>> Welcome back everybody. Jeff Frick here with theCUBE, we're at Security in the Boardroom. It's a Chertoff event, they go all around the country and have these small intimate events talking about security, and today it's really about the boardroom, and escalating the conversation into the boardroom. So it's not a tech conversation, it's not a mobile phone management conversation, but really how do we get it up into the boardroom. And I'm really excited for our next guest. He's Michael Chertoff, he's the Co-Founder, Executive Chairman of the Chertoff Group, with a long established career, and I'll let you go check out his LinkedIn. He's been Homeland Security, and it's a long, long list, so I won't even go there. And Jim Pflaging, he's the Principal, Technology Sector and Strategy Performance Lead also for the Chertoff Group. Thanks, Jim kicked it off this morning. And welcome both of you. So first off, Jim, a little bit about this event. What is this event? And what is Chertoff trying to accomplish with this little bit of a road tour? >> So I think it's important to know that we're passionate about the importance of security. I mean, with Secretary Chertoff and Chad Sweet's background, they were at the ground floor of seeing the importance to our country. So we created the firm to focus wholly on security, and to help firms with the whole lifecycle of issues. As a risk, as a business opportunity, as a catalyst for growth. And it was back in 2013 when some stakeholders around said, "Hey you guys have a bunch of ex-DHS folks, there's a bunch of interesting identity technology issues that are coming to the surface, and other technology issues, why don't you bring a group together and do it?" >> Jeff: Right. >> We said, well, we're not an event company. But we went ahead and had a conversation back in D.C. It was a big success, and then it was a little bit like that line from the Godfather, you know when they say, "They keep pulling me back, they keep pulling me back". (laughs) So here we are on our tenth event, we've been to Silicon Valley three times, New York, Houston, and then D.C. And each time, the idea is, make it topical to the local community, and make it topical for the issues at hand at the moment. >> Yeah, it's interesting, the relationship and security. Specifically between government and technology companies. You know, we do a lot of big technology shows, and at IBM and HP. With the customers that we have distributed around the world and the regulations and compliance issues, in some ways we know more from a broad base of these global international customers than the government. On the other hand, the government's driving the compliance, and has the privacy issues, and hopefully looking out for people, so how do the two work more closely together to deliver better solutions? >> Well, in fairness to the government, the government also has access to information and intelligence that the private sector doesn't have. >> That's true >> So each brings to the table a certain set of capabilities, and part of the challenge is to have people speak the same language. The government has tended over the years to develop a very rigid system of procuring, of interacting with the private sector. Out here in Silicon Valley and in other tech centers there's a lot of focus on being innovative and nimble, and sometimes those two cultures need to be bridged. And actually one of the things that we started out doing, was trying to bridge those cultures. Helping the technology companies understand some of the objectives that the government had in terms of security and the economy. And helping the government understand what's out there, what are the capabilities and the techniques that you might use. Because without an awareness of the art of the possible, it's very hard to lay out a strategy for securing cyberspace. >> Right. And the whole security space to me, we talked a little bit before we put the cameras on, feels like insurance. You know you got to do something, right, you can't go unprotected, but by the same token, you can't be 100%, but do you invest forever? Because at the end of the day, for a private company, you know you have limited resources, government too. So, when these conversations are happening, and then what we're talking about here, the boardroom, the worst way a board member wants to get involved is when he reads the Wall Street Journal on Monday morning and he sees that his company has been breached, and he's in big, big trouble. So, how is the relative importance of security investment changing in the boardrooms? What are you seeing? How is that evolving? >> So, from my standpoint, it's about, first of all, understanding that it's a risk, not security. You're managing the risk, you're not guaranteeing people nothing bad will ever happen. And now, GI uses, I say to people it's like physical health. You don't go to your doctor and say, "Doctor, I want you to guarantee I'll never get sick". The doctor would throw you out of the office, or he'd have you committed. What you do, is you say, "Look Doctor, I'd like to be healthy, I'd like to have a healthy immune system, I'd like to keep most of the bacteria and the viruses out of my body, but I'd like to know if I do get invaded by bacterial viruses, which will inevitably happen, I've got a system that can detect it and white blood cells will eliminate it. That's why I get vaccinated, that's why I do other things to keep my immune system up." And that sense of managing expectations I think is critical for the board. If the board wants a guarantee we will never get hacked, then it's not realistic. If the board wants to understand what are the most important parts of our body politic, or our corporate body, we have to protect, and how do we build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough. >> Right. But then as you said, you want to be healthy, but then we still go to bars and have a drink, and we eat ice cream when we probably shouldn't. And the security, so many percentages of the security problems are caused by people didn't update their patches, or they're respondent to this great opportunity to get a bunch of money out of an African Prince. So how are we changing the culture on the people process? You made an interesting comment about culture. We always talk about people process and technology, but you threw the culture piece in it. Which I though was a pretty interesting twist on just people. >> I think that's a key piece, and it's an area where the board can actually lead. This is when it has to start from the top. You know, if management and the board says, "Hey this is a technical issue, we're just gonnna leave it for that security team down the hall". I think you've failed right out of the gate. You need a CEO-lead, cyber-conscious culture, security-conscious culture, that shows that we value it. And that ultimately, you're going to spend time and money to reward the behavior that you're looking for, to then retain and grow that organization. But it's then looking at it both as a risk, as Secretary said, but increasingly, it's part of an opportunity. It's part of an opportunity to engage your customers in new way. Show that you're really a trusted partner. You value, and will hold private, the information that you're collecting about them. As we