>> From theCUBE studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE in ETR. This is Breaking Analysis with Dave Vellante. >> Despite the more than $100 billion spent each year fighting Cyber-crime. When we do an end-of-the year look back and ask "How did we do?" The answer is invariably the same, "Worse than last year." Pre pandemic, the picture was disheartening, but since March of 2020 the situation has only worsened as cyber-criminals have become increasingly sophisticated, better funded and more brazen. SecOps pros continue to fight, but unlike conventional wars, this one has no end. Now the flip side of course, is that markets continue to value cybersecurity firms at significant premiums. Because this huge market will continue to grow by double digits for the foreseeable future. Hello and welcome to this week's Wikibon theCUBE Insights powered by ETR. In this Breaking Analysis, we look at the state of cybersecurity in 2021 and beyond. We'll update you with the latest survey data from enterprise technology research and share the fundamentals that have investors piling into the security space like never before. Let's start with the customer view. Cybersecurity remains the number one priority for CIOs and CSOs. This latest ETR survey, once again asked IT buyers to rank their top priorities for the next 12 months. Now the last three polling period dating back to last March. Cybersecurity has outranked every top spending category, including cloud, data analytics, productivity software, networking, AI, and automation or RPA. Now this shouldn't surprise anybody, but it underscores the challenges that organizations face. Not only are they in the midst of a non-optional digital transformation, but they have to also fund a cyber war that has no ceasefires, no truces, and no exit path. Now there's much more going on in cybersecurity than ransomware, but certainly that has the attention of executives. And it's becoming more and more lucrative for attackers. Here's a snapshot of some of the more well-documented attacks this decade many which have occurred in very recent months. CNA Financial, they got hit earlier this year and paid a $40 million ransom. The Ireland Health Service also got hit this year and refused to pay the ransom, but it's estimated that the cost to recover and the damage to the organization exceeded half a billion dollars. The request was for a $20 million ransom. The JBS meat company hack, they paid $11 million. CWT travel paid $5 million. The disruption from the Colonial Pipeline company, was widely reported they paid more than $4 million, as the Brenntag, the chemical company. The NBA got hit. Computer makers, Quanta and Acer also. More than 2,000 random attacks were reported to the FBI in the first seven months of 2021. Up more than 60% from 2020. Now, as I've said many times, you don't have to be a genius to be a ransomware as today. Anyone can go on the dark web, tap into ransomware as a service. Attackers, they have insidious names like darkside, evil, the cobalt, crime gang, wizard spider, the Lazarus gang, and numerous others. Criminals they have negotiation services is most typically the attackers, they'll demand a specific amount of money but they're willing to compromise in an exchange of cryptocurrency for decryption keys. And as mentioned, it's not just ransomware supply chain attacks like the solar winds hack hit organizations within the U.S government and companies like Mimecast this year. Now, while these attacks often do end up in a ransom situation. The attackers sometimes find it more lucrative to live off the land and stealth fashion and ex filtrates sensitive data that can be sold or in the case of many financial institution attacks they'll steal information from say a chief investment officer that signals an upcoming trading strategy and then the attackers will front run that trade in the stock market. Now, of course phishing, remains one of the most prominent threats. Only escalated by the work from home trend as users bring their own devices and of course home networks are less secure. So it's bad, worse than ever before. But you know, if there's a problem, entrepreneurs and investors, they're going to be there to solve it. So here's a LinkedIn post from one of the top investors in the business, Mike Speiser. He was a founding investor in Snowflake. He helped get pure storage to escape velocity and many, many other successes. This hit my LinkedIn feed the other day, his company Sutter Hill Ventures is co-leading a 1.3 Series D on an $8.3 billion valuation. They're putting in over $200 million. Now Lacework is a threat detection software company that looks at security as a data problem and they monitor exposures across clouds. So very timely. So watch that company. They're going to soar. Now the right hand chart shows venture investments in cybersecurity over the past several years. You can see it exploded in 2019 to $7.6 billion. And people thought the market was peaking at that time, if you recall. But then investments rose a little bit to $7.8 billion in 2020 right in the middle of lockdown. And then the hybrid work, the cloud, the new normal thesis kicked in big time. It's in full gear this year. You can see nearly $12 billion invested in cybersecurity in the first half of 2021 alone. So the money keeps coming in as the problem gets worse and the market gets more crowded. Now we'd like to show this slide from Optiv, it's their security taxonomy. It'll make your eyes cross. It's so packed with companies in different sectors. We'll put a link in our posts, so you can stare at this. We've used this truck before. It's pretty good. It's comprehensive and it's worth spending some time to see what that landscape looks like. But now let's reduce this down a bit and bring in some of the ETR data. This is survey data from October that shows net score or spending momentum on the vertical axis and market share or pervasiveness in the dataset on the horizontal axis. That's a measure of mentioned share if you will. Now this is just isolated on the information security sector within the ETR taxonomies. No filters in terms of the number of responses. So it's every company that ETR picks up in cybersecurity from its buyer surveys. Now companies above that red line, we consider them to have a highly elevated spending momentum for their products and services. And you can see, there are a lot of companies that are in this map first of all, and several above that magic mark. So you can see the momentum of Microsoft and Palo Alto. That's most impressive because of their size, their pervasiveness in the study, Cisco and Splunk are also quite prominent. They don't have as much spending momentum, but they're pretty respectable. And you can see the companies that have been real movers in this market that we've been reporting on for a while. Okta, CrowdStrike, Zscaler, CyberArk, SailPoint, Authzero, all companies that we've extensively covered in previous breaking analysis episodes as the up and comers. And isn't it interesting that Datadog is now showing up in the vertical axis. You see that in the left-hand side up high, they're becoming more and more competitive to Splunk in this space as an alternative and lines are blurring between observability, log analytics, security, and as we previously reported even backup and recovery. But now let's simplify this picture a bit more and filter down a little bit further. This chart shows the same X, Y view. Same data construct and framework, but we required more than a hundred responses to hit the chart. So the companies, they have to have a notable market presence in the ETR survey. It's perhaps a bit less crowded, but still very packed. Isn't it? You can see firms that are less prominent in the space like Datadog fell off. The big companies we mentioned, obviously still prominent