cloud. And when you do that, by definition, you have full coverage, because if it's run on the cloud, it can be instrumented on cloud, this essentially what Docker does. And you're able to have this full visibility for all of the risks and the importance because all of them, essentially filter workload, which we're able to analyze. >> What are some of the blind spots in the public cloud, for instance. I mean, that you guys are seeing that you guys point out or see with the software and the services that you guys have. >> So the most common ones are the things that we have seen in the last decades. I don't think they are materially different simply on steroids. We see things, services that are launched, nobody maintained for years, using things like improper segmentation, that everyone have permission to access everything. And therefore if one environment is breached, everything is breached. We see organization where something goes dramatically hardened. So people find a way to a very common thing is that, and now ever talks about CIM and the tightening their permission and making sure that every workload have only the capabilities that they need. But sometimes developers are a bit lazy. So they'll walk by that, but also have keys that are stored that can bypass the entire mechanism that, again, everyone can do everything on any environment. 
So at the end of the day, I think that the most common thing is the standard aging issues, making sure that your environment is patched, it's finger tightened, there is no alternative ways to go to the environment, at scale, because the end of the day, they are destined for security professional, you need to secure everything that they can just need to find one thing that was missed. >> And you guys provide that visibility into the cloud. So to identify those. >> Exactly. I think one of the top reasons that we implemented Orca using (indistinct) technology that I've invented, is essentially because it guarantees coverage. For the first time, we can guarantee you that if you scan it, that way, we'll see every instance, every workload, every container, because of its running, is a native workload, whether it's a Kubernetes, whether it's a service function, we see it all because we don't rely on any (indistinct) integration, we don't rely on friction within the organization. So many times in my career, I've been in discussion with customer that has been breached. And when we get to the core of the issue, it was, you couldn't, you haven't installed that agent, you haven't configured that firewall, the IPS was not up to date. So the protections weren't applied. So this is technically true, but it doesn't solve the customer problem, which is, I need the security to be applied to all of my environment, and I can't rely on people to do manual processes, because they will fail. >> Yeah, yeah. I mean, it's you can't get everything now and the velocity, the volume of activity. So let me just get this right, you guys are scanning container. So the risk I hear a lot is, you know, with Kubernetes, in containers is, a fully secure cluster could have a container come in with malware, and penetrate. And even if it's air gapped, it's still there. So problematic, you would scan that? Is that how it would work? 
>> So yes, but so for nothing but we are not scanning only containers, the essence of Orca is scanning the cloud environment holistically. We scan your cloud configuration, we scan your Kubernetes configuration, we scan your Dockers, the containers that run on top of them, we scan the images that are installed and we scan the permission that these images are one, and most importantly, we combined these data points. So it's not like you buy one solution that look to AWS configuration, is different solution that locate your virtual machines at one cluster, another one that looks at your cluster configuration. Another one that look at a web server and one that look at identity. And then you have resolved from five different tools that each one of them claims that this is the most important issue. But in fact, you need to infuse the data and understand yourself what is the most important items or they're correlated. We do it in an holistic way. And at the end of the day, security is more about thinking case graphs is vectors, rather than list. So it is to tell you something like this is a container, which is vulnerable, it has permission to access your sensitive data, it's running on a pod that is indirectly connected to the internet to this load balancer, which is exposed. So this is an attack vector that can be utilized, which is just a tool that to say you have a vulnerable containers, but you might have hundreds, where 99% of them are not exposed. >> Got it, so it's really more logical, common sense vectoring versus the old way, which was based on perimeter based control points, right? So is that what I get? is that right is that you're looking at it like okay, a whole new view of it. Not necessarily old way. Is that right? >> Yes, it is right, we are looking at as one problem that is entered in one tool that have one unified data model. And on top of that, one scanning technology that can provide all the necessary data. 
