Sumedh Thakar, Qualys & Nayaki Nayyar, Ivanti | CUBE Conversation, July 2020
>> From the CUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE conversation. Welcome to this CUBE conversation. I'm Lisa Martin, and today I'm talking with Ivanti again, Nayaki Nayyar, their Chief Product Officer EVP is back with us, as is another Cube alumni, Sumedh Thakar, the President and Chief Product Officer of Qualys. Nayaki, Sumedh, great to have you guys both back on the program.

>> Great to be back here, Lisa. I think it's becoming a habit for me to be here, talking to you almost...

>> I like it.

>> every week.

>> Good to be here, thank you for inviting me.

>> So, let's go right into some exciting news here, so Ivanti has had a lot of momentum in the last week or so, Nayaki with launch announcements, talk to us about what you're announcing today in terms of an expansion with the Ivanti-Qualys partnership.

>> So Lisa, as you remember, this week we had a great week this week with the launch of our Ivanti Neurons platform, that really helps our customers address end-to-end management of their endpoints and security of those endpoints. How we can help them, would be called self-heal, self-secure and self-service the endpoints. And one of the key strengths Ivanti has, in our portfolio, is our ability to manage all the patches. Today, with our Ivanti patch management solution, we patch approximately 1.2 billion patches on an annual basis. So that's a pretty big volume, and we are extremely excited as a part of this launch announcement, to also share the partnership we have with Qualys and how we are extending and helping Qualys with their overall vision for VMDR.

>> So Sumedh, let's go right into that, talk to us about the VMDR, vulnerability management has been around for a while, what is VMDR and Qualys perspective? And what are you looking to do with your partnership with Ivanti?
>> I should know about vulnerability management being around for a while, I've been 18 years at Qualys, so we've been doing for a long time, and, what's happened is with the hybrid infrastructure exploding and a lot more devices being added and focus shifting from just servers to endpoint, I think that is just a need to be able to do vulnerability management, in addition, also have the ability to do assessment of your devices in terms of inventory, etcetera, so, discovering your devices, being able to do vulnerability assessment, configuration assessment, but also be able to prioritize those vulnerabilities on which one do you really need to patch because you just have way too many vulnerabilities. And then at the end, all of this vulnerability management is not useful if we can't do something about it, and that's where, you need the ability to patch and fix those issues, and this is where VMDR really brings that workflow in a single platform end-to-end. So instead of just throwing a big report of CVEs, we provide the ability to go from detection of the device, to the patching, and this is where Ivanti partnership has been something that has really helped our customers because they bring in that patching piece, and this is one of the most complicated things you do, and because taking a vulnerability and mapping it to a particular patch is very complex to do and that's where the Ivanti partnership is helping us.

>> And so, this is an expansion Sumedh, you guys have been doing this for Windows and Linux, and now this is adding Mac support and others. Tell me a little bit more about the additional capabilities that you're enabling.
>> What's interesting is that, when we started working on this, this was before the pandemic hit, and COVID has certainly added a very interesting twist to the patching challenge, and the ability for the system admins to suddenly patch 100,000 to 200,000 devices, which are not in your office with a high speed internet anymore, they are sitting in little apartments all over the world with low bandwidth, WiFi connections, etcetera, how do you patch those endpoints? And so when, while the focus of the beginning was a lot more on Windows and Linux, which are more on the server side, with the pandemic hitting, there is a big need now for people also to be able to do their Macs and other endpoints that are now remote and at people's homes, and so obviously, with the success of the patch management capabilities on Windows that we got with Ivanti, they are a natural partner for us to also expand that into being able to do it for the Macs as well, and so, now we're working together to get this done for the Macs.

>> So Nayaki, in terms of the announcements from Ivanti that they've been coming out the last week or so, we talked with Jeff Abbott last week about the partnerships and the GTM, talk to me about from a strategic perspective, how does the expansion of the Qualys partnership dial up Ivanti's vision?

>> Lisa, when you take a look at what's really happening across every enterprise, every large company, especially during COVID, and post COVID, is what we call this explosive growth of remote workers, as everyone is trying to manage what the transformation to remote working means, the explosive growth of devices that now have to be managed by every IT organization, not to mention how to secure those devices, which is where this partnership with Qualys becomes extremely strategic for us.
Now we can extend that overall vision that we have with our Ivanti Neurons to discover every device we have, the customers have, sense any security vulnerabilities, anomalies that are on those devices, prioritize those based on risk-based priority of it and going through priority as we embed more and more AI/ML into it, and get into what we call this auto remediation, remediating all those vulnerabilities, which nicely fits into Qualys's, or our VMDR vision and strategy. So, this truly helps our customers, go beyond just managing the endpoints to now what we call self-securing those endpoints, being able to automatically detect all security vulnerabilities and issues and get closer and closer to the self remediation of those vulnerabilities, and that's why this partnership makes, a great strategic benefit for all of our customers and large enterprise.

>> So Sumedh, talk to us about the VMDR lifecycle, give us a picture of where your customers are and that how does this really going to help them deal with the new normal of even more devices going to be remote for a long period of time?

>> What's happening now is that, this is being extended to home devices, customers in the past were only looking at enterprise devices that were owned by the organization, and we continuously now see, we can't get a new laptop to the user, or they're using their home device, home desktop, because it's bigger screen, more powerful, whatever it is, so people are starting to do that, and you can't really stop them from doing that if you want to get work done, and so, essentially VMDR is four things, which is, continuous asset inventory discovery. Second is, detection of all security issues, including vulnerabilities and misconfigurations.
Third is the prioritization based on the knowledge of the device, and what's running on the device just because you have a severity five vulnerability or highly exploitable vulnerability does not mean that you need to prioritize that as the first one to patch, and then you need to be able to patch it, and so that's the four elements that make up the VMDR lifecycle, and as customers have no good way to detect what devices are there, what is connecting to the VPN, because now they don't actually, physically see the devices, the traditional network devices that were... office firewalls that are sitting in the office, that were detecting devices are now not useful because everybody's outside the firewall. And so that entire life cycle, is something that customers want to do, because at the end, you want to reduce your risk quickly. And having a single platform that does all of that, is the key benefit that we get from there.

>> Talk to me a little about the go-to market, in terms of how are your customers, joint customers buying the solution?

>> I think what we've really worked on is typically what happens today is the customers'... different vendors are providing individual pieces, you have to go buy a different inventory solution, a different vulnerability solution, a different prioritization, a different patch solution, so, working with Ivanti, we've really worked on creating a single platform, and this took us a quite a bit of time to really make that engineering integration work, to be able to have Ivanti patch management directly embedded into the Qualys agent.
So that way, customers don't have to deploy another agent, and they don't have to buy different solutions for different consoles, so, from a go-to market perspective, we keep it very simple for our customers, they essentially have a one price for the entire asset and then if they choose to do the patch management, this is something that we sell as a capability that is directly available through Qualys and Ivanti has done a huge amount of work to integrate seamlessly in the back end to help the customer so that they don't have to, buy from one, buy from another and try to integrate it themselves.

>> And Lisa if you look at it, it's really a way for customers to handle heterogeneous landscape, patching of heterogeneous landscape that they have, in their environment all the way from the data centers to those endpoints, the Windows devices, Mac devices, Linux devices, and in future, we'll also be supporting multiple other devices and platforms through Qualys VMDR, absolutely.

>> Let's talk about the target audience and really understanding, from a security perspective, it's top of mind for the C-suite all the way up to the board, now with COVID and the increase in ransomware, and some of the things, the device spread, that's probably only going to spread even more, Nayaki, starting with you, how are you seeing the customer conversations change? Are you now not just talking to ITs elevated up the stack? Is this a CEO, board level concern that you're helping them to remediate?
>> Absolutely, Lisa, this conversation about cyber security challenges, especially as organizations are trying to figure out what this transformation to remote working means, this is really not just limited to an IT organization or a CIO level conversation, this is a C-suite conversation at the CEO level, and in most cases, I'm also seeing this becoming a board conversation and I'm on a couple of boards myself, and this is truly a board conversation we're discussing how we help enterprises transform to remote working and cyber security challenges as more and more workers are working from home, securing those devices is top of mind, for pretty much CEOs and the boards, and helping them through the transition is a number one priority. So, this is between the partnership with Qualys and Ivanti, for us to offer this joint solution, and really make it available where they can address the security concerns that they have, in their environment.

>> And Sumedh, in terms of target market, we talked with Nayaki and Jeff last week about, from a vertical perspective, they've got a lot of strengths in healthcare and retail, for example, are you looking at any leading edge markets right now, verticals that really are at most risk? Or are you attacking us from a GTM perspective, or in a horizontal way?
>> It's not even our choice anymore, because what's happened with remote working in no matter what industry you are in, everybody's workers are working from home essentially, and using laptops and the number of attacks have significantly multiplied because now that this endpoint is outside of your traditional defenses that you have in an office environment, these endpoints are a lot more vulnerable, and they are in a home network, I have devices in my home network for my kids that are running all kinds of Fortnite and things like that, that now actually could have access to my work laptop, so that is becoming a big concern and the other realization that you cannot really use enterprise solutions as you have in the past, for patching and securing your endpoint that's not inside the enterprise, because if a single SMBGhost vulnerability patch is 350 megs for one device, if you have that patch 1000 devices trying to download that over VPN, it's just not going to work, and it kills the VPN, so that is this big push towards moving into a cloud based method of deploying these patches, so you're going to actually get these patches deployed without hitting your VPN environments, and this is really the big thing, and the other day I read something that asked like, what is accelerating the digital transformation to the cloud for your enterprise? And, there was a CEO and the CISO and then COVID, so unfortunately, the pandemic has been bad in many ways, but in other ways, it has really helped organizations move more quickly, to get approvals from the board and the management because the other option is just not a choice anymore, which is trying to use on-prem solution so that resistance to cloud based solutions is significantly decreasing because, today, we're all sitting in different locations and meeting every day on video, etcetera and that's really powered by that cloud-based platforms that we have today.
>> I call it the COVID catalysts, there are a lot of interesting things that are positive, that are being catalyzed as a result of this massive change. One more question Sumedh for you, in terms of, this enabling VMDR to become a category, a target market for endpoint security, how does this help?

