>> Narrator: Live from San Francisco It's theCUBE. Covering RSA Conference 2020, San Francisco. Brought to you by Silicon Angled Media >> Hi everyone, welcome to theCUBE's coverage here at RSA Conference 2020. I'm John Furrier, host of theCUBE We're on the floor getting all the data, sharing it with you here, Cube coverage. Got the best new generation shift happening as cloud computing goes to the whole other level. Multi-cloud, hybrid cloud changing the game. You're seeing the companies transition from an on-premises to cloud architecture. This is forcing all the companies to change. So a new generation of security is here and we've got a great guest, so a hot start-up. Masha Sedova, co-founder of Elevate Security. Welcome to theCUBE, thanks for joining us. >> Thank you so much for having me, John. >> So the next generation in what will be a multi-generational security paradigm, is kind of happening right now with the beginning of, we're seeing the transition, Palo Alto Networks announced earnings yesterday down 13% after hours because of the shift to the cloud. Now I think they're going to do well, they're well positioned, but it highlights this next generation security. You guys are a hot start-up, Elevate Security. What is the sea change? What is going on with security? What is this next generation paradigm about? >> Yeah, so it's interesting that you talk about this as next generation. In some ways, I see this as a two-prong move between, yes, we're moving more into the cloud but we're also going back to our roots. We're figuring out how to do asset management right, we're figuring out how to do patching right, and for the first time, we're figuring how to do the human element right. And that's what where we come in. >> You know, the disruption of these new shifts, it also kind of hits like this, the old expression, 'same wine, new bottle', all this, but it's a data problem. Security has always been a data problem, and we've seen some learnings around data. Visualization, wrangling, there's a lot of best practices around there. You guys are trying to change the security paradigm by incorporating a data-centric view with changing the behavior of the humans and the machines and kind of making it easier to manage. Could you share what you guys are doing? What's the vision for Elevate? >> Yeah, so we believe and we've seen, from our experience being practitioners, you can't change what you can't measure. If you don't have visibility, you don't know where you're going. And that's probably been one of the biggest pain-point in the security awareness space traditionally. We just roll out training and hope it works. And it doesn't, which is why human error is a huge source of our breaches. But we keep rolling out the same one-size fits all approach without wanting to measure or, being able to. So, we've decided to turn the problem on its head and we use existing data sets that most organizations who have a baseline level of maturity already have in place. Your end point protections, your DLP solutions, your proxies, your email security gateways and using that to understand what your employees are doing on the network to see if user generated incidents are getting better over time or getting worse. And using that as the instrumentation and the level of visibility into understanding how you should be orchestrating your program in this space. >> You know, that's a great point. I was just having a conversation last night at one of the cocktail parties here around RSA and we were debating on, we talk about the kind of breaches, you mentioned breaches, well there's the pure breach where I'm going to attack and penetrate the well fortified network. But then there's just human error, an S3 bucket laying open or some configuration problem. I guess it's not really a breach, it's kind of an open door so the kind of notion of a breach is multifold. How do you see that, because again, human error, insider threats or human error, these are enabling the hackers. >> Yeah >> This is not new. >> Yeah. >> How bad is the problem? >> It depends on what report you read. The biggest number I've seen so far is something like 95% of breaches have human error. But I honestly, I couldn't tell you what the 5% that don't include it because if you go far enough back, it's because a patch wasn't applied and there is a human being involved there because there is vulnerability in code, that's probably a secure coding practice when you're a development organization. Maybe it's a process that wasn't followed or even created in the first place. There's a human being at the core of every one of these breaches and, it needs to be addressed as holistically as our technologies and our processes right now in the space. >> The evolution of human intelligence augmented by machines will certainly help. >> That's it, yeah. >> I mean, I've got to ask you, obviously you're well-funded. Costanova Ventures well known in the enterprise space, Greg Sands and the team there, really strong, but you guys entered the market, why? I mean you guys, you and your founder both at Salesforce.com. Salesforce gurus doing a lot of work there. Obviously you've seen the large scale, first wave of the cloud. >> Yeah >> Why do the start-up? What was the problem statement you guys were going after? >> So, my co-founder and I both came from the world of being practitioners and we saw how limited the space was and actually changing human behavior, I was given some animated PowerPoints, said use this to keep the Russians out of your network, which is a practical joke unless your job is on the line, so I took a huge step back and I said, there are other fields that have figured this out. Behavioral science being one of them, they use positive reinforcement, gamification, marketing and advertisements have figured out how to engage the human element, just look around the RSA floor, and there's so many learnings of how we make decisions as human beings that can be applied into changing people's behaviors in security. So that's what we did. >> And what was the behavior you're trying to change? >> Yeah, so the top one's always that our attackers are getting into organizations, so, reducing