We are not a tool that say install vulnerability scanner, install identity access management tools and infuse all of the data to Orca will make sense, and if you haven't installed the tools to you, it's not our problem. We are scanning your environment, all of your containers, virtual machine serverless function, cloud configuration using guard technology. When standard risk we put them in a graph and essentially what is the attack vectors that matter for you? >> The sounds like a very promising value proposition. if I've workloads, production workloads, certainly in the cloud and someone comes to me and says you could have essentially a holistic view of your security posture at any given point in that state of operations. I'm going to look at it. So I'm compelled by it. Now tell me how it works. Is there overhead involved? What's the cost to, (indistinct) Australian dollars, but you can (indistinct) share the price to would be great. But like, I'm more thinking of me as a customer. What do I have to do? What operational things, what set up? What's my cost operationally, and is there overhead to performance? >> You won't believe me, but it's almost zero. Deploying Orca is literally three clicks, you just go log into the application, you give it the permission to read only permission to the environment. And it does the rest, it doesn't run a single awkward in the environment, it doesn't send a single packet. It doesn't create any overhead we have within our public customer list companies with a very critical workloads, which are time sensitive, I can quote some names companies like Databricks, Robinhood, Unity, SiteSense, Lemonade, and many others that have critical workloads that have deployed it for all of the environment in a very quick manner with zero interruption to the business continuity. And then focusing on that, because at the end of the day, in large organization, friction is the number one thing that kills security. 
You want to deploy your security tool, you need to talk with the team, the team says, okay, we need to check it doesn't affect the environment, let's schedule it in six months, in six months is something more urgent then times flybys and think of security team in a large enterprise that needs to coordinate with 500 teams, and make sure it's deployed, it can't work, Because we can guarantee, we do it because we leverage the native cloud capabilities, there will be zero impact. This allows to have the coverage and find these really weak spot nobody's been looking at. >> Yeah, I mean, this having the technology you have is also good, but the security teams are burning out. And this is brings up the cultural issue we were talking before we came on camera around the cultural impact of the security assessment kind of roles and responsibilities inside companies. Could you share your thoughts on this because this is a real dynamic, the people involved as a people process technology, the classic, you know, things that are impacted with digital transformation. But really the cultural impact of how developers push code, the business drivers, how the security teams get involved. And sometimes it's about the security teams are not under the CIO or under these different groups, all kinds of impacts to how the security team behaves in context to how code gets shipped. What's your vision and view on the cultural impact of security in the cloud. >> So, in fact, many times when people say that the cloud is not secure, I say that the culture that came with the cloud, sometimes drive us to non secure processes, or less secure processes. If you think about that, only a decade ago, if an organization could deliver a new service in a year, it would be an amazing achievement, from design to deliver. Now, if an organization cannot ship it, within weeks, it's considered a failure. And this is natural, something that was enabled by the cloud and by the technologies that came with the cloud. 
But it also created a situation where security teams that used to be some kind of a checkpoint in the way are no longer in that position. They're in one end responsible to audit and make sure that things are acting as they should. But on the other end, things happen without involvement. And this is a very, very tough place to be, nobody wants to be the one that tells the business you can't move as fast as you want. Because the business want to move fast. So this is essentially the friction that exists whether can we move fast? And how can we move fast without breaking things, and without breaking critical security requirements. So I believe that security is always about a triode, of educate, there's nothing better than educate about putting the guardrails to make sure that people cannot make mistakes, but also verify an audit because there will be failures in even if you educate, even if you put guardrails, things won't work as needed. And essentially, our position within this, triode is to audit, to verify to empower the security teams to see exactly what's happening, and this is an enabler for a discussion. Because if you see what are the risks, the fact that you have, you know, you have this environment that hasn't been patched for a decade with the password one to six, it's a different case, then I need you to look at this environment because I'm concerned that I haven't reviewed it in a year. >> That's exactly a great comment. You mentioned friction kills innovation earlier. This is one friction point that mismatch off cadence between ownership of process, business owners goals of shipping fast, security teams wanting to be secure. And developers just want to write code faster too. So productivity, burnout, innovation all are a factor in cloud security. What can a company do to get involved? You mentioned easy to deploy. How do I work with Orca? You guys are just, is it a freemium? What is the business model? 