Microsoft, Palo Alto, Cisco and Splunk and then those with real momentum, they stand out a little bit. There's somewhat smaller, but they're gaining traction in the market. As we felt they would Okta and Auth zero, which Okta acquired as we reported on earlier this year, both showing strength as our CrowdStrike, Zscaler, CyberArk, which does identity and competition with Okta and SentinelOne, which went public mid this year. The company SentinelOne uses AI to do threat detection and has been doing quite well. SalePoint and Proofpoint are right on that red elevated line and then there's a big pack in the middle. Look, this is not an easy market to track. It's virtually every company plays in security. Look, AWS says some of the most advanced security in the business but they're not in the chart specifically, but you see Microsoft is. Because much of AWS security is built into services. Amazon customers heavily rely on the Amazon ecosystem which is in the Amazon marketplace for security products. And often they associate their security spend with those partners and not necessarily Amazon. And you'll see networking companies you see right there, like Juniper and the bottom there and in the ETR data set and the players like VMware in the middle of the pack. They've been really acquisitive for example, with carbon black. And the, of course, you've got a lot of legacy players like McAfee and RSA and IBM. Look, virtually every company has a security story and that will only become more common in the coming years. Now here's another look at the ETR data it's in the raw form, but it'll give you a sense of two things; One is how the data from the previous chart is plotted. And two, it gives you a time series of the data. So the data lists the top companies in the ETR data sets sorted by the October net score in the right most column. Again, that measures spending momentum. So to make the cut here, you had to have more than a hundred mentions which is shown on the left-hand side of the chart that shared N, IE that's shared accounts in the dataset. And you can track the data from last October, July of this year and the most recent October, 2021 survey. So we, drew that red line just about at the 40% net score market coincidentally, there are 10 companies that are over that figure over that bar. We sometimes call out the four star companies. We give four stars to those companies that both are in the top 10 and spending momentum and the top in prominence are shared N in the dataset. So some of these 10 would fit into that profile by that methodology, specifically, Microsoft, Okta, CrowdStrike, and Palo Alto networks. They would be the four star companies. Now a couple of other things to point out here, DDoS attacks, they're still relevant, and they're real threat. So a company like CloudFlare which is just above that red line they play in that space. Now we've also shaded the companies in the fat middle. A lot of these companies like Cisco and Splunk for example, they're major players in the security space with very strong offerings and customer affinity. We sometimes give them two stars. So this is what makes this market so interesting. It's not like the high end discourage market where literally every vendor in the Gartner magic quadrant is up in the right, okay. And there's only five or four or five, six vendors there. This market is diverse with many, many segments and sub segments, and it's such a vital space. And there's so many holes to fill with an ever changing threat landscape as we've seen in the last two years. So this is in part which makes it such a good market for investors. There's a lot of room for growth and not just from stealing market share. That's certainly an opportunity there, but things like cloud, multi-cloud, shifting end points, the edge ,and so forth make this space really ripe for investments. And to underscore this, we put together this little chart of some of the pure play security firms to see how their stock performance has done recently. So you can see that here, you know, it's a little hard to read, but it's not hard to see that Okta, CrowdStrike, Zscaler on the left have been big movers. These charts where possible all show a cross here, starting at the lockdown last year. The only exception is SentinelOne which IPO mid this year. So that's the point March, 2020 when the whole world changed and security priorities really started to shift to accommodate the work from home. But it's quite obvious that since the pandemic, these six companies have been on a tear for the fundamental reason that hybrid work has created a shift in spending priorities for CSOs. No longer are organizations just spending on hardening a perimeter, that perimeter has been blown away. The network is flattening. Work is what you do, it's no longer a place. As such threats are on the rise and cloud, endpoint security, identity access tools there become increasingly vital and the vendors who provide them are on the rise. So it's no surprise that the players that we've listed here which play quite prominently in those markets are all on fire. So now in summary, I want to stress that while the picture is sometimes discouraging. The entire world is becoming more and more tuned in to the cyber threat. And that's a good thing. Money is pouring in. Look, technology got us into this problem and technology is a defensive weapon that will help us continue this fight. But it's going to take more than technology. And I want to share something. We get dozens and dozens of in bounds this time of the year because we do an annual predictions posts. So folks and they want to help us out. So now most of the in bounds and the predictions that we get, they're just kind of observations or frankly, non predictions that can't really be measured as like where you right, or where you're wrong. So for the most part I like predictions that are binary. For example, last December we predicted their IT spending in 2021 would rebound and grow at 4% relative to 2020. Well, it did rebound but that prediction really wasn't as accurate as I'd like. It was frankly wrong. We think it's actually the market's going to actually grow. Spending's going to grow more like 7% this year. Not to worry plenty of our predictions came true, but we'll leave that for another day. Anyway, I got an email from Dean Fisk of Fisk partners. It's a PR firm representing an individual named Lyndon Brown chief of strategy officer of Pondurance. Pondurance is a security consultancy. And the email had the standard, Hey, in case you're working on a predictions post this year end, blah, blah, blah. But instead of sharing with me, a bunch of non predictions, the notes said here's some trends in cybersecurity that might be worth thinking about. And there were a few predictions sprinkled in there, but I wanted to call it a couple of the comments from Linden Brown, whom I don't know, I never met the guy, but I really thought his trends were spot on. The first was a stat I'll share that the United Nations report cyber crime is up 600% due to the pandemic. If as if I couldn't feel worse already. His first point though was that the hybrid workplace will be the new frontier for cyber. Yes, we totally agree. There are permanent shifts taking place. And we actually predicted that last year, but he further cited that many companies went from zero to full digital transformation overnight and many are still on that journey. And his point is that hybrid work is going to require a complete overhaul of how we think about security. We think this is very true. Now the other point that stood out is that governments are going to crack down on this behavior. And we've seen this where criminals have had their critical infrastructure dismantled by governments. No doubt the U.S government has the capabilities to do so. And it is very much