from the cube studios in Palo Alto in Boston connecting with thought leaders all around the world this is a cube conversation hello and welcome to the cube conversation here in the Palo Alto studio I'm John four host of the cube we are here at the quarantine crew of the cube having the conversations that matter the most now and sharing that with you got a great guest here Phil Quaid was the chief information security officer of Fortinet also the author of book digital bing-bang which I just found out he wrote talking about the difference cybersecurity and the physical worlds coming together and we're living that now with kovat 19 crisis were all sheltering in place Phil thank you for joining me on this cube conversation so I want to get in this quickly that I think the main top thing is that we're all sheltering in place anxiety is high but people are now becoming mainstream aware of what we all in the industry have been known for a long time role of data cybersecurity access to remote tools and we're seeing the work at home the remote situation really putting a lot of pressure on as I've been reporting what I call at scale problems and one of them is security right one of them is bandwidth we're starting to see you know the throttling of the packets people are now living with the reality like wow this is really a different environment but it's been kind of a disruption and has created crimes of opportunity for bad guys so this has been a real thing everyone's aware of it across the world this is something that's now aware on everyone's mind what's your take on this because you guys are fighting the battle and providing solutions and we're doing for a long time around security this highlights a lot of the things in the surface area called the world with what's your take on this carbon 19 orton s been advocating for architectures and strategies that allow you to defend anywhere from the edge through the core all the way up to the cloud boom so with you know high speed and integration and so all the sudden what we're seeing not just you know in the US but the world as well is that that edge is being extended in places that we just hadn't thought about or our CV that people just hadn't planned for before so many people or telecommunication able to move that edge securely out to people's homes and more remote locations and do so providing the right type of security of privacy if those communications that are coming out of those delicate ears I noticed you have a flag in the background and for the folks that might not know you spent a lot of time at the NSA government agency doing a lot of cutting-edge work I mean going back to you know really you know post 9/11 - now you're in the private sector with Fortinet so you don't really speak with the agency but you did live through a time of major transformation around Homeland Security looking at data again different physical thing you know terrorist attacks but it did bring rise to large-scale data to bring to those things so I wanted to kind of point out I saw the flag there nice nice touch there but now that you're in the private sector it's another transformation it's not a transition we're seeing a transformation and people want to do it fast and they don't want to have disruption this is a big problem what's your reaction to that yeah I think what you're reporting out that sometimes sometimes there's catalysts that cause major changes in the way you do things I think we're in one of those right now that we're already in the midst of an evolutionary trend towards more distributed workforces and as I mentioned earlier doing so with the right type of security privacy but I would think what I think the global camp in debt endemic is showing is that we're all going to be accelerating that that thing is like it's gonna be a lot less evolutionary and a little bit more faster that's what happens when you have major world events like this being 911 fortunate tragedies it causes people to think outside the box or accelerate what they're already doing I think wearing that in that world today yeah it pulls forward a lot of things that are usually on the planning side and it makes them reality I want to get your thoughts because not only are CEOs and their employees all thinking about the new work environment but the chief information security officer is people in your role have to be more aware as more things happening what's on the minds of CISOs around the world these days obviously the pandemics there what are you seeing what are some of the conversations what are some of the thought processes what specifically is going on in the of the chief information security officer yeah I think there's probably a there's probably two different two different things there's the there's the emotional side and there's the analytic side on the emotional side you might say that some Caesars are saying finally I get to show how cyber security can be in an abler of business right I can allow you to to to maintain business continuity by allowing your workers to work from home and trying sustain business and allow you to keep paying their salary is very very important to society there's a very important time to step up as the seaso and do what's helpful to sustain mission in on the practical side you say oh my goodness my job's gotten a whole lot harder because I can rely less and less on someone's physical controls that use some of the physical benefits you get from people coming inside the headquarters facility through locked doors and there's personal congress's and personal identification authentication you need to move those those same security strategies and policies and you need to move it out to this broad eggs it's gotten a lot bigger and a lot more distributed so I want to ask you around some of the things they're on cyber screws that have been elevated to the top of the list obviously with the disruption of working at home it's not like an earthquake or a tornado or hurricane or flood you know this backup and recovery for that you know kind of disaster recovery this has been an unmitigated disaster in the sense of it's been unfor casted I was talking to an IT guy he was saying well we provisioned rvv lands to be your VPNs to be 30% and now they need a hundred percent so that disruption is causing I was an under forecast so in cyber as you guys are always planning in and protecting has there been some things that have emerged that are now top of mind that are 100 percent mindshare base or new solutions or new challenges why keep quite done what we're referring to earlier is that yep any good see so or company executive is going to prepare for unexpected things to a certain degree you need it whether it be spare capacity or the ability to recover from something an act of God as you mentioned maybe a flood or tornado or hurricane stuff like that what's different now is that we have a disruption who which doesn't have an end date meaning there's a new temporal component that's been introduced that most companies just can't plan for right even the best of companies that let's say Ronald very large data centers they have backup plans where they have spare fuel to run backup generators to provide electricity to their data centers but the amount of fuel they have might only be limited to 30 days or so it's stored on-site we might think well that's pretty that's a lot of for thinking by storing that much fuel on site for to allow you to sort of work your way through a hurricane or other natural disaster what we have now is a is a worldwide crisis that doesn't have a 30-day window on it right we don't know if it's gonna be 30 days or 120 days or or you know even worse than that so what's different now is that it's not just a matter of surging in doing something with band-aids and twine or an extra 30 days what we need to do is as a community is to prepare solutions that can be enduring solutions you know I have some things that if the absent I might like to provide a little color what those types of solutions are but that that would be my main message that this isn't just a surge for 30 days this is a surge or being agile with no end in sight take a minute explain some of those solutions what are you seeing whatever specific examples and solutions that you can go deeper on there yeah so I talked earlier about the the edge meaning the place where users interact with machines and company data that edge is no longer at the desktop down the hallway it could be 10 miles 450 miles away to where anyone where I'm telling you I'm commuting crumb that means we need to push the data confidentiality things out between the headquarters and the edge you do that with things like a secure secured tunnel it's called VPNs you also need to make sure that the user identification authentication this much is a very very secure very authentic and with high integrity so you do that with multi-factor authentication there's other things that we like that that are very very practical that you do to support this new architecture and the good news is that they're available today in the good news at least with some companies there already had one foot in that world but as I mentioned earlier not all companies had yet embraced the idea of where you're going to have a large percentage of your workforce - until a community so they're not quite so they're there they're reacting quickly to to make sure this edge is better protected by identification and authentication and begins I want to get to some of those edge issues that now translate to kind of physical digital virtualization of of life but first I want to ask you around operational technology and IT OT IT these are kind of examples where you're seeing at scale problem with the pandemic being highlighted so cloud providers etc are all kind of impacted and bring solutions to the table you guys at Foot are doing large scale security is there anything around the automation side of it then you've seen emerge because all the people that are taking care of being a supplier in this new normal or this crisis certainly not normal has leveraged automation and data so this has been a fundamental value proposition that highlights what we call the DevOps movement in the cloud world but automation has become hugely available and a benefit to this can you share your insights into how automation is changing with cyber I think you up a nice question for me is it allowed me to talk about not only automation but convergence so it's let's hit automation first right we all even even pre-crisis we need to be better at leveraging automation to do things that machines do best allow people to do higher-order things whether it's unique analysis or something else with a with a more distributed workforce and perhaps fewer resources automation is more important ever to automatically detect bad things that are about to happen automatically mitigating them before they get or they get to bad you know in the cybersecurity world you use things like agile segmentation and you use like techniques called soar it's a type of security orchestration and you want to eat leverage those things very very highly in order to leverage automation to have machines circum amount of human services but you also brought up on my favorite topics which is ot graceful technology though OTS you know are the things that are used to control for the past almost a hundred years now things in the physical world like electric generators and pipes and valves and things like that often used in our critical infrastructures in my company fort net we provide solutions that secure both the IT world the traditional cyber domain but also the OT systems of the world today where safety and reliability are about most important so what we're seeing with the co19 crisis is that supply chains transportation research things like that a lot of things that depend on OT solutions for safety and reliability are much more forefront of mine so from a cybersecurity strategy perspective what you want to do of course is make sure your solutions in the IT space are well integrated with you solutions in the OT space to the so an adversary or a mistake in cause a working to the crack in causing destruction that convergence is interesting you know we were talking before you came on camera around the fact that all these events are being canceled but that really highlights the fact that the physical spaces are no longer available the so-called ot operational technologies of events is the plumbing the face-to-face conversations but everyone's trying to move to digital or virtual eyes that it's not as easy as just saying we did it here we do it there there is a convergence and some sort of translation this new there's a new roles there's new responsibilities new kinds of behaviors and decision making that goes on in the physical and digital worlds that have to then come together and get reimagined and so what's your take on all this because this is not so much about events but although that's kind of prime time problem zooming it is not the answer that's a streaming video how do you replicate the value of physical into the business value in digital it's not a one-to-one so it's quite possible that that we might look back on this event to cover 19 experience we might look back at it in five or ten years and say that was simply a foreshadowing of our of the importance of making sure that our physical environment is appropriate in private what I mean is that with the with the rapid introduction of Internet of Things technologies into the physical world we're going to have a whole lot of dependencies on the thing inconveniences tendencies inconveniences on things an instrument our physical space our door locks or automobiles paths our temperatures color height lots of things to instrument the physical space and so there's gonna be a whole lot of data that's generated in that cyber in a physical domain increasingly in the future and we're going to become dependent upon it well what happens if for whatever reason in the in the future that's massively disruptive so all of a sudden we have a massive disruption in the physical space just like we're experiencing now with open 19 so again that's why it makes sense now to start your planning now with making sure that your safety and reliability controls in the physical domain are up to the same level security and privacy as the things in your IT delete and it highlights what's the where the value is to and it's a transformation I was just reading an article around spatial economics around distance not being together it's interesting on those points you wrote a book about this I want to get your thoughts because in this cyber internet or digital or virtualization of physical to digital whether it's events or actual equipment is causing people to rethink architectures you mentioned a few of them what's the state of the art thinking around someone who has the plan for this again is in its complex it's not just creating a gateway or a physical abstraction layer of software between two worlds there's almost a blending or convergence here what's your what's your thoughts on what's the state of the art thinking on this area yeah the book that I number of a very esteemed colleagues contribute to what we said is that it's time to start treating cybersecurity like a science let's not pretend it's a dark art that we have to relearn every couple years and what what we said in the in the digital Big Bang is that humankind started flourishing once we admitted our ignorance in ultimately our ignorance in the physical world and discovered or invented you can right word the disciplines of physics and chemistry and once we recognize that our physical world was driven by those scientific disciplines we started flourishing right the scientific age led to lots of things whether it would be transportation health care or lots of other things to improve our quality of life well if you fast forward 14 billion years after that cosmic Big Bang which was driven by physics 50 years ago or so we had a digital Big Bang where there was a massive explosion of bits with the invention of the internet