>> Narrator: From the CUBE Studios in Palo Alto, in Boston. Connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hi, everybody. Welcome to the special Cube Conversation. With COVID-19 hitting, organizations really had to focus on business resiliency, and we've got two great guests here to talk about that topic. Bob Bender's the chief technology officer at Founders Federal Credit Union. And he's joined by Jim Shook, who is the director of cybersecurity and compliance practice at Dell Technologies. Gentlemen, thanks for coming on the CUBE, great to see you. >> Thanks, Dave, great to see you, thank you. So, Bob, let's start with you, give us a little bit of background on Founders and your role. >> Founders Federal Credit Union is a financial institution that has about 225,000 members, serving them in 30 different locations, located in the Carolinas. I serve as chief technology officer bringing in the latest technology and cyber resilient direction for the company. >> Great. And Jim, talk about your role. Is this a new role that was precipitated by COVID or was this something that Dell has had for a while? Certainly relevant. >> It's actually been around for a while, Dave. The organization invested in this space going back about five years, I founded the cyber security and compliance practice. So really, my role is most of the time in the field with our customers, helping them to understand and solve their issues around the cyber resilience and cyber recovery field that we're talking about. But I also, to do that properly, spend a lot of time with organizations that are interested in that space. So it could be with an advisory partner, could be the FBI, might be a regulator, a particular group like Sheltered Harbor that we've worked with frequently. So it's just really, as you point out, taken off first with ransomware a couple of years ago, and then with the recent challenges from work from home in COVID. So we're really helping out a lot of our customers right now. >> Bob, I've talked privately to a number of CIOs and CSOs and many have said to me that when COVID hit that their business continuance was really much too (voice cuts out) Now, you guys actually started your journey way back in 2017. I wonder if you could take us back a few years and what were the trends that you were seeing that precipitated you to go on this journey? >> Well, I think we actually saw the malware, the horizon there. And I'll take you back a little further 'cause I just love that story is, when we looked at the relationship of Dell EMC, we talked to the 1% of the 1%, who is protecting their environment, their data capital, the new critical asset in our environment. And Dell EMC was the top of the line every time. When we looked at the environment and what it required, to put our assets under protection, again, we turned to Dell EMC and said, where do we need to go here? You look at this Mecklenburg County, you look at the city of Atlanta, you look at Boeing and I hate to use the examples, but some very large companies, some really experienced companies were susceptible to this malware attacks that we just knew ourself it was going to change us. So the horizon was moving fast and we had to as well. >> Well, you were in a highly regulated industry as well. How did that factor into the move? Well, you're exactly right. We had on our budget, our capital budget horizon, to do an air gap solution. We were looking at that. So the regulatory requirements were requiring that, the auditors were in every day talking about that. And we just kept framing that in what we were going to do in that environment. We wanted to make sure as we did this purpose built data bunker, that we looked at everything, talk to the experts, whether that was federal state regulation. You mentioned Sheltered Harbor, there's GDPR. All these things are changing how are we going to be able to sustain a forward look as we stand this environment up. And we also stood up a cyber security operations center. So we felt very confident in our Runbooks, in our incident response, that you would think that we would be ready to execute. I'll share with you that we reached out every which way and a friend called me and was actually in a live ransomware event and asked if I wanted to come on to their site to help them through that incident. We had some expertise on our staff that they did not possess at that time. So going into that environment, spending 30 hours of the last 72 hours of an attack we came back changed. We came back changed and went to our board and our executives and said, "We thought we knew what we were doing." But when you see the need to change from one to 10 servers recovery to 300 in 72 hours, we just realized that we had to change our plan. We turned to the investment we had already made and what we had looked at for some time, and said, "Dell EMC, we're ready to look at that "PowerProtect Cyber Recovery solution. "How can you stand this up very quickly?" >> So, Jim, Bob was saying that he looked at the 1% of the 1%, so these guys are early adopters, but anything you can add to that discussion in terms of what you saw precipitate the activity, let's go pre-COVID, certainly ransomware was part of that. Was that the big catalyst that you saw? >> It really was. So when we started the practice, it was following up on the Sony Pictures attack, which only hit Sony in that. But it was unique in that it was trying to destroy an organization as opposed to just steal their data. So we had financial industry really leading the