Paul Farrell, Nehemiah & Jason Cook, The Chertoff Group | Security in the Boardroom
>> Hey, Jeff Frick here with theCUBE. We're here in Palo Alto at the Chertoff event; it's called Security in the Boardroom. We're talking about the security conversations that need to happen in the boardroom, not just at the IT department and locking down your phone and your VPN. It's really, how do we elevate the conversation, especially as things continue to change? Digital transformation is forcing people to move quickly and everyone's becoming a digital company. All our assets are becoming digital, so it needs to get elevated. We're excited to have our next guest, he's Paul Farrell, he's the CEO of Nehemiah. Paul, welcome.

>> Thank you.

>> And joining us again, Jason Cook from the Chertoff Group. Good to see you again.

>> Hi.

>> All right, so let's jump into it. So you're CEO... Well, before you get to it, first tell people about Nehemiah, you are familiar with the company.

>> Nehemiah has a cyber security suite where we know, manage and help protect organizations, and the knowing part is what we're probably going to talk more about today, which is our risk quantifier software.

>> Well, let's jump in. What is risk quantifier software?

>> We take a bottoms-up look at the organization to get a high-fidelity copy of the corporate network, and then we layer business applications on top of it so boards can get a look at what the business exposure is to the cyber security risk.

>> So the network and the application. So a very techy piece of it; how much of it, in terms of the process and the people, gets filled into that piece as well?

>> We call that process BIA, or Business Impact Analysis, and a lot of the Fortune 500 firms have already been doing this to be compliant with Sarbanes-Oxley and other regulations. And it's being able to work with them to take some of that information out of the system and combine it with the cyber information we have, to give them a good look at risk. So if I'm looking to invest $2 million, what's my risk buy-down? Is it 10 million? Is it two million? Is it nothing? I just need to do it. So these are some of the questions we're trying to help boards answer.

>> I'm just curious, from a why-do-we-need-to-do-this point of view, how much of it is compliance and governance and regulation? And how much of it is not? It's just, we need to protect ourselves from the bad guys. I would imagine, especially financial services and healthcare, a lot of it was driven by compliance before, but is that percentage going down?

>> Go ahead.

>> So, no, not at all.

>> Not at all, still mainly governance, compliance, regulation.

>> And what you have to bring together now is security, risk and compliance. It's all the one thing. And at the board level, you don't have those as separate agenda topics anymore, and that's why we talk about a risk management program. Especially the Fortune 500 boards are becoming very educated and also actioning and taking it forward, and that's really where that stuff comes together. Compliance, especially if you look at the finance industry, healthcare industry for example, it's always going to be there, because it's a duty of care as to the industry, how to run the business, and to all of the consumers at the end of the day, at the end of that. So you need a bit of (indistinct talking) and it's a very useful tool if you apply risk management to it, if you're applying security to it and bring those things together. Many CSOs will talk about situational awareness, and one of the things they need to do, if they've got a seat at the board table, is: what do I have, what are my assets? And that's no longer just purely from a technical perspective. You hear the phrase, many organizations have technology silos that don't talk, that don't come together, perhaps different business units that are running those silos. And at the board level, how do you ascertain what you've got when you have an issue? And that situational awareness then is also going to help drive what parties do I take when I have to take action. So that's something that Nehemiah's security is really focusing on. So they're saying, let us put together for you and work with you to assemble your silos of IT network and everything else there, essentially underpinning your digital footprint as you go on that digital journey. But then how do you have actionable business intelligence that's going to help you prioritize how to run that, how to secure it, but also how to invest and run your business through this journey?

>> You're going to say something?