How do I engage with you if I'm interested in deploying? >> So one thing that I really love about the way that we work is that you don't need to trust a single word I said, you can get a free trial of Orca at website orca.security, one a scan on your cloud environment, and see for yourself, whether there are critical ways that were overlooked, whether everything is said and there is no need for a tool or whether they some areas that are neglected and can be acted at any given moment (indistinct) been breached. We are not a freemium but we offer free trials. And I'm also a big believer in simplicity and pricing, we just price by the average number workload that you have, you don't need to read a long formula to understand the pricing. >> Reducing friction, it's a very ethos sounds like you guys have a good vision on making things easy and frictionless and sets that what we want. So maybe I should ask you a question. So I want to get your thoughts because a lot of conversations in the industry around shifting left. And that's certainly makes a lot of sense. Which controls insecurity do you want to shift left and which ones you want to shift right? >> So let me put it at, I've been in this industry for more than two decades. And like any industry every one's involved, there is a trend and of something which is super valuable. But some people believe that this is the only thing that you need to do. And if you know Gartner Hype Cycle, at the beginning, every technology is (indistinct) of that. And we believe that this can do everything and then it reaches (indistinct) productivity of the area of the value that it provides. Now, I believe that shifting left is similar to that, of course, you want to shift left as much as possible, you want things to be secure as they go out of the production line. 
This doesn't mean that you don't need to audit what's actually warning, because everything you know, I can quote, Amazon CTO, Werner Vogels about everything that can take will break, everything fails all the time. You need to assume that everything will fail all the time, including all of the controls that you baked in. So you need to bake as much as possible early on, and audit what's actually happening in your environment to find the gaps, because this is the responsibility of security teams. Now, just checking everything after the fact, of course, it's a bad idea. But only investing in shifting left and education have no controls of what's actually happening is a bad idea as well. >> A lot of people, first of all, great call out there. I totally agree, shift left as much as possible, but also get the infrastructure and your foundational data strategies, right and when you're watching and auditing. I have to ask you the next question on the context of the data, right, because you could audit all day long, all night long. But you're going to have a pile of needles looking for haystack of needles, as they say, and you got to have context. And you got to understand when things can be jumped on. You can have alert fatigue, for instance, you don't know what to look at, you can have too much data. So how do you manage the difference between making the developers productive in the shift left more with the shift right auditing? What's the context and (indistinct)? How do you guys talk about that? Because I can imagine, yeah, it makes sense. But I want to get the right alert at the right time when it matters the most. >> We look at risk as a combination of three things. Risk is not only how pickable the lock is. If I'll come to your office and will tell you that you have security issue, is that they cleaning, (indistinct) that lock can be easily picked. You'll laugh at me, technically, it might be the most pickable lock in your environment. 
But you don't care because the exposure is limited, you need to get to the office, and there's nothing valuable inside. So I believe that we always need to take, to look at risk as the exposure, who can reach that lock, how easily pickable this lock is, and what's inside, is at your critical plan tools, is it keys that can open another lock that includes this plan tools or just nothing. And when you take this into context, and the one wonderful thing about the cloud, is that for the first time in the history of computing, the data that is necessary to understand the exposure and the impact is in the same place where you can understand also the risk of the locks. You can make a very concise decision of easily (indistinct) that makes sense. That is a critical attack vector, that is a (indistinct) critical vulnerability that is exposed, it is an exposed service and the service have keys that can download all of my data, or maybe it's an internal service, but the port is blocked, and it just have a default web server behind it. And when you take that, you can literally quantize 0.1% of the alert, even less than that, that can be actually exploited versus device that might have the same severity scores or sound is critical, but don't have a risk in terms of exposure or business impact. >> So this is why context matters. I want to just connect what you said earlier and see if I get this right. What you just said about the lock being picked, what's behind the door can be more keys. I mean, they're all there and the thieves know, (indistinct) bad guys know exactly what these vectors are. And they're attacking them. But the context is critical. 