way, the regulators in the financial industry saying, "Gosh, these attacks could happen here "and they would be devastating." So they led the way. And as our practice continued, 2016 became the year of ransomware and became more prevalent, with the attackers getting more sophisticated and being able to monetize their efforts more completely with things like cryptocurrencies. And so as we come around and start talking to Bob, he still was well ahead of the game. People were talking about these issues, starting to grow concerned, but didn't really understand what to do. And Dave, I know we'll get to this a little bit later, but even today, there's quite a bit of disconnect, many times between the business, understanding the risks of the business and then the technology, which really is the business now, but making those pieces fit together and understanding where you need to improve to secure against these risks is a difficult process. >> Well, I think I'd love to come back to Bob and try to understand how you pitch this to the board, if you will, how you made the business case. To Jim's point, the adversaries are highly capable. It's a lucrative business. I always talk to my kids about ROI numerator and denominator. If you can raise the denominator, that's going to lower the value. And that's the business that you're in is making it less attractive for the bad guys. But how did you present this to the board? Was it a board level discussion? >> It was, exactly. We brought Dell EMC PowerProtect Cyber Recovery solution to them and said, not only you're experiencing and seeing in the news daily, these attacks in our regions, but we have actually gone out into an environment and watch that attack play out. Not only that is when we stepped away, and we ran through some tabletops with them and we stepped away. And we said, "Are you okay? "Do you know how it got in? "Are you prepared to protect now and detect that again?" Within 30 days, they were hit again by the same ransomware attacks and hackers. So I hate to say this, but I probably fast forwarded on the business case and in the environment, the horizon around me, players, they made my case for me. So I really appreciated that top down approach. The board invested, the executive invested, they understood what was at risk. They understood that you don't have weeks to recover in the financial institution. You're dealing with hundreds of thousand transactions per second so it made my case. We had studied, we had talked to the experts. We knew what we wanted. We went to Dell EMC and said, "I have six months and here's my spend." And that's from equipment hitting our CoLOS and our data centers, standing it up, standing up the Runbooks and it's fully executed. And I wanted an environment that was not only holistic. We built it out to cover all of our data and that I could stand up the data center within that environment. I didn't need another backup solution. I needed a cyber recovery environment, a lifestyle change, if you would say. It's got to be different than your BCP/DR. While it inherits some of those relationships, we fund it with employees separately. We treated the incident response separately, and it is really benefited. And I think we've really grown. And we continue to stress that to educate ourselves not only at the board level, but a bottom up approach as well with the employees. 'cause they're a part of that human firewall as well. >> I think you've seen this where a lot of organizations, they do a checkbox on backup or as I was saying before, DR. But then in this world of digital, when a problem hits, it's like, "Oh-oh, we're not ready." So I wonder Jim, if we can get into this solution that Bob has been talking about the Dell EMC PowerProtect Cyber Recovery solution, there's a mouthful there. You got the power branding going on. What is that all about? Talk to us about the tech that's behind this. >> It's something that we've developed over time and really added to in our capability. So at its core, PowerProtect Cyber Recovery is going to protect your most critical data and applications so that if there is a cyber attack, a ransomware or destructive attack, they're safe from that attack. And you can take that data and recover the most important components of the business. And to do that, we do a number of things, Dave. The solution itself takes care of all these things. But number one is we isolate the data so that you can't get there from here. If you're a bad actor, even an insider, you can't get to the data because of how we've architected. And so we'll use that to update the critical applications and data. Then we'll lock that data down. People will use terms like immutability or retention lock. So we'll lock it down in that isolated environment, and then we'll analyze it. So it's one thing to be able to protect the data with the solution, it's another, to be able to say that what I have here in my data vault, in my air gapped isolated environment is clean. It's good data. And if there was an attack, I can use that to recover. And then of course over time, we've built out all the capabilities. We've made it easier to deploy, easier to manage. We have very sophisticated services for organizations that need them. And then we can do a much lighter touch for organizations that have a lot of their built in capabilities. At its core, it's a recover capability so that if there was an attack that was unfortunately successful, you don't lose your business. You're not at the mercy of the criminals to pay the ransom. You