(Techno music) >> Announcer: From around the globe, it's theCUBE! Presenting, Accelerating Automation, with DevNet. Brought to you by Cisco (Techno music ends) >> We're back, this is Dave Vellante, and TK Keanini is here. He's a distinguished engineer at Cisco. TK, my friend good to see you again. >> How are you? >> Good, I mean you and I were in Barcelona in January, and yeah, we saw this thing coming but we didn't see it coming this way, did we? >> No, no one did. But yeah, that was right before everything happened. >> Well, it's weird. I mean, it was in the back of our minds in January, we started, "Well, Barcelona hasn't really been hit yet." It looked like it was really isolated in China, but wow, what a change. And I guess I'd start with, we're seeing really a secular change in your space, in security; identity, access, management, cloud security, endpoint security. I mean, all of a sudden these things explode as the work from home pivot has occurred, and it feels like these changes are permanent or semi-permanent. What are you seeing out there? >> Yeah, I don't think anybody thinks the world's going to go back the way it was. To some degree, it's changed forever. I do a lot of my work remotely, and so being a remote worker, isn't such a big deal for me, but for some, it was a huge impact. And like I said, remote work, remote education, everybody's on the opposite side of a computer. And so the digital infrastructure has just become a lot more important to protect, and the integrity of it essentially is almost our own integrity these days. >> Yeah, and when you see that work from home pivot, I mean, our estimates along with our partner, DTR, about 16% of the workforce was at home working from home prior to COVID, and now it's north of 70% plus, and that's going to come down maybe a little bit over the next six months, we'll see what happens with the fall surge. But people essentially expect that to at least double, that 16% going forward indefinitely. So what kind of pressure does that put on the security infrastructure and how organizations are approaching security? >> Yeah, I just think from a mindset standpoint, what was optional maybe last year is no longer optional. And I don't think it's going to go back. I think a lot of people have changed the way they live and the way they work, and they're doing it in ways, hopefully that in some cases yield more productivity. Again, usually with technology that's severely effective, it doesn't pick sides. So the security slant to it is, it frankly works just as well for the bad guys. And so that's the balance we need to keep, which is, we need to be extra diligent on how we go about securing infrastructure how we go about securing even our social channels. Because remember all our social channels now are digital. So that's become the new norm. >> You've helped me understand over the years. I remember a line you shared with me in theCUBE one time is that the adversary is highly capable, I'll sort of the phrase that you used. And essentially the way you described it is, your job as a security practitioner is to decrease the bad guys' return on investment, increase their costs, increase the numerator. But as work shifts from home, I'm in my house. My Wi-Fi and my router, with my dog's name is the password. It's much much harder for me to increase that denominator at home. So (chuckles) how can you help? >> Yeah, I mean, it is truly, when you get into the mind of the adversary and the cyber crime out there, they're honestly just like any other business. They're trying to operate with high margins. And so if you can get in there and erode their margin, they'll frankly go find something else to do. And again, the shift we experience day to day is it's not just our kids are online in school, and our work is online, but all the groceries we order, this Thanksgiving and holiday season, a lot more online shopping is going to take place. So everything's gone digital. And so the question is, how do we up our game there so that we can go about our business effectively and make it very expensive for the adversary to operate and take care of their business? 'Cause it's nasty stuff. >> I want to ask you about automation generally, and then specifically how it applies to security. I mean, we certainly saw the ascendancy of the hyperscalers and of course they really attacked the IT labor problem. We learned a lot from that, and IT organizations have applied much of that thinking. And it's critical at scale. I mean, you just can't scale humans at the pace that technology scales today. How does that apply to security, and specifically, how is automation affecting security? >> Yeah, it's the topic these days. Businesses, I think realize that they can't continue to grow at human scale. And so the reason why automation and things like AI and machine learning have a lot of value is because everyone's trying to expand and operate at machine scale. Now, I mean that for businesses, I mean that for education, and everything else now, so are the adversaries. So it's expensive for them to operate at human scale, and they are going to machine scale. Going to machine scale, a necessity is that, you're going to have to harness some level of automation; have the machines work on your behalf, have the machines carry your intent. And when you do that you can do it safely, or you could do it dangerously. (chuckles) And that's really kind of your choice. Just because you can automate something doesn't mean you should. You want to make sure that frankly, the adversary can't get in there and use that automation on their behalf. So it's a tricky thing because, when you take the phrase, how do we automate security? Well, you actually have to take care of securing the automation first. >> Yeah, we talked about this in Barcelona where you were explaining that, the the bad guys, the adversaries are essentially weaponizing, using your own tooling which makes them appear safe. Because they're hiding in plain sight. >> Right? >> That's scary. >> Well, they're clever, (chuckles) I'll giving them that. There's this phrase that they they always talk about, called, living off the land. There's no sense in them coming into your network and bringing their tools, and being detected. If they can use the tools that's already there, then they have a higher degree of evading your protection. If they can pose as Alice or Bob, who's already been credentialed, and move around your network, then they're moving around the network as Alice or Bob. They're not marked as the adversary. So again, having the detecting methods available to find their behavioral anomalies, and things like that, become a paramount, but in also having the automation to contain them, to eradicate them, to minimize their effectiveness, I mean, ideally without human interaction. 