But now that's what you were getting at before by saying there's no friction or overhead, because the old way was, you know, send probes out there, send people out in the network, send packers to go look at things which actually will clutter the traffic up or, you know, look for patterns, that's reliant on footsteps or whatever metaphor you want to use. You don't do that, because you just wire up the map. And then you put context to things that have weights, I'm imagining graph technologies involved or machine learning. Is that right? Am I getting that kind of conceptually, right, that you guys are laying it out holistically and saying, that's a lock that can be picked, but no one really cares. So no one's going to pick and if they do, there's no consequence, therefore move on and focus energy. Is that kind of getting it right? Can you correct me where I got that off or wrong? >> So you got it completely right. On one end, we do the agentless deep assessment to understand your workloads, your virtual machine or container, your apps and service that exists with them. And using the SideScanning technology that some people you know, call the MRI for the cloud. And we build the map to understand what are connected to the security groups, the load balancer, the keys that they hold, what these keys open, and we use this graph to essentially understand the risk. Now we have a graph that includes risk and exposure and trust. And we use this graph to prioritize detect vectors that matters to you. So you might have thousands upon thousands of vulnerabilities on servers that are simply internal and these cannot be manifested, that will be (indistinct) and 0.1% of them, that can be exploited indirectly to a load balancer, and we'll be able to highlight these one. And this is the way to solve alert fatigue. We've been in large organizations that use other tools that they had million critical alerts, using the tools before Orca. We ran our scanner, we found 30.
And you can manage 30 alerts if you're a large organization, no one can manage a million alerts. >> Well, I got to say, I love the value proposition. I think you're bringing a smart view of this. I see you have the experience there, Avi and team, congratulations, and it makes sense of the cloud is a benefit, it can be leveraged. And I think security being rethought this way, is smart. And I think it's being validated. Now, I did check the news, you guys have raised significant traction as valuation certainly raised around the funding of (indistinct) 10 million, I believe, a (indistinct) Funding over a billion dollar valuation, pushes a unicorn status. I'm sure that's a reflection of your customer interaction. Could you share customer success that you're having? What's the adoption look like? What are some of the things customers are saying? Why do they like your product? Why is this happening? I mean, I can connect the dots myself, but I want to hear what your customers think. >> So definitely, we're seeing huge traction. We grew by thousands of percent year over year, literally where times during late last year, where our sales team, literally you had to wait two or three weeks till you managed to speak to a seller to work with Orca. And we see the reasons as organization have the same problems that we were in, and that we are focusing. They have cloud environments, they don't know their security posture, they need to own it. And they need to own it now in a way which guarantees coverage guarantees that they'll see the important items and there was no other solution that could do that before Orca. And this is the fact. We literally reduce deployment (indistinct) it takes months to minutes. And this makes it something that can happen rather than being on the roadmap and waiting for the next guy to come and do that. So this is what we hear from our customers and the basic value proposition for Orca haven't changed. 
We're providing literally Cloud security that actually works that is providing full coverage, comprehensive and contextual, in a seamless manner. >> So talk about the benefits to customers, I'll give you an example. Let's just say theCUBE, we have our own cloud. It's growing like crazy. And we have a DevOps team, very small team, and we start working with big companies, they all want to know what our security posture is. I have to go hire a bunch of security people, do I just work with Orca, because that's the more the trend is integration. I just was talking to another CEO of a hot startup and the platform engineering conversations about people are integrating in the cloud and across clouds and on premises. So integration is all about posture, as well, too I want to know, people want to know who they're working with. How does that, does that factor into anything? Because I think, that's a table stakes for companies to have almost a posture report, almost like an MRI you said, or a clean (indistinct) health. >> So definitely, we are both providing the prioritized risk assessment. So let's say that your cloud team want to check their security, the cloud security risk, they'll will connect Orca, they'll see the (indistinct) in a very, very clear way, what's been compromised (indistinct) zero, what's in an imminent compromise meaning the attacker can utilize today. And you probably want to fix it as soon as possible and things that are hazardous in terms that they are very risky, but there is no clear attack vectors that can utilize them today, there might be things that combining other changes will become imminent compromise. But on top of that, when standard people also have compliance requirements, people are subject to a regulation like PCI CCPA (indistinct) and others. So we also show the results in the lens of these compliance frameworks. 