>> I think, the more we can provide the customer ability to reduce the number of different steps that they have to go through and the different tools that they have to purchase and multiple agents and multiple consoles that they have to put together, then it just becomes a category in itself because you kind of have that ability to do detection, prioritization and response in a single solution, which is something that nobody else offers today because everybody is focused on just one aspect of it, and so, today the response from our customers has been absolutely tremendous, they are extremely happy to have this ability to very quickly figure out what's wrong, one of the things we didn't talk a lot about, but I would say in patch management process, the biggest challenge and where most time is spent is mapping a CVE to a specific patch that needs to be deployed on a specific machine, because of 64-bit architecture, 32-bit architecture, so, the Ivanti catalog helps us tremendously to help bring the knowledge that we have on the CVEs to that catalog, and then give our customers a way to be able to get those patches deployed in a very, very quick way, and so that essentially is just created this new category, when you have this end-to-end ability on a single platform. So whether it comes from Qualys or somebody else, I think the need is there to say, when I'm looking at patch management, I want the discovery of vulnerability and patching all of that to be done together.

>> And that speed is absolutely critical. So in terms of the general availability, Sumedh, is this available now, when do customers get access?
>> So with the partnership with Ivanti, VMDR in general has been available now for our customers for a couple of months, but now with the enhanced partnership, it was available for Windows or is currently available for Windows and now we are working with Ivanti for the next few months to get the Mac version out, so, we would think about in the next couple of quarters, we will have that available through Qualys VMDR, the ability to patch the Macs as well.

>> Excellent. Nayaki let's go ahead and take this home with you, in terms of give me kind of an overall, round this out, the expansion of the partnership, the importance of helping customers in these disparate environments, and the momentum that this gives Ivanti for the rest of the year and going into 2021?

>> This really rounds our entire Ivanti's vision and strategy, reservoir, our ability to discover every asset customers have on their endpoints and point assets as devices, being able to manage those devices holistically and to secure those devices, and also do service management of those devices and I had mentioned this, we are the only vendor in the market, that can do all of this end-to-end all the way from discovery, to security, to service managing the devices which... and the partnership with Qualys really helps us round it off across the board is full lifecycle of endpoint management, device management, and also enables us to extend to the natural adjacencies of IoT with Ivanti Neurons, vision and strategy and truly get into a world of what we call self healing and self securing, the autonomous edge that we really strive to in the longer term.

>> Congratulations both of you on this expansion of the partnership, we thank you for taking the time to explain to us the value in it, the challenges that this going to solve for your customers, Nayaki it's always great to have you on the program, thank you for joining me.

>> Thank you, thank you Lisa and Sumedh, absolutely a great pleasure talking to all of you.
>> Thank you for inviting me and good seeing both of you and I look forward to seeing you guys again. Have a good day.