and what we argue in the book is that let's start treating cybersecurity like a science or the scientific principle is that we ought to write down and follow a Rousseau's with you so we can thrive in the in the in a digital Big Bang in the digital age and one more point if you don't mind what we what we noted is that the internet was invented to do two things one connect more people or machines than ever imagined in to do so in speeds that were never imagined so the in the Internet is is optimized around speed in connectivity so if that's the case it may be a fundamental premise of cybersecurity science is make sure that your cyber security solutions are optimized around those same two things that the cyber domains are optimized around speed in integration continue from there you can you can build on more and more complex scientific principles if you focus on those fundamental things and speed and integration yeah that's awesome great insight they're awesome I wanted to throw in while you had the internet history lesson down there also was interesting was a very decentralization concept how does that factor in your opinion to some of the security paradigms is that helped or hurt or is it create opportunities for more secure or does it give the act as an advantage yeah I love your questions is your it's a very informed question and you're in a give me good segue to answer the way you know it should be answer yeah the by definition the distributed nature of the Internet means it's an inherently survivable system which is a wonderful thing to have for a critical infrastructure like that if one piece goes down the hole doesn't go down it's kind of like the power grid the u.s. the u.s. electrical power grid there's too many people who say the grid will go down well that's that's just not a practical thing it's not a reality thing the grades broken up into three major grades and there's AB ulis strategies and implementations of diversification to allow the grid to fail safely so it's not catastrophic Internet's the same thing so like my nipple like I was saying before we ought to de cyber security around a similar principle that a catastrophic failure in one partner to start cybersecurity architecture should result in cascading across your whole architecture so again we need to borrow some lessons from history and I think he bring up a good one that the internet was built on survivability so our cybersecurity strategies need to be the same one of the ways you do that so that's all great theory but one of the ways you do that of course is by making your cybersecurity solutions so that they're very well integrated they connect with each other so that you know speaking in cartoon language you know if one unit can say I'm about to fail help me out and another part of your architecture can pick up a slack and give you some more robust security in that that's what a connected the integrated cyber security architecture do for you yeah it's really fascinating insight and I think resiliency and scale are two things I think are going to be a big wave is going to be added into the transformations that going on now it's it's very interesting you know Phil great conversation I could do a whole hour with you and do a fish lead a virtual panel virtualize that our own event here keynote speech thanks so much for your insight one of things I want to get your thoughts on is something that I've been really thinking a lot lately and gathering perspectives and that is on biosecurity and I say biosecurity I'm referring to covet 19 as a virus because biology involves starting a lab or some people debate all that whether it's true or not but but that's what people work on in the biology world but it spreads virally like malware and has a similar metaphor to cybersecurity so we're seeing conversation starting to happen in Washington DC in Silicon Valley and some of my circles around if biology weapon or it's a tool like open-source software could be a tool for spreading cybersecurity Trojans or other things and techniques like malware spear phishing phishing all these things are techniques that could be deployed metaphorically to viral distribution a biohazard or bio warfare if you will will it look the same and how do you defend against the next covet 19 this is what you know average Americans are seeing the impact of the economy with the shelter in place is that what happens again and how do we prevent it and so a lot of people are thinking about this what is your thoughts because it kind of feels the same way as cybersecurity you got to see it early you got to know what's going on you got to identify it you got to respond to it time to close your contain similar concepts what's your thoughts on with BIOS we don't look with all due respect to the the the bio community let me make a quick analogy to the cyber security strategy right cyber security strategy starts with we start as an attacker so I parts of my previous career I'm an authorized had the opportunity to help develop tools that are very very precisely targeted against foreign adversaries and that's a harder job than you think I mean I think the same is true of anyone of a natural-born or a custom a buyer buyer is that not just any virus has the capability to do a lot of harm to a lot of people selling it so it's it's if that doesn't mean though you can sit back and say since it's hard it'll never happen you need to take proactive measures to look for evidence of a compromise of something whether it's a cyber cyber virus or otherwise you have to actively look for that you have to harm yourself to make sure you're not susceptible to it and once you detect one you need to make sure you have a the ability to do segmentation or quarantine very rapidly very very effectively right so in the cyber security community of course the fundamental strategy is about segmentation you keep different types of things separate that don't need to interact and then if you do have a compromise not everything is compromised and then lastly if you want to gradually say bring things back up to recover you can do some with small chunks I think it's a great analogy segmentation is a good analogy to I think what the nation is trying to do right now by warranty kneeing and gradually reopening up things in in segments in actually mention earlier that some of the other techniques are very very similar you want to have good visibility of where you're at risk and then you can automatically detect and then implement some some mitigations based on that good visibility so I agree with you that it turns out that the cyber security strategies might have a whole lot in common with biohazard I address it's interesting site reliability engineers which is a term that Google coined when they built out their large-scale cloud has become a practice that kind of mindset combined with some of the things that you're saying the cyber security mindset seemed to fit this at scale problem space and I might be an alarmist but I personally believe that we've been having a digital war for many many years now and I think that you know troops aren't landing but it's certainly digital troops and I think that we as a country and a global state and global society have to start thinking about you know these kinds of things where a virus could impact the United States shut down the economy devastating impact so I think Wars can be digital and so I may be an alarmist and a conspirators but I think that you know thinking about it and talking about it might be a good thing so appreciate your insights there Phil appreciated what one other point that might be interesting a few years back I was doing some research with the National Lab and we're looking for novel of cybersecurity analytics and we hired some folks who worked in the biology the bio the biomedical community who were studying a biome fires at the time and it was in recognition that there's a lot of commonality between those who are doing cybersecurity analytics and those reviewing bio biology or biomedical type analytics in you know there was a lot of good cross fertilization between our teams and it kind of helps you bring up one more there's one more point which is what we need to do in cybersecurity in general is have more diversity of workforces right now I don't mean just the traditional but important diversities of sex or color but diversity of experiences right some of the best people I've worked with in the cyber analytics field weren't computer science trained people and that's because they came in problems differently with a different background so one of the things that's really important to our field at large and of course the company my company fort net is to massively increase the amount of cyber security training that's available to people not just the computer scientists the world and the engineers but people in other areas as well the other degree to non-greek people and with that a you know higher level of cyber security training available to a more diverse community not only can we solve the problem of numbers we don't have enough cybersecurity people but we can actually increase our ability to defend against these things I have more greater diversity of thought experience you know that's such a great point I think I just put an exclamation point on that I get that question all the time and the skills gap is should I study computer science and like actually if you can solve problems that's a good thing but really diversity about diversity is a wonderful thing in the age of unlimited compute power because traditionally diversity whether it was protocol diversity or technical diversity or you know human you know makeup that's tend to slow things down but you get higher quality so that's a generalization but you get the point diversity does bring quality and if you're doing a data science you don't want have a blind spot I'm not have enough data so yeah I think a good diverse data set is a wonderful thing you're going to a whole nother level saying bringing diversely skill sets to the table because the problems are diverse is that what you're getting at it is it's one of our I'll say our platforms that we're talking about during the during the covered nineteen crisis which is perhaps there's perhaps we could all make ourselves a little bit better by taking some time out since we're not competing taking some time out and doing a little bit more online training where you can where you can either improve your current set of cybersecurity skills of knowledge or be introduced to them for the first time and so there's one or some wonderful Fortinet training available that can allow both the brand-new folks the field or or the the intermediate level folks with you become higher level experts it's an opportunity for all of us to get better rather than spending that extra hour on the road every day why don't we take at least you know 30 of those 60 minutes or former commute time and usually do some online soccer security treaty feel final question for you great insight great conversation as the world and your friends my friends people we don't know other members of society as they start to realize that the virtualization of life is happening just in your section it's convergence what general advice would you have for someone just from a mental model or mindset standpoint to alleviate any anxiety or change it certainly will be happening so how they can better themselves in their life was it is it thinking more about the the the experiences is it more learning how would you give advice to folks out there who are gonna come out of this post pandemic certainly it's gonna be a different world we're gonna be heightened to digital and virtual but as things become virtualized how can someone take this and make a positive outcome out of all this I I think that the future the future remains bright earlier we talked about sci-fi the integration of the cyber world in the physical world that's gonna provide great opportunities to make us more efficient gives us more free time detect bad things from happening earlier and hopefully mitigating those bad things from happening earlier so a lot of things that some people might use as scare tactics right convergence and Skynet in in robotics and things like that I believe these are things that will make our lives better not worse our responsibilities though is talking about those things making sure people understand that they're coming why they're important and make sure we're putting the right security and privacy to those things as these worlds this physical world and the soccer worlds converged I think the future is bright but we still have some work to do in terms of um making sure we're doing things at very high speeds there's no delay in the cybersecurity we put on top of these applications and make sure we have very very well integrated solutions that don't cause things to become more complex make make things easier to do certainly the winds of change in the big waves with the transformations happening I guess just summarize by saying just make it a head win I mean tailwind not a headwind make it work for you at the time not against it Phil thank you so much for your insights I really appreciate this cube conversation remote interview I'm John Ford with the cube talking about cybersecurity and the fundamentals of understanding what's going on in this new virtual world that we're living in to being virtualized as we get back to work and as things start to to evolve further back to normal the at scale problems and opportunities are there and of course the key was bringing it to you here remotely from our studio I'm John Ferrier thanks for watching [Music]

>> live from Orlando, Florida It's the que covering accelerate nineteen. Brought to you by important. >> Welcome back to the Cube. We air live in Orlando, Florida, for accelerate border, not accelerate twenty nineteen. Lisa Martin with Peter Burroughs And we're pleased to welcome back to the Cube. Chief information Security officer See, So from Fortinet fell quite Phil. Thank you so much for joining Peter and me on the Cube today. >> Thanks for much. >> So lots of news, Lots of buzz. You can hear a lot of the folks behind us in the Expo hall here. We've had probably, I think five or six or seven guests today. So far you are on the front lines as to see so afforded it talking with si sos. I'd love to get your your view on what are some of the things they're top of mind for si sos today. The challenge is that they're facing and how are they looking to for doughnut to mitigate this challenge is >> the good news is that the solution sets not as complicated a cz youthink So all the sea says and senior people I talked to are very much focused on How can they reduce complexity, And how can they better leverage automation? I know there's some overlap between those two things, but they care quite a bit about that. Why? Because with less complexity, there's less mistakes with less complexity. There's less optics, right costs, costs for people and then with automation. It also helps with the op ex problem. But automation also allows humans to do things that humans you're better doing things. That and let's machines do things that their better doing that. So, complexity management, Lebanese automation are really top of mind. Of course, you know the next level down, you really need to do segmentation. Well, you need to have good visibility, need to inspection something that But I'd say those couple things are definitely top of mind, no matter who you talked to. >> But one of the things that's especially important about this issue complexity is that the threat surface goes to value, right so that, as you think about I ot as you think about Mohr devices, Mohr elements, et cetera, the threat surface is going to go up the on ly way that you're going to be able to bring that in in a managed way that delivers consistent value without dramatically exploding amount of risk is to reduce the complexity of the rest of the threat >> surface. Thie. If you're trying to place the face the problem of of, of speed and scale, you have to adopt the solutions