'Cause you move faster, you move quicker. And I say that with an asterisk, because if done wrong, frankly, you're just making their job more effective. >> I wonder if we could talk about the market a little bit. I'm mean, the security space, cybersecurity, 80 plus billion, which by the way, is just a little infinitesimal component of our GDP. So we're not spending nearly enough to protect that massive GDP. But guys, I wonder if you could bring up the chart, because when you talk to CSOs and you ask them, "What's your biggest challenge?" They'll say, "Lack of talent." And so what this chart shows, this is from ETR, our survey partner. And on the vertical axis is net score, and that's an indication of spending momentum, on the horizontal axis is market share, which is a measure of presence, pervasiveness, if you will, inside the data sets. And so there's a couple of key points here, I wanted to put forth to our audience and then get your reactions. So you can see Cisco highlighted in red. Cisco's business and security is very, very strong. We see it every quarter, it's a growth area that Chuck Robbins talks about on the conference calls. And so you can see on the horizontal axis you've got a big presence in the data set. I mean, Microsoft is out there, but they're everywhere. But you're right there in that data set. And then you've got, for such a large presence, you've got a lot of momentum in the marketplace, so that's very impressive. But the other point here is you've got this huge buffet of options. There's just a zillion vendors here, and that just adds to the complexity. This is of course only a subset of what's in the security space, the people who answered for the survey. So my question is, how can Cisco help simplify this picture? Is it automation? You guys have done some really interesting token acquisitions, and you're bringing that integration together. Can you talk about that a little bit? >> Yeah, I mean, that's an impressive chart. I mean, when you look to the left there, it's... I had a customer tell me once that, "I came to this trade show looking for transportation and these people are trying to sell me car parts." That's the frustration customers have. And I think what Cisco has done really well is, to really focus on outcomes. What is the customer outcome? 'Cause ultimately that's, that is what the customer wants. There might be a few steps to get to that outcome, but the closer you can get to delivering outcomes for the customer, the better you are. And I think security in general has just year over year have been just ridden with, "You need to be an expert." "You need to buy all these parts and put it together yourself." And I think those days are behind us, but particularly as security becomes more pervasive. and we're selling to the business, we're not selling to the T-shirt wearing hacker anymore. >> Well, how does cloud fit in here? Because I think there's a lot of misconceptions about cloud. People think, "I'll put my data in the cloud I'm safe," but of course we know it's a shared responsibility model. So I'm interested in your thoughts on that. Really is it a sense of complacency? A lot of the cloud vendors, by the way say, "Oh, the state of security is great in the cloud." Whereas many of us out there saying, "Wow, it's not so great." So what are your thoughts on that whole narrative, and what's Cisco's play in cloud? >> I think cloud, when you look at the services that are delivered via the cloud, you see that exact pattern which is you see customers paying for the outcome or as close to the outcome as possible. No data center required, no distract required, you just get storage. It's all of those things that are again, closer to the outcome. I think the thing that interests me about cloud too is, it's really punctuated the way we go about building systems, again, at machine scale. Before, when I write code and I think about "Oh, what computers are going to run on, what servers is it going to run on?" Those thoughts never cross my mind anymore. I'm modeling the intent of what the service should do, and the machines then figure it out. So for instance on Tuesday, if the entire internet shows up, the system works without fail. And on Wednesday, if only North America shows up, you have so much. But there's no way you could staff that. There's just no human-scale approach that gets you there. And that's the beauty of all of this cloud stuff is, it really is the next level of how we do computer science. >> So you're talking about infrastructure as code and that applies to security as code, that's what DevNet is really all about. I've said many times, I think Cisco, of the the large established enterprise companies, is one of the few if not the only, that really has figured out that developer angle. Because it's practical, you're not trying to force your way into developers, but I wonder if you could talk a little bit about that trend and where you see it going. >> Yeah, that is truly the trend. Every time I walk into DevNet, the big halls at Cisco Live, it is Cisco as code. Everything about Cisco is being presented through an API. It is automation-ready, and frankly, that is the love language of the cloud. It's machines, it's the machines talking to machines in very effective ways. So it is the, I think necessary maybe not sufficient, but necessary for doing all the machine scale stuff. What's also necessary is to secure, if infrastructure is code, therefore, what security methodologies do we have today that we use to secure code? Well we have automated testing, we have threat modeling, those things actually have to be now applied to infrastructure. So then when I talk about how do you do automation securely, you do it the same way you secure your code. You test it, you threaten-model you say, "Can my adversary exhibit something here that drives the automation in a way that I didn't intend it to go?" So all of those practices apply. It's just, everything is code these days. >> TK, I've often said that security and privacy are sort of two sides of the same coin. And I want to ask you a question, and it's really to me, it's not necessarily Cisco and companies like Cisco's responsibility, but I wonder if there's a way in which you can help. And of course, there's this Netflix documentary circling around the social dilemma, I don't know if you've had a chance to see