focused on this issue. But it's tricky as Robert Gates, who was the former defense secretary, told me a few years back in theCUBE. He said, well, we have the best offense. We also have the most to lose. So we have to be very careful, but Linden's key point was you are going to see a much more forward and aggressive public policy and new laws that give crime fighters more latitude . Again, it's tricky kind of like the Patriot act was tricky but it's coming. Now, another call-out from Linden shares his assertion that natural disasters will bring increased cyber risk. And I thought this was a really astute point because natural disasters they're on the rise. And when there's chaos, there's cash opportunities for criminals. And I'll add to this that the supply chain risk is far from over. This is going to be continuing theme this coming year and beyond. And one of the things that Linden Brown said in his note to me is essentially you can't take humans out of the equation. Automation alone can't solve the problem, but some companies operate as though they can. Just as bad human behavior, can tramp good security, Good human education and behavior is going to be a key weapon in this endless war. Now the last point is we're going to see continued escalation government crackdowns are going to bring retaliation and to Gates' point. The U.S has a lot at stake. So expect insurance premiums are going to go through the roof. That's assuming you can even get cyber insurance. And so we got to hope for the best, but for sure, we have to plan for the worst because it's coming. Deploy technology aggressively but people in process will ultimately be the other ingredients that allow us to live to battle for another day. Okay. That's a wrap for today. Remember these episodes they're all available as podcasts, wherever you listen just search "breaking analysis" podcast. Check out ETR his website at ETR.plus. We also publish a full report every week on Wikibond.com and siliconangle.com. You can get in touch. Email me @david.volante@tsiliconangle.com or you can DM me @dvellante. Comment on our LinkedIn posts. This is Dave Vellante for theCUBE insights powered by ETR. Have a great week. everybody stay safe, be well. And we'll see you next time. (techno music)

(upbeat music) >> Announcer: From the CUBE studios in Palo Alto, in Boston, connecting with thought leaders all around the world. This is theCUBE Conversation. >> Hey, welcome back everybody Jeffrey Frick with theCUBE. We are getting through the COVID crisis. It continues and impacting the summer. I can't believe the summer's almost over, but there's a whole lot of things going on in terms of privacy and contact tracing and this kind of this feeling that there's this conflict between kind of personal identification and your personal privacy versus the public good around things like contact tracing. And I was in a session last week with two really fantastic experts. I wanted to bring them on the show and we're really excited to have back for I don't even know how many times Michelle has been on Michelle Dennedy, She is the former chief privacy officer at Cisco and now she's running the CEO of Identity, Michelle great to see you. >> Good to see you always Jeff >> Yeah and for the first time Dr. Ann Cavoukian and she is the executive director Global Privacy & Security By Design Center. Joining us from Toronto, worked with the government and is not short on opinions about privacy. (laughing) Ann good to see you. >> Hi Jeff thank you >> Yes, so let's jump into it cause I think one of the fundamental issues that we keep hearing is this zero-sum game. And I know and it's a big topic for you that there seems to be this trade off this either or and specifically let's just go to contact tracing. Cause that's a hot topic right now with COVID. I hear that it's like you're telling everybody where I'm going and you're sharing that with all these other people. How is this even a conversation and where do I get to choose whether I want to participate or not? >> You can't have people traced and tracked and surveil. You simply can't have it and it can't be an either or win lose model. You have to get rid of that data. Zero-sum game where only one person can win and the other one loses and it sums to a total of zero. Get rid of that, that's so yesterday. You have to have both groups winning positive sum. Meaning yes, you need public health and public safety and you need privacy. It's not one versus the other. We can do both and that's what we insist upon. So the contact term tracing app that was developed in Canada was based on the Apple Google framework, which is actually called exposure notification. It's totally privacy protective individuals choose to voluntarily download this app. And no personal information is collected whatsoever. No names, no geolocation data, nothing. It's simply notifies you. If you've been exposed to someone who is COVID-19 positive, and then you can decide on what action you wish to take. Do you want to go get tested? Do you want to go to your family doctor, whatever the decision lies with you, you have total control and that's what privacy is all about. >> Jeffrey: But what about the person who was sick? Who's feeding the top into that process and is the sick person that you're no notifying they obviously their personal information is part of that transaction. >> what the COVID alerts that we developed based on the Apple Google framework. It builds on manual contact tracing, which also take place the two to compliment each other. So the manual contact tracing is when individuals go get to get tested and they're tested as positive. So healthcare nurses will speak to that individual and say, please tell us who you've been in contact with recently, family, friends, et cetera. So the two work together and by working together, we will combat this in a much more effective manner. >> Jeffrey: So shifting over to you Michelle, you know, there's PIN and a lot of conversations all the time about personal identifiable information but right. But then medical has this whole nother class of kind of privacy restrictions and level of care. And I find it really interesting that on one hand, you know, we were trying to do the contract tracing on another hand if you know, my wife works in a public school. If they find out that one of the kids in this class has been exposed to COVID somehow they can't necessarily tell the teacher because of HIPAA restriction. So I wonder if you could share your thoughts on this kind of crossover between privacy and health information when it gets into this kind of public crisis and this inherent conflict for the public right to know and should the teacher be able to be told and it's not a really clean line with a simple answer, I don't think. >> No and Jeff, and you're also layering, you know, when you're talking about student data, you layering another layer of legal restriction. And I think what you're putting your thumb on is something that's really critical. When you talk about privacy engineering, privacy by design and ethics engineering. You can't simply start with the legal premise. So is it lawful to share HIPAA covered data. A child telling mommy I don't feel well not HIPAA covered. A child seeing a doctor for medical services and finding some sort of infection or illness covered, right? So figuring out the origin of the exact same zero one. Am I ill or not, all depends on context. So you have to first figure out, first of all let's tackle the moral issues. Have we decided that it is a moral imperative to expose certain types of data. And I separate that from ethics intentionally and with apologies to true ethicists. The moral imperative is sort of the things we find are so wrong. We don't want a list of kids who are sick or conversely once the tipping point goes the list of kids