>> Yeah, Sumedh. Great to meet you as well. For my guests, I'm Lisa Martin, you're watching this CUBE conversation. (upbeat music)
Philippe Courtot, Qualys | Qualys Security Conference 2019
>>From Las Vegas. It's the Cube covering Qualys Security Conference 2019, brought to you by Qualys. >>Hey, welcome back. You're ready. Jeff Frick here with the Cube. We're in Las Vegas at the Bellagio, at the Qualys Security Conference. It's the 19th year they've been doing this. It's our first year here and we're excited to be here and it's great to have a veteran who's been in this space for so long, to give a little bit more of a historical perspective as to what happened in the past and where we are now and what can we look forward to in the future. So coming right off his keynote is Philippe Courtot, the chairman and CEO of Qualys. Philippe, great to see you. Thank you. Same, same, same for me. Absolutely. So you touched on so many great, um, topics in your conversation about kind of the shifts of, of, of modern computing from the mainframe to the mini. We've heard it over and over and over, but the key message was really about architecture. If you don't have the right architecture, you can't have the right solution. So how has the evolution of architects of architectures impacted your ability to deliver security solutions for your clients? >>So now that's a very good question. And in fact, you know, what happened is that we started in 1999 with a vision that we could use exactly like a salesforce.com this nascent internet technologies and apply that to security. And uh, so, and mod when you have applied that to essentially changing the way CRM was essentially used and deployed in enterprises and with a fantastic success as we know. So for us, the, I can say today that 19 years later the vision was right. It took a significantly longer because the security people are not really, uh, warm at the idea of silently, uh, having the data in their view, which was in place that they could not control. And the IT people, they didn't really like at all the fact that suddenly they were not in control anymore of the infrastructure. So we had a lot of resistance.
>>I, wherever we always, I always believe, absolutely believe that the, the cloud will be the cloud architecture to go back. A lot of people make the confusion. That was part of the confusion that for people it was a cloud, that kind of magical things someplace would you don't know where. And when I were trying to explain, and I've been saying that so many times that well you need to look at the cloud like compute that can architecture which distribute the computing power far more efficiently than the previous one, which was client server, which was distributing the computing power far better than of course the mainframes and the mini computers. And so if you look at their architectures, so the mainframe were essentially big data centers in uh, in Fort Knox, like settings, uh, private lines of communication to a dumb terminal. And of course security was not really an issue then because it's security was built in by the IBM's and company. >>Same thing with the mini computer, which then was instead of just providing the computing power to the large, very large company, you could afford it. Nelson and the minicomputer through the advanced in semiconductor technology could reduce the footprint. And then they'll bring that computing power to the labs and to the departments. And was then the new era of the digital equipment, the prime, the data general, et cetera. Uh, and then client server came in. So what client server did, again, if you look at the architecture, different architecture now silently servers, the land or the internal network and the PC, and that was now allowing to distribute the computing power to the people in the company. And so, but then you needed to, so everybody, nobody paid attention to security because then you were inside of the enterprise. So it started inside the walls of the castle if you prefer. >>So nobody paid attention to that. It was more complex because now you have multiple actors.
Instead of having one IBM or one digital equipment, et cetera, suddenly you have the people in manufacturing and the servers, the software, the database, the PCs, and on announcer, suddenly there was the complexity, increasing efficiency, but nobody paid attention to security because it wasn't a needed until suddenly we realized that viruses could come in through the front door being installed innocently. You were absolutely, absolutely compromised. And of course that's the era of the antivirus which came in. And then because of the need to communicate more and more now, Senator, you could not stay only in your castle. You needed to go and communicate to your customers, to your suppliers, et cetera, et cetera. And now he was starting to open up your, your castle to the world and hello so now so that the, the bad guy could come in and start to steal your information. >>And that was the new era of the firewall. Now you make sure that those who come in, but of course that was a little bit naive because there were so many other doors and windows, uh, that people could come in, you know, create tunnels and create these and all of that trying to ensure your customers because the data was becoming more and more rich and more, more important or more value. So whenever there is a value, of course the bad guys are coming in to try to sell it. And that was that new era of a willing to pay attention to security. The problem has been is because you have so many different actors, there was nothing really central there that was just selling more and more solutions and no, absolutely like 800 vendors bolting on security, right? And bolting on anything is short-lived at the end of the day because you put more and more weight and then you also increase the complexity and all these different solutions you need. >>They need to talk together so you have a better context. Uh, but they want the design to talk together.
So now you need to put other system where they could communicate that information. So you complicated and complicated and complicated the solution. And that's the problem of today. So now cloud computing comes in and again, if you look at the architecture of cloud computing, it's again data centers, which is not today I've become thanks to the technology having infinite, almost computing power and storage capabilities. And like the previous that I sent her, the are much more fractured because you just one scale and they become essentially a little bit easier to secure. And by the way, it's your fewer vendors now doing that. And then of course the access can be controlled better. Uh, and then of course the second component is not the land and the one, it's now the internet. >>And the internet of course is the web communications extremely cheap and it brings you an every place on the planet and soon in Morris, why not? So and so. Now the issue today is that still the internet needs to be secure. And today, how are we going to secure the internet? Which is very important thing today because you see today that you can spoof your email, you can spoof your website, uh, you can attack the DNS who, yes, there's a lot of things that the bad guys still do. And in fact, they've said that leverage the internet of course, to access everywhere so they take advantage of it. So now this is obviously, you know, I created the, the trustworthy movement many years ago to try to really address that. Unfortunately, Qualys was too small and it was not really our place today. There's all the Google, the Facebook, the big guys, which in fact their business depend on the internet. >>Now need to do that. And I upload or be diabetic, criticized very much so. Google was the first one to essentially have a big initiative, was trying to push SSL, which everybody understand is secret encryption if you prefer. And to everybody. So they did a fantastic job. They really push it.
So now today's society is becoming like, okay, as I said, you want to have, as I said it all in your communication, but that's not enough. And now they are pushing and some people criticize them and I absolutely applaud them to say we need to change the internet protocols which were created at a time when security, you were transferring information from universities and so forth. This was the hay days, you know, of everything was fine. There was no bad guys, you know, the, he'd be days, if you like, of the internet. Everybody was free, everybody was up and fantastic. >>Okay. And now of course, today this protocol needs to be upgraded, which is a lot of work. But today I really believe that if you put Google, Amazon, Facebook altogether, and they can fix these internet protocols. So we could forget about the spoofing and who forgot about all these phishing and all these things. But this is their responsibility. So, and then you have now on the other side, you have now very intelligent devices from in a very simple sensors and you know, to sophisticated devices, the phone, et cetera and not more and more and more devices interconnected and for people to understand what is going. So this is the new environment and whether we always believe is that if you adopt an architecture, which is exactly which fits, which is similar, then we could instead of bolting security in, we can now say that the build security in a voting security on, we could build security in. >>And we have been very proud of the work that we've done with Microsoft, which we announced in fact relatively recently, very recently, that in fact our agent technologies now is bundled in Microsoft. So we have built security with Microsoft in. So from a security perspective today, if you go to the Microsoft Azure Security Center, you click on the link and now you have the view of your entire Azure environment. Courtesy of the Qualys agent.
You click on a second link and now you have the view of your significant loss posture, courtesy of that same Qualys agent and then you click on the third name with us. Nothing to do with Qualys. It's all Microsoft. You create your playbook and you remediate. So security in this environment has become click, click, click, nothing to install, nothing to update. And the only thing you bring are your policies saying, I don't want to have this kind of measured machine expose on the internet. >>I want, this is what I want. And you can continuously audit in essentially in real time, right? So as you can see, totally different than putting boxes and boxes and so many things and then having to for you. So very big game changer. So the analogy that I want you that I give to people, it's so people don't understand that paradigm shift is already happening in the way we secure our homes. You put sensors everywhere, you have cameras, you have detection for proximity detection. Essentially when somebody tried to enter your home, all that data is continuously pumped up into an incident response system. And then from your phone, again across the internet, you can change the temperature of your rooms. You can do what you can see the person who knocks on the door. You can see its face, you can open the door, close the door, the garage door, you can do all of that remotely, another medically. >>And then if there's a burglar then in your house to try to raking immediately the incidents or some system called the cops or the far Marsha difficult fire. And that's the new paradigm. So security has to follow that paradigm. And then you have interesting of the problem today that we see with all the current security, uh, systems, uh, incidents, response system. They have a lot of false positive, false positive and false negative are the enemy really of security.
Because if you are forced visited, you cannot automate the response because then you are going to try to respond to something that is not true. So you are, you could create a lot of damage. And the example I give you that today in the, if you leave your dog in your house and if you don't have the ability, the dog will bark, would move. And then the sensors would say intruder alert. >>So that's becomes a false positive. So how do you eliminate that? By having more context, you can eliminate automatically again, this false positives. Like now you take a fingerprint of your dog and of these voice and now the camera and this and the sensors and the voice can pick up and say, Oh, this is my dog. So then of course you eliminate that for solar, right? Right. Now even if another dog managed to enter your home through a window which was open or whatever for soul, you will know her window was up and but you know you cannot necessarily fix it and the dog opens. Then you will know it's a, it's a, it's not sure about, right? So that's what security is evolving such a huge sea of change, which is happening because of all that internet and today companies today, after leveraging new cloud technology, which are coming, there's so much new technology. >>What people understand is where's that technology coming from? How come silently we have, you know, Docker, Kubernetes, all these solutions today, which are available at almost no cost because it's all open source. So what happened is that, which is unlike the enterprise software, which were more the Oracle et cetera, the manufacturer of that software today is in fact the cloud public cloud vendors, the Amazon, the Google, the Facebook, the Microsoft. We suddenly needed to have to develop new technology so they could scale at the size of the planet. And then very shrewdly realized that effective that technology for me, I'm essentially going to imprison that technology is not going to evolve.
And then I need other technologies that I'm not developing. So they realized that they totally changed that open source movement, which in the early days of open source was more controlled by people who had more purity.
>> If you prefer no commercial interests, it was all for the good of the civilization and humankind. And they say their licensing model was very complex. So they simplified all of that. And then suddenly you had all this technology coming at you extremely fast. And we have leveraged that technology, which was not existing in the early days when socials.com started with the Linux LAMP, or what's called Linux, Apache, MySQL and PHP, a little bit limiting, but now suddenly all this technology, like Elasticsearch, was coming. We index today in our backend 3 trillion data points on Elasticsearch clusters and we return information in a hundred milliseconds. And then on the Kafka bus, which is again something that is open source, we, and now today 5 million messages a day and on and on and on. So the world is changing and of course, if that's what it's called now, the digital transformation.
>> So now enterprises to be essentially agile, to reach out to the customers better and more, they need to embrace the cloud as the way they do, retool their entire IT infrastructure. And essentially it's a huge sea of change. And that's what we see even the market of security just to finish, now evolving in a totally different ways than the way it has been, which in the past, the market of security was essentially the market for the enterprise. And I'm bringing you my bolt-on solutions that you have to go and install and make work, right? And then you had the antivirus essentially, for all the consumers and so forth.