>> I think the word that Jason used a lot is the journey, and there's a lot of things we should be doing just because it's cyber hygiene, and it's intelligence, is what we should do to run our business, by taking the business information and marrying what we got up and then communicating it in language that the board knows. Which is key: don't be talking about WannaCry viruses and all that, and SMB ports. That doesn't make any sense to them; they make business decisions every day. So it's, we're investing X, and you take a risk profile over time and you say, this will help reduce our exposure here, but it's good and we need to do it. Whether compliance says it or not, we need to be protecting our data. That's one of the things that... Compliance is a checklist and we need to check, make sure that's done, and everybody does audited financial statements and that's great, we should do it every year, but there are some things that are basic. We should do basic stuff in finance; we should do basic stuff in cyber hygiene as well: updating our systems, keeping them current, educating our employees on scams and stuff that happen. These are things that need to happen over time, and so it's a journey for the board and for the senior management, but for every employee, to be able to know these things and to actually integrate it as part of their everyday job, in my opinion.

>> It sounds like the cyber hygiene stuff is still just not (laughs), we're not hygienic enough (laughs) as we should be. It's amazing that just continues to be a recurring thing.

>> One of the ethos approaches that Nehemiah is taking to this is, they call it "know." What do you know about your environment? And it starts there. To say so, especially for an organization, as many are on a digital journey: well, what is underpinning all of our digital footprint? Do you know that? And unfortunately, so many organizations out there have bits of it but they don't maintain that. So when you have, for example, the famous WannaCry incident, that kicked off very, very large organizations, as well as many small ones, were impacted. Why? Well, because they didn't actually understand what they had and they didn't have the business intelligence and the business analytics to make a prioritization, to say, we need to invest our focus and time and effort here to respond to this activity from a hygiene perspective. And until those things are addressed, you're not actually going to truly be able to go on your digital journey as an organization. So if anything, what this is doing is heightening the awareness at the board level that you need to have an articulated dialogue, where at the board level you can understand the impact to the business of what's going on here, but then take all of that and take all the knowledge that you're building to then drive actionable intelligence, business as well as technology coming together, which underpins risk management in that context.

>> And I would imagine those types of incidents are helpful in terms of helping to define what is that risk.

>> Tragically helpful.

>> Yeah, tragically helpful, but still, without those types of things it's probably harder to really monetize what the risk is, so that I can come up with a portfolio that then I can validate my investment.

>> It's about being prepared. It's about thinking about what your critical business systems are. And so when you've got something happening, no matter what it is, let's make sure that critical business systems are protected first, and then we'll get to the less-priority systems. It's not that they're not all important; it's just that there are some that are more critical. Inventory systems, or sales at the end of the quarter. It tends to be, we find, not only the systems but also the time of the year. If you're selling seeds, March and April in North America is really big. If you're Amazon, it's Christmas time. The inventory system and order entry system have got to be going. So it's taking that step back now and saying: what are our critical business systems, what are the risks, and then the one thing we also look at, that we've talked to Jason about, is: we know what the risks are, but what's the probability those risks are going to hit you? Everybody's not at 100%; some people are 20%. So when you go to the board you've got to give them a true idea of, this is the true risk that we're seeing, and we've tempered it down by saying, if it was 100 million at risk but you only have a 20% chance of getting that exploit, then it's really just $20 million that we're talking about, not 100, because the days are gone where we slam our hand on the board and say you must do this, you must do this. Boards are more cyber-aware now than ever, and they don't want to just pay people to throw information at them; they want to understand it, to be able to respond properly and not react.

>> Right. So really the net-net is speaking a language, boiling it down into language in the decision-making process which they're used to doing. Because it's not a zero-sum game, it's not a one or zero anymore; it's really a probability decision and the risk assessment.

>> Yeah, that happens over time. That's the whole thing. There are ebbs and flows of the year, and you look at things over time, and I think that's the other thing that we'd like to talk about. And it's reassessing, and one of the things that we talk is, we talk with a lot of people, and the chief information security officers are embracing us because they're looking for new ways to be able to communicate properly and succinctly to the boards, and that's one of the big things that we see.

>> Good, because when they get bumped up the agenda items on the board, that's what you want to see, right? (laughing)

>> Absolutely.

>> Well, Paul and Jason, thanks for stopping by, really appreciate your time.

>> Thank you.

>> I'm Jeff Frick, you're watching theCUBE, we'll see you next time. Thanks for watching.