who are well. So then they are called out that's the moral choice. The ethical choice is just because you can should you, and that's a much longer conversation. Then you get to the legal imperative. Are you allowed to based on the past mistakes that we made. That's what every piece of litigation or legislation is particularly in a common law construct in the US. It's very important to understand that civil law countries like the European theater. They try to prospectively legislate for things that might go wrong. The construct is thinner in a common law economy where you do, you use test cases in the courts of law. That's why we are such a litigious society has its own baggage. But you have to now look at is that legal structure attempting to cover past harms that are so bad that we've decided as a society to punish them, is this a preventative law? And then you finally get to what I say is stage four for every evaluation is isn't viable, are the protections that you have to put on top of these restrictions. So dire that they either cannot be maintained because of culture process or cash or it just doesn't make sense anymore. So does it, is it better to just feel someone's forehead for illness rather than giving a blood assay, having it sent away for three weeks and then maybe blah, blah, blah, blah, blah, blah. >> Right. >> You have to look at this as a system problem solving issue. >> So I want to look at it in the context of, again kind of this increased level of politicization and or, you know, kind of exposure outside of what's pretty closed. And I want to bring up AIDS and the porn industry very frankly right? Where people behaving in the behavior of the business risk a life threatening disease of which I still don't think it as a virus. So you know why, cause suddenly, you know, we can track for that and that's okay to track for that. And there's a legitimate reason to versus all of the other potential medical conditions that I may or may not have that are not necessarily brought to bear within coming to work. And we might be seeing this very soon. As you said, if people are wanting our temperatures, as we come in the door to check for symptoms. How does that play with privacy and healthcare? It's still fascinates me that certain things is kind of pop out into their own little bucket of regulation. I'm wondering if you could share your thoughts on that Ann. >> You know, whenever you make it privacy versus fill in the blank, especially in the context of healthcare. You end up turning it to a lose lose as opposed to even a win lose. Because you will have fewer people wanting to allow themselves to be tested, to be brought forward for fear of where that information may land. If it lands in the hands of your employer for example or your whoever owns your house if you're in renting, et cetera. It creates enormous problems. So regardless of what you may think of the benefits of that model. History has shown that it doesn't work well that people end up shying away from being tested or seeking treatment or any of those things. Even now with the contact tracing apps that have been developed. If you look globally the contact tracing apps for COVID-19. They have failed the ones that identify individuals in the UK, in Australia, in Western Canada that's how it started out. And they've completely dropped them because they don't work. People shy away from them. They don't use them. So they've gotten rid of that. They've replaced it with the, an app based on the Apple Google framework, which is the one that protects privacy and will encourage people to come forward and seek to be tested. If there's a problem in Germany. Germany is one of the largest privacy data protection countries in the world. Their privacy people are highly trusted in Germany. Germany based their app on the Apple Google framework. About a month ago they released it. And within 24 hours they had 6.5 million people download the app. >> Right. >> Because there is such trust there unlike the rest of the world where there's very little trust and we have to be very careful of the trust deficit. Because we want to encourage people to seek out these apps so they can attempt to be tested if there's a problem, but they're not going to use them. They're just going to shy away from them. If there is such a problem. And in fact I'll never forget. I did an interview about a month ago, three weeks ago in the US on a major major radio station that has like 54 million people followers. And I was telling them about the COVID alert the Canadian contact tracing app, actually it's called exposure notification app, which was built on the Apple Google framework. And people in hoard said they wouldn't trust anyone with it in the US. They just wouldn't trust it. So you see there's such a trust deficit. That's what we have to be careful to avoid. >> So I want to hold on the trust for just a second, but I want to go back to you Michelle and talk about the lessons that we can learn post 9/11. So the other thing right and keep going back to this over and over. It's not a zero-sum game. It's not a zero-sum game and yet that's the way it's often positioned as a way to break down existing barriers. So if you go back to 9/11 probably the highest profile thing being the Patriot Act, you know, where laws are put in place to protect us from terrorism that are going to do things that were not normally allowed to be done. I bet without checking real exhaustively that most of those things are still in place. You know, cause a lot of times laws are written. They don't go away for a long time. What can we learn from what happened after 9/11 and the Patriot Act and what should be really scared of, or careful of or wary of using that as a framework for what's happening now around COVID and privacy. >> It's a perfect, it's not even an analogy because we're feeling the shadows of the Patriot Act. Even now today, we had an agreement from the United States with the European community until recently called the Privacy Shield. And it was basically if companies and organizations that were, that fell under the Federal Trade Commissions jurisdiction, there's a bit of layering legal process here. But if they did and they agreed to supply enough protection to data about people who were present in the European Union to the same or better level than the Europeans would. Then that information could pass through this Privacy Shield unencumbered to and from the United States. That was challenged and taken down. I don't know if it's a month ago or if it's still March it's COVID time, but very recently on basis that the US government can overly and some would say indifferent nations, improperly look at European data based on some of these Patriot Act, FISA courts and other intrusive mechanisms that absolutely do apply if we were under the jurisdiction of the United States. So now companies and private actors are in the position of having to somehow prove that they will mechanize their systems and their processes to be immune from their own government intrusion before they can do digital trade with other parts of the world. We haven't yet seen the commercial disruption that will take place. So the unintended consequence of saying rather than owning the answers or the observations and the intelligence that we got out of the actual 9/11 report, which said we had the information we needed. We did not share enough between the agencies and we didn't have the decision making activity and will to take action in that particular instance. Rather than sticking to that knowledge. Instead we stuck to the Patriot Act, which was all but I believe to Congress people. When I mean, you see the hot mess. That is the US right now. When everyone but two people in the room vote for something on the quick. There's probably some sort of a psychological gun to your