So today when we see the marketplace, which is fragmenting in four different segments, which is one is the large enterprise which are going to essentially consolidate those stock, move into the digital transformation, leveraging absolutely DevOps, which is becoming the new buyer and of course a soak or they could improve their IT for, to reach out to more customers and more effectively. Then the cloud providers as I mentioned earlier, which are building security in the, no few use them.
>> You don't have to worry about infrastructure, about how many servers you need, I mean it is, it's all done for you. And same thing about security, right? The third market is going to be an emergence of a new generation of managed security service providers, which are going to take to all these companies. We don't have enough resources. Okay, don't worry, I'm going to help you, you know, do all that digital transformation. And help you build the security. And then there's a totally new market of all these devices, including the phone, et cetera, which connects and that you essentially want to all these like OT and IoT devices that are all now connected, which of course presents security risk. So you need to also secure them, but you also need to be able to also not only check their health to make sure that, okay, because you cannot send people anymore.
>> So you need to automate the same thing on security. If you find that that phone is compromised, you need to make, to be able to make immediate decisions about should I kill that phone, right? Destroy everything in it. Should I now not let that phone connect anymore to my networks? What should I do? Should I, by the way detected that they've downloaded the application, which are not allowed? Because what we see is more and more companies now are giving tablets to the users. And in doing so now today it's the company property. So they could say, okay, you use these tablets and you're not allowed to do this app.
So you could check all of that and then automatically remote. But that again requires a full visibility on what you are. And that's why just to finish, we make a big decision about a few, three months ago that we have, we build the ability for any company on the planet to automatically build their entire global IT asset inventory, which nobody knows what they have in that old networking environment.
>> You don't know what connects to have the view of the known and the unknown, totally free of charge, across on premise, endpoint, cloud, containers, web applications, OT and IoT devices to come. So now there's the cornerstone of security. So with that totally free. So, and then of course we have all these additional solutions and we're build a very scalable, open platform where we can take data in, pass out data as well. So we really need to be and want to be good citizen here because security at the end of the day, it's almost like we used to say like the doctors, you have to have that kind of Hippocratic oath that you can do no harm. So if you keep, if you try to take the data that you have, keep it with you, that's absolutely not right because it's the data of your customers, right?
>> So, and you have to make sure that it's there. So you have to be a good warning of the data, but you have to make sure that the customer can absolutely take that data to whatever he wants with it, whatever he needs to do. So that's the kind of totally new field as a fee. And finally today there is a new Ash culture change, which is, which is happening now in the companies, is that security has become front and center, is becoming now because of GDPR, which has a huge of financial could over you challenge an impact on a company. A data breach can have a huge financial impact. Security has become a board level.
More and more social security is changing and now it's almost like companies, if they want to be successful in the future, they need to embrace a culture of security. And now what I used to say, and that was the conclusion of my talk, is that now, today IT, DevOps, security, compliance people need to unite. Not anymore the silos. I do that. This is my, my turf, my servers. You do that, you do this. Everybody in the company can work. I have to work together towards that goal. And the vendors need to also start to interoperate as well and working with our customers. So it's a tall, new mindset, which is happening, but the stakes are big. That's what I'm very confident that we're now into that. Finally, we thought, I thought it would have happened 10 years ago, quite frankly. And but now today it's already happening.
>> You touched on a lot, a lot there. And I'll speak for another two hours if we could. We could go for Tara, but I want to, I want to unpack a couple of things. We've had James Hamilton on you to at AWS. Um, CTO, super smart guy and it was, it was at one of his talks where it really was kind of a splash, a wet water in the face when he talked about the amount of resources Amazon could deploy to just networking or the amount of PhD power he could put on, you know, any little tiny sub segment of their infrastructure platform where you just realize that you just can't, you can't compete, you cannot put those kinds of resources as an individual company in any bucket. So the inevitability of the cloud model is just, it's, it's the only way to leverage those resources. But because of that, how has, how has that helped you guys change your market? How nice is it for you to be able to leverage infrastructure partners? Like is your bill for go to market as well as feature sets? And also, you know, because the other piece they didn't talk about is the integration of all these things. Now they all work together. Most apps are collections of APIs.
That's also changed. So when you look at the cloud provider GCP as well, how does that help you deliver value to your customers?
>> Yeah, but the cloud, they don't do everything. You know, today what is interesting is that the clouds would start to specialize themselves more and more. So for example, if you look at Amazon, the core value of Amazon since the beginning has been elastic computing. Now today we should look at Microsoft. They leverage their position and they really have come up with a more enterprise friendly solution. And now Google is trying to find also their way today. And so then you have Alibaba, et cetera. So these are the public cloud, but life is not uniform. Life is by nature diverse. Life wants to live, to find better ways. We see that that's what we have so many different species and it just ended up. So I've also the other phenomena of companies also building their own cloud as well.
>> So the world is entering into a more hybrid cloud. And the technology is evolving very fast as well. And again, I was telling you all these open source software. There's a bigger phenomenon at play, which I used to say that people don't really understand that much wood, but it's so obvious is if you look at the printing press, that's another example that I give. The printing press essentially allowed, as we all know, to distribute the gospel, which has some advantage of, you know, creating more morality, et cetera. But then what people don't know for the most part, it distributed the treatises of the Arabs on technology, the scientific treatises, because the Arabs, which were a very thriving civilization at the time, had collected all the information from India, from many other places and from China and from etc.
And essentially at the time all of Europe was pretty in the age they really came up and it now certainty that scientific knowledge was distributed and that was in fact the seeds of the industrial revolution, which then you're up cat coats and use that and creating all these different technologies.
>> So that confidence of this dimension of electricity and all of that created the industrial revolution seeded by now, today what is happening is that the internet is the new printing press, which now is distributing the knowledge that not to a few millions of people to billions of people. So the rate today of advancing technology is accelerating and it's very difficult. I was mentioning today, we know today that work and working against some quantum computing which are going to totally change things. Of course we don't know exactly how and you have also it's clear that today we could use genetic, if you look at DNA, which stores so much information, so little place that we could have significant more, you know, memory capabilities at lower costs. So we have embarked into absolutely a new world where things are changing. I've got a little girl, which is 12 years old and fundamentally that new generation, especially of girls, not boys, because the boys are still on, you know, at that age.
>> They are very studious. They absorb so much information via YouTube. They are things like a security stream. They are so knowledgeable. And when you look back at history 2000 years plus ago in Greece, you had 95 plus percent of the population slaves. So a few percent could start to think. Now, today it's totally changed. And the amount of information they can, they learn. And this is absolutely amazing. And you know, she, she's, I would tell you the story which has nothing to do with computing, but as a button, the knowledge of, she came to me the few, few weeks ago and she said, Oh daddy, I would like to make my mother more productive. Okay.
So I said, Oh, that's her name is Avia, which is the, which is the, the, the either Greece or Zeus weathered here. And so I say, Evie, I, so that's a good idea.
>> So how are you going to do it? I mean, her answer, I was floored, but that is very simple. Just like with, for me, I'm going to ask her to go to YouTube to learn what she needs to learn. Exactly. And she learns, she draws very well. She learns how to draw in YouTube and it's not a gifted, she's a nice, very nice little girl and very small, but all her friends are like that. Right? So we're entering in a world, which thing are changing very, very fast. So the key is adaptation, education and democracy and democratization. Getting more people access to more. Absolutely. It's very, very important. And then kind of this whole DevOps continuous improve that. Not big. That's a very good point that you make because that's exactly today the new buyer today in security and in IT is becoming the DevOps shipper.
>> Because what? What are these people? There are engineers which suddenly create good code and then they want to of course ship their code and then all these old silos or you need to do these, Oh no, we need to put the new server, we don't have the capacity, et cetera. How is that going to take three months or a month? And then finally they find a way through, again, you know, all the need for scale, which was coming from the Google, from the Facebook and so forth. And by the way, we can shortcut all of that and we can create and we can run out to auto-ship, our code. Guess what are they doing today? They are learning how to secure all of that, right? So again, it's that ability to really learn and move. And today, one of the problem that you alluded to is that, which the Amazon was saying is that their pick there, they have taken a lot of the talent resources in the U.S. today because of course they pay them extra to me, what?
>> Of course they'll attract that talent.
And of course there's now people send security. There's not enough people that even in, but guess what? We realized that few years ago in 2007, we made a big decision. We said, we're never going to be able to attract the right people in the Silicon Valley. And we've started to go to India and we have now 750 people. And Jack Welch used to say, we went to India for the cost and discover the talent. We went to India for the talent and we discover the cost. And there is a huge pool of talent. So it's like a life wants to continue to live and now to, there are all these tools to learn, are there, look at the Khan Academy, which today if you want to go in nuclear physics, you can do that through your phone. So that ability to learn is there. So I think we need just more and more people are coming. So I'm a very optimistic in a way because I think the more we improve our technologies that we look at the progress we're making genetics and so everywhere and that confidence of technology is really creating a new way.
>> You know, there's a lot of conversations about a dystopian future and a utopian future with all these technologies and the machines. And you know what? Hollywood has shown us with AI, you're very utopian side, very optimistic on that equation. What gives you, what gives you, you know, kind of that positive feeling in security, which traditionally a lot of people would say is just whack a mole. And we're always trying to chase the bad guys. Generally
>> speaking, I'm a utopian in a way. But on the other end, you'd need to realize that unfortunately when you have to technological changes and so forth, it's also create factors. And when you look at the history of humanity, the same technological advancement that some countries to take to try to take advantage of others is not that the world is everything fine and everything peaceful.
In fact, Richard Clark was really their kid always saying that, Hey, you know that there is a sinister side to all the internet and so forth. But that's the human evolution. So I believe that we are getting longterm. It's going to. So in the meantime there's a lot of changes and humans don't adapt well to change. And so that's in a way, the big challenge we have. But I think over time we can create a culture of change and that will really help. And I also believe that probably at some point in time we will re-engineer the human race.
>> All right, cool. We'll leave it there. That's going to launch a whole nother couple hours. They leave. Congratulations on the event and a great job on your keynote. Thanks for taking a few minutes with us. Alrighty. He's Philippe, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time.
Philippe Courtot, Qualys | Qualys Security Conference 2019
>> From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019 by Qualys. Hey, welcome back everybody, Jeff Frick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. It's the 19th year they've been doing this. It's our first year here, and we're excited to be here. And it's great to have a veteran who's been in this space for so long to give a little bit more of historical perspective as to what happened in the past, where we are now, what can we look forward to in the future. So coming right off his keynote is Philippe Courtot, the chairman and CEO of Qualys. Philippe, great to see,
>> Thank you. Same. Same same for me.