of automation in integration you need a strategy on. Of course, hope is never a strategy, and so you need to leverage these technologies to do that. Instead, it's all about automation integration, >> right on this notion of the threats surface going to values, gotta have some mean si SOS sort of. Some of the ones that I'm talking to are using terminology like that. Maybe not that concept directly, but they want to make sure that whatever task that they're performing, whatever, uh, whatever risked their engendering or dealing with has some corresponds back to value. Are you seeing that as well? >> Yeah, and since we're talking about value, the end point is becoming a whole lot more interesting in terms of value. So traditionally we think of the endpoint is being a place where there's desktops and then laptops and tablets, and now smartphones, and they've always been part of our cyber domain. But there's this new thing that's happening, I think just left of end point. And it's where there's going to be the heavy instrumentation of physical processes and things. So it's starting with OT operational technology. It's going to be magnified by I ot and, of course, building automation. And so all of a sudden, the definition of value, I think, is going to be places that can collect data about physical processes and things, protect that data and then commoditize it. So value is moving further, further and out into the endpoint defined as thie, a collection of information about physical processes, something so I call this environment cyber physical or, more specifically, more catchy. SciFi right. It's where cyber data, physical data will be intermingled to provide value and efficiencies to customers and things like that. It's a really important area that's the new in point >> in physics. We talk about transducers, right? The transducer is something that takes one form of energy and turns into another form of energy so they could perform a different kind of work. We're talking about what we call information transducers the idea, take one form of information and turn it into another form of information so that it can perform work that's seminal to this notion that you're describing with the side fi. >> That's a >> great analogy. I haven't heard it described that way before. It's kind of like, you know, back in the day where where people use fire to heat and people used sales to move things right. And one day >> it was a more >> wins, right? Wait, move sales. Sorry. Wings. Yeah. Okay. And, uh, someone saw the story. As the story goes, someone saw a pot on the fire, a kettle full of water boil and the lid of the pop move. So they realized I can use heat to move it. So they started integrating different ways of doing things to achieve new effects. And I think that's what you're talking about. He used the word trans transducer, but I think it's the same thing. And how can you use things previously kept separate to do things that you previously couldn't D'Oh. >> So let's talk about this SciFi era C y dash p H y. For those watching at home, what are some of the security challenges that this brings, but also the opportunities to be uncovered by that boiling point analogy. >> Yeah, if you don't mind, I'LL start with the start with positives right where the was a potential benefits to society. So we are all of us and everyone behind us. We're creatures, the physical domain and the opportunities that there will be new data connected about this physical domain that can affect his very personally. So in cyberspace, its ultimate a virtual world. So there could be compromises in cyberspace. That effect is in cyber ways, but when you have compromises in the physical domain, it could be a lot more personal. So let's say that you have a medical device or you have a something else that instruments the temperature, heat, humidity, vector, you name it. Failures in those areas can have a really profound effect on a negative way in this physical oriented domain. So now the flip side of that is because it has a very, very positive effect, Right? Thes healthcare devices could bring new conveniences or perhaps even help address some very important things where they'd be physical or mental disabilities weaken instrument very heavily how we create food products. And so maybe this heavy instrumentation of how you create food can help address world hunger. I know I'm getting kind of heavy about this, but heavy instrumentation of this physical domain has a lot of promise. Now back to the other side. It also has a lot of responsibility involved, right, because, as I mentioned earlier, we're creatures of the physical domain. So if you get it wrong, you could mess up something really important to our health. Care for our transportation, Andi. We also have a very strong feeling towards privacy. At some point, collecting too much about us physically is just too much. So you need to make sure that that any sense data's you have privacy protections built it. So like anything with great opportunity. There's great challenges involved. But by giving their name and starting described, this challenge is we are. We're one step down the path, I think. >> But if we take that and then turn it into a set of cyber security challenges, no secure network challenges, that one of the other things you describe is we're constantly learning about what are the characteristics of a good, competent, reasonable interface between the physical and digital worlds. That knowledge then has to be put back into how we handle network security. >> That's right. I like your use of the word knowledge. And earlier today I gave a talk about something I'm calling a digital big bang. It's an analogy of that. We had a digital big bang fifty years ago where an explosion of data is among us and there's some challenges will get back that in a second. The analogy is thie cosmic big bang of fourteen billion years ago. And it wasn't until we started certain had a quest for knowledge about the fundamental elements of the cosmic Big Bang and the hard sciences behind it. Physics, chemistry, biology, things like that that we actually started obtaining an accumulating knowledge. So I think to your point, there's a lot of knowledge accumulation that we need to start a quest for in this cyber physical domain. And that's that's all about treating cybersecurity more like a science rather than an art. And I think this cyber SciFi domain is a great place to start practicing that accumulating knowledge in a very, very scientific way, build on the build on the successes of our our forefathers. I could say >> Sorry if I can build on this for one second. Sorry, Lisa, that the entropy gets everything in the end. But isn't it interesting that the process of creating Mohr information creating more knowledge and then securing it is our main fight against entropy? Right. That's how we create increase optimization of our resources. How we get Maura out of less on DH. That seems to me to be an especially important thing here. A CZ we think about it is how we utilize that knowledge, share it and in so doing security so that we're sharing inappropriately. >> There's a there's a great saying. I'm sure you're familiar with each of you. It's called. I use it often. Data is the oil the twenty first century, right? So the last century, those who could find oil explored it put it good use and protected dominated that century. Let's fast forward to the twenty first century. I think the same words apply data right. Those who can find it generate wisdom from it, insight from it and protect it will dominate in a good way the twenty first century. So, on the way you were going to do that. This is the collective we is bias. You said Collect, Ate it. Make it better. Send it back out, bring it back in. Make it better. Send it back out. It's a somewhat circular, but I think it's a very, very healthy example of, ah, circular augmentation. >> So don't think I want to touch on a little bit with you. Feel before we let you go is we talked about knowledge a minute ago and sharing that knowledge forty nights Very dedicated to education. Educating your customers, educating your partners When you're talking with si SOS and we know that there's an ostensible skills got with cyber security. What are some of the solutions that you talked to those customers that like Hey, this is how fourteen that nurse ecosystem partners can help you here. Address this so you can leverage the power of that data to, As you said, you know, for the twenty first century, for example, data becomes the new oil. What's that education conversation like there's >> a There's a long game in a short game, you know, the short game is about leveraging like we talked about a few minutes ago. Speed, speed, automation, integration, too. Compliment the shortage of human beings right rely machines, moron for what machines we're good at on DH. Take the humans, the humans, the steel personnel and have them do the higher order thinking. So the near term game. It's foreign. It's really well. Pasha provide our customers is speed, automation and integration. So that's the short game. Long game is about creating, Ah, larger workforce or larger population of folks who could all be construed contribute to this great new world we've been talking about. And that's training. And that's education. And I think, you know important. It's also, you know, working the long game as well, with some near term training at multiple levels for folks in in the networking world, but were also part of something called the World Economic Form West's Center for Cyber Security. We're founding member, and there were trying to create a long game where we can help educate a whole lot of people on cybersecurity and create the future. Workforce is in the long game. So short term long game, both her important >> except well, Phil, thank you so much for joining Peter and me on the cute this afternoon. We appreciate your time. >> Thanks again. It was nice. Nice being back and >> excellent. Our pleasure for Peter. Boris. I'm Lisa Martin. You're watching the Cube

(computerized music) >> Announcer: Live from Las Vegas, it's theCUBE. Covering Fortinet Accelerate 18. Brought to you by Fortinet. (computerized music) >> Hi, welcome back to Fortinet Accelerate 2018. I'm Lisa Martin with theCUBE. Excited to be back here for our second year. I'm joined by my esteemed cohost Peter Burris. Peter and I are excited to be joined by the chief information security officer of Fortinet, Phil Quade. Phil, welcome back to theCUBE >> Thanks of having me today. >> Great to have you here. So you had this interesting keynote this morning talking about cyber security fundamentals in the age of digital transformation. So we'll kind of peel apart that. But, something that I'm really curious about is, as a CISO, you are probably looked at as a trusted advisor to your peers, at Fortinet customers, at perspective customers. Tell us about, as we're in this evolution of security that Kenzie talked about, what are some of the things that you're hearing? What are they looking to you to help them understand and help from strategic perspective to enable in their environments? >> I often hear people say, "I recognize that my security's inadequate, what can I do about it?" Or, "I think my security's good enough, but I'm not evolving commensurably with the risk." And they say, "What do I do about that? How do I get to a better spot?" And I typically talk about them modernizing their strategy, and then based on their modernized strategy, that leads to specific technical solutions. And I'll have to talk to you more about what some of those might be. >> Yeah, on the strategy side of things, I find that very interesting. Peter and I were talking with Kenzie earlier, and with the 20 to 30 different security solutions that an organization has in place today that are disparate, not connected, where does the strategy discussion start? >> Well it starts to me with, I say, the adversary's comin at you at speed and scale, so how do you address the problems of speed and scale? It's through automation and integration. And fortunately, I believe in that strategy, but it plays directly into Fortinet's strengths, right? We have speed baked into our solution set. We have speed at the edge for our custom ASICs. And we're fundamentally are an integrated company where our products are designed to work together as a team because what you want to do strategy wise, is you want to, I think, you want to defend at your place of strength. And at a time and place of strength as opposed if your adversaries, where he's probing at your weak point. So, that's this integration thing's not only strategic, but it's essential to address the problems with speed and scale. >> So, Phil, technology's being applied to a lot of IT and other business disciplines. So, for example, when I was seeing machine learning, and related types of technologies actually being applied to improve programmer productivity through what we call augmented programming. And that may open the aperture on the number of people that actually can participate in the process of creating digital value. But it still requires a developer mindset. You still have to approach your problem from a developer perspective. What is the security mindset? That as security technology becomes more automated, that more people can participate, more people can be cognizant of the challenges. What is that constant security mindset that has to be sustained in an enterprise to continue to drive better and superior security. >> Got it. I think that some companies get too hyped about artificial intelligence, and I think it's important to remember that you need to use computer science to get to science fiction. So, a very disciplined way you need to say, well in order to achieve high degrees of automation, or perhaps machine learning, or artificial intelligence, what are the building blocks of that? Well, the building blocks are speed, because if you have a decision that's too late, who cares. Integration. If you have a decision that can't be communicated effectively, who cares. And then, of course, access to all the right types of data. In order to get smart to do machine learning, you need access to lots of different data sources, so you need to have lots of disparate centers sending in data for you to analyze. Back in my old job, we used to do some centralized processing, say back in the data center. We would precompute a result, we'd push that precomputed result back to the edge, and then you would do that last bit of analysis right at the point of need. And I think, again, the Fortinet architecture supports that in that we have a back end called Fortiguard Labs, if you know what that is. It does deep analysis and research, pushes their results forward, then we use speed at the edge inside customer premises to sort of compute, I'm mixing metaphors, but do the last mile of computing. So I think it's, back to your question, what's the mentality? It's about leveraging technology to our advantage, rather than people being the slaves of machines, we need to have machines serving more man. And we need computer science to do that, rather than, like I say, creating busy work for humans. >> Peter: Got it. >> You talked about speed and scale a minute ago. And as we look at, I'm curious of your perspective as the CISO, how do you get that balance between enabling digital business transformation, which is essential for growth, profitability, competition, and managing, or really balancing that with security risk management. So, if a business can't evolve digitally at speed and scale, and apply security protocols at every point they need to, is digital transformation meaningless? How do they get that-- >> Great question. Cause you don't want to feel like it's going to be a haves and have nots. The good news is that, for example, for those who seek to move to the cloud for whatever reason, convenience or agility or business efficiencies, you don't have to go all cloud or no cloud, right. And the security solutions of Fortinet allows you to do each. You can have some cloud, some non-cloud, and get them both