So you can essentially export a report showing, okay, we were scanned by Orca, and we comply with all of these requirements of SOC 2, etc. And this is another value proposition of essentially not only showing it in a risk lens, but also from the compliance lens. >> You got to be always on with security and cloud. Avi, great conversation. Thank you for sharing nice knowledge and going deep on some of the solution and appreciate your conversation. Thanks for coming on. >> Thanks for having me. >> Obviously, you are CEO and co-founder of Orca Security, hot startup, taking on security in the cloud and getting it right. I'm John Furrier with theCUBE. Thanks for watching. (calm music)

Published Date : May 18 2021

Mojgan Lefebvre, Liberty Mutual Insurance - Cloud Foundry Summit 2017 - #CloudFoundry - #theCUBE


 

>> Announcer: Live from Santa Clara, in the heart of Silicon Valley, it's theCUBE, covering Cloud Foundry Summit 2017. Brought to you by the Cloud Foundry Foundation and Pivotal. >> Welcome back. I'm Stu Miniman joined by my host, John Troyer. Really excited to welcome to the program one of the keynote speakers from this morning, Mojgan Lefebvre who is the SVP and chief information officer. We always love CIOs, from Liberty Mutual Insurance Global Specialty. Thank you for your keynote this morning and thank you so much for joining us on theCUBE. >> Thank you, thanks for having me. >> So you went through a lot of data and a lot of information in your keynote. Liberty Mutual, you say spent a billion dollars in tech yearly. There's certain technology companies that spend that much. As the CIO, what are some of the biggest things on your plate and we'll get in the discussion of Cloud Foundry and cloud and everything as we go from there. >> Sure so I'd say probably the priorities differ by the business unit you're in. The specialty business has generally been a bit more manual and we have over 200 or so insurance products. So really automating it is very different from automating consumer insurance which is really focused on home and auto. So really right now, our focus is increasing the productivity and the risk assessment for a lot of our underwriters. And then I say probably analytics, pricing. Making sure that we're assessing risks correctly is definitely another point of focus for us. >> Okay with so many products, we understand the rate of change must be difficult. In your keynote you spoke about embracing cloud and agile methodology. Maybe take us back to what some of the pain points were and led to yourself and management to embrace this big change. >> Yeah, absolutely so several things are going on. One is that we see a lot of new players entering the world of insurance, and it both about new capital coming into the world of insurance. 
Just 'cause there's not enough investments that capital can be put towards so insurance is one place to come to and the other is technology players that are coming into our world. Companies like Metromile, Lemonade, the list goes on and on and so really our world is changing. Technology is driving a lot of that change and so we know that we've got to be a big player in that area as well. And as I said really, we've got to become one of those software companies that can actually sell insurance as opposed to the other way around. I'd say some of the other things that are happening is the fact that our employees. Our consumers now have all these other software companies that they have experience with and so their expectations are very different. They've got one experience when they're at home and then they come into the workplace and it looks like they've gone back 100 years. So that paradigm needs to change. So those are some of the things that have really made us think we have no choice but to truly change the way that we deliver software. We've got to get out of this mode where everything takes multiple years and multiple millions of dollars and really at the end of the day. The people that you started the work with are no longer even there to appreciate what you've delivered to them. And usually it's not what they ask for anyway. >> As you adopted the Cloud Foundry platform. One of the things about Cloud Foundry, even very early in its life cycle was that it was associated with digital transformation, and cloud native. And especially once it was joined up with Pivotal Labs. So how much of, as you all embark on this journey. The great thing about here at Summit, there is a lot of talk about visual transformation. A lot of talk about agile. That's what we were just talking about. Some shows you go to it's a lot about features and a lot about speeds and feeds. And a lot about the latest, greatest. So how much a part of it as you all were adopting this platform? 