>> Absolutely. So you touched on so many great topics in your conversation about kind of the shifts of modern computing, from the mainframe to the mini. We've heard it over and over and over. But the key message was really about architecture. If you don't have the right architecture, you can't have the right solution. How is the evolution of architects of architectures impacted your ability to deliver security solutions for your clients
>> So no, that's a very good question. And in fact, you know what happened is that we started in 1999 with the vision that we could use exactly like Salesforce.com these nascent Internet technologies and apply that to security. And Marc Benioff applied that essentially changing the way CRM was essentially used and deployed in enterprises and with a fantastic success as we know. So for us, the I can't say today that 19 years later the vision was right. It took a significant longer because the security people are not really warm at the idea of suddenly having the data interview which was in place that they could not control. And the IT people, they didn't really like at all the fact that suddenly they were not in control anymore of the infrastructure.
So whether a lot of resistance, I wever, we always I always believe, absolutely believe that the cloud will be the architecture to go back. A lot of people make the confusion That was part of the confusion that for people it was a cloud, that kind of magical things someplace would you don't know where and when I was trying to explain, and I've been saying that so many times that well, you need to look at the club like a computer that can architecture which distribute the computing power for more efficiently than the previous one, which was Clyde Server, which was distributing the computing power for better then, of course, the mainframes and minicomputers. And so if you look at their architecture's so the mainframe were essentially big data centers in in Fort Knox, like setting private lines of communication to damn terminal. And of course, security was not really an issue then, because it's a gritty was building by the IBM said company simply with the minicomputer, which then was, instead of just providing the computing power to the large, very large company could afford it. Now 70 the minicomputer through the advance and say, My conductor technology could reduce the food frank. And then I'll bring the company power to the labs and to the departments. And that was then the new era of the dish, your equipment, the primes, that General et cetera, Uh, and then conservative. So what client service did again? If you look at the architecture, different architectures now, incidently servers LAN or the Internet network and the PC, and that was now allowing to distribute the computing power to the people in the company. And so, but then you needed to so everybody. Nobody paid attention to security because then you were inside of the enterprise. So it starts inside the wars of the castle if you prefer. So nobody paid attention to that. It was more complex because now you have multiple actors instead of having one IBM or one desert equipped. 
But its center said, You have the people manufacturing the servers. The software that that obeys the PC is an unannounced excellently there was the complexity increased significantly, but nobody paid attention to security because it was not needed. Until suddenly we realized that viruses could come in through the front door being installed innocent. You were absolutely, absolutely compromised. And of course, that's the era of the anti VARS, which came in and then because of the need to communicate more more. Now, Senator, you could not stay only in your castle. You need to go and communicate your customers to your suppliers, et cetera, et cetera. And now you were starting to up and up your your castle to the word and a low now so that the bad guy could come in and start to steal your information. And that's what the new era of the far wall. Now you make sure that those who come in But of course, that was a bit naive because there were so many other doors and windows that people could come in, you know, create tunnels and these and over that transfer, insure your custard. Because the day I was becoming more, more rich and more more important, more value. So whatever this value, of course, the bad guys are coming in to try to sell it. And that was that new era off a win. Each of attention to security. The problem is being is because you have so many different actors. There was nothing really central there. Now. I just suddenly had Maura and more solutions, and now absolutely like 800 vendors. Boarding on security and boating on anything is shortly at the end of the day because you put more more weight, and then you also increasing complexity in all these different solutions. Didn't they need to talk together? So you have a better context, but they weren't designed to talk together. So now you need to put other system where they could communicate that information. So you complicated, complicated, complicated the solution. And that's the problem of today. 
So now cloud computing comes in and again. If you look at the architecture of cloud computing, it's again Data centers, which not today, have become, thanks to the technology, having infinite, almost company power and storage capabilities. And like the previous data center, there are much more fracture because you just once gave and they become essentially a bit easier to secure. And by the way, it's your fewer vendors now doing that. And then, of course, the access can be controlled better on then. Of course, the second component is that the land and the one it's now the Internet and the Internet, of course, eyes the Web communications extremely cheap, and it brings you in every place on the planet and soon in Morse. Why no so and so now. The issue today is that still the Internet needs to be secure, and today how are you going to secure the Internet? Which is very important thing today because you see today that you can spoof your image, you can spoof your website. You could attack the Deanna's who? Yes, there's a lot of things that the bad guy still do in fact, themselves that ever is the Internet, of course, to access everywhere, so they take advantage of it. So now this is obviously, you know, I created the trustworthy movement many years ago to try to really address that. Unfortunately, qualities was too small, and it was not really our place. Today there's all the Google, the Facebook, the big guys which contract their business, depend on the Internet. Now need to do that and I upload will be been criticised very much so. Google was the 1st 1 to essentially have a big initiative. I was trying to Bush SSL, which everybody understands secret encryption, if you prefer and to everybody. So they did a fantastic job, really push it. So now today's society is becoming like okay, it's a said. You want to have this a settle on your communication, but that's not enough. 
And now they're pushing and some people criticize them, and I absolutely applaud them to say we need to change the Internet protocols which were created at the time when security you were transferring information from universities. And so for these was a hay days, you know, if everything was fine, there's no bad guys. No, The heebie day is if you like arranging that everybody was free, Everybody was up in fantastic. Okay. And now, of course, today, these poor cold this to be a graded, which is a lot of work. But today I really believe that if you put Google Amazon Facebook altogether and they can fix these internet for records so we could forget about the spoofing and we forget about all these fishing and all this thing this is there responsibility. So and then you have now on the other side, you have now a very intelligent devices from in a very simple sensors and, you know, too sophisticated devices the phone, et cetera, and Maura and more Maur devices interconnected and for people to understand what is being so This is the new environment. And whether we always believe is that if you adopt an architecture which is exactly which fits which is similar, then we could instead of bolting security in, we can also have the build security in voting signal on. We could be in security in. And we have been very proud of the work that went down with my car itself, which we announce, in fact, reluctantly recently, very recently, that, in fact, our agent technologies now it's banned erred in Microsoft. So we have been security with Microsoft in So from a security perspective today, if you go to the Microsoft as your security center, you click on a link, and now you have the view. If you're in tar, is your environment courtesy of record? It's agent. You click on a second link, and now you have the view of your secret cameras. First year, crazy of the same qualities agent. And then you click on the third inning with us. 
Nothing to do with quite it's It's old Mike ourself you create your playbook and Yuri mediates The security in this environment has become quickly, quick, nothing to in store, nothing to update, and the only thing you bring. All your policies saying I don't want to have this kind of machine exposed on the Internet on what this is what I want and you can continuously owed it essentially in real time, right? So, as you can see, totally different than putting boxes and boxes and so many things. And then I think for you, so very big game changer. So the analogy that I want you that I give to people it's so people understand that paradigm shift. It's already happening in the way we secure our homes. You put sensors everywhere, your cameras of detection, approximately detection. Essentially, when somebody tried to enter your home all that day, that's continuously pumped up into an incident response system. And then from your phone again across the Internet, you can change the temperature of your rooms. You can do it. You can see the person who knocks on the door. You can see its face. You can open the door, close the door, the garage door. You can do all of that remotely and automatically. And then, if there's a burglar, then in your house, who's raking immediately that the incidence response system called the cops or the farmer shirt? If good far. And that's the new paradigm. So security has to follow that product, and then you have interesting of the problem today that we see with all the current security systems incidents Original system developed for a positive force. Positive and negative are the enemy reedy off security? Because if you have forced positive, you cannot automate the response because then you're going to try to respond to something that is that true? So you are. You could create a lot of damage. And the example. 
I give you that today in the if you leave your dog in your house and if you don't have the ability the dog would bark would move, and then the senses will say intruder alert. So that's become the force. Pretty. So how do you eliminate that? By having more context, you can eliminate automatically again this false positives, like now you, I think a fingerprint of fuel dog and of his voice. And now the camera and this and the sensors on the voice can pick up and say, Oh, this is my dog. So then, of course, you eliminate that forces right now, if if another dog managed to return your home through a window which was open or whatever for so what do we know? A window was open, but you know you can't necessarily fix it on the dog weapons, then you will know it. Sze, not yours. So that's what securities avoiding such a huge sea of change which is happening because of all that injured that end today Companies today after leverages nuclear technology which are coming, there's so much new to college. What people understand is where's that technology coming from? How come silently we have doctors cybernetics a ll these solutions today which are available at almost no cost because it's all open source So what happened is that which is unlike the enterprise software which were Maur the oracle, et cetera, the manufacturer of that software today is in fact the cloud bubbly club Sanders, the Amazon, the Google, the Facebook, the macro self which shouldn't be needed to have to develop new technology so they could scale at the size of the planet. And that very shrewdly realized that if I keep the technology for me, I'm essentially going to imprison. The technology is not going to evolve. And then I need other technologies that I'm not developing. So they realize that they totally changed that open source movement, which in the early days of happens offers more controlled by people who had more purity. 
If you prefer no commercial interests, it was all for the good, off the civilization and humankind. And they say they're licensing model was very complex or the simplified all of that. And then Nelson and you had all this technology coming at you extremely fast. And we have leverage that technology, which was not existing in the early days when when such was not come started with the eunuchs, the lamb, pork or what's called leaks. Apache mice Fewer than Petri limiting Announcer Tiel This technology, like elasticsearch, was coming. We index today now back and three trillion points or less excerpts, clusters, and we return information in 100 milliseconds and then on the calf campus, which is again something that open source way Baker Now today, five million messages a day and on and on and on. So the word is changing. And of course, if that's what it's called now, the digital transformation now enterprises to be essentially a joy to reach out to the customers better and more, they need to embrace the cloud as well, >> right? >> I do retool their entire right infrastructure, and it's such A. It's a huge sea of change, and that's what we see even the market of security just to finish now, evolving in a totally different ways than the way it has been, which in the positive market of security was essentially the market for the enterprise. And I'm bringing you might my board, my board, towns, traditions that you have to go in installed and make work. And then you had the the anti virus, essentially for all the consumers and so forth. So today, when we see the marketplace, which is fragmenting in four different segments, which is one is the large enterprise which are going to essentially constantly data start moving to the transformation. Leveraging absolutely develops, which isn't becoming the new buyer. And, of course, so they could improve their I t. For to reach out to more customers and more effectively than the current providers. 