hurdle into IOT and driverless cars, that are generating massive amounts of information, more and more, people are going to want to do business with people that are good stewards of that information. >> Right. And I think the interesting thing that came up, as well, is it's not even the technology is not even the breaches, you know we talked a little bit about the whole iPhone encryption thing. Now we all have Alexa sitting at our house, you know, is Alexa listening all the time? I heard of a case where they actually went back to the Alexa on a domestic dispute, or domestic violence to see if Alexa had collected evidence and listened in to this domestic violence attack. But the privacy issues are tremendous. So as all these things get weighed, again, you made an interesting comment, how do we define success? What does success look like? Cause it's not never. In the financial services industry, your worst nightmare is too many false positives, if your turning down people's bank account credit card. So what does success look like? How should people be thinking about success? >> I think there's a couple different dimensions to this. As Jim mentioned earlier, to the extent that you are a steward of other people's data, your ability to promise them that it'll be secure, it'll be private, and execute on the promise, is an important part of your business proposition. To the extent that you have your own business secrets, and your own business confidences you want to protect, that's important. But you raise a somewhat different issue, which is, we do make deliberate decisions sometimes to bring into our homes, into our lives, the kind of collection of information that is a feature, not bug. That's got to be a deliberate decision, because once you collect the information, as in the example of the Alexa recording some domestic disturbance, that's going to be there for somebody else to get using a lawful process or otherwise. So, part of, again, the process of culture and education is always asking, "Why do we want to collect?" Why do we want to hold? What are we connecting to?" You can make an intelligent decision, but you've got to ask the question first. >> Right. Although I heard an interesting twist on that one time. Even if you go through that analysis, and you say, okay, based on these, on yes, yes, and this is why, we're going to collect this data, which you don't know, is what someone else might do with that data in a different scenario down the road. So even if you're a responsible steward of that activity, there's always a chance that something else could happen. So there's even kind of a double whammy. >> I mean, this is one of the byproducts that people talk about with big data. And it's techy term, but people talk about a data lake, where we're collecting this, we're collecting this, we're collecting that. In and of itself, it's not sensitive information. But if you connect different breadcrumbs about a person's activity, and their identity, wow, all of sudden that could be incredibly sensitive. >> Right. >> So that's one of the issues that we've been dealing with in the tech community is how to enable us to collect that information, make good decisions from it, but understand the resulting security issues that come. >> Yeah, that's a fascinating issue because, I think that what a lot of people don't understand is although individual items collected may seem fairly benign, the ability to aggregate, and store all the amount of data is huge. And a perfect example is, you know, people are always walking around taking selfies, or pictures, or putting things in their social media, and the third parties and everybody get into that. And normally you'd say, "That's fine, somebody took a picture of me, it's going to be in their house or whatever, who cares." But if it's all up in the cloud, and someone has the ability to aggregate all that, and all of a sudden get a picture of everybody who's ever taken a photograph of me, or mentioned me, or have had some interaction with, all of a sudden, unbeknownst to me, someone could really get a 24/7 picture of all of my life. So how do you deal with those issues? Some of these are legal questions, some of them are technical questions, but I do think we're on the cusp of having some serious conversations about this. >> So they're going to come yank you guys back into the conference. So thank you for taking a few minutes to come sit down with us. So I just want to wrap up again with the board. As you talk to the boards, we've talked about things that are happening now, and things that are happening in the relative recent past, as you look forward, what's your take away for them as you've sat around, you've talked about all this crazy, scary stuff, and how they should think about it. As you tell them to look forward, what's your advice? >> Well, if I could start with that, so today we released some results from a study we did around this topic. What do boards really think about security? Is it discussed? Is it a boardroom competency? And we interviewed over a hundred senior execs, a vast percentage, forty percent, who were responding as a board member. And what we found was, there's a tale of two cities, two cyber cities. If you're in a large public, US company, in what would be called critical infrastructure, finance, healthcare, telecom, yeah, the directors and the board, they're very well versed in cyber, it's been discussed, it's part of a risk management program, and they have very good CSOs, good interaction with the board. Then there's everybody else. And I would say this actually reflects the boards that I sit on. Is that, you know, cyber's not discussed, it's maybe in reaction to a breach, but it's a technical discussion. And most directors self report, we're not where we need to be on education. So then, just quickly, as a finish, what we launched today was a seven point plan, a blueprint for directors, to help guide areas that they can ask questions, document, review. Kind of move them up their cyber-literacy curve. >> The other thing that I would say, is this, I really sympathize with that small and medium enterprises, which simply don't have the money to invest in terms of building up a whole stand alone security system. I think that takes is more and more to outsourcing some of these functions. Some of it is the cloud, because you put your data up there. Some of it is outsourcing the intelligence and information to know what's coming. It's managed services. Because most of these smaller companies, even if their heart is in the right place, they just don't have the scale to do what a major bank, for example, can do in terms of an operation center. >> Yeah, I think that's such a big piece of the cloud story, is sitting through some of the James Hamilton Tuesday night. If you ever get a chance to go to that He's talks about the investment, infrastructure, security, networking, you name it. That Amazon can make at scale, nobody else, except a very small group of companies can make type of investment. >> Exactly. >> There's just not enough money. Alright, we'll leave it there for now. Really appreciate you stopping by, great event, and thanks for having theCUBE. >> Michael: Great, thanks for having us. >> Okay, it's Michael, Jim, I'm Jeff, you're watching theCUBE. We'll be right back.