Was that culture of digital transformation surrounding the actual tech. How important was that? >> I think that was very important because again, as I said we know that, that's what the consumers expect. They no longer want things to be manual. They want things to be at the tips of their fingers and so really transforming us from being a company that's very paper intensive to really being more and more digital was critical to us. The very first application that we actually put in the cloud which was in my business unit was for document management in our Alfresco. And actually what we named it was we're going paperless. As something that we started about three years ago, and today I can say that yep, we are paperless and so the great thing about Alfresco was that it was indeed cloud native, and that was very important to us. We started out looking at some of the other solutions that are out there. I won't necessarily name them but they did not lend themselves to the cloud. And so really going with a cloud native solution that would enable us to become much more digital and paperless was very critical to us. >> You talked a lot about developer adoption now in your journey. Was that a tough sell at the very beginning or did developers go wait a minute, This is going to save me a lot of time. I'm on board. >> So you mean with Cloud Foundry in general? >> John: With Cloud Foundry, in general. >> So if anything I'd say it was probably the developer community that really sorted this out and so by the time that the leadership and management started to pay attention. There were pockets of developers who were just very, very bought into it, and so I would say that went a long way. And then made it easier to sell it to other developers. I say they're much more listening to what their peers are saying than what we have to say. And then really meeting with the Pivotal Labs guys. I'd say those folks have truly a magical way of selling their story and they've truly helped us. 
Not only sell it to our developers but also sell the story to our business. I'd say that the mindset shift from thinking I'm going to have everything in one go versus no, I'm going to get it in iterations and I'm actually going to trust the fact that the next releases are going to come is a big mind shift and Pivotal was instrumental in helping sell that to us. >> One of the benefits of Cloud Foundry is to give you flexibility as to where your applications and data live. That being said, a majority of customers that have deployed Cloud Foundry are doing it on premises. How do you manage what goes, stays in your own environment. What handles the public cloud. My understanding you're doing quite a bit of AWS today. What's your viewpoint for you and management on public cloud? >> We certainly see public cloud as the future. I know Chip mentioned something about, well it's not going to be cheaper. We're actually counting on that in the end from a total cost of ownership perspective. That it will be cheaper and we truly mean it when we say we want 75% of the people writing code. And by that I mean the staff within the IT group of course. And we don't want them to have to worry about the infrastructure and so while we've started with AWS, we absolutely have a relationship with Microsoft as well. We definitely want to be independent on this cloud and I would say something like Cloud Foundry definitely allows you to do that. >> When you're looking at that total. That full TCO, you don't have fully burden, I have gear and I have people managing that gear and all the operations there. If you can shift that piece of it. You're not differentiated on the infrastructure or at those needs. You want to focus on those thousands of products that you have and your people coding to create those next opportunities. >> Exactly. We want to focus on the value add. 
That's where we want our people to really be focusing and we want to let the cloud players who do it extremely well to be doing that for us. >> You put forth in your keynotes some pretty audacious metrics. I think it was 60% of the work load public cloud. More than 50% of apps to release code on daily basis and you wanted 75% of the IT staff to write code. How did you come up with those numbers. How are you doing against those? >> About a year ago, once we decided that the imperative for change was so critical. The IT leadership team got together. We spent a couple of days off site and we said let's come up with what we're calling today our IT manifesto. And so we said we just have to change and there are multiple things that we're going to change. And we said we're going to put some, what we call bold, audacious moves or BAMS as they've come to be known together. And so those were just some, we knew they were out of right to some extent, but we said if we don't really put some goals that are really hard to reach, we're never going to get there. >> What are some of the head winds there? What have slowed you from meeting those and any lessons learned that you share to your peers on what you've learned going through this. >> Certainly deciding on what goes to the clouds first is one of those areas that we're learning as we're doing. We know that it's easy when you're working in a greenfield and it's something new. So yeah, you can very easily say I'll build in the cloud. When you're looking at what your existing environment is and what you move to the cloud. One of the questions as well, if we move all of our development environment. How's that going to interact with the production environment. If you have them in different clouds. Other things are how it interacts with Active Directory and LDAP and some of those things. And I say finally would be kind of the global applications always make it much more difficult as you think. 