As I mentioned earlier, which are building security in the knife, you use them. You don't have to worry about infrastructure about how many servers you need, amenities. It's all done for you and something about security. The third market is going to be in an emergence of a new generation of managed Grannie service providers which are going to take all these companies. We don't have enough resources. Okay, Don't worry. I'm going to help you, you know, duel that digital transformation and help you build the security. And then there's a totally new market of all these devices, including the phone, et cetera, which connects and that you essentially I want to all these i, o t and I ot devices that are or now connected, which, of course, present security risk. So I need to also secure them. But you also need to be able to also not only check their health to make sure that okay, because you cannot send people read anymore. So you tournament simply on security. If you find that that phone is compromised, you need to make to be able to make immediate decisions about Should I kill that phone? Destroyed everything in it. Should I Now don't let that phone connect any more to my networks. What should I do? Should I, by the way, detected that they've done with the application which another loud Because what we see is more and more companies are giving tablets to their users and in doing so now, today's the company property so they could say, OK, you use these tablets and you're not allowed to do that so you could check all of that and then automatically. But that again requires full visibility in what you are. And that's why just to finish, we make a big decision about the few three months ago that were We build the ability for any company on the planet to automatically build their targetable itis it eventually, which nobody knows what they have. That old networking environment. 
You don't know what connects to have the view of the known and the unknown totally free of charge across on premise and pawned crowd continues Web applications or to united devices to come. So now that's the cornerstone of securities with that totally free. So and then, of course, you have all these additional solutions, and we're being very scalable up in platform where we can take data, a passel data as well. So we really need to be and want to be good citizen here because security at the end of it, it's almost like we used to say, like the doctors, you have to have that kind of Hippocratic oath that you can do no harm. So if you keep if you try to take the data that you have, keep it with you, that's all.
Brian Rossi, Caterpillar | Qualys Security Conference 2019
>> Narrator: From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. They've been doing this for 19 years. They've been in this business for a long time, seen a lot of changes, so we're happy to be here. Our next guest works for Caterpillar. He is Brian Rossi, the senior security manager vulnerability management. Brian, great to see you. >> Thanks for having me. >> So I was so psyched, they had an interview, a gentleman from Caterpillar a few years ago, and it was fascinating to me how far along the autonomous vehicle route Caterpillar is. And I don't think most people understand, right? They see the Waymo cars driving around, and they read about all this stuff. But Caterpillar's been doing autonomous vehicles for a super long time. >> A really long time, a really long time, 25-plus years, pioneering a lot of the autonomous vehicle stuff that's out there. And we've actually, it's been cool, had an opportunity to do some security testing on some of the stuff that we're doing. So, even making it safer for the mines and the places that are using it today. >> Yeah, you don't want one of those big-giant dump-truck things to go rogue. (laughing) >> Off a cliff. Yeah, no, bad idea. >> Huge. Or into a bunch of people. All right, so let's jump into it. So, vulnerability management. What do you focus on, what does that mean exactly? >> So, for me, more on the traditional vulnerability management side. So I stay out of the application space, but my group is focused on identifying vulnerabilities for servers, workstations, endpoints that are out there, working with those IT operational teams to make sure they get those patched and reduce as many vulnerabilities as we can over the course of a year. >> So we've done some stuff with Forescout, and they're the kings of vulnerability sniffing-out. 
In fact, I think they have an integration with Qualys as well. So, is it always amazing as to how much stuff that gets attached to the network that you weren't really sure was there in the first place? >> Yes, absolutely. (laughs) And it's fun to be on the side that gets to see it all, and then tell people that it's there. I think with Qualys and with some of the other tools that we use, right? We're seeing these things before anybody else is seeing them and we're seeing the vulnerabilities that are associated with them, before anyone else sees them. So it's an interesting job, to tell people what's out there when they didn't even know. >> Right, so another really important integration is with ServiceNow, and you're giving a talk I believe tomorrow on how you use both Qualys and ServiceNow together. Give us kind of the overview of what you're going to be talking about. >> Absolutely, so the overview is really what our motto has been all year, right? Is put work where people work. So what we found was that with our vulnerability management program, we're doing scanning, we're running reports, we're trying to communicate with these IT operational teams to fix what's out there. But that's difficult when you're just sending spreadsheets around and you're trying to email people. There's organizational changes, people are moving around. They might not be responsible for those platforms anymore. And keeping track of all that is incredibly difficult in a global scale, with hundreds of thousands of assets that people are managing. And so we turned to ServiceNow and Qualys to really find a way to easily communicate, not just easily, but also timely, communicate those vulnerabilities to the teams that are responsible for doing it. >> Right, so you guys already had the ServiceNow implementation obviously, it was something that was heavily used. You're kind of implying that that was the screen that a lot of people had open on their desktop all the time. 
>> We lucked out that we were early in the implementation with ServiceNow. So, Caterpillar was moving from a previous IT service management solution to ServiceNow so we got in on the ground floor with the teams that were building out the configuration management database. We got in with the ground floor with the teams who were operationalizing, using ServiceNow to drive their work. We had the opportunities to just build relationships with them, take those relationships, ask them how they want that to work, and then go build it for them. >> Right, it's so funny because everyone likes to talk about single pane of glass, and to own that real estate that's on our screens that we sit and look at all day long, and it used to be emails. It's not so much email anymore, and ServiceNow is one of those types of apps that when you're in it, you're working it, that is your thing. And it's one thing to sniff out the vulnerabilities and find vulnerabilities, but you got to close the loop. >> Brian: You got to, absolutely. >> And that's really where the ServiceNow piece fits. >> And it's been great. We've seen a dramatic reduction in the number of vulnerabilities that are getting fixed over the course of a 30-day period. And I think it simply is because the visibility is finally there, and it's real-time visibility for these groups. They're not receiving data 50 days after we found it. We're getting them that data as soon as we find it, and they're able to operationalize it immediately. >> Right, and what are some of the actions that are the higher frequency that you've found, that you're triggering, that this process is helping you mitigate? >> I would say, actually, what it's really finding is some of our oldest vulnerabilities, a lot of stuff that people have just let fall off the plate. And they're isolated, right? They may have run patching for a specific vulnerability six months ago, but there was no view to tell them whether or not they got everything. 
Or maybe it was an asset that was off the network when they were patching, and now it's back on the network. So we're getting them the real-time visibility. Stuff that they may have missed, that they would have never seen before, without this integration. >> So I'd love to get your take on one of the top topics that came in the keynote this morning, both with Dick Clark as well as Philippe, was IoT-5G and the increasing surface-area, attack surface area, vulnerability surface area. You guys, Caterpillar's obviously well into internet of things. You've got a lot of connected devices. I'm sure you're excited about 5G, and I'm sure in a mining environment, or those types of environments are just prime 5G opportunities. Bad news is, your attack surface just grew exponentially. >> Yeah. >> So you're in charge of keeping track of vulnerabilities. How do you balance the opportunity, and what you see that's coming with 5G and connected devices and even a whole other rash of sensors, compared to the threat that you have to manage? >> Certainly in the IoT space it's unique. We can't do the things to those devices that we would do with normal laptops' assets, right? So I think figuring out unique ways to actually deal with them is going to be the hardest part. Finding vulnerabilities is always the easiest thing to do, but dealing with them is going to be the hard part. 5G is going to bring a whole new ballgame to a lot of the technology that we use. Our engineering groups are looking at those, and we're going to be partnering with them all the way through their journey on how to use 5G, how to use IoT to drive better services for our customers, and hopefully security will be with them the whole way. >> Right, the other piece that didn't get as much talk today, but it's a hot topic everywhere else we go is Edge, right? And this whole concept of, do you move the data, do you move the data to the computer or the computer to the data? 
I'm sure you guys are going to be leveraging Edge in a big way, when you're getting more of that horsepower closer to the sites. There's a lot of challenges with Edge. It's not a pristine data center. There are some nasty environmental conditions and you're limited in power, connectivity, and some of these other things. So when you think about Edge in your world, and maybe you're not thinking of it, but I bet you are, how are you seeing that, again, as an opportunity to bring more compute power closer to where you need it, closer to these vehicles? >> So I think, I wish I had our other security division here with me to talk about it. We're piloting a lot of those things, but that's been a big piece of our digital transformation at Caterpillar, is really leveraging data from those connected devices that are out in the field. And we actually, our Edge has to be brought closer to home. Our engineers pack so much into the little space they have on the devices that are out there, that they don't have room to actually calculate on that data that's out in the field, right? So we are actually bringing the Edge a little closer to home, in order for us to provide the best service for our customers. >> Right, so another take on digital transformation. You talked about Caterpillar's digital transformation. You've been there for five years now. Before that you were at State Farm. Checking on your LinkedIn, right? State Farm is the business of actuarial numbers, right? Caterpillar has got big heavy metal things, and yet you talk about digital transformation. How did you guys, how are you thinking about digital transformation in this heavy-equipment industry that's in construction? Probably not what most people think of as a digital enterprise, but in fact you guys are super aggressively moving in that direction. >> Yeah, and for us, from a securities perspective, it's been all about shift-left, right? We have to get embedded with these groups when they're designing these things. 
We have to be doing threat models. We have to be doing pen testing. We have to be doing that secure life cycle the entire way through the product. Because with our product line, unlike State Farm where we could easily just make a change to an application so that it was more secure, once we produce these vehicles, and once we roll them out and start selling them, they're out there. And we build our equipment to last, right? So there's not an expectation that a customer is going to come back and say, "I'm ready to buy a new truck two years from now," because of security vulnerability. >> Jeff: Right, right. >> So, yeah, it's a big thing for us to get as early in the development life cycle as possible and partner with those groups. >> I'm curious in terms of the role of the embedded software systems in these things now, compared to what it was five years ago, 10 years ago 'cause you do need to upgrade it. And we've seen with Teslas, right? You get patches and upgrades and all types of things. So I would imagine you're probably a lot more Tesla-like than the Caterpillar of 20 years ago. >> Moving in that direction, and that is the goal, right? We want to be able to get the best services and the most quality services to our customers as soon as possible. >> Right, very cool. Well, Brian, next time we talk, I want to do it on a big truck. >> Okay. >> A big, yellow truck. >> Let's do it. >> I don't want to do it here at the Bellagio. >> Let's do it, all right. >> Okay, excellent. Well, thanks for-- >> Thank you. >> For taking a few minutes, really appreciate it. >> Absolutely. >> All right, he's Brian, I'm Jeff, you're watching theCUBE. We're at the Bellagio in Las Vegas, not on a big yellow truck, out in the middle of nowhere digging up holes and moving big dirt around. Thanks for watching. We'll see you next time. (upbeat techno music)
Chris Carlson, Qualys | Qualys Security Conference 2019
>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019. Brought to you by Qualys. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the Bellagio Hotel in Las Vegas, at the Qualys Security Conference. This conference has been going on for 19 years. It's our first time to be here. We're excited to be here, but it's amazing that they've just been clipping along through wave after wave after wave. They've got some new announcements today and we're excited to get the full rundown here. Our next guest is Chris Carlson, the VP of Strategy from Qualys. Chris, great to meet you. >> Great, thanks, great to be here. >> Yeah, so you just got out of your session. How did your session go? >> Yeah, it was fantastic. In fact, that's the great thing about a Qualys Security Conference, because we have the ability to not only interact with our customers and partners, but actually showcase what's new, but also what we're working on coming in the future. >> Jeff: Right. >> And that's really important for us at Qualys because we get the feedback from the customers early, and we can work very closely with them to find the right set of solutions and the right products for their use in their environment and programs. >> Now, the security landscape has changed quite a bit over the last two decades, and Philippe's keynote, I mean he is right on the edge in terms of really appreciating cloud and the benefits of cloud. You guys have a lot of great integration partners. You know, did you have to re-architect this thing, at some point down the road? I mean it's pretty amazing that you've been at it for two decades and still really sitting in a good spot here as kind of the cloud and IOT and 5G and this next big wave of innovation starts to hit. >> Well that's right, and I think that's why it starts with that vision, but it's not just a vision of where the market is going, but the vision of where technology is going. 