have this data and you can recover it. >> So Bob, talk to us about your objectives going into this. It's more than a project. It really is a transformation of your resiliency infrastructure, I'll call it. What were your objectives going in? A lot of companies are reacting, and it's like, you don't have time to really think. So what are the objectives? How long did it take? Paint a picture of the project and what it looked like, some of the high level milestones that you were able to achieve. >> Well, I think several times Dell EMC was able to talk us off the edge, where it really got complicated. The Foundation Services is just one of your more difficult conversations, one of the top three, definitely, patch management, notification, and how you're going to rehydrate that data, keeping that window very small to reduce that risk almost completely as you move. I think other area this apply is that we really wanted to understand our data. And I think we're on a road to achieving that. It was important that if we were going to put it into the vault, it had a purpose. And if we weren't going to put it in a vault, let's see why would we choose to do that? Why would we have this data? Why would we have this laying around? Because that's a story of our members, 225 stories. So their ability to move into financial security, that story is now ours to protect. Not only do we want to serve you in the services and the industry and make sure you achieve what you're trying to, but now we have that story about you that we have to protect just as passionately. And we had that. I think that was two of the biggest things. I think the third is that we wanted to make sure we could be successful moving forward. And I'll share with you that in the history of the credit union, we achieved one of the biggest projects here, in the last two years. That umbrella of the Cyber Recovery solution protection was immediate. We plugged in a significant project of our data capital and it's automatically covered. So I take that out of the vendor of responsibility, which is very difficult to validate, to hold accountable sometimes. And it comes back under our control into this purpose built data security and cyber resilient, business strategy. That's a business strategy for us is to maintain that presence. So everything new, we feel that we're sized, there's not going to be a rip and replace, a huge architectural change because we did have this as an objective at the very beginning. >> Tim, when you go into a project like this, what do you tell customers in terms of things that they really should be focused on to have a successful outcome? >> I'm going to say first that not everybody has a Bob Bender. So we have a lot of these conversations where we have to really start from the beginning and work through it with our customers. If you approach this the right way, it's really about the business. So what are the key processes for your business? It can be different from a bank than from a hospital than from a school point. So what are the key things that you do? And then what's the tech that supports that and underlies those processes? That's what we want to get into the vault. So we'll have those conversations early on. I think we have to help a lot of organizations through the risks too. So understand the risk landscape, why doing one or two little things aren't really going to protect you from the full spectrum of attackers. And then the third piece really is, where do we start? How do we get moving on this process? How do we get victory so that the board can understand and the business can understand, and we can continue to progress along the way? So it's always a bit of a journey, but getting that first step and getting some understanding there on the threat landscape, along with why we're doing this is very important. >> So, Bob, what about any speed bumps that you encountered? What were some of those? No project is ever perfect. What'd you run into? How'd you deal with it? >> Well, I would say the Foundation Services were major part of our time. So it really helped for Dell EMC to come and explain to us and look at that perimeter and how our data is brought into that and size that for us and make sure it's sustainable. So that is definitely, could be a speed bump that we had to overcome. But today, because of those lifts, those efforts invested the Runbooks, the increase in new products, new data as our business organically grows is a non-event. It's very plug and play and that's what we wanted from the start. Again, you go back to that conversation at 1% of the 1%, it's saying, who protects you? We followed that. We stayed with the partner we trusted, the horizon holistically has come back and paid for itself again and again. So speed bumps, we're just enjoying that we were early adapters. I don't want to throw anybody out there, but you look about two weeks ago, there was a major announcement about an attack that was successful. They got them with ransomware and the company paid the ransom. But it wasn't for the ransomware, it was for the data they stole so that they would delete it. That's again, why we wanted this environment is we needed time to react in the case that these malwares are growing much faster than we're capable of understanding how they're attacking. Now it's one, two punch, where's it going to be? Where is it going to end? We're not going to likely be patient zero, but we're also not going to have to be up at night worrying that there's a new strain out there. We have a little time