head. That's probably well thought out thing. We fight each other. That's part of being an American dammit. So I think having these laws that say, you've got to have this one solution because the boogeyman is coming or COVID is coming or terrorists or child pornographers are coming. There's not one solution. So you really have to break this down into an engineering problem and I don't mean technology when I say engineering. I mean looking at the culture, how much trust do you have? Who is the trusted entity? Do we trust Microsoft more than we trust the US government right now? Maybe that might be your contact. How you're going to build people, process and technology not to avoid a bad thing, but to achieve a positive objective because if you're not achieving that positive objective of understanding that safe to move about without masks on, for example, stop, just stop. >> Right, right. My favorite analogy Jeff, and I think I've said this to you in the past is we don't sit around and debate the merits of viscosity of water to protect concrete holes. We have to make sure that when you lead them to the concrete hole, there's enough water in the hole. No, you're building a swimming pool. What kind of a swimming pool do you want? Is it commercial, Is it toddlers? Is it (indistinct), then you build in correlation, protection and da da da da. But if you start looking at every problem as how to avoid hitting a concrete hole. You're really going to miss the opportunity to build and solve the problem that you want and avoid the risk that you do not want. >> Right right, and I want to go back to you on the trust thing. You got an interesting competent in that other show, talking about working for the government and not working directly for the people are voted in power, but for the kind of the larger bureaucracy and agency. I mean, the Edelman Trust Barometer is really interesting. They come out every year. I think it's their 20th year. And they break down kind of like media, government and business. And who do you trust and who do you not trust? What what's so fascinating about the time we're in today is even within the government, the direction that's coming out is completely diametrically opposed oftentimes between the Fed, the state and the local. So what does kind of this breakdown of trust when you're getting two different opinions from the same basic kind of authority due to people's ability or desire to want to participate and actually share the stuff that maybe or maybe not might get reshared. >> It leaves you with no confidence. Basically, you can't take confidence in any of this. And when I was privacy commissioner. I served for three terms, each term that was a different government, different political power in place. And before they had become the government, they were all for privacy and data protection believed in and all that. And then once they became the government all that changed and all of a sudden they wanted to control everyone's information and they wanted to be in power. No, I don't trust government. You know, people often point to the private sector as being the group you should distrust in terms of privacy. I say no, not at all. To me far worse is actually the government because everyone thinks they're there to do good job and trust them. You can't trust. You have to always look under the hood. I always say trust but verify. So unfortunately we have to be vigilant in terms of the protections we seek for privacy both with private sector and with the government, especially with the government and different levels of government. We need to ensure that people's privacy remains intact. It's preserved now and well into the future. You can't give up on it because there's some emergency a pandemic, a terrorist incident whatever of course we have to address those issues. But you have to insist upon people's privacy being preserved. Privacy forms the foundation of our freedom. You cannot have free and open societies without a solid foundation of privacy. So I'm just encouraging everyone. Don't take anything at face value, just because the government tells you something. It doesn't mean it's so always look under the hood and let us ensure the privacy is strongly protected. See emergencies come and go. The pandemic will end. What cannot end is our privacy and our freedom. >> So this is a little dark in here, but we're going to lighten it up a little bit because there's, as Michelle said, you know, if you think about building a pool versus putting up filling a hole, you know, you can take proactive steps. And there's a lot of conversation about proactive steps and I pulled Ann your thing Privacy by Design, The 7 Foundational Principles. I have the guys pull up a slide. But I think what's really interesting here is, is you're very, very specific prescriptive, proactive, right? Proactive, not reactive. Privacy is the default setting. You know, don't have to read the ULAs and I'm not going to read the, all the words we'll share it. People can find it. But what I wanted to focus on is there is an opportunity to get ahead of the curve, but you just have to be a little bit more thoughtful. >> That's right, and Privacy By Design it's a model of prevention, much like a medical model of prevention where you try to prevent the harms from arising, not just deal with them after the facts through regulatory compliance. Of course we have privacy laws and that's very important, but they usually kick in after there's been a data breach or privacy infraction. So when I was privacy commissioner obviously those laws were intact and we had to follow them, but I wanted something better. I wanted to prevent the privacy harms from arising, just like a medical model of prevention. So that's a Privacy By Design is intended to do is instantiate, embed much needed privacy protective measures into your policies, into your procedures bake it into the code so that it has a constant presence and can prevent the harms from arising. >> Jeffrey: Right right. One of the things I know you love to talk about Michelle is compliance, right? And is compliance enough. I know you like to talk about the law. And I think one of the topics that came up on your guys' prior conversation is, you know, will there be a national law, right? GDPR went through on the European side last year, the California Protection Act. A lot of people think that might become the model for more of a national type of rule. But I tell you, when you watch some of the hearings in DC, you know, I'm sure 90% of these people still print their emails and have their staff hand them to them. I mean, it's really scary that said, you know, regulation always does kind of lag probably when it needs to be put in place because people maybe abuse or go places they shouldn't go. So I wonder if you could share your thoughts on where you think legislation is going to going and how should people kind of see that kind of playing out over the next several years, I guess. >> Yeah, it's such a good question Jeff. And it's like, you know, I think even the guys in Vegas are having trouble with setting the high laws on this. Cameron said in I think it was December of 2019, which was like 15 years ago now that in the first quarter of 2020, we would see a federal law. And I participated in a hearing at the Senate banking committee, again, November, October and in the before times. I'm talking about the same thing and here we are. Will we have a comprehensive, reasonable, privacy law in the United States before the end of this president's term. No, we will not. I can say that with just such faith and fidelity. (laughing) But what does that mean? And I think Katie Porter who I'm starting to just love, she's the Congresswoman who's famous for pulling on her white board and just saying, stop fudging the numbers. Let's talk about the numbers. There's