How do you replicate among different clouds in different geographies. Those are some of the blockers that we've got to tackle and make sure that we get around. >> One of the interesting parts of any management strategy in any company is skills, up skilling. So how have you been approaching that in terms of this new cloud native world. Both for the devs, is this year at Cloud Foundry Summit. Are people here learning? There's new certifications. >> I say it's a multi prong approach. We definitely have partnered with several companies to put some training together to make sure that we're training our staff. We started a program that we call go for code and so we've asked volunteers. For people who are not coding today and who want to get there that actually they go to these coding schools and they're going to spend the next two to three months actually learning how to code. It's very rigorous. >> So they might have been technical in an infrastructure way before and they want to learn how to code? >> Yeah, it may be that or they may have just been business analysts who are just doing requirements gathering or project management, and they want to learn how to code. So we've tried to be as transparent as possible because when you say I want 75% of my IT staff to be coding. Like you've got 50% who are not coding today. There's a message in that and so of course it's up to us to make sure that we're providing the tools and what's needed for that to happen. Our goal is to get anyone on our staff who really wants to get there and is willing to put the sweat in to be able to do it. 'Cause we also know it's not like software engineers are just lying out there on the streets. There is a shortage of software engineers and that's going to become more and more of a problem. So really getting our own employees that we value greatly to be able to do that transformation, I think is critical for us. 
>> Another great one line, you had your keynote was out with the annual, in with the weekly. I think you said it was 16 releases in five months. The counter to that and I'm curious how you deal with it and talk to your peers is how do people keep up with just all the changes that are happening? I talk to the companies that create code on just regular occasions and they can't keep up. And how do you make sure your staff doesn't get burned out? >> So great, great question again. We're at the very beginnings of our transformation. The one thing I will say is looking at the team that did this and did the 16 releases in five months versus teams that are working on annual releases. The energy, the enthusiasm, the excitement and hopefully some of it came through in the video that you saw is just phenomenal. So I'd say, I'm much less worried about them burning out than hey can we keep the others as excited. I will tell you automation and things like Cloud Foundry that actually help you automate your pipeline are critical. You can not do multiple releases or daily releases if you don't have those tools. If you truly get to the point where you do have the automated pipeline. I think a lot of that is done for you so that's what we're gearing towards and driving towards. >> One of the things that people always love to pontificate is in the future, what is the role of the CIO? We'd love to see you embracing things like cloud because it was like well, when I had gear, and I had capital budget I understood it. But I'm changing the role. I'm doing that. What have you been seeing as the changing role? Anything down the line you see and how that changes? >> You're right, so a lot of people say, well there is no need for a CIO in the future. I'd say there's probably more and more need for very business oriented, strategic CIOs who also understands technology really well and they're the epitome of someone who understands technology and is the head of engineering so to speak. 
But also making sure that they can work very well with the business and understands the impact of technology on the business. I'll be waiting for the day where the need for someone like that goes away. I don't see it coming too soon. >> Final question I have for you is what brings you to an event like this? Spend the time, give the keynote. What do you get out of it personally and for your company? >> One is really learning 'cause again, if you're a doctor in medicine. If you want to keep up with what's going on around you you've got to educate yourself. So certainly that aspect of go out there, see what's going on. Making sure that you're keeping up with new technology that's one thing. The other was my experience with Pivotal has been phenomenal, and so I thought it was critical to actually take the opportunity to share that. Hopefully others will learn. A lot of the tweets that I saw was well, if a big 100 year old insurance company can do this. Then nobody has an excuse and I'll say yeah of course. So it's really both to give back and to continue to learn and then to reconnect with colleagues. Cornelia and I actually worked together over 10 years ago. So just coming to here and being able to have dinner with her tonight is going to be very enjoyable. >> Absolutely a tight knit community. Really appreciate you coming on the program. We welcome you to theCUBE alumni list now, our community, >> Thank you. >> Of the thousands that we had on the program. From John and myself, we'll be back with lots more coverage here from the Cloud Foundry Summit. Thanks for watching theCUBE. (uptempo techno music)

Published Date : Jun 22 2017