phishing click-throughs an obvious one, increasing reporting rates, reducing malware infection rates, improving sensitive data handling, all of which have ties back to, as I was mentioning earlier, security data sources. So, we get to map those and use that data to then drive behavior change that's rooted in concepts like social proof, how are you doing compared to your peers? We make dinner decisions on that and Amazon buying decisions on that, why not influence security like that? >> So building some intelligence into the system, is there a particular market you're targeting? I mean, here people like to talk in segments, is there a certain market that you guys are targeting? >> Yeah, so the amazing thing about this is, and probably no surprise, the human element is a ubiquitous problem. We are in over a dozen different industries and we've seen this approach work across all of those industries because human beings make the same mistakes, no matter what kind of company they're in. We really work well with larger enterprises. We work well with larger enterprises because they tend to have the data sets that really provides insights into human behavior. >> And what's the business model you guys envision happening with your service product? >> We sell to enterprises and security, the CISO and the package as a whole, gives them the tools to have the voice internally in their organization We sell to Fortune 1000 companies, >> So it's a SAAS service? >> Yeah, SAAS service, yeah. >> And so what's the technology secret sauce? (laughing) >> Um, that's a great question but really, our expertise is understanding what information people need at what time and under what circumstances, that best changes their behavior. So we really are content diagnostic, we are much more about the engine that understands what content needs to be presented to whom and why. So that everyone is getting only the information they need, they understand why they need it and they don't need anything extra-superfluous to their... >> Okay, so I was saying on theCUBE, my last event was at, CIO's can have good days and bad days. They have good days, CISOs really have good days, many will say bad days, >> Masha: Yeah, it's a hard job. >> So how do I know I need the Elevate Solution? What problem do I have, what's in it for me? What do I get out of it? When do I know when to engage with you guys? >> I take a look at how many user generated incidents your (mumbles) responding to, and I would imagine it is a large majority of them. We've seen, while we were working at Salesforce and across our current customers, close to a 40% reduction rate in user generated incidents, which clearly correlates to time spent on much more useful things than cleaning up mistakes. It's also one of the biggest ROI's you can get for the cheapest investment. By investing a little bit in your organization now, the impact you have in your culture and investing in the future decision, the future mistakes that never get made, are actually untold, the benefit of that is untold. >> So you're really kind of coming in as a holistic, kind of a security data plane if you will, aggregating the data points, making a visualization in human component. >> You've got it. >> Now, what's the human touchpoint? Is it a dashboard? Is it notifications? Personalization? How is the benefit rendered for the customer? >> So we give security teams and CSOs a dashboard that maps their organization's strengths and weaknesses. But for every employee, we give personalized, tailored feedback. Right now it shows up in an email that they get on an ongoing basis. We also have one that we tailor for executives, so the executive gets one for their department and we create an executive leaderboard that compares their performance to fellow peers and I'll tell you, execs love to win, so we've seen immense change from that move alone. >> Well, impressive pedigree on your entrepreneurial background, I see Salesforce has really kind of, I consider real first generation cloud before cloud actually happened, and there's a lot of learn, it was always an Apple case, now it's AWS, but it's it's own cloud as we all know, what are the learnings that you saw from Salesforce that you said hey, I'm going to connect those dots to the new opportunity? What's the real key there? >> So, I had two major aha's that I've been sharing with my work since. One, it's not what people know, but it's what they do that matters, and if you can sit with a moment and think about that, you realize it's not more training, because people might actually know the information, but they just choose not to do it. How many people smoke, and they still know it kills them? They think that it doesn't apply to them, same thing with security. I know what I need to do, I'm just not incentivized to do it, so there's a huge motivation factor that needs to be addressed. That's one thing that I don't see a lot of other players on the market doing and one thing we just really wanted to do as well. >> So it sounds like you guys are providing a vision around using sheet learning and AI and data synthesis wrangling and all that good stuff, to be an assistant, a personal assistant to security folks, because it sounds like you're trying to make their life easier, make better decisions. Sounds like you guys are trying to distract away all these signals, >> You're right. >> See what to pay attention to. >> And make it more relevant, yeah. Well think about what Fitbit did for your own personal fitness. It curates a personal relationship based on a whole bunch of data. How you're doing, goals you've set, and all of a sudden, a couple of miles walk leads to an immense lifestyle change. Same thing with security, yeah. >> That's interesting, I love the Fitbit analogy because if you think about the digital ecosystem of an enterprise, it used to be siloed, IT driven, now with digital, everything's connected so technically, you're instrumenting a lot of things for everything. >> Yeah. >> So the question's not so much instrumentation, it's what's happening when and contextually why. >> That's it, why, that's exactly it. Yeah, you totally got it. >> Okay. I got