it, but that basically dramatizes the way in which companies are appropriating our data to sell us ads, and creating own little set of facts, et cetera. And that comes down to sort of how we think about privacy, and that means good from the standpoint of awareness, you may or may not care if you're a social media user. I love TikTok, I don't care. But they sort of laid out, this is pretty scary scenario with a lot of the inventors of those technologies. You have any thoughts on that, and can Cisco play a role there in terms of protecting our privacy? I mean, beyond GDPR and California Consumer Privacy Act, what do you think? >> Yeah, my humble opinion is, you fix social problems with social tools. You fix technology problems with technology tools. I think there is a social problem that needs to be rectified. We weren't built as human beings to live and interact with an environment that agrees with us all the time. (chuckles) It's just pretty wrong. So yeah that series did really kind of wake up a lot of people, it's probably every day I hear, somebody ask me if I saw it. But I do think it also, with that level of awareness, I think we overcome it or we compensate by what number one, just being aware that it's happening. Number two, how you go about solving it, I think maybe come down to an individual or even a community's solution. And what might be right for one community might be not the same for the other. So you have to be respectful in that manner. >> Yeah, so it's almost, I think if I could play back, what I heard is, is yeah, technology maybe got us into this problem, but technology alone is not going to get us out of the problem. It's not like some magic AI bot is going to solve this. It's going to be, society has to really take this on, is your premise. It's a good one. >> When I first started playing online games, I mean going back to the text-based adventure stuff like MUDs and MOOs, I did a talk at MIT one time and this old curmudgeon in the back of the room, we were talking about democracy, and we were talking about the social processes that we had modeled in our game and this and that. Then this guy just gave us the smack-down. He basically walked up to the front of the room and said, "You know all you techies, you judge efficiency by how long it takes." He says, "Democracy is completely the opposite which is, you need to sleep on it. In fact, you should be scared if somebody can decide in a minute, what is good for the community? If two weeks later, they probably have a better idea of what's good for the community. So it almost has the opposite dynamic." And that was super interesting to me. >> That's really interesting, you read the Lincoln historians and he was criticized in the day for having taken so long to make certain decisions, but ultimately when he acted, he acted with confidence. So to that point. But so what else are you working on these days that is interesting, that maybe you want to share with our audience? Anything that's really super exciting for you, are you... >> Yeah, generally speaking, I'm trying to make it a little harder for the bad guys to operate. I guess that's a general theme, making it simpler for the common person to our use tools. Again, all of these security tools no matter how fancy it is, it's not that we're losing the complexity, it's that we're moving the complexity away from the user, so that they can thrive at human scale, and we can do things at machine scale. And kind of looping those two together is sort of the magic recipe. It's not easy, but it is fun. So that's what keeps me engaged. >> I'm definitely seeing, I wonder if you see it, this sort of obviously a heightened organizational awareness, but I'm also seeing shifts in the organizational structures. It used to be a SecOps team in an Island, "Okay, it's your problem." The CSO can not report into the to the CIO because that's like the fox in the henhouse, a lot of those structures are changing it seems, this responsibilities is becoming much more ubiquitous across the organization. What are you seeing there- >> Yeah, I know, and it's so familiar to me, because I started out as a musician. So, bands are a great analogy, you play bass, I play guitar, somebody else plays drums, everybody knows their role, and you create something that's larger than the sum of all parts. And so that analogy I think is coming to, we saw it sort of with DevOps where the developer doesn't just throw their code over the wall and it's somebody else's problem, they move together as a band. And that's what I think organizations are seeing is that, why stop there? Why not include marketing? Why not include sales? Why don't we move together as a business, not just, "Here's the product, and here's the rest of the business." (chuckles) That's pretty awesome. I think we see a lot of those patterns, particularly for the high-performance businesses. >> In fact, it's interesting, you have great analogy by the way. And you actually see in that within Cisco. You're seeing sort of, and I know sometimes you guys don't like to talk about the plumbing, but I think it matters. I mean, you've got a leadership structure now, I've talked to many of them, they seem to really be more focused on how they're connecting across organizations, and it's increasingly critical in this world of silo busters, isn't it? >> Yeah, no, I mean, as you move further and further away, you can see how ridiculous it was before, it would be like acquiring a band and say, "Okay, all you guitar players, go over here. All you bass players over there. Then I'm like, "What happened to the band?" (both laughing) So that's what I'm talking about. All of those disciplines moving together, and servicing the same backlog and achieving the same successes together, is just so awesome. >> Well, I always feel better after talking to you. I remember Art Coviello used to put out this letter every year, I would read it and I'd get depressed. (chuckles) We spent all this money, now we're less secure. But when I talk to you TK, I feel much more optimistic. So I really appreciate the time you spend on theCUBE. It's awesome to have you as a guest. >> I love this session, so thanks for inviting me. >> And I miss you, hopefully next year we can get together at some of the Cisco shows or other shows, but be well and stay weird, like the sign says. >> (talks faintly) Bring my product. >> TK Keanini, thanks so much for coming to theCUBE. We really appreciate it, and thank you for watching everybody. This is Dave Vellante. We'll be right back with our next guest, after this short break. (upbeat music)