now that we have this secure environment that we know has that air gap solution that was built with the regulatory consideration, with the legal considerations, with the data capital, with the review of malware and such. You can go back in time and say, "Scan to see if I have a problem. So again, the partnership is while we focus on our business, they're focusing on the strategy for the future. And that's what we need. We can't be in both places at once. >> How long did the project take from the point of which you agreed, signed the contract to where you felt like you were getting value out of the solution? >> Six months. >> Really? >> We were adamant. I'd put it off for a year and a half, that's two budget cycles basically is what it felt. And then I had to come back and ask for that money back because we felt so passionate that our data, our critical data didn't need to be at that risk any longer. So it was a very tight timeline. And again, product on prem within six months. And it was a lot of things going on there. So I just wasn't idle during that time. I was having a conversation with Dell EMC about our relationship and our contracts. Let's build that cyber resilience into the contract. Now we've got this, PowerProtect Cyber Recovery environment, let's build it here where you also agree to bring on extra hardware or product if I need that. Let's talk about me being on a technology advisory panel So I can tell you where the pricing of the regulations are going, so you can start to build that in. Let's talk about the executive board reporting of your products and how that can enable us. We're not just talking about cyber and protecting your data. We're talking about back then 60% of your keep the lights on IT person will spend with auditors, talking about how we were failing. This product helped us get ahead of that to now where we're data analytic. We're just analysts that can come back to the business table and say, "We can stand that up very quickly." Not only because of the hardware and the platform solution we have, but it is now covered with a cyber resilience of the the cyber security recovery platform. >> I want to ask you about analytics. Do you feel as though you've been able to go from what is generally viewed as a reactive mode into something that is more anticipatory or proactive using analytics? >> Well, I definitely do. We pull analytics daily and sometimes hourly to make sure we're achieving our KPIs. And looking at the KRIs, we do risk assessments from the industry to make sure if our controls layer of defenses are there, that they will still work what we stood up three years ago. So I definitely think we've gone from an ad hoc rip and replace approach to transformation into a more of a threat hunting type of approach. So our cyber security operation center, for us, is very advanced and is always looking for opportunities not only to improve, to do self-assessments, but we're very active. We're monetizing that with a CUSO arm of the credit union to go out and help others where we're successful, others that may not have that staff. It's very rewarding for us. And I hate to say it sometimes it's at their expense of being in-evolved in the event of a ransomware attack or a malware event. We learned so much the gaps we have, that we could take this back, create Runbooks and make the industry stronger against these types of attacks. >> Well, so Jim, you said earlier, not every company has a Bob Bender. How common is it that you're able to see customers go from that reactive mode into one that is proactive? Is that rare or is it increasingly common? It can't be a 100%, but what are you seeing as trends? >> It's more common now. You think of, again, back to Bob, that's three plus years ago, and he's been a tireless supporter and tireless worker in his industry and in his community, in the cyber area. And efforts like those of Bob's have helped so many other organizations I think, understand the risks and take further action. I think too, Bob talks about some of the challenges with getting started in that three year timeframe, PowerProtect Cyber Recovery has become more productized, our practice is more mature. We have more people, more help. We're still doing things out there that nobody else is touching. And so we've made it easier for organizations that have an interest in this area, to deploy and deploy quickly and to get quick value from their projects. So I think between that some of the ease of use, and then also there's more understanding, I think, of what the bad actors can do and those threats. This isn't about somebody maybe having an outage for a couple of hours. This is about the very existence of a business being threatened. That if you're attacked, you might not come back from it. And there've been some significant example that you might lose hundreds of millions of dollars. So as that awareness has grown, more and more people have come on board and been able to leverage learnings from people like Bob who started much earlier. >> Well, I can see the CFO saying, "Okay, I get it. "I have no choice where we're going to be attacked. "We know that, I got to buy the insurance. You got me." But I can see the CFO saying, "Is there any way we can "get additional value out of this? "Can we use it to improve our processes and cut our costs? "Can we monetize this in some way?" Bob, what's the reality there? Are you able to find other sources of value beyond just an insurance policy? >> Definitely, Dave you're exactly right. We're able to go out there and