it. >> Yeah, I can see the light bulb. >> Okay, aha, ding ding. All right, so back to the customer pain point. You mentioned some data points around KPI's that they might or things that they might want to call you so it's incidents, what kind of incidents? When do I know I need to get you involved? Will you repeat those again? >> There's two places where it's a great time to involve. Now, because of the human element is, or think about this as an investment. If you do non-investor security culture, one way or another, you have security culture. It's either hurting you or it's helping you and by hurting you, people are choosing to forego investing security processes or secure cultures and you are just increasing your security debt. By stepping in to address that now, you are actually paying it forward. The second best time, is after you realize you should have done that. Post-breaches or post incidents, is a really great time to come in and look at your culture because people are willing to suspend their beliefs of what good behavior looks like, what's acceptable and when you look at an organization and their culture, it is most valuable after a time of crisis, public or otherwise, and that is a really great time to consider it. >> I think that human error is a huge thing, whether it's as trivial as leaving an S3 bucket open or whatever, I think it's going to get more acute with service meshes and cloud-native microservices. It's going to get much more dynamic and sometimes services can be stood up and torn down without any human knowledge, so there's a lot of blind spots potentially. This brings up the question of how does the collaboration piece, because one of the things about the security industry is, it's a community. Sharing data's important, having access to data, how do you think about that as the founder of a start-up that has a 20 mile steer to the future around data access, data diversity, blind spots, how do you look at that and how do you advise your clients to think about that? >> I've always been really pro data sharing. I think it's one of the things that has held us back as an industry, we're very siloed in this space, especially as it relates to human behavior. I have no idea, as a regular CISO of a company, if I am doing enough to protect my employees, is my phishing click (mumbles), are my malware download rates above normal, below or should I invest more, am I doing enough? How do I do compared to my peers and without sharing industry stats, we have no idea if we're investing enough or quite honestly, not enough in this space. And the second thing is, what are approaches that are most effective? So let's say I have a malware infection problem, which approach, is it this training? Is it a communication? Is it positive reinforcement, is it punishment? What is the most effective to leverage this type of output? What's the input output relation? And we're real excited to have shared data with Horizon Data Breach Report for the first time this year, to start giving back to the communities, specifically to help answer some of these questions. >> Well, I think you're onto something with this behavioral science intersection with human behavior and executive around security practices. I think it's going to be an awesome, thanks for sharing the insights, Miss Masha on theCUBE here. A quick plug for your company, (mumbles) you're funded, Series A funding, take us through the stats, you're hiring what kind of positions, give a plug to the company. >> So, Elevate Security, we're three years old. We have raised ten million to date. We're based in both Berkeley and Montreal and we're hiring sales reps on the west coast, a security product manager and any engineering talent really focused on building an awesome data warehouse infrastructure. So, please check out our website, www.elevatesecurity.com/careers for jobs. >> Two hot engineering markets, Berkeley I see poaching out of Cal, and also Montreal, >> Montreal, McGill and Monterey. >> You got that whole top belt of computer science up in Canada. >> Yeah. >> Well, congratulations. Thanks for coming on theCUBE, sharing your story. >> Thank you. >> Security kind of giving the next generation all kinds of new opportunities to make security better. Some CUBE coverage here in San Francisco, at the Moscone Center. I'm John Furrier, we'll be right back after this break. (upbeat music)

(electronic music) >> From the heart of Silicon Valley, it's theCUBE! Covering, CloudNOW's 7th Annual Top Women Entrepreneurs in Cloud Innovation Awards. >> Hi, Lisa Martin with theCUBE, on the ground at Facebook headquarters. We're here for the 7th Annual CloudNOW Top Women Entrepreneurs in Cloud Innovation Awards. Our third time covering this event, and we're excited to welcome to theCube, one of tonight's winners, Masha Sedova, the co-founder of Elevate Security. Masha, welcome to theCUBE! >> Lisa, thank you so much for having me, it's really great to be here. >> And congratulations on the award. >> Thank you, thank you. >> So you are a security expert, you studied, you were a STEM kid back in school, but you had this really interesting experience when you were at Salesforce a few years ago, related to security, where you went, I think I see one of the things people have been missing where cyber security is concerned. Tell us about that aha moment. >> Yeah, absolutely. So, having grown up in the security field, there's this saying that, the human is the weakest link. And I personally never believed that, and I was like, there's got to be a way of turning this around and so, I stepped back and said, What it would look like if people wanted to do security instead of had to? What it would look like if people were champions for security, and not because we made them do it, but because each of us were invested in it? And so, I took a step back from my Computer science and computer security background, and dove into the field of behavioral science, positive psychology, and game design. And started exploring how people think, and how we make decisions, to see if I can start applying that to security. And, would you know it, there's some really amazing findings that I came