to work together simultaneously under what we call a single pane of glass. So, as a user, you don't care if your firewall is a physical appliance or a virtual one, you want to establish a security policy and have that pushed out no matter what your firewall looks like. So to answer your question, I think that hybrid solutions are the way to go, and we need to let people know that it's not an all or nothing solution. >> That visibility that you kind of mentioned seems to have been kind of a bane of security folk's existence before. How do we get that broad visibility? >> Yeah, I think right, it's visibility and complexity I'd say are the bane of cyber security, right? Visibility, what you can't see, you can't defend against, and complexity is the enemy of security, right? So we need to address the problems. You asked me what CISOs say. We have to reduce complexity, and we have to improve visibility. And again, I think Fortinet's well postured to offer those types of solutions. >> So as you increase, we talk about the edge, you mentioned the edge. As more processing power goes to the edge, and more data's being collected, and more data's being acted upon at the edge, often independent of any essential resource, the threat of exposure goes up. Cause you're putting more processing power, or more data out there. How is securing the edge going to be different than securing other resources within the enterprise? >> Well encryptions will remain a part, right. Encryption to create confidentiality between the two computing entities is always a part. And then of course encryption can be used to authenticate local processes at the edge. So even though encryption might not be perceived as the silver bullet that it used to be, in the age of pending quantum computing, I can talk more about that in a second. In fact encryption is a fantastic tool for creating trust among entities and within an entity. So I think the applications of smart, strong encryption among and within the entities can create that web of trust we're talking to. If I could just briefly go back to quantum computing, right. So most commercial entities today, or most think tanks think that a quantum computer, a usable one, will be invented within 15ish or so years or so. Fortinet is actually already implementing quantum resistant cryptography in our products. >> Peter: Quantum what? >> It's called quantum resistant cryptography. And a quantum computer-- >> I understand. >> Will be able to break asymmetric encryption, so we're making sure we're implementing the algorithms today to future-proof our products against a future quantum computer. >> That's a major statement. Cause as you said, we're probably not looking at a more broad base utilization of quantum computing for many many many many years. And we'll know when they're being used by bad guys. We'll know who has one. How fast is that going to become a real issue. I mean as people think about it. >> The problem is that private sector doesn't know what the bad guy countries, when they will indeed have a computer, so Fortinet is being forward leaning, making sure we're starting to get familiar with the technology now. And also encryption's the type of thing that sometimes it requires special hardware requirements, special power-- >> Peter: Quantum computing does. >> No. Any encryption technology. The more computation you have to do, sometimes it might require more memory, or a faster processor. Well that takes months, if not years, if you're putting that into a custom chip. So we're planning and doing these things now, so we can make sure that we're ready, and aren't surprised by the actual compute power that's required of quantum resistant cryptography, or, and of course, aren't surprised when an adversary does in fact have one. >> Peter: Interesting. >> Good stuff. >> One of the things that you're doing later today is a panel, right? Between IT and OT folks. And I wanted to explore with you some of the evolution in the risks on the operational technology side. Tell us a little bit about what that panel today is going to discuss and maybe and example of, Triton for example, and how these types of attacks are now very prevalent from a physical stand point. >> Favorite topic of mine. Thanks for bringing it up. So one of the first things I'll do is I'll make the distinction between OT, operational technology, and IOT. So what I'll say is operational technology's designed primarily to work to protect the safety and reliability of physical processes and things. Things that move electricity, move oil and gas inside industrial automation plants. So operational technology. And then I'll talk a little bit more about IOT, the internet of things, which are primarily, and I'm cartooning a little bit, more about enabling consumer friendly things to happen. To increase the friendliness, the convenience, of our everyday lives. And so, once I make that distinction, I'll talk about the security solutions that are different between those. So, the OT community has done just fine for years, thank you very much, without the IT folks coming in saying I'll save your day. But that's because they've had the luxury of relying on the air gap. But unfortunately-- Meaning to attack an OT system you had to physically touch it. But unfortunately the air gap is dead or dying in the OT space as well. So we need to bring in new strategies and technologies to help secure OT. The IT side, that's a different story, because IOT is fundamentally lightweight, inexpensive devices without security built in. So we're not as a community going to automatically be able to secure IOT. What we're going to need to do is implement a strategy we call earned trust. So a two part strategy. Number one, rather than pretend we're going to be able to secure the IOT devices at the device level, that are currently unsecurable, we're going to move security to a different part of the architecture. Cause remember I talked about that's what you can do with security fabric, if you do defense as a team, you want to defend at the time and place you're choosing. So with IOT, we'll move the defense to a different part of the architecture. And what we'll implement is a strategy we call earned trust. We'll assign a level of trust to the IOT appliances, and then evaluate how they actually behave. And if they do in fact behave over time according to their advertised type of trust, we'll allow more, or in some cases, less access. So that's our IOT solution. And both of them are really important to the community, but they're very different IOT and OT. But unfortunately they share two letters and people are mixing them up to much. >> But at the same time, as you said, the air gap's going away, but also we're seeing an increasing number of the protocols and the technologies and other types of things start to populate into the OT world. So is there going to be a-- There's likely to be some type of convergence, some type of flattening of some of those devices, but it would be nice to see some of those as you said, hardened, disciplined, deep understanding of what it means to do OT security also start to influence the way IT thinks about security as well. >> Love it. Great point. Not only can the OT folks perhaps borrow some strategies and technologies from the IT folks, but the opposite's true as well. Because on the OT side, I know you're making this point, they've been securing their industrial internet of things for decades, and doing just fine. And so there's plenty that each community can learn from each other. You brought up a recent type of malware effecting OT systems Triton or Trisis. And the memory brings me back to about nine years ago, you might be familiar there was just a catastrophic incident in Russia at their-- It was a failure of operational technology. Specifically it was the largest electricity generation, hydroelectric plant, ninth biggest in the whole world, they took it offline to do some maintenance, loaded some parameters that were out of range, cause vibration in the machinery, and next thing you know, a major cover flew off, a 900 ton motor came off its bearings, water flooded the engine compartment, and it caused a catastrophic explosion. With I think, I'll just say, well over 50 people dying and billions of dollars of economic loss. So, what I'm trying to say is not, you know, get excited over a catastrophe, but to say that the intersection between physical and cyber is happening. There's not just the stuff of spy novels anymore. Countries have demonstrated the will and the ability to attack physical infrastructures with cyber capabilities. But back to Triton and Trisis. This is just a couple months ago. That sort of rocked the operational community because it was a very sophisticated piece of malware. And not only could it affect what are called control systems, but the safety systems themselves. And that is considered the untouchable part of operational technologies. You never want to affect the safety system. So the time is here. The opportunity and need is here for us to do a better job as a community to protecting the OT systems. >> So the speed, the scale, all the other things that you mentioned, suggests that we're moving beyond, and Kenzie has talked about this as well, the third generation of security. That we're moving beyond just securing a perimeter and securing a piece of hardware. We're now thinking about a boundary that has to be porous, where sharing is fundamentally the good that is being provided. How is a CISO thinking differently about the arrangement of hardware, virtuals, services, virtual capabilities, and, in fact, intellectual property services, to help businesses sustain their profile? >> I think you're spot on. The boundary as we know it is dead. You know, dying, if not dead. Right so, the new strategy is doing agile segmentation, both at the macro level and the micro level. And because you might want to form a coalition today that might break apart tomorrow, and that's why you need this agile segmentation. Back you your point about having some stuff in the cloud and some stuff perhaps in your own data center. Again, we don't want to make people choose between those two things. We need to create a virtual security perimeter around the data, whether part of it's existing in the data center or part of it exists in the cloud. And that again gets back to that strategy of agile segmentation at both macro and micro levels. And of course we need to do that with great simplicity so we don't overwhelm the managers of these systems with complexity that causes the human brain to fail on us. I'll often times say it's not the hardware or the software that fails us, it's the wetware. It's the brain that we have that we get overwhelmed by complexity and it causes us to do silly or sloppy things. >> So let me build on that thought one second, and come back to the role that you play within Fortinet, but also the CISO is starting to evolve into. As a guy who used to run not a big business, but a publicly traded company, I learned that when you wanted to go into a partnership with another firm, you got a whole bunch of lawyers involved, you spent a long time negotiating it, you set the parameters in place, and then you had a set of operating models with people that made sure that the partnership worked together. When we're talking about digital, we're talking about that partnership happening at much faster speeds, potentially much greater scale, and the issue of securing that partnership is not just making sure that the people are doing the right things, but the actual systems are doing the right things. Talk about the evolving role of the CISO as a manager of digital partnerships. >> I think you're right, it used to be the case where if you're entering a partnership, you're partner might say tell me a little bit more about how you secure your systems. And that company might say that's none of your business, thank you very much. But today, for the reasons you so well said, your risk is my risk. As soon as we start operating collaboratively, that risk becomes a shared situation. So, in fact, it becomes a responsibility of the CISOs to make sure the risks are appropriately understood and co-managed. Don't get me wrong, each company still needs to manage their own risk. But once you start richly collaborating, you have to make sure that your interfacing doesn't create new risks. So it used to be the day that only a couple of people in a company could say no. Of course the CEO, maybe the general council, maybe the CFO. But increasingly the CISO can say no too, because the exposure to a company is just too broad to take risks that you can't understand. >> And it's not a financial problem. It's not a legal problem. It's an operational problem >> That's right. That's right. And so the good news that CISOs I think are stepping up to the plate for that. The CISOs of today are not the CISOs of five, seven years ago. They're not insecure folks fighting for their posture C suite. They are valued members to the C suite. >> I wish we had more time guys, cause I would love to dig into that shared responsibility conversation. We've got to wrap up. Phil, thank you so much for stopping by theCUBE again, and sharing your insights on the strategic side, not only the evolution of Fortinet and security, but also the evolution that you guys are leading in at 2018 with your partners. We wish you a great time at the event, and we think you're having us back. >> Thanks for having me very much. I enjoyed talking to you both. >> And for my cohost Peter Burris, I'm Lisa Martin. We are live on theCUBE at Fortinet Accelerate 2018. Stick around and we'll be right back. (computerized music)

(electronic music) >> Hi, welcome to today's very special in-studio presentation of theCUBE, I'm Peter Burris, Chief Research Officer of Wikibon, and we've got a great guest, we're going to talk about critical infrastructure today, which is a topic that deserves a lot of conversation, but sometimes ends up being a lot of talk and not as much action, and we've got Phil Quade, who's a Chief Information Security Officer of Fortinet to talk about it. Phil, thanks for coming to theCUBE. >> Appreciate being here, thank you. >> So Phil, the issue of security is something, as I said, that's frequently discussed, not often understood, and therefore often is not associated with action, or perhaps as much action as it should be. Talk about the conversation that you're having with customers and peers in the boardroom about the role that security is playing in business thinking today. >> Sure, thank you. The folks I've talked to, they're not dumb people, you don't make it into the C-Suite without having some type of intellect and perspective. What I found is that they recognize indeed that we are in the midst of another computing revolution, and the roots of that trace back from mobility to the cloud and now the Internet of Things. What they don't quite recognize, though, is that we're in the midst of a security revolution as well. And I look at that as going from security from being point solutions to being ubiquitous security everywhere, to having that security integrated so it works as a team. To have that team-oriented security simplified so it doesn't overwhelm the operators. And importantly into the future, much more automation, so highly automated to the degree that it will actually execute the intent of the operator and of the security people. >> So Phil, you made a very interesting point, you said security everywhere, we usually think about security as being something that existed at the perimeter, almost now, I guess, to walking into a building and securing the outside of the building, and once we secure the outside of the building, everything else was fine. But the nature of security everywhere means that the threats seem to be changing. Talk a little about the evolution of some of the threats, and why this notion of security everywhere becomes so important. >> You're right, we all know how well relying on boundary security alone works. It doesn't. You have to have boundary security where there is indeed a defined boundary, but