about a, what she calls the 20% legislative flip phone a caucus. So there are 20% or more on both sides of the aisle of people in the US who are in the position of writing our laws. who are still on flip phones and aren't using smart phones and other kinds of technologies. There's a generation gap. And as much as I can kind of chuckle at that a little bit and wink, wink, nudge, nudge, isn't that cute. Because you know, my dad, as you know, is very very technical and he's a senior citizen. This is hard. I hope he doesn't see that but... (laughing) But then it's not old versus young. It's not let's get a whole new group and crop and start over again. What it is instead and this is, you know, as my constant tome sort of anti compliance. I'm not anti compliance. You got to put your underwear on before your pants or it's just really hard. (laughing) And I would love to see anyone who is capable of putting their underwater on afterwards. After you've made the decision of following the process. That is so basic. It comes down to, do you want the data that describes or is donated or observed about human beings. Whether it's performance of your employees. People you would love to entice onto your show to be a guest. People you'd like to listen and consume your content. People you want to meet. People you want to marry. Private data as Ann says, does the form the foundation of our freedom, but it also forms the foundation of our commerce. So that compliance, if you have stacked the deck proactively with an ethics that people can understand and agree with and have a choice about and feel like they have some integrity. Then you will start to see the acceleration factor of privacy being something that belongs on your balance sheet. What kind of data is high quality, high nutrition in the right context. And once you've got that, you're in good shape. >> I'm laughing at privacy on the balance sheet. We just had a big conversation about data on the balance sheets. It's a whole, that's a whole another topic. So we can go for days. I have Pages and pages of notes here. But unfortunately I know we've got some time restrictions. And so, and I want to give you the last word as you look forward. You've been in this for a while. You've been in it from the private side, as well as the government side. And you mentioned lots of other scary things, kind of on the horizon. Like the kick of surveillance creep, which there's all kinds of interesting stuff. You know, what advice do you give to citizens. What advice do you give to leaders in the public sector about framing the privacy conversation >> I always want to start by telling them don't frame privacy as a negative. It's not a negative. It's something that can build so much. If you're a business, you can gain a competitive advantage by strongly protecting your customer's privacy because then it will build such loyalty and you'll gain a competitive advantage. You make it work for you. As a government you want your citizens to have faith in the government. You want to encourage them to understand that as a government you respect their privacy. Privacy is highly contextual. It's only the individual who can make determinations relating to the disclosure of his or her personal information. So make sure you build that trust both as a government and as a business, private sector entity and gain from that. It's not a negative at all, make it work for you, make it work for your citizens, for your customers, make it a plus a win win that will give you the best returns. >> Isn't it nice when doing the right thing actually provides better business outcomes too. It's like diversity of opinion and women on boards. And kind of things- >> I love that. we cover these days. >> Well ladies, thank you very very much for your time. I know you've got a hard stop, so I'm going to cut you loose or else we would go for probably another hour and a half, but thank you so much for your time. Thank you for continuing to beat the drum out there and look forward to our next conversation. Hopefully in the not too distant future. >> My pleasure Jeff. Thank you so much. >> Thank you. >> Thank you too. >> All right She's Michelle. >> She's Ann. I'm Jeff. You're watching theCUBE. Thanks for watching. We'll see you next time. (upbeat music)

>> Narrator: Live from Nashville, Tennessee. It's theCUBE covering Commvault GO 2018. Brought to you by Commvault. >> Welcome back to Nashville, Tennessee. You're watching theCUBE at Commvault GO. I'm Stu Miniman with my co-host Keith Townsend. Happy to welcome to the program Lance Shaw, who's the director of Solutions Marketing at Commvault. Thanks so much for joining us. >> Thank you so much, glad to be here. >> All right, so we've been having a great day here. We're talking to some of your partners. Talking to some of your customers. Solutions Marketing, of course, everything's a solution these days. That's what they're looking for. Tell us a little bit about your background and what you do at Commvault. >> Lance: Absolutely, right. So, I came from a product management and product marketing background and one of the things we're really focused on here at this show, of course, is all about customers and what their stories are and frankly, how we can improve our products and our solutions to better meet the needs of the customers, right. That's what ultimately what it all comes down to. And so, that's why we're here, the whole reason for the show. I think what's been interesting so far at this show has been the focus on, not only just cloud utilization, but the fact that customers are having to deal with multiple clouds and the fact that why they have to do that. There's a variety of reasons that drive people to say well you know maybe five years ago, you would have said, "Are you using a cloud?" Yeah, I've got one cloud provider, but now I've got lots. >> Stu: Yeah, and Lance I'd love to hear what you're hearing from customers 'cause one of the things you talk to customers and oh, they have a multi-cloud strategy and when you dig in, first of all, every customer has a totally different environment, >> Lance: Right. >> Stu: and it reminds me, I spent the last two decades trying to help customers get out of their silos, and in some ways I'm a little worried that we've just created a whole bunch of new silos, that just don't happen to live in my data center, and we called it multi-cloud >> Lance: Right. >> Stu: because the strategy is oh, well I did this application for here and then oh, there's this service over here that I needed and then I sissified a bunch of stuff. So, tell me we've got it all figured out. Customers, they have a good strategy, they're really sharp as to where they're going, and the future is bright. >> Lance: Absolutely. Now the reality of that is, (laughs) that in fact, you're absolutely right. Unwittingly or unknowingly we've gotten to a path of history repeating itself where I'm creating new silos of information and data. So, you're absolutely right. Organizations start out with a point solution for a particular application or a particular data set or acquired a company and so brought in this new thing. And pretty soon, I have no idea what I've got in the Singapore office versus the London office versus New York, right, so. And how do I reconcile that and bring it back together? So I've got that same old problem that, if you've been around in the industry for a few years, we saw 10 years ago, 15 years ago, I've got to bring my silos of information together. And so, yeah you're right. It's suddenly a new, same old challenge all over again. Alright, so and that's why it's become a focus area because I suddenly have fragmented, disconnected application and data silos. So that's really where Commvault, turns out, can really help because sometimes it's a matter of consolidation. You know