take these Runbooks and really start to educate what cyber resilience means and what air gap means, what are you required to do, and then what is your responsibility to do it. When you take these exercises that are offered and you go through them, and then you change that perspective and go through a live event with other folks that see that after 60 hours of folks being up straight, it really changes your view to understand that there's no finish line here. We're always going to be trying to improve the product and why not pick somebody that you're comfortable with and you trust. And I think that's the biggest win we have from this is that was a Dell EMC partnership with us. It is very comfortable fit. We moved from backup and recovery into cyber resilience and cybersecurity as a business strategy with that partner, with our partner Dell, and it hasn't failed us. It's a very comforting. We're talking about quality of life for the employee. You hear that, keep the lights on. And they've really turned into professionals to really understand what security means differently today and what that quality of data is. Reports, aren't just reports, they're data capital. The new currency today of the value we bring. So how are we going to use that? How are we going to monetize that? It's changing. And then I hate to jump ahead, but we had our perimeters at 1% of our workforce remote and all of a sudden COVID-19 takes on a different challenge. We thought we were doing really good and next, we had to move 50% of our employees out in five days. And because of that Dell EMC, holistic approach, we were protected every step of the way. We didn't lose any time saying, we bought the wrong control, the wrong hardware, the wrong software. It was a very comfortable approach. The Runbooks held us, our security posture stayed solid. It's been a very rewarding. >> Well, Bob, that was my next question, actually is because you've started the journey. >> Sorry. >> No, no, it's okay. Because you started the journey early, were you able to respond to COVID in a more fast sell manner? it sounds like you just went right in. But there's nuance there, because you've got now 50% or more of the workforce working at home, you got endpoint security to worry about. You got identity access management, and it sounds like you were, "No problem. "We've got this covered." Am I getting that right? >> You're exactly right, Dave. We test our endpoints daily. We make sure that we understand what residue of data is where. And when we saw that employee shift to a safe environment, our most consideration at that time, we felt very comfortable that the controls we had in place, again, Dell and their business partners who we are going to hold true and be solid. And we test those metrics daily. I get reports back telling me, what's missing in patch management, what's missing in a backup. I'll go back to keeping BCP and cyber security separate. In the vault, we take approach of recovery and systems daily. And now that goes from maybe a 2% testing rate almost to 100% annually. So again, to your point, COVID was a real setback. We just executed the same Runbooks we had been maturing all along. So it was very comfortable for employees and it was very comfortable for our IT structure. We did not feel any service delays or outages because of that. In a day, when you have to produce that data, secure that data, every minute of every day of every year, it's very comforting to know it's going to happen. You don't push that button and nothing happens. It's executed as planned. >> Jim, did you see a huge spike in demand for your services as a result of COVID and how did you handle it? You guys got a zillion customers, how did you respond and make sure that you were taking care of everybody? >> We really did see a big spike, Dave. I think there were a couple of things going on. As Bob points out, the security posture changes very quickly when you're sending people to work from home or people remotely, you've expanded or obliterated your parameter, you're not ready for it. And so security becomes even more important and more top of mind. So with PowerProtect Cyber Recovery, we can go in and we can protect those most critical applications. So organizations are really looking at their full security posture. What can we do better to detect and protect against these threats? And that's really important. For us, we're focusing on what happens when those fail? And with that extension and people going home, and then the threat actors getting even more active, the possibilities of those failures become more possible and the risks are just in front of everybody. So I think it was a combination of all of those things. Many, many customers came to us very quickly and said, "Tell us more about what you're doing here. "How does it fit into our infrastructure? "What does it protect us against? "How quickly can we deploy?" And so there has been a huge uptake in interest. And we're fortunate in that, as you pointed out early on, Dave, we invested early here. I'm five years into the practice. We've got a lot of people, very mature, very sophisticated in this area, a lot of passion among our team. And we can go take care of all those customers. >> Bob, if you had a mulligan, thinking about this project, what would you do differently if you had a chance to do it over? >> I think I would start earlier. I think that was probably the biggest thing I regret in that realizing you need to understand that you may not have the time you think you do. And luckily, we