increasingly, networks are borderless. You'll work from home, you'll work from your car. You'll work while you're taking a stroll in the park, but you also need to recognize that you have important assets there in your data centers, there in your clouds, so it's not about having point solutions at the border, it's about having ubiquitous security that can operate in your pocket, on your laptop, on the edge, in the data center, in the cloud as well, but this is importantly, having all those pieces working together as a team. >> We like to talk at Wikibon about the idea of, everybody talks about digital transformation, but to us, that means ultimately is that, companies are using data as an asset, that's the essence of digital transformation. This notion of border security becomes especially important, because our data becomes our representation of us, of our brand, data is acting on our behalf right now. So what are some of those key new things that we're concerned about, in terms of the new viruses? If we think about a hierarchy of concerns, bullying all the way down to strategic, where are we in understanding that hierarchy, and how we're dedicating the right resources to making sense of it? >> Sure, it's tempting to think that WannaCry and NotPetya represent the new normal, or the cutting edge of the cybersecurity threats we're seeing today, but I think we need to take a step back and recognize the intent of such threats. Some threats come at you because someone simply wants to cause mischief. Others because they are trying to bully you into doing certain things. Some of these threats are based on a criminal element, where they're trying to get some type of financial gain, but now others are much more, much more, I'll say harmful. Some might be due to revenge, so, look at the Sony incident. The Sony incident was primarily because a foreign leader was upset of a film company's portrayal of his country, or himself. And the two that are especially worrisome to me are threats that are motivated by military tactical advantages, but most importantly, strategic advantages, so for example, there's some countries that hope to hold our strategic assets at risk, and what I mean is, they'd like to be able to impose their national will on the United States, or other democracies, by holding some of our critical infrastructures at risk, as in preventing their reliable and safe operation, or causing folks to have a distrust of their financial system. So I'm really worried about the threats that come after us from a strategic perspective. Don't worry, WannaCry and NotPetya are important, but they're very different than being strategic threats. >> Now, this issue of strategic threats sounds like there's also a continuum of the characteristics of the threat, from, you totally bring something down, to you actually introduce behaviors that are not expected or not wanted. So talk a little bit about this notion of critical infrastructure, and how we're getting more, both planful, and subtle, and strategic in our responses to the threats against critical infrastructure. >> Well, it's the subtle ones, you're right, it's the subtle ones that worry you, meaning, it's relatively easy to recognize when something bad happens to you, 'cause you can immediately try and fix it, but when something subtle, oftentimes it passes, your prickly sensors don't come up. And the problem is, when all these subtle things build on top of each other, so that all of a sudden, 10 subtle things turn out to be one very big thing, and those are the types of things we need to worry about with some particular critical infrastructures. So for example, a terrorist's malicious activity might simply be looking for one big high-visible attack, meaning, causing heat and light to happen on a TV screen for an exploding oil field, or something like that, but a much more subtle malicious activity would be the gradual degradation of the quality or availability of water, or the gradual degradation on the precision of some of our critical manufacturing, so I'm with you, that some of the subtle things are what we need to worry about. We call those low-and-slow attacks, so it's, you not only be prepared for the loud and stealthy ones, but also the low and slow ones. >> Now, we used to think for example of one of the more famous portrayals of security concerns in movies and whatnot is the idea that I take off the last six decimal places of a transaction, I somehow amass millions of dollars. Is that the kind of thing you mean by low and slow? Those aren't necessarily the kind of threats, I know, but that kind of thing, it's subtle, and it doesn't have an immediate, obvious impact, but over time, it can lead to dramatic changes in how business, or an infrastructure, a national asset, works. >> That's a great analogy, the old financial attacks where they bleed off 0.01 cent per transaction, that adds up very quickly into a very high-volume loss. Well, imagine applying that style of attack on something that could result in not simply a financial loss, but could cause a physical or safety event, whether it be a pressure explosion on a pipeline, a degradation of water, or something of the sort. Those are very, very important, and we need to make sure we're looking for those too. Now, the question might be, well, how do you find such things? And the answer is automation. Human cognition is such that they're not going to be capable of tracking these very low and subtle and slow attacks, so you're going to need to use some always-on analytics to find those types of things. >> So I want to bring you back to a word that you use that, in the context of this conversation, it actually becomes very important. Simple, small word. We. In this world of security, when we start thinking about, for example, the internet, which is a network of networks, some of which are owned by that person, some of which are owned by that corporation, some of which may have more public sponsorship, the idea of we becomes crucially important. We all have to play our role, but to secure critical infrastructure's going to be a public-private effort. So talk a little about how we go about ensuring this degree of control over the public infrastructure. >> So bingo, oftentimes when I say we, it's the royal we, because as you know, as I know, critical infrastructure's not owned and operated by any one place, in fact, it's owned and operated by hundreds if not thousands of different entities. Unfortunately, some people think that the government, the US government, is going to swoop in and do something magical and magnificent to secure critical infrastructure. And the other, certainly, intent, not intent, there's a will to do such a thing, the government doesn't have the authority nor resources nor expertise to do such thing. So what it means is we, this is the royal we, the public sector, the private sector, and there's an even a role for individual citizens, we need to come together in new and innovative ways to get the security critical infrastructure to a much better place. >> And this is part of that conversation, having the conversation about the role that critical infrastructure plays in the economy, in social endeavors, in government, in democracy, becomes a crucial element of this whole thing, so when you think about it, what do the rest of us need to know about critical infrastructure to have these conversations, to be active and competent participants in ensuring that we are having, focusing on the right thing, making the right investment, putting our faith in the right people and corporations? >> I think the first step is taking a long-term approach. I'm a big believer in the old Chinese proverb, a journey of 1,000 miles starts with one small step. The problem with critical infrastructure security is that the problem is so big, and it's so important, that we're often paralyzed into inaction, and that gets back to the point we were talking about earlier, that no one single person is in charge. But we need to recognize that and get past it, we need to recognize that the solution lies in several folks, several communities coming together to try and figure out what we each can bring to this problem. And I believe there's some actional things we can do. I don't know what those 1,000 steps look like to get to where we need to be, but I do know what those first five, 10, 15, 25 things are, as do other folks in the community. So why don't we start acting on them now, and that has the side benefit of not only making incremental progress towards them, but it develops what I call muscle memory between the public and private sector, of how we go about working together on problems where no one entity owns the whole problem, or solution. >> So one of the things that makes critical infrastructure distinct from, again, this goes back to the idea of what do we need to know, is that critical infrastructure is distinct from traditional networking, or traditional infrastructure, in that critical infrastructure usually has a safety component to it, and you and I were talking beforehand about how IT folks like to talk about security, OT folks, or operational technology people, the people who are often responsible for a lot of these critical infrastructure elements, talk about safety. Bring that distinction out a little bit. What does it mean to have a perspective that starts with safety, and figures out how security can make that easier, versus starts with identity, and figures out how to control access to things? >> Right, I think that's an important point, because too often, the folks in the IT, information technology community, and folks in the operational technology community, the OT community, too often were talking past each other, and one of the reasons is just as you said, one focuses on the security of bits and bytes, and other focuses on the safety of water and chemical and electrons and things like that. >> Well, at the end of the day, it's hard to say, "I'm going to secure water by not letting this group drink." >> Right, that's right. >> You can do that kind of thing in the IT world. >> Right. So, very much so, the industrial control system folks, the OT folks, what's number one on their mind is the safety and reliability of their systems and equipment. They're serving the public with reliable transportation, water, electricity, and the like, and so one of the first things we need to do is recognize that, it's not either/or, security or safety, it's both, number one. Number two, I think an important solution is, an important part of the solution is mutual respect, meaning that, yes it's true that the IT folks have some important strategies and technologies to bring into the OT space, but the opposite's also true. The OT folks, some of the smartest folks I know in the business, have been doing what people recently breathlessly call the Internet of Things. So in the critical infrastructure world, they have what's called the Industrial Internet of Things, and they've been using these lightweight distributing appliances for decades successfully. And so I think that we need to take some of the lessons from IT, and apply it to the OT space, but the same is also true. There's some OT lessons learned, so we need to apply the OT space. So, the real solution though is now, taking both of those who are working together to address the increasingly blended critical infrastructures, IT, OT worlds. >> So Phil, if you were to have a recommendation of someone who has worked in, been familiar with the black security world, the black ops world, the black hat world as well as the white hat world, if you were to have a recommendation as to where people should focus their time and attention now, what would it be? What would kind of be the next thing, the next action that would recommend that people take? >> If I could, I'd like to answer that in two parts. First part is, what are the group of activities where we could naturally make some progress? Well, the first one is, getting some like-minded thought leaders together in agreeing that this is in fact a 10-year problem, not a one-year problem. And no matter what jobs we're all in, commit ourselves to working together over that period to get to a good spot, so one is a forming of like-minded people to agree on the vision and determination to help us get there. But then there's some practical things we can do, like, the mundane but important automating information-sharing. There's some critical infrastructures that do that very well today, the financial sector's often brought out as one of the best in that field. But some of the other sectors have a little ways to go, when it comes to automating information-sharing of the threats and the risks in the situations they're seeing. Another thing that I think we can do is, I call 'em pilots. Specifically, we need to explore all the dimensions of risk. Right now when we think about mitigating risk, we think about, how can I stop a threat, or how can I fix a vulnerability. But too often we're not talking about, what are the bad consequences I'm trying to avoid to begin with? And so, the critical infrastructure community especially is ensuring a discipline called consequence-based engineering, so it's mitigating risk by engineering out the bad consequences from the very beginning, and then using your technology to address the threats and the vulnerabilities. So I'd like to see us do some public-private partnerships, some pilots, based on consequence-based engineering, and that will not only reduce overall risk, but it will create, as I mentioned earlier, that muscle memory. >> Consequence-based engineering. >> That's right. >> So is there one particular domain where you have, like when you sit back and say, "I want to see these public-private partnerships," is there a place where you'd like to see that start? Part of the whole critical infrastructure story. >> Right. You can't ignore the electric critical infrastructure. And the good news is that they've been practicing this science, this art, consequence-based engineering, for some time now. So for example, in the electric grid, as you certainly know, there are three major interconnects in the United States, the eastern, western, Texas interconnect. So they already create segments, or islands, so that one failure won't propagate across the whole US. So the mythical US-wide power grid is in fact a myth. But even within those segments, the eastern, the western, and the Texas interconnect, there's other further segmentation. They don't quite call it segmentation, they call it islanding. So when things fail, they fail in a relatively safe way, so islands of power can continue to be generated, transmitted, and distributed. So, in the sense, some of the folks in the electric companies, the electric sectors, are already practicing this discipline. We need to, though, pivot that and use it in some of those other disciplines as well. Think, oil and gas, transportation, water, critical manufacturing, and possibly a couple others. >> So Phil, I find it fascinating, you were talking about the electric grid as a network, and all networks have kind of similar problems, we have to think about them in similar ways, and Fortinet has been at the vanguard of thinking about the relationship between network and security for a long time now. How is your knowledge, how is Fortinet's knowledge of that relationship, going to manifest itself when we start thinking about bringing more networking, more network thinking to critical infrastructure overall? >> You're right, the strategy of segmentation is still king in the security business, and that's especially true in the IT space. At Fortinet, we offer a range of security solutions from the IoT to the cloud, and can segment within each of those different pieces of the network, but more importantly, what we offer is a security fabric that allows you to integrate the security at the edge, at the cloud, in the data center, and other parts of your network, integrate that into a fully-cooperating team of security appliances. What that allows you to do is to integrate your security, automate it much more so, because you don't want to bring a knife to a gun fight, meaning, the adversaries are coming at us in lots of different ways, and you need to be prepared to meet on their terms, if not better. But it also greatly decreases the complexity in managing a network, by leveraging greater automation and greater visibility of your assets. So, you're right. Segmentation is a strategy that's proven the test of time, it's true of the IT space, and it's especially true to the OT space, and at Fortinet, we'd like to see the blending of the planning and implementation of some of these strategies, so we can get these critical infrastructures to a better spot. >> Well, Phil Quade, thank you very much for coming on theCUBE and talking with us about critical infrastructure and the role the network is going to play in ensuring that we have water to drink and we have electricity to turn on our various devices, and watch theCUBE! Philip Quade, CISO of Fortinet, thank you very much. >> My pleasure, thank you. >> And I'm Peter Burris, and I'm, again, Chief Research Officer working on SiliconANGLE, you've been watching theCUBE, thank you very much for being here as part of this very important discussion, and we look forward to seeing you in the future! (electronic music)