what, I need to get down from three locations to two, or four to one, or whatever the case may be, some sort of consolidation. And usually there's some cost savings involved there. And or, it's I got these multiple solutions that are out there and I've got no control and I have no visibility, I know I'm exposed so, I've got a risk factor now that I didn't have before. So when you start to blend all of those together, you're absolutely right, it's the same old story again, right. >> Keith: Industry versus vertical versus use case, you've given us a couple of different ones. Use cases, reducing costs, consolidation, even multi-cloud in itself is a use case. But, if you're an enterprise software company, if you're an enterprise IT company, you're challenged as you talk to different industries about specific solutions. You got to tailor solutions to industries. Talk about some of the industries that Commvault has come to solve specific problems for. >> Lance: Right, well I think there's a lot, to be honest, right, because every company faces those set of challenges. I think where it gets really interesting is in highly regulated industries, right. So, you think about biopharmaceuticals, you think about financial services, or certainly in the government space, in the federal space. And they have a whole set of unique challenges there because you're dealing with top secret clouds and you're dealing with, you know, some special concerns there. I think where it gets of particular interest is when I've got all those fragmented or disconnected silos, is that I need to address my compliant's concerns. I need to understand the data for more than just is it protected and could I recover it in a specific amount of time? I actually need to be able to show that I have it and prove that what I've got and be able to address specific industry regulations that are unique to my particular industry. So, that's where we start to see very specific use cases that kind of get down from the generic or the general, down to the very specific how do I manage this data and how do I understand what I have? And then of course you get into, you know, can you prove what you've got? Can you go out and retrieve it? And there's all sort of, you know, regulations along that that I've got to adhere to. But that can be addressed once I have that full index, an understanding of what my environment's like. Now, I can go out and locate that information, I can retrieve it when I need to, and actually open it up from a persona based access perspective, let specific people in an organization have access just to the limited data sets that they need, alright. So that comes into play a lot, especially, for example, every organization, right, you've got database admins, you've got critical tier zero applications that you need need to manage. It's your CRM system, it's your supply chain management system. If it goes down, you know, people freak out, alright. So, and I want to be able to provide, you know, self-service access to information for those people. So I've got a well-managed understanding of my environment, but then I'm able to dole out access to the individuals that need it when they need it and they don't have to come ask us or ask IT or ask anybody else, you know, for that information. >> Stu: Yeah, Lance as we watch the cust-to-cust companies really understand that data is very valuable, we have a transition that's going on. Traditional customer for Commvault, you're talking about things like RPO and RTO and the like. And, you know, you've got the admins of the world trying to figure out how they do their jobs and things like, okay, backup Windows of the past versus recovery and all those moving pieces. As opposed to today, you talk about the value of data, these are board-level discussions. >> Lance: Right. >> Stu: You've got the C-Suite that you're working with. We talked to a few of your teams about, well, you've got the top down and the bottom up. How are you helping them and what conversations do you have with them? >> Lance: They are entirely different conversations, right. IT is serving the business, as we all know, right. You know, maybe a bit cliché, sorry. >> Stu: Hopefully, if they're doing their job right, they're responding to and actually doing what they need to. >> Lance: Why am I here? Oh, that's right! To serve the business. Yeah, let's try that. So, anyways, there's that delivery of data, but you're absolutely right. The utilization of data and how it's consumed and the understanding that I can get from it, that is an entirely different conversation and, you're right, it is. It's a business unit discussion, you know, it's a line of business discussion at the very least, and it's probably a senior executive discussion because with that additional visibility, I'm then able to make much better, at least theoretically, better business decisions and because I've got more information to draw from. So, you're right, in terms of the conversation, we're not talking about strictly data protection. It's like, yes, when your data is understood, here's what else you can do with it. And then you got to tailor that to the specific industry, specific vertical, and a little more specific to that particular conversation. >> Keith: So Lance, give us a feel for that conversation that's happening here at Commvault GO, 2,000 people, over 150 sessions, education focused event, and there's different personas. I'll let the focus on that executive persona a little bit. I got you in front of the SVP of some group, the CDO. What's the Commvault story? Why Commvault over any other data protection company? >> Lance: I like to think of it as the proverbial, killing two birds with one stone, right. So, is my data growing? Oh, yeah, right. You're never going to hear someone say, you know data is shrinking, I have less to worry about. I mean, I've been in the industry a couple years now, give or take, and it's just never going to happen, right. So, you don't have to worry about that. With that in mind, the need to be able to have the visibility is continuing to increase. So, you see the rise of a chief data officer and what are they concerned about? They're concerned about utilizing data in ways that they were previously never able to do. And so, when we have those conversations, it's one of if I'm going to kill two birds with one stone, I'm going to be able to not only protect my data, but I'm going to give you additional visibility that you didn't have before because I'm providing you visibility into all of the secondary data and the application protection and I'm allowing you to be, ultimately, more flexible because now you're able to actually move data where you need it and expand your data center in ways you previously could not. So, I want to move from one cloud to the other. No problem, I can do that. I want to finally move, finally get off of tape and consolidate my environments and move either to an on premises environment or to a cloud. Not a problem. I can come back, we see customers that are coming back to on premises from cloud in some cases just for particular use cases. So the conversations that we have with a CEO, will just stick with a CEO as an example, are around better utilization of the data and better risk mitigation around that data, alright. So I've had a number of conversations related to that where we were concerned about not, you know, everybody talks about ransomware, but in general, attacks on the business and it's not if it's when, so how do I make sure that I can keep my business up and running? And so, it's that broader perspective that you have around how I manage data and how I deliver it to the business. That's what they care about, alright. That's crazy you're protected by the way, that's sort of important too. But what I can do with it and how I deliver it to my