across in that space. >> So you were saying, before we went on that, a pretty significant percentage of breaches are, unfortunately, caused by us humans. >> Yeah, something like 95% have a human error related to it. And if you think about cyber attacks, it's a human being attacking another human being with a bunch of technology in the middle. And if we keep solving it with just technology we're going to keep ending up making the same mistakes we have been making for decades. But if we look at the human element, and why we make mistakes, and how we let ourselves learn from them and make better mistakes and also better choices, we can actually move the needle in a really significant way. >> So, Elevate Security co-founded just a couple of years ago. Really impressive with your board. Tell us about your leadership team and the board before we get into the significance of the name. >> Yeah, absolutely. So, it's co-founded by myself and my co-founder Robert Fly. So, we have a diverse founding team. And from the very beginning we believed that embracing our diversity, in our hires would be of significant differentiator and not just the way we hire, but also the way we build our product. Because we're building products for employees of a whole bunch of companies all over the world and so it was really important to us. And so, to date we're 50% women including our engineering team and we have an all outside female board, board of directors which is a fact I'm really excited to announce today. >> Excited and proud. So when you had this idea, (clears throat) excuse me, and clearly all of the data show that, like you said if we keep throwing technology at the problem with security we're not going to solve it. >> Yeah >> What were the conversations like as a female co-founder, going in and trying to get funding for this idea in something as, hot of a topic and sensitive as cyber security? >> Yeah, you know, it was challenging. Fundraising, I think if you ask any founder you'd say, it would be challenging. I would recommend anybody going into this know your stuff, and stand up behind it, know that you have experience and an idea or a brand, that brings you to the table, brings something to the table and that you have that behind you. So, just because several VCs might say no it doesn't mean that your idea's not worth fighting for or coming to life. And so, it took us a while but we found a fantastic set of venture partners to back us who had very similar philosophies in the way they both raise money and supported entrepreneurship and it's really exciting, exciting time to be have partnered with them. >> So, one of the things you mentioned before went on was the card that your mom gave you. >> Yeah. >> I think that's so inspiring and share that with our audience for those who might have a great idea like you did but say, I keep being told no. >> Yeah, just 'cause it's hard, doesn't mean it's not worth doing. If I, were to have gotten to the end of my life and I didn't try starting a company, I knew that I was always regret it. And, that is something I definitely couldn't live with. And, the card that my mom sent me, it was in late in 2016 it said, "A ship is safe in the harbor "but that is not what ships are built for." And I realized, I had to do this. I absolutely had to start this company, I had to see where it goes and I have a unique perspective and a unique set of experiences in the world. And ideas about how this really hard problem can be solved and I want to see it come to life. And I have had the opportunity to gather an amazing team around me to help me make that vision come to life and I'm really excited to see where it goes. >> So in terms of where it's going, humans are sensitive people. >> (chuckles) Yeah. >> When you're talking with companies, >> Yeah. >> Whether they're born in the cloud companies or legacy enterprise companies and you're saying, Hey, guys it's your people, we're all human. >> Yeah. >> From a cultural response. >> Yeah. >> What's that conversation like do they understand it? And how do you help them go from those really, like we were talking about boring-- >> Yeah. >> Videos and training tutorials to actually, impacting behavior? >> Mm hmm Yeah, so there's two schools of thought in security field. It's the people who believe that human element can't be solved, that humans will always make mistakes, so we need to throw as much technology at it as possible. We've been doing that for three decades and it hasn't worked. And honestly I'm waiting for that generation to move on until we get a new set of ideas in. And what I'm seeing is the up and coming, set of security leadership coming in saying, You know what? Let's try something new, let's try something different. And, you know, I have invested in technology and it hasn't solved it. What if we try a different approach? And, the thing is, security people aren't known for our human expertise. We're good at a lot of other things, but not human expertise, and so bringing in things like behavioral science which is known for understanding how and why we make decisions is a perfect combination to solve this problem that, to date has been unsolvable. Because we really haven't been bringing in expertise outside of our field which on the topic of diversity, is exactly what we need. >> Exactly. So what are you looking forward to as we are just about in the finishing the first month of 2019? >> Oh yeah so, we'll be at RSA at the end of February, early March speaking about our brand new product Snapshot. But I'm also really excited to continue hiring out our team. We are hiring tons of engineers, so if anyone is looking please-- >> Where can they go? >> Elevatesecurity.com. >> Elevatesecurity.com. >> Mm Hmm, yeah, and so continuing to build out our team in San Francisco and in Montreal. >> Well Masha, congratulations on the award, on this really innovative idea bringing in, behavior to security. We appreciate your time and look forward to seeing more of what you guys are about to do. >> Thank you so much. >> Congratulations. We want to thank you for watching theCUBE, I'm Lisa Martin on the ground at Facebook. See you next time. (electronic music)