>> Announcer: Live from Orlando, Florida it's theCUBE covering Accelerate19. Brought to you by Fortinet. >> Welcome to theCUBE's coverage of Fortinet Accelerate 2019 live from Orlando, Florida. I'm Lisa Martin with Peter Burris. Peter, it's great to be with you our third year co-hosting Accelerate together. >> Indeed, Lisa. >> So we moved from, they've moved from Vegas to Orlando, hence we did so we had a little bit of a longer flight to get here. Just came from the Keynote session. We were talkin' about the loud music kind of getting the energy going. I appreciated that as part of my caffeination (laughs) energy this morning but a lot of numbers shared from Fortinet Accelerate. 4,000 or so attendees here today from 40 different countries. They gave a lot of information about how strong their revenue has been, $1.8 billion, up 20% year on year. Lots of customers added. What were some of the takeaways from you from this morning's keynote session? >> I think it's, I got three things, I think, Lisa. Number one is that you've heard the expression, skating to where the puck's going to go. Fortinet is one of those companies that has succeeded in skating to where the puck is going to go. Clearly cloud is not a architectural or strategy for centralizing computing. It's a strategy for, in a controlled coherent way, greater distribution of computing including all the way out to the edge. There's going to be a magnificent number of new kinds of architectures created but the central feature of all of them is going to be high performance, highly flexible software-defined networking that has to have security built into it and Fortinet's at the vanguard of that. The second thing I'd say is that we talk a lot about software defined wide-area networking and software-defined networking and software-defined infrastructure and that's great but it ultimately has to run on some type of hardware if it's going to work. And one of the advantages of introducing advanced ACICS is that you can boost up the amount of performance that your stuff can run in and I find it interesting that there's a clear relationship between Fortinet's ability to bring out more powerful hardware and its ability to add additional functionality within its own stack but also grow the size of its ecosystem. And I think it's going to be very interesting over the next few years to discover where that tension is going to go between having access to more hardware because you've designed it and the whole concept of scale. My guess is that Fortinet's growth and Fortinet's footprint is going to be more than big enough to sustain its hardware so that it can continue to drive that kind of advantage. And the last thing that I'd say is that the prevalence and centrality of networking within cloud computing ultimately means that there's going to be a broad class of audiences going to be paying close attention to it. And in the Keynotes this morning we heard a lot of great talk that was really hitting the network professional and the people that serve that network professional and the security professional. But Fortinet's going to have to expand its conversation to business people and explain why digital business is inherently a deeply networked structure and also to application developers. Fortinet is talking about how the network and security are going to come together which has a lot of institutional and other implications but ultimately that combination of resources is going to be very attractive to developers in the long run who don't necessarily like security and therefore security's always been a bull time. So if Fortinet can start attracting developers into that vision and into that fold so the network, the combined network security platform, becomes more developer-friendly we may see some fascinating new classes of applications emerge as a consequence of Fortinet's hardware, market and innovation leadership. >> One of the things that they talked about this morning was some of the tenets that were discussed at Davos 2019 just 10 weeks ago. They talked about education, ecosystem and technology, and then showed a slide. Patrice Perche, the executive senior vice president of sales said, hey we were talking about this last year. They talked about education and what they're doing to not only address the major skills gap in cybersecurity, what they're doing even to help veterans, but from an education perspective, rather from an ecosystem perspective, this open ecosystem. They talked about this massive expansion of fabric-ready partners and technology connector partners as well as of course the technology in which Ken Xie, CEO and founder of Fortinet, was the speaker at Davos. So they really talked about sort of, hey, last year here we were talking about these three pillars of cybersecurity at the heart of the fourth industrial revolution and look where we are now. So they sort of set themselves up as being, I wouldn't say predictors of what's happening, but certainly at the leading edge, and then as you were talking about a minute ago, from a competitive perspective, talked a lot this morning about where they are positioned in the market against their competitors, even down from the number of patents that they have to the number of say Gartner Magic Quadrants that they've participated in so they clearly are positioning themselves as a leader and from the vibe that I got was a lot of confidence in that competitive positioning. >> Yeah and I think it's well deserved. So you mentioned the skills gap. They mentioned, Fortinet mentioned that there's three and a half million more open positions for cybersecurity experts than there are people to fulfill it and they're talking about how they're training NSEs at the rate of about, or they're going to, you know, have trained 300,000 by the end of the year. So they're clearly taking, putting their money where their mouth is on that front. It's interesting that people, all of us, tend to talk about AI as a foregone conclusion, without recognizing the deep interrelationship between people and technology and how people ultimately will gate the adoption of technology, and that's really what's innovation's about is how fast you embed it in a business, in a community, so that they change their behaviors. And so the need for greater cybersecurity, numbers of cybersecurity people, is a going to be a major barrier, it's going to be a major constraint on how fast a lot of new technologies get introduced. And you know, Fortinet clearly has recognized that, as have other network players, who are seeing that their total addressable market is going to be shaped strongly in the future by how fast security becomes embedded within the core infrastructure so that more applications, more complex processes, more institutions of businesses, can be built in that network. You know there is one thing I think that we're going to, that I think we need to listen to today because well Fortinet has been at the vanguard of a lot of these trends, you know, having that hardware that opens up additional footprint that they can put more software and software function into, there still is a lot of new technology coming in the cloud. When you start talking about containers and Kubernetes, those are not just going to be technologies that operate at the cluster level. They're also going to be embedded down into system software as well so to bring that kind of cloud operating model so that you have, you can just install the software that you need, and it's going to be interesting to see how Fortinet over the next few years, I don't want to say skinnies up, but targets some of its core software functionality so that it becomes more cloud-like in how it's managed, its implementations, how it's updated, how fast patches and fixes are handled. That's going to be a major source of pressure and a major source of tension in the entire software-defined marketplace but especially in the software-defined networking marketplace. >> One of the things Ken Xie talked about cloud versus edge and actually said, kind of, edge will eat the cloud. We have, we live, every business lives in this hybrid multi-cloud world with millions of IoT devices and mobile and operational technology that's taking advantage of being connected over IP. From your perspective, kind of dig into what Ken Xie was talking about with edge eating cloud and companies having to push security out, not just, I shouldn't say push it out to the edge, but as you were saying earlier and they say, it needs to be embedded everywhere. What are your thoughts on that? >> Well I think I would say I had some disagreements with him on some of that but I also think he extended the conversation greatly. And the disagreements are mainly kind of nit-picky things. So let me explain what I mean by that. There's some analyst somewhere, some venture capitalist somewhere that coined the term that the edge is going to eat the cloud, and, you know, that's one of those false dichotomies. I mean, it's a ridiculous statement. There's no reason to say that kind of stuff. The edge is going to reshape the cloud. The cloud is going to move to the edge. The notion of fog computing is ridiculous because you need clarity, incredible clarity at the edge. And I think that's what Ken was trying to get to, the idea that the edge has to be more clear, that the same concepts of security, the same notions of security, discovery, visibility, has to be absolutely clear at the edge. There can be no fog, it must be clear. And the cloud is going to move there, the cloud operating model's going to move there and networking is absolutely going to be a central feature of how that happens. Now one of the things that I'm not sure if it was Ken or if was the Head of Products who said it, but the notion of the edge becoming defined in part by different zones of trust is, I think, very, very interesting. We think at Wikibon, we think that there will be this notion of what we call a data zone where we will have edge computing defined by what data needs to be proximate to whatever action is being supported at the edge and it is an action that is the central feature of that but related to that is what trust is required for that action to be competent? And by that I mean, you know, not only worrying about what resources have access to it but can we actually say that is a competent action, that is a trustworthy action, that agency, that sense of agency is acceptable to the business? So this notion of trust as being one of the defining characteristics that differentiates different classes of edge I think is very interesting and very smart and is going to become one of the key issues that businesses have to think about when they think about their overall edge architectures. But to come back to your core point, we can call it, we can say that the edge is going to eat the cloud if we want to. I mean, who cares? I'd rather say that if software's going to eat the world it's going to eat it at the edge and where we put software we need to put trust and we need to put networking that can handle that level of trust and with high performance security in place. And I think that's very consistent with what we heard this morning. >> So you brought up AI a minute ago and one of the things that, now the Keynote is still going on. I think there's a panel that's happening right now with their CISO. AI is something that we talk about at every event. There are many angles to look at AI, the good, the bad, the ugly, the in between. I wanted to get your perspective on, and we talked about the skills gap a minute ago, how do you think that companies like Fortinet and that their customers in every industry can leverage AI to help mitigate some of the concerns with, you mentioned, the 3.5 million open positions. >> Well there's an enormous number of use cases of AI obviously. There is AI machine learning being used to identify patterns of behavior that then can feed a system that has a very, very simple monitor, action, response kind of an interaction, kind of a feedback loop. So that's definitely going to be an important element of how the edge evolves in the future, having greater, the ability to model more complex environmental issues, more complex, you know, intrinsic issues so that you get the right action from some of these devices, from some of these censors, from some of these actuators. So that's going to be important and even there we still need to make sure that we are, appropriately, as we talked about, defining that trust zone and recognizing that we can't have disconnected security capabilities if we have connected resources and devices. The second thing is the whole notion of augmented AI which is the AI being used to limit the number of options that a human being faces as they make a decision. So that instead of thinking about AI taking action we instead think of AI, taking action and that's it, we think of AI as taking an action on limiting the number of options that a person or a group of people face to try to streamline the rate at which the decision and subsequent action can get taken. And there, too, the ability to understand access controls, who has visibility into it, how we sustain that, how we sustain the data, how we are able to audit things over time, is going to be crucially important. Now will that find itself into how networking works? Absolutely because in many network operating centers, at least, say, five, six years ago, you'd have a room full of people sitting at computer terminals looking at these enormous screens and watching these events go by and the effort to correlate when there was a problem often took hours. And now we can start to see AI being increasingly embedded with the machine learning and other types of algorithms level to try to limit the complexity that a person faces so you can the better response, more accurate response and more auditable response to potential problems. And Fortinet is clearly taking advantage of that. Now, the whole Fortiguard Labs and their ability to have, you know, they've put a lot of devices out there. Those devices run very fast, they have a little bit of additional performance, so they can monitor things a little bit more richly, send it back and then do phenomenal analysis on how their customer base is being engaged by good and bad traffic. And that leads to Fortinet becoming an active participant, not just at an AI level but also at a human being level to help their customers, to help shape their customer responses to challenges that are network-based. >> And that's the key there, the human interaction, 'cause as we know, humans are the biggest security breach, starting from basic passwords being 1, 2, 3, 4, 5, 6, 7, 8, 9. Well, Peter-- >> Oh, we shouldn't do that? >> (laughs) You know, put an exclamation point at the end, you'll be fine. Peter and I have a great day coming ahead. We've got guests from Fortinet. We've got their CEO Ken Xie, their CISO Phil Quade is going to be on, Derek Manky with Fortiguard Labs talking about the 100 billion events that they're analyzing and helping their customers to use that data. We've got customers from Siemens and some of their partners including one of their newest alliance partners, Symantec. So stick around. Peter and I will be covering Fortinet Accelerate19 all day here from Orlando, Florida. For Peter Burris, I'm Lisa Martin. Thanks for watching theCUBE. (techno music)