lines of business, that's where the interest starts to lie in a CEO level conversation. >> Yeah, Lance. One of the things everybody loves coming to a show like this, you get some of those great user stories. This morning, we had the State of Colorado on talking about how they're recovering from ransomware. >> Right, right, right. >> We had American Pacific Mortgage on talking about just the scale. You talked about the growing data and how, you know, using Commvault they're able to manage that much better. Any other specific examples of kind of interesting use cases or good customer stories you might have? >> Yeah, we recently had a very large customer that was looking to consolidate their environment. It was a classic case of I got offices spread around the world and they had a number of different point solutions, right. So, without naming names, I've got different protection solutions for different areas. I've got different administrators. I've got different policies. And, you know, they hit a scenario where they were exposed from a risk perspective that that particular set of data was not covered as they thought it was because they didn't have standardization of policies, standardized policies I should say, around how they manage, access, and the retention of that data. And so that, sometimes there's that forcing event that says we have a problem here, we need to do something about this. Alright so, in their case, they we able to consolidate from multiple solutions down to Commvault where they could have predefined set of policies in place around the data and not only for what they were gathering in. So as they ingested it or moved data under Commvault's management, they were able to automatically assign policies to that, but then in their case, they were also acquiring other companies. So, they were acquiring a rather large European entity, and when they were bringing that organization in, they wanted to make sure that they did so in a way that didn't expose the risk again in the future because if we're going to grow as a business with an acquisition strategy, we've got to be able to make sure that what comes into the organization is consistent. >> So, being partner presence here, Commvault has been pretty direct and forward talking about how you're shifting from a direct sales model and having gone through partners to help provide the solutions to these challenges. Talk through, how do you enable partners, or how do you encourage partners, this is a crowded market, there's a lot of investment in the area of data protection, how do you rise to the top of the partner list and for partners putting your solutions in front of their customers? >> Lance: Right, there's two ways we do that, right. So, the first, because you're absolutely right. You know, partners are key to our growth and we can be key to their growth and success. No doubt about it. So, the first thing is give them something that's going to really make them successful. So, instead, if I'm a partner, I want the flexibility to be able to address a wider variety of demands. I want to be able to go in to a potential prospect and say yeah, I can address this, but also I have the software behind the scenes, Commvault, to be able to attack multiple other scenarios for you. Oh and by the way, it's all in one and you've got one solution to be able to address all that. So, one of the key ways that we differentiate, and you're right, in a very crowded market, alright, that says we should really have Commvault in the back of your mind, at the top of your list. If you're going in and seeing scenarios where point solutions simply doesn't do it or paints you into a corner where you're not going to be able to help them grow down the future. The other thing partners obviously want, as every business wants, is repeat business. I want to be able to go back in and expand, I want to build my footprint out, and if I can go in with a partner that enables me to do that, then I've got long term opportunity versus just going in like, hey, I made a quick sale and I'm out and good luck to you, right. >> Stu: Lance, last thing I wanted to ask you. Last year, GDPR was the talk of every single show like this. >> Lance: Yeah, I've seem to have heard about that, yeah. >> Stu: We got a good education. My boss actually read through the entire specs. I read the Cliffnotes version >> Lance: Okay, yeah, me too. >> Stu: and then talked to a lot of smart people about it. California is looking at some new legislation, but what's the latest on that? It seems like, you know, I know some of the lawsuits already happening at some of the biggest companies in Europe, you know, from a technology standpoint, but what are you hearing and how has Commvault helped customers understand kind of today and future legislation? >> Lance: Yeah, I think, you know what's interesting? When we looked at, you know, everybody was kind of marching up to the GDPR date as if it was Y2K all over again. >> Stu: Right. >> Lance: Not that I remember that of course. I'm too young for that. (Keith laughs) You know, it was like May 25th, May 25th, the sky's going to fall, and we all knew that, hey listen, that day is going to come and go and somebody's going to be made an example at some point, right. And sure enough, that's starting to happen. And you know, it's a good thing. It's building the awareness that we tried to educate people, tried to get the word out, you know, it happens longer. Why wait past May 25th? It's still going on, right. So, for a lot of customers that we're talking to, they're looking to, they've had a plan in place and they're moving there gradually, it wasn't right away, but I think sometimes when you see those things in the press about there's actually being a finesse, it's actually real and it brings it to life like, uh we should really do something here, right. So, I think, honestly, that's a process that's going to continue for years. You know, I've heard everything from we'll just pay the fine, which is a risky strategy both probably on a personal level as well as professional. (Keith laughs) You wouldn't want to bet your career on that strategy. With the advent of, we also always knew that hey, GDPR is one of these set of regulations. There will be others, there are others. And you have to be able to adhere to those no matter where you live on the Earth. So, you know, long story short, I think it's a continuing evolution. We help customers understand their data. So, you know, through our Commvault activate product, we can do it. Even if you're not using Commvault for backup and recovery, you're actually able to go out and scan your environment and get a better understanding of what personal information you've got under lock and key, what you've got in your environment, and be able to ascertain well okay, where's my risk, where am I exposed? And then I can start to put a plan in place to mitigate that. So, I think it'll be going on for quite some time in terms of especially as new laws like the California law. I always forget the letters and numbers associated with it, but it's same idea around personal privacy. And I think, you know, we've had the Patriot Act for a long time, right, where foreign governments are concerned about data sovereignty and where data lives and that's going to continue to increase, you know, for a variety of reasons. So organizations have to really know where their data is and what's encapsulated within that data and that's where the Commvault data platform, the index, actually shines to uncover that information. >> Stu: Well, Lance Shaw, I really appreciate you sharing with us where your customers are in a lot of these really important issues. For Keith Townsend, I'm Stu Miniman. We'll be back with more coverage here from Commvault Go in Nashville, Tennessee. Thanks for watching theCUBE. (upbeat music)