So when Qualys started, they started in the cloud, and they started with the cloud delivered architecture. And that was really, maybe early for a lot of first customers. 20 years ago security was maybe not as much, and put security in the cloud, that's where all the bad guys are. But it's really that architecture vision technology that allowed us to not only innovate quickly on a platform, but as our customers grew, as our customers moved to the cloud, as our customers moved to IOT and OT and mobile computing and those aspects, we're already there. >> Jeff: Right, right. >> We're already there. So and that is what really the advantage for us is, we don't have to re-architect our platform, we can layer on new capabilities and new services, new products leveraging the existing architecture that we've developed in the cloud. >> Yeah, it's really little bit of good fortune, a little bit of luck, a little bit of smarts, right. >> I think it's maybe a lot of experience and smarts from that. >> Well, it's just funny right, 'cause we had John Chambers on not that long ago, and his kind of computing waves, he was using kind of 10 year waves as kind of the starting points. And Philippe's were a little bit longer, but it's the same kind of story with mainframes and minis and client server and now cloud, but as he said, and as you've reinforced, if you don't architect it to be able to do that at the beginning, you can't necessary repurpose it for this new application. It's really architecture-specific, and without that kind of vision, you're not going to be able to take advantage. >> That's right. >> Of these kind of new waves. >> Exactly, and I think that architecture breaks down into different levels. So one is systems architecture, but there's also the design architecture. So the technologies that we're using on our platform today aren't the same 20 years ago. We've swapped out those technologies. We use new modern technologies. 
Technically, like Kafka streaming blasts to do real-time event streaming. Cassandra for object data store. Those did not exist five or six years ago. But from our architecture that we're collecting lightweight data from our customers, and analyzing it in our cloud platform. Doesn't matter if we have one million events, a billion events, a hundred billion events, the platform can scale the process of those. >> Right. The other piece clearly that you've mentioned two or three vocabulary words right there is the open source component. You know, the open source has grown dramatically since the early days of Linux, both in terms of market acceptance as well as kind of new opportunities for things like Kafka to be able to grab that type of , integrate it into your product set and really drive a whole bunch of extra value. >> Yeah, that's right. I think we benefit as Qualys is using some of these open source technologies and we do contribute back, because we work with those teams. If there's any defects or performance enhancements, we do that. But while we've benefited from some of the open source technologies, our customers have benefited as well. Now they've benefited from new technology architectures, but in some cases they've benefited from new security problems. So if you get commercial off-the-shelf software, the vendor produces a security patch, they test that patch and they can apply the patch. In many cases with some open source software it's not like that. The customer has to get the software, compile it, make sure it works. Maybe it doesn't fix the vulnerability, and that's why in that case for them open-source technology can improve some of their IT systems and their business initiatives, but it puts a challenge on security to keep up with all the security risks that are happening across the board. >> Right. So one of the big announcements today was the VMDR. >> That's right. >> Tell us all about it. 
>> Great, so VMDR stands for Vulnerability Management Detection and Response, and that really is a capability that we've actually had in the platform itself, but the feedback from our customers were that internally their own people, their own process and their own tools created these artificial silos that prevented them from actually doing security detection and remediation at scale quickly. We have all these capabilities in the Qualys platform anyway, but with this new VMDR bundle we're bringing it together with new automation, new workflow, new orchestration, new user interfaces that actually reduce the time to remediate down to near zero in some cases. So, we had an example of a live attack that happened two years ago, WannaCry with EternalBlue, and many companies did nothing for two months. So they had the right tools, but maybe the data silos to go from one application to another application, to one team to another team just increased that length of when they could remediate. Our customers that had Qualys already had that data within the Qualys platform. We can tell them what assets they have, what the vulnerabilities were, that WannaCry was a big thing happening. And then with our patch management they can click one button and then just fix those assets easily. >> Jeff: Right, right. >> That was two years ago. Now this summer something called BlueKeep. So BlueKeep and DejaBlue is another attack that's happening, is going on right now. People don't know about it. Well, maybe not you. (laughing) Maybe if you're a Windows. >> I got nothing, I got nothing. >> Maybe if he has a Windows Operating System he's being attacked right now, I don't know about that. But a lot of our customers here, they're struggling with that every day. Not that Qualys can't tell them where it is, but they have to rely on another team to actually fix it. 
And that's what's so exciting about VMDR, Vulnerability Management Detection and Response, is the D and the R, the detection and the response allow them to remediate in a full life-cycle very quickly, very effectively, and with a high confidence that it has actually corrected those issues. >> Yeah, it's really interesting. You know, kind of the application versus platform conversation. You guys are integration partners with ServiceNow. Fred Luddy's been on many, many times, and tells a great story. You know, he wanted to build a platform, but you can't go to market with a platform. You got to go to market with an application, hopefully get some traction, and over time he started adding more applications, and it was pretty interesting listening to you guys. >> Well, I was actually going to stop you right there if you don't mind. >> No. >> The marketing people go to market with the platform. The marketing people say, "Hey version one is a platform." >> To their customers? But nobody's got a line-item to buy a new platform today, right. >> Exactly, and that's sort of the disconnect. >> Right. >> Really with normal enterprise sales models and technology. The marketing sales disconnect versus the technical reality that customers depend on for their environment. >> But if you do it right, then you can build that application stack, and I think in their earnings call, your guys last earnings call, you defined seven specific applications that sit on this platform that enabled in you to bundle and have kind of multi-application integration in the new VMDR. >> Yes, that's right, and I think that the difference with Qualys is they knew that the architecture was important. So our vulnerability management was an application on the architecture when it first launched 20 years ago. >> Right. >> And that really helped us going forward. 
So from the earnings call it's seven product capabilities on our lightweight agent, but the entire Qualys platform has 19 different product capabilities, in the same platform using the same user interface model and the VMDR takes many of those and bring it together in that single bundle on a per asset basis. >> Okay great, thanks for that clarification. Slight shift of focus. Another thing that came up in Philippe's keynote was kind of re-architecting the sales side and the market bundles that you guys are going to go to market with over time. And he broke it down into really only four big buckets of categories. Cloud providers, I think managed security service providers, enterprises, and I can't remember what the the last one was. Oh, OT and IOT vendors. >> Chris: IOT, correct, yes. >> So as you kind of look forward in the way that you're going to develop your products to go to market, how is that impacting your strategy, and are you seeing that start to play out in the marketplace? >> Yes, when we look at security technology and actually part of his keynote, he had this slide that had, you couldn't zoom in, because there's a million logos on this slide, security companies. And you go to some of the security shows, there's 800 vendors in the exhibit hall. >> Jeff: Oh yeah, we go to RSAC. I mean that that's why, it's chaos, right. >> So it's crazy, it's crazy. And there was an analyst that actually said a couple years ago that whenever there's a new threat, there's a new tech. Here's a new threat vector, now there's five new startups. And is that new threat vector super narrow, and it's only a feature, or is it a product, but our view of Qualys was a little bit different in that while the buying centers may be different, while some of the assets may be different, an OT asset versus a cloud asset versus the endpoint asset, the ability to discover it, identify it, categorize it, assess it, prioritize and remediate it is the same. That is the same. 
So whether it is a PLC on a shop floor from a car manufacturing, or an ecommerce web server that's running in a public cloud, or an end-user machine, the process to identify, assess and remediate is exactly the same through us at Qualys with their platform. Different sensors for different asset types, normalized security data and different remediation approaches for different asset types, but all the same platform. >> But it sounds like you're doing some special stuff with Azure. >> Chris: Yes. >> So, tell us a little bit about kind of what's special about that relationship, what's special about that solution. >> Yeah, and that integration was announced two weeks ago at Microsoft Ignite, which is a big Microsoft show, and that really is a close partnership that we have with Microsoft. We actually did an early integration with them four years ago, but this is a lot deeper. And that really is Philippe's and Qualys' vision that security needs to be built in and not bolted on. >> Jeff: Right. >> That if you take, let's take a car for example. When you buy a car, you don't buy the car without a seat belt, an airbag, maybe a radio. You don't buy it without tires, it all comes together. You don't buy a car, then go to the seatbelt shop, and then buy a car and then go to the airbag shop. It all comes together, and that's what we're very excited about this announcement with Microsoft and Azure is that the vulnerability assessment is powered by Qualys already built into Azure. So there may be a whole set of customers that know nothing about Qualys, know nothing about our 20-year history, know nothing about our conference. They go to Microsoft Azure's, the security center, and it goes, "Assess your vulnerabilities," click a button and there's the vulnerability information. So this opens up a new capability for customers that they may not have used, but more importantly bringing security into IT without them knowing that they're doing security. And that is very powerful.
>> So is it like a white label, under the covers or? >> So, it's not a white label, it's a joint integration. >> Chris: Okay. >> And it's a Microsoft Azure. >> Chris: So they eventually have, probably is in the bottom of the report. >> Powered by Qualys, powered by Qualys, right, so we got to have that name in there. >> Right, right, right, good. >> And what's exciting about Microsoft Ignite is that we had a lot of Microsoft IT and dev people come up to our Qualys booth and say, hey I don't know much about Qualys, but I get this report of things that I need to fix, tell me more about what you're doing and how can we help that fix faster. >> Chris: Right. >> And it's really about speed. Time to market, time to acquire customers, time to service customers, but more importantly time to produce new technology, time to secure the new technology, and lastly, unfortunately, time to respond to security events that may have happened in your network. >> And I presume they can buy more of the suite through the, and run it on the Azure stack. >> Yes, that's right. In fact, all of our capabilities can go on there from it, and that really is a strong partnership. In fact the group product manager for Azure is speaking at Qualys Security Conference just later today. That really shows a testament of the deep integration of partnership that we have with them. >> All right, Chris, before I let you go, you're the strategy guy. So as you look down the road in your crystal ball, I won't say more than three years, two years, three years, four years. What are some of the things you're keeping an eye on, what are the things you're excited about, what are the things you're a little concerned about? >> Well, I think that the things that we're excited about is a vision that Philippe and of course Ahmet has painted for it, is that the computing environment is accelerating dramatically, it's fragmenting dramatically. 5g might be a complete game-changer across the board. 
We have some of our large customers that have a project that they call Data Center Zero. 17 data centers, in two years, no data centers at all. I say that in their corporate offices they have laptops and printers, that's it. How do you secure and assess an environment that is ephemeral and that is virtual and that is remote, and that's where the Qualys platform architecture can move along with those customers. Our very largest customers are the ones leading the charge, not only developing new capabilities, but also using them as they come out. So I think that's what we're very excited about. I think that's some areas that we're working deeper with our customers on, is at the end of the day, it's people, process, and tools. And we're working on the technology capability and stack that can also influence and make the process better, but ultimately the people have to come in and understand that security has to be built in, we have to shift left, integrate it into the dev cycle to really reduce that attack surface and have a stronger, more secure enterprise. >> All right Chris, well, think you're going to be busy for the next couple years. >> It's an exciting time, it's an exciting time for Qualys. >> All right, well again, congrats on the event. >> Thanks very much. >> Thanks for having us. Can't believe it's been here for 19 years and we haven't been here yet. So again, thanks for having us and congrats on all your success. >> Great, fantastic Jeff. >> All right, he's Chris, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference in Las Vegas. Thanks for watching. We'll see you next time. (upbeat music)