>> Announcer: Live from Las Vegas, it's the Cube, covering Fortinet Accelerate 2018. Brought to you by Fortinet. >> Hi. Welcome back to Fortinet Accelerate 2018. I am Lisa Martin with the Cube. We're excited to be here for our second year. I'm joined by Peter Burris from the Cube as well. And we're very excited to be joined by our next guest, John Bove, the Vice President of America's channels at Fortinet. Welcome to the Cube. >> Thank you. Thank you for having us. >> So, it's exciting for us to be here. I, as a marketer, geek out on tag lines. >> Yup. >> So, I'd love for you to kind of tell our viewers, strength and numbers. >> Yup. >> As the title of event. What does that mean? >> Well, it's really about the depth and breadth of what Fortinet's doing in the marketplace. You know, bringing the security fabric, not only to our customers, but to enable our partner community, right. So, Accelerate is a collection and we have about, almost 3,000 attendees here, about 2,300 of those are our carrier partners, resell partners, manage security service providers, and also our fabric ready alliance partners, right. So, the security fabric has allowed us to incorporate, you know, some additional third party technologies, right. And it's really, we're creating a really strong culture around, you know, integration and openness. >> Before we get into the technology, let's talk about pivot on that culture for a second. >> Sure. >> 'Cause one of the things that, that was evident from the keynotes this morning that Kenzie talked about, which really, this long standing partner driven culture that Fortinet has. You've recently come back to Fortinet. >> I have. >> Tell us about being a boomerang. What excites you about coming back? But also, how has that culture of really being partner-focus and maybe partner-first evolve? >> Well, the channel first culture at Fortinet makes my job really easy, right. And the reason that I came back was here with the company for six years, we experienced a tremendous, you know, run of revenue. And to have the opportunity to lead the America's Channel Organization is a great privilege. But, it really comes from the culture within the company of being a channel leverage and a channel first company. I think, you know, in Patrice's keynote this morning, and in Ken's keynote as well, they really talked about the channel program, and the channel partners. You know, the partners are the fabric of what we do as an organization. You know, and we're doing the security fabric. Something that they can build a business around. >> Joe, as you think about what the type or the nature of the changes that are taking place in all business. Security business, and as we've heard today, the repitity with which changes happening in security world. That, I got to believe is putting a fair amount of stress on your partners because they have to come up to speed very, very rapidly on new things, even as they demonstrate that they can sustain operational excellence for all things. What is the role that education's playing? Culturating your partner's to a new network. Or a new approach doing these, how is that leading to a better set of capabilities for your customers? >> Sure. Well, I think the one change in this digital transformation era is change, right. We're seeing customers consume technologies much differently than they ever have before. And so our partners have to be in a situation to be able to deliver those technologies. We're seeing the threat landscape continue to widen and be very broad in nature. And so, existing postures and existing deployments are not necessarily going to be able to protect those customers and quite frankly, from a partner standpoint, the way that they look at their business, and build their business needs to be different today than it was due to the change that digital transformation is driving. >> So in terms of your, sort of, symbiosis with the channel, we talked with Phil Quade just a minute ago, we talked about, you know, how our seat is looking to him, to say how are you guys doing this at Fortinet in terms of security? Tell me about the symbiotic relationship with your partners. What information are they bringing to you from the front lines from the customers? Whether it's education, fedsled, healthcare, that is helping to evolve Fortinet's technologies >> I mean, at the end of the day, security is a very noisy space right now, right. And we depend upon our partners, not only to ensure our programs and how we go deliver, you know, value to them, but also, I mean what the customers are telling them, and what they're seeing in the marketplace today. We're really focused on service enablement and the service delivery because the transactional type of business that we've seen in the past is no longer the route to market for success for, you know, the broad base, you know channel organizations, right. So, you know, we have a responsibility as a company to ensure that our partners have the capabilities to deliver services in ways that customers want it, you know, consume. You know, IOT is a marketplace that's been created, right. OT is opportunistic for the bad actors, right. The move to, of workloads, to public clouds and data based applications, and the fabric is really resonating with those partners in terms of being able to meet those customers changing needs. >> And you guys have had a, do a partner advisory council. >> We do. >> How long has that been going on? And what are some of the things that excite you about it? >> Yeah, so. Over 10 years we've had a partner advisory council. And it's, you know, it's industry leaders that are business owners and business drivers that, you know, really kind of keep us honest about what we're doing internally. They have access to our executive staff. They have access to, you know, product roadmaps as well. And you know, with the creation of the fabric, and what we're doing with our alliance partnerships, you know, they're kind of helping fill some of those holes as to, you know, what we're seeing in the marketplace today. You know, I think today we announced 11 additional fabric alliance partners. You know, today, organizations like Fanta for orchestration and automation, right. Integration is truly the new best breed. But the ability to react when things occur, and to orchestrate and to automate those controls are really important. And the company's done a great job, and we attribute a lot of that guidance to our partner advisory council. >> As Fortinet grows and expands its footprint, which in place new types of arrangements, like the CTA and other types of things, it's ecosystem continues to expand, in a way that Fortinet is moving towards the center. More of a focus, at least a low side >> Right. >> within the ecosystem. What does that mean from your ability to get partners, to influence partner behavior and customers, and get more pull through out of the entire ecosystem? How is that going to shape the way Fortinet competes in a way Fortinet serves its customers over the next few years? >> I think, simply put, you know, the tailwinds we have behind us. You know, we're on the precipice of two billion dollars in revenue. You know, we've got now line of sight to three and four here pretty quickly. We definitely think that the fabric is going to allow us to continue to scale and grow. You know, through that partner community. But quite frankly, I am amazed just in my time here, you know, how partners have embraced and really wrapped a business practice, in a service is first business practice, you know around that fabric. So, we're really excited about the opportunity that we have at hand. I think the fabric is going to continue to, you know, change the game, right. It's not about, you know, products. It's about delivering an integrated solution. >> Speaking of the fabric. I was kind of thinking of pivoting on what you were saying Peter, about differentiation. When partners have choices of companies to work with, you guys have been in this place for a really long time. >> We have, yup. >> But, besides the fabric, what are some of, maybe the other top two differentiators where a partner may be coming into the program that's, I get it, for with this partnership with Fortinet, we can go and really revolutionize customers in any industry >> You know, we're really unique in the market because we serve from the S&B to the mid-market, to the enterprise and some of the largest service provider brands. And that affords our partner community to be extremely diverse, and we want to be very easy to work with. So I think more than anything, my goal is to be simple and predictable in nature, and ensure that we're driving a very margin rich solution. You know, a lot of companies in the market will be enterprise focused or mid-market focused, and so, you know, we're really keen on establishing clear routes to market with our partner community. Aligning and investing where they fit. And then taking advantage of some of, even the vertical opportunities that the partners present based on those capabilities. >> I was, we were chatting a little bit earlier about education and that was one of the things I was reading, that, in some articles, that some of your guys did. And it's been awhile since I've been in college, and it just, it's so remarkable how, you know, smart classrooms, and it's BYOD, and how vulnerable school districts are for, obvious reasons we won't go into, for political reasons. But, even from a security perspective, I'm curious if there's any kind of, maybe, favorite example that you have of a partner, customer, through the channel in education that has really been able to facilitate a digital business transformation with the under pending of security, security transformation. >> I actually was just in a partner meeting, and we were talking about that very topic. And they had established with a, one of the top five largest school districts in the United States. A, you know, a fully deployed wireless mesh network. That they, once that was deployed, then they really were able to underpin it with, you know, the fortigate, fortios, and really be able to deliver the security posture back through that wireless infrastructure. You know, you make a really good point. We're seeing more and more internet connected devices. A lot of those internet connected devices are very low end in terms of their overall price point. And so these organizations, they're not necessarily pushing out vulnerabilities to it. And in patches in remediation. And that's why IOT security is so important in that kind of K through 12 example, right. Leveraging fortios, connecting to both land and wireless land capabilities, and it really, that's a great use case of how the fabric can impact a customer. >> So as you imagine the world of partnership in a play in the future, will they be more purveyors of hardware, purveyors of software, purveyors of services? How do you think the ecosystem's going to evolve as Fortinet expands it's footprint? >> Sure. That's a really good question. And quite frankly, I spend a lot of my time thinking about that. I feel, I truly feel like we have an obligation and a responsibility to help our partners through this digital transformation into where we think things are going to go. Things are moving towards security as a service. Things are moving towards, you know, on demand, you know, pay as you go, consumption modeling, right. And we have to put our partners in a situation to be able to deliver some goods and services to our customer based the way they want to buy, and make sure that they're driving value after the transaction. Because, you know, selling to the transaction is probably going to be a dying, you know, breed. It's really important that partners have the capabilities to install, deploy and support on the ongoing basis, in which is really becoming a best practice in the security space. >> And one of the other things about digital business is that historically businesses have been aligned by the arrangement of their assets so you can look at a transportation company and say, oh, that company is transportation assets, or financial services company and say, oh, that company is financial services assets. But digital business starts changing that. Because when you bring programmability and digital orientation to a lot of these assets, you reduce the specificity of those assets which increases mobility across businesses. >> That's right. >> How do you think the opportunity of helping partners transform in this business way is going to increase the noise or complexity or the interconnectedness and the potential conflicts within partners, as they go after? As their expertise, and their relationships becomes more fungible. >> That's a, I mean, that's really good point. We deal and we want to ensure that we've got a programmatic way to handle, you know, channel conflicts. Right, I mean at the end of the day. Partner brings us >> But also channel opportunity >> And channel opportunity, that's right. You know, so it's really about being consistent in how you treat, you know, the partner community and having really set rules. But, you know, digital transformation, if anything else, the thing that makes Fortinet so unique, is we are an engineering company. Security is very complicated. And the good news is that the heart of what we do is technology. The feedback we continue to get from our partners is that our technology is second to none. So we win on the technology side. And now with the momentum that we're seeing with the, you know, the fabric or the alliance programs, the momentum that we're seeing in the marketplace, and really kind of being prepared for this shift of technology by introducing the fabric concept. You know, we're really excited about the opportunity for our partners and the role they're going to play in the coming years. >> So as we kind of, you know, wrap things up here. I'll go back to where we started off with John and talking about the strength and numbers. And some things that I wrote down that I think Patrice shared this morning. Nearly 18,000 new customers acquired in 2017. >> That's right. >> What are your, as the channel chief. What are your hopes and dreams for what that number will look like at the end, by the end of 2018? >> You know, at the end of the day, I want to be able to drive and enable to channel organization to go take advantage of the tailwinds in the market, right. We want to go, continue to drive market share in the S&B, that's going to be partner-led. We want to go expand in the fabric, you know, within the mid-market. And we want to be very opportunistic in the enterprise, to go knock down some of the largest logos. You know, I'm mostly, the opportunity we have in the U.S. alone is really quite significant. And we're really excited to see, you know, as, you know, we just exceed the half a billion dollar mark in Q4 for the first time as a company, and so as we start, you know, planning in future quarters. It's really exciting to be a part of the momentum we have here at Fortinet. >> And I think the momentum is tangible. You can feel it here. You can hear it behind us in the expo. So >> It's quite exciting. >> We thank you so much John for stopping by to keep sharing >> Thank you. Thanks for having us. >> Absolutely. Sharing your insights and how the, I'm feeling another tagline with the fabric of our lives, but I think somebody else beat you guys to it. Cotton maybe? Anyway, thanks so much John for sharing what's going on in the channel and we wish you a great show. >> Thank you. Thank you very much. >> And for my co-host, Peter Burris, I'm Lisa Martin. You've been watching the Cube live from Fortinet Accelerate 2018. Stick around, we'll be right back. (light techno music)