came to our senses, we executed and I got to say it was with common sense, comfortable products that we already understood. We didn't have to learn a whole new game plan. I don't worry about that. I don't worry about the sizing of the product 'cause we did it, I feel correctly going in and it fits us as we move forward. And we're growing at an increased rate that we may not expect. It's plug and play. Again, I would just say, stay involved, get involved, know that what we know today about malware and these attacks are only going to get more complicated. And that's where I need to spend my time, my group become experts there. Why I really cherish the Dell EMC relationship is from the very beginning, they've always been very passionate on delivering products that recover and protect and now are cyber resilient. I don't have to challenge that, you pay for what you get for. And I just got to say, I don't think there's much other than I would have started earlier. So start today, don't put it off. >> So you said earlier though, you're never done, you never are, in this industry. So what's your roadmap look like? Where do you want to go from here with this capability? >> I definitely want to keep educating my staff, keep training them, keep working with Dell. Again, I tell you they're such forward thinking as a company. They saved me that investment. So if you're looking at part of the investment, it's got to be, are you with a partner that's forward thinking? So we definitely want to mature this, challenge it, keep challenging, keep working with Dell and their products to deliver more. Again, we go to the federal and state regulatory requirements. You go to the Sheltered Harbor, the ACET testing from the NCUA regulators, just software asset management. You can keep on going down the line. This product, I hate to say it, it's like the iPhone. You think about how many products the iPhone has now made not relevant. I don't even own a flashlight, I don't think. This is what the Dell product line brings to me is that I can trust they're going to keep me relevant so I can stay at the business table and design products that help our members today. >> Jim, how about from Dell's perspective, the roadmap, without giving away any confidential information, where do you want to take this? We talk about air gaps. I remember watching that documentary Zero Days and hearing them say, "We got through an air gap. "No problem." So analytics obviously plays a role in this machine intelligence, machine learning, AI. Where does Dell want to take this capability? Where do you see that going? >> We've got some things in mind and then we're always going to listen to our customers and see where the regulations are going to. And thus far, we've been ahead of those with the help of people like Bob. I think where we have a huge advantage, Dave is with PowerProtect Cyber Recovery. It's a product. So we've got people who are dedicated to this full time. We have a maturity in the organization, in the field to deliver it and to service it. And having something as a product like that really enables us to have roadmaps and support and things that customers need to really make this effective for them. So as we look out on the product, and thanks for your reminder, I don't want to risk saying anything here I'm going to get in trouble for. We look at things in three paths. One is we want to increase the ability for our customers to consume the product. So they want it in different forms. They might want it in appliances, in the Cloud, virtual, all of those things are things that we've developed and continue to develop. They want more capabilities. So they want the product to do more things. They want it to be more secure, and keeping up. As you mentioned, machine learning with the analytics is a big key for us. Even more mundane things like operational information makes it easier to keep the vault secure and understand what's going on there without having to get into it all the time. So those are really valuable. And then our third point, really, we can't do everything. And so we have great partners, whether they're doing delivery, offering cyber recovery as a service or providing secure capabilities, like our relationship with Unisys. They have a stealth product that is a zero knowledge, zero trust product that helps us to secure some of the connections to the vault. We'll keep iterating on all of those things and being innovative in this space, working with the regulators, doing things. Bob's mentioned a couple of times, Sheltered Harbor. We've been working with them for two years to have our product endorsed to their specification. Something that nobody else is even touching. So we'll continue along all those paths, but really following our customer's lead in addition to maybe going some places that they haven't thought about before. >> It's great guys. I have to fear that when you talk to SecOps pros, you ask them what their biggest challenge is, and they'll say lack of talent, lack of skills. And so this is a great example, Jim, you're mentioning it, you've productized this. This is a great example of a technology company translating, IT labor costs into R&D. And removing those so customers can spend time running their business. Bob and Jim, thanks so much for coming on the CUBE. Great story. Really appreciate your time. >> Thank you, Dave. >> Thank you, Dave. >> Thanks, Bob. >> All right. And thank you everybody for watching. This is Dave Vellante for the CUBE. We'll see you next time. (instrumental music)