Wendy Pfeiffer, Nutanix | Qualys Security Conference 2019
>> From Las Vegas, it's theCUBE covering Qualys Security Conference 2019, by Qualys. >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We're at the Bellagio in Las Vegas. It's actually raining outside, which is pretty odd, but through the desert is happy. We're here at the Qualys Security Conference. Been going on for 19 years. It's our first time here. We're excited to be here, but we got a really familiar guest on. She's been on a number of times at Nutanix .NEXT conferences and girls who code conferences, etcetera. So we're happy to have back Wendy Pfeiffer. She's the CIO of Nutanix and, as of August, early this year, a board member for Qualys. So great to see you. >> Nice to see you again, too. So it's raining outside. I'll have to get out. >> I know it's pretty, uh, pretty cool, actually. School coming in on the plane. But let's jump into a little bit from your CIO role. We're talking a lot about security, and the age-old thing came up in the keynote. You know, there's companies that have been hacked, and then there's companies that have been hacked and don't know it yet, but we're introducing a third type of company. Here is one of the themes, which is that you actually can prevent, you know, not necessarily getting hacked, but kind of the damage and destruction and the duration once people get in. I'm just curious, from your CIO hat, how do you look at this problem? The space is evolving so quickly. How do you kind of organize your thoughts around it? >> Yeah, for me, first of all, um, it starts with good architecture. So whether it's our own products running or third party products running, we need to ensure that those products are architected for resilience. And that third kind of company, the resilient company, is one that has built in architecture and a set of tools and services that are focused on knowing that we will be hacked. But how can we minimize or even eliminate the damage from those hacks?
And in this case, having the ability to detect those hacks when they're incoming and to stop them autonomously is the key to Qualys's play and the key to what I do as CIO at Nutanix. >> Right. So one of the other things that keeps coming up here is kind of a budget allocation to security within the CIO budget. And I think Mr. Clark said that, you know, if you're doing 3% or less, you're losing, and you gotta be spending at least 8%. But I'm curious, because to me it's kind of like an insurance story. How much do you spend? How much do you allocate? Because potentially the downside is enormous. But you can't spend 100% of your budget just on security. So how do you think about kind of allocating budget as a percentage of spend versus the risk? >> Well, I love that question. That's part of the art of being a CIO or a CISO. You know, first of all, we have a mixed portfolio of opportunities to spend, to hold, to divest at any one time, and IT portfolio management has been around for 30 years, 40 years, almost as long as some of the people that I know. However, um, we always have that choice, right? We're aware of risk, and then we have the ability to spend. Now, of course, perfect security is to not operate at all. But that's, you know, swinging too far the wrong way. And then we also have that ability, maybe, to not protect against anything and just take out a big old cyber security policy. And whereas that policy might help us with lawsuits, it wouldn't necessarily help us with ongoing operations. And so it's somewhere in the middle, and I liked some of the statistics that they shared today. One of the big ones for me was that companies that tend to build resilient worlds of cybersecurity tend to spend about 10% of their total IT operating budgets on cyber security. That makes sense to me, and that reflects my track record at Nutanix and elsewhere, roughly in that amount of spending.
Now, you know, checking the box and saying, well, we're spending 10% on cybersecurity doesn't really buy us that much, and also we have to think about how we're defining that spend on cyber security. Part of that spend is in building resilient architectures and building resilient code. And, uh, that's sort of a dual purpose spend, because that also makes for performant code, it makes for scalable, supportable code, et cetera. So, you know, we can do well by doing good in this case. >> So again, just to stay on that theme for a minute, Wendy. So when you walk the floor at RSA, and there's 50,000 people and I don't even know how many vendors, and I imagine even your IT portfolio now around security is probably tens of products, if not hundreds, and certainly tens of vendors. Again, how do you kind of approach it? Do you have trusted advisors around certain point solutions? Are you leveraging, you know, system integrators or other types of specialists to help you kind of sort through and get some clarity around this just kind of mess? >> Well, all of us actually are looking for that magic discernment algorithm. Wouldn't it be great if you could just walk up to a vendor and apply the algorithm? And aha, there's one who's fantastic. We don't have that, and so we've got a lot of layers of ingest. I try to leave room in my portfolio for stealth and emerging technologies, because generally the more modern the technology is, the more it's keeping pace with the hackers out there and the bad guys out there. Um, we do have sort of that middle layer that surround the ability for us to operate at scale, because we also have to operate these technologies. Even the most cutting edge technology sometimes lack some of the abilities for us to ingest them into our operations. And then there's sort of the tried and true bedrock that hopefully is built into products we consume. Everything from public cloud services to, uh, you know, hardware and so on.
And so there's this range of choices. What we have to do ultimately is we use that lens of operations and operational capability. And first of all, we also ensure that anything we ingest meets our design standards, and our design standards include some things that I think are fascinating. I won't go into too much detail because I know how much you love this detail. But you know, things like: are the APIs open? What does integration look like? What's the interaction design look like? And so those things matter, right? Ultimately, we have to be able to consume the data from those things, and then they have to work with our automation, our machine learning tools. Today at Nutanix, for example, you know, we weigh like toe. I'm happy to say we catch, you know, most if not all of any of the threats against us, and we deal with well over 95% of them autonomously. And so we're a living example of that resilient organization that is, of course, being attacked, but at the same time hopefully responding in a resilient way. We're not perfect, knock on wood, but we're actively engaged. >> So shifting gears a little bit now to your board hat, which again, congratulations. So I'm curious, you know, your perspective on kind of breaking through the clutter from the board seat. Cos been doing this for 19 years. Still relatively small company. But, you know, Philippe talked a lot about kind of company. Percy's me industry security initiatives that have to go through what are some of the challenges and opportunities see sitting at the board seat instead of down in the nitty gritty down the CIO. >> Well, first of all, um, Qualys is financially a well run, responsible organization, and one of Philippe and the leadership team's goals has always been to operate profitably and to have that hedge. And so what that means is that as consumers, we can count on the longevity of the organization and the company's ability to execute on its road map.
It's the road map that I think is particularly attractive about Qualys. You know, I am who I am. I'm an operator. I'm a technologist. And so although I'm a board member and I care about all dimensions of the company, the most attractive component is that this road map and those 19 years of execution are now coming to fruition at exactly the right time. For those of us who need these tools and these technologies to operate, this is a different kind of platform, and it's instrumented with machine learning, with AI, at a time when the attackers and the attacks are instrumented that way as well. As you mentioned, we have a lot of noise in the market today, and these point solutions, they're gonna be around for a while, right? We operate a messy and complex and wonderful ecosystem. But at the same time, the more that we can streamline, simplify and sort of raise that bar, and the more we can depend on the collected data from all of these point tools to instrument our automated responses, the better off we'll be. And so this is a platform whose time has come, and as we see all of the road map items sort of coming to fruition, it's really, really exciting. And it's, you know, just speaking for a moment as someone who's been a leader in various technology companies in the security and, you know, technology space for some time. One of the most disappointing things about many technology startups is that they don't build in that business strength to have enough longevity and have enough of a hedge to execute on that brilliant vision. And so many brilliant ideas have just not seen the light of day because of a failure to execute. In this case, we have a company with a track record of execution that's monetized the build out of the platform, and now also these game changing technologies are coming to fruition. It's really, really exciting to be a part of it. >> So Wendy, you've mentioned AI, machine learning. Probably get checked.
The transfer of a number of times 85 times in this interview. So it's really interesting, you know, kind of there's always a lot of chatter in the marketplace. But you talked about so many threats coming in, and we heard about it in the keynote. It's not really for somebody sitting in front of a screen anymore to pay attention to this stuff. So when you look at the opportunity of machine learning and artificial intelligence and how that's going to change the role of the CIO, and specifically in security, when if you can share your thoughts on what that opens up. >> Absolutely. So there's kind of two streams here I'd love to talk about. The first is that we've had this concern as we've moved to public cloud in IT that IT people would be left behind. But in fact, after sort of a little DevOps blip where non-IT people were writing code that was then consumed by enterprises, we're now seeing the growth of IT again. And what this relates to is this: in the past, when we wanted to deploy something in public cloud, we had to be able to compose and express infrastructure as code. And, um, folks who are great at infrastructure are actually pretty lousy at writing code, and so that was a challenge. But today we have low-code and no-code tools, things like Workato, for example, that my team uses, that allow us to express the operational processes that we follow, sort of the best practices and the accumulated knowledge of these IT professionals. And then we turn the machine on that inefficient code, and the machine improves and refines the code. So now, adding machine learning to the mix enables us to have these IT professionals who know more than you'd ever imagine about storage and compute and scaling and data and cybersecurity and so on. And they're able to transform that knowledge into code that a machine can read, refine and execute against. And so we're seeing this leap forward in terms of the ability of some of these tools
to transform how we address the scale and the scope and the complexity of these challenges. And so on the one side, I think there's new opportunity for IT professionals and for those who have that operational expertise to thrive because of these tools. On the other side, there's also the opportunity for the bad guys in the cyberspace, um, to also engage with the use of these tools. And so the use of these tools at sort of a baseline level isn't enough. Now we need to train the systems, and the systems need to be responsive, performant, resilient. And also, they need to have the ability to be augmented by, to be integrated with these tools. And so suddenly we go from having this utopian AI future where, you know, the good looking male or female robot, you know, is the nanny for our kids, um, to something much more practical that's already in place, which is that the machine itself, the computer itself, is refining and augmenting the things that human beings are doing, and therefore able to be, first of all, more responsive, more performant, but also to do that layer of work that is not unique to human discernment. >> Right. We hear that over and over, because the press loved to jump on the general AI. I think it's much more fun to show robots than really the applied AI, which is lots of just kind of like DevOps. Lots of little improvements. Yeah, lots of little places. >> Exactly. Exactly. You know, I mean, I kind of like the stories of our robot overlords, you know, take it over, too. But the fact is, at the end of the day, these machines, it's just math. It's just mathematics. That's all it is. It's compute. >> So Wendy, before I let you go, I want to touch about women in tech. You know, you're a huge proponent of women in tech. You're very active on lots of boards, and you're with Adriaan on the Girls in Tech board, where we last sat down. Um, and you're making moves now. Obviously, you've already got a C title.
Now you're doing more board work. I just wonder if you can kind of share your thoughts of how this kind of movement is progressing. It seems to have a lot of weight behind it, but I don't know if the numbers are really reflecting that, but you're on the front lines. What can you share? You know, you're trying to help women. That's much getting detect. But to stay into tech, I think, is what most of the stats talk about. >> Yeah, I've got a lot of thoughts on this. I think I'll try to bring all the vectors together. So I recently was awarded CEO of the year by the Fisher Center for Data and Analytics, and thank you very much. And the focus there is on inclusive analytics and inclusive AI. And I think this is sort of a story that makes the point. So if we think about all of the data that is training these technology tools and systems, um, and we think about the people who are creating these systems and the leaders who are building these systems and so on, for the most part, the groups of people who are working on these things, technologists, particularly in Silicon Valley, they're not a diverse set of people. They're mostly male. They're overwhelmingly male. Many are from just a handful of, um, you know, countries and groups