>> Announcer: Live from Las Vegas, it's theCUBE, covering Fortinet Accelerate 18, brought to you by Fortinet. (upbeat techno music) >> Welcome to Fortinet 20... Welcome to Fortinet Accelerate 2018. I haven't had enough caffeine today. I'm Lisa Martin. I'm joined by my co-host, Peter Burris. Peter, it's theCUBE's second time here at Fortinet Accelerate. We were here last year. Great to be back with you. Some exciting stuff we have heard in the keynote this morning. Cyber security is one of those topics that I find so interesting, 'cause it's so transformative. It permeates every industry, everybody, and we heard some interesting things about what Fortinet is doing to continue their leadership in next generation security. Some of the themes that popped up really speak to the theme of this year's event, which is Strength in Numbers. Ken Xie, their CEO, shared some great, very strong numbers for them. 2017, they reached 1.8 billion in billing, which is a huge growth over the previous year. They acquired nearly 18,000 new customers in 2017, and another thing that I thought was very intriguing was that they protect 90% of the global S&P 100. They have over 330,000 customers, and they share great logos: Apple, Oracle, Coca Cola, et cetera. So, great trajectory that they're on. From a security perspective, digital transformation, security transformation, they have to play hand in hand. What are some of the things that you are seeing and that you're looking forward to hearing on today's show? >> Well, I always liked this show. This is the second year, as you said, that we've done this. One of the reasons I like it is because security is very complex, very hard, highly specialized, and Fortinet does a pretty darn good job of bringing it down to Earth and simplifying it so that people could actually imagine themselves becoming more secure, as a consequence of taking actions along the lines of what Fortinet's doing. So, there's clearly a strong relationship between the notion of digital business and the notion of digital security. The way we describe the difference between a business and digital business is that a digital business uses its data assets differently, and in many respects, it is through security concepts and constructs that you go about privatizing, or making unique, your data, so that it doesn't leave your network when you don't want it to, so it can't be subject to ransomware, so that it isn't compromised in some way by a bad actor. So there's a very, very strong relationship between how we think about digital assets and how we think about security, and what Fortinet's overall approach is is to say, "Look, let's not focus just on the device. "Let's look at the entire infrastructure "and what needs to happen to collect data, "to collect information, across the whole thing," what we call a broad approach as opposed to a deep approach. A broad approach to looking at the problem, with partnerships and working with customers in a differentiated way, so that we can help our clients very quickly recognize, attend, and make problems go away. >> One of the things, too, that is interesting is, you know, we hear so much talk at many other shows about digital transformation, DX, everyone's doing it. They're on some journey. There's now such amorphous environments with Multi-Cloud, IoT, opens the-- It spreads the attack surface. I thought they did a great job this morning of really articulating that very well. I'd love to hear your perspective, and we have some of their customers that are going to be talking to us today, but what is the mix of security transformation as a facilitator or an enabler of true digital business transformation? How do companies do that when, as we were talking earlier, companies, and even Ken said, Ken Xie, the CEO, that lot of companies have 20 to 30 different disparate security products in place that are pointed at different things that aren't integrated. How does a company kind of reconcile security transformation to-- as an enabler of digital business transformation? >> Yeah, and I think that's going to be one of the major themes we hear today, is the process that customers are, in 2018, going to have to accelerate. Does that ring a bell? (laughs) Accelerate... >> Lisa: That's genius. Somebody should use that. >> This journey (laughs)... Accelerate this journey... >> Yeah. >> To employing security and security-related technologies and services, much more effectively within their business. There's so many ways of answering that question, Lisa, but one of the-- Let's start with a simple one. That, increasingly, a company is providing its value proposition to its customer bases, whether they're small, residential, whether they're a consumer, or whether they're other businesses, through a digital mechanism, and that could be e-commerce, as pedestrian as e-commerce, or perhaps recommendation engines, or it could be increasingly digital services that are providing, effectively, a digital twin in the home, and, so, your security, your ability to provide those services and those capabilities that consumers want, if those fundamental, or those services are fundamentally insecure, then your brand, no matter how good the service is, your brand's going to take a hit. So, when you think about what Google's trying to do with Nest, if you think about, you know, in the home, a lot of the things that are going into the home, Amazon Alexa, there is an enormous amount of attention being paid to, is our platform, is our fabric a source of differentiation-- security fabric a source of differentiation in our business? Are we going to be able to look a consumer in the eye, or a B2B company in the eye, and say, "You'll be able to do things with us "that you can't do with others, "because of our security profile." And, increasingly, that's got to be the way that boards of directors and CEOs, and IT professionals need to think, "What can we do differently and better "than our competitors because of our security profile "and the security assets that we've invested in?" That's not the way a lot of people are thinking today. >> Why do you think that is? Because, I think you're spot on with providing security capabilities as a differentiator. There's a lot of competition, especially in the detection phase. Ken Xie talked about that this morning, and there's a lot of of coopetition that needs to happen to help companies with myriad disparate products, but why do you think that is that this security capability as a differentiator hasn't yet, kind of, boiled up to the surface? >> I think it's a number of reasons. Some good, some, obviously, not so good, but the main one is, is that, historically, when a CFO or anybody looked at the assets, they looked at tangible assets of the company, and data was, kind of, yeah, was out there, and it was, yeah, secure that data, but we were still more worried about securing the devices, because the devices were hard assets. We were worried about securing the server, securing the routers, securing, you know, whatever else, the repeaters, whatever else is in your organization, or securing your perimeters. Well, now, as data moves, because of mobile, and Ken told us, that 90% of the traffic now inside of a typical enterprise is through mobile, or through wireless types of mechanisms as opposed to wired, well, it means, ultimately, that the first step that every business has to take is to recognize data as an asset, and understanding what what we're really trying to secure is the role the data's playing in the business. How we're using it to engage customers, how we're using it to engage other businesses, how employees are using it, and very importantly, whether the security products themselves are sharing data in a way that makes all that better, and in a secure way, themselves, because the last thing you want is a vulnerability inside your security platform. >> Yes. >> So, the main reason is is that the industry, in most businesses, they talk a great game about digital business, but they haven't gotten down to that fundamental. It's about your data, and how you treat data as an asset, and how you institutionalize work around that data asset, and how you invest to improve the value, accrete value to that data asset over an extended period of time. >> Something that I'm interested in understanding, and we've got Phil Quade, their CSO, on, later today. >> Peter: Smart guy. >> How the role of the CSO has had to evolve, and I'd love to hear... And you asked a little bit about this earlier, the Fortinet on the Fortinet story. What are you doing, internally, to secure and provide security that all elements of your business need? Because I imagine a customer would want to understand, "Well, tell us how you're doing it. "If you're the leader in this, "in providing the products and the technologies, "are you doing this internally?" >> Well, I think, look, I think going back to what I was just talking about, and we had a great... We had a great conversation with Ken Xie that's going to show up in the broadcast today, it is... I think every technology executive increasingly needs to look at their potential customers, their peers, and their customers, and say, "Here's what I can do, as a consequence of using my stuff, "that you can't do, because you're not using my stuff." And Phil, Phil Quade, needs to look at other CSOs and say, "Here's what I can do "as a CSO, because I use Fortinet, "that you cannot do as a CSO, because you don't." Now, the role of the CSO is changing pretty dramatically, and there's a lot of reasons for that, but if we think about the number of individuals that, again, we go back to this notion of data as an asset and how we organize our work around that data. We're hearing about how the CIO's role is changing and how the chief digital officer's changing, or the chief data officer or the CSO. We've got a lot of folks that are kind of circling each other about what really and truly is the fundamental thing that we're trying to generate a return on. >> Lisa: Right. >> When I think about the job of a chief, the job of a chief is to take capital from the board, capital from the ownership, and create net new value, and whether it's a CIO doing that, or anybody. And, so, what Phil's job, or what the CSO's job is is to also find ways to show how investments in the business's security is going to create a differentiating advantage over time. Working with the chief digital officer, the chief data officers and others, but there's a lot of complexity in who does what, but at the end of the day, the CSO's job is to make sure that the data and access to the data is secure, and that the data and the ability to share the data supports the business. >> You mentioned the word "complexity" in the context of the CSO and some of the senior roles, where data is concerned. One of the things I'm interested to hear from some of our guests today, those at Fortinet, and we've got the CSO on we mentioned, and we've also got John Madison, their Senior Vice President of Products and Solutions. We've got their global strategist on security, Derek Manky, but we also have some customers. One from Tri-City, and another from Clark County School District, which is here in Vegas, and I'm curious to understand how they're dealing with complexity in their infrastructure. You know, we talked so much about, and they... have already started today, about Cloud, IoT, multi-cloud, mobile, as you talked about. As the infrastructure complexity increases, how does that change the role of the C-Suite to facilitate the right changes and the right evolution to manage that complexity in a secure way. So I'm very interested to hear how that internal complexity on the infrastructure side is being dealt with by the guys and the gals at the top who need to ensure that, to your point, their data and information assets are protected. We've got some great examples, I think, we're going to hear today, in three verticals in particular: education, healthcare, and financial services. And education really intrigued me because it's been a long time since I've been in college, but there's this massive evolution of smart classrooms, it's BYOD, right? And, there's so many vulnerabilities that are being brought into a school district, so I'd love to understand how do you protect data in that sense when you have so many devices that are connecting to an environment that just drives up complexity, and maybe opens... Perforates their perimeter even more. >> Well, I mean, you know, one of the... We're as a nation, we are living through a recent experience of some of the new tensions that a lot of the school districts are facing, and it could very well be, that voice or facial recognition or other types of things become more important, so I, look. Large or small, well-funded, not well-funded, young or old, consumer or business, all companies are going to have to understand and envision what their digital footprint's going to look like. And as they envision what that digital footprint, companies or institutions, as they envision what that digital footprint's going to look like and what they want to achieve with that digital footprint, they're going to have to make commensurate investments in security, because security used to be, as Ken said when he talked about the three stages, security used to be about perimeter. So, it was analogous to your building. You're either in your building or you're not in your building. You're in your network, or you're not in your network. But, today, your value proposition is how do you move data to somebody else? Today, your security profile is who is inside your building right now? Are they doing things that are good or bad? It's not a "I know everybody, I know where they are, "and I know what they're doing." We are entering into the world where digital business allows us to envision or to execute a multitude of more complex behaviors, and the security platform has to correspondingly evolve and adjust, and that is a hard problem. So, listening to how different classes of companies and different classes of institutions are dealing with this given different industries, different budgets, different levels of expertise, is one of the most important things happening in the technology industry right now. >> Yeah, it's that, how do you get balance between enabling what the business needs to be profitable and grow and compete, and managing the risk? >> And, how... and what is a proper level of investment? Do I have too many vendors, do I have not enough vendors? All those... all of those issues, it's increasing, we have to get-- We have to make our security capacity, our security capabilities, dramatically more productive. And that is going to be one of the major gates on how fast all of these technologies evolve. Can we introduce new AI? Can we introduce faster hardware? Can we introduce new ways of engaging? Can we bring biology and kind of that bio-to-silicon interface and start building things around that? Well, there's a lot of things that we can do, but if we can't secure it, we probably shouldn't do it. >> Lisa: Absolutely. >> So, a security profile is going to be one of the very natural and necessary, reasonable gates on how fast the industry evolves over the next 20-30 years. And that's going to have an enormous bearing and impact on how well we can solve some of the complex problems that we face. >> Well, I'm excited to co-host today with you, Peter. I think we're going to have some great, very informative conversations from some of Fortinet's leaders, to their customers, to their channel partners, and really get a great sense of the things that they're seeing in the field and how that's going to be applied internally to really have security be that enabler of true business transformation. >> Peter: Excellent. >> Alright. Well, stick around. I'm Lisa Martin. Let's hope I don't screw up the outro. Hosting with Peter all day. We're excited that you're joining us live from Fortinet Accelerate 2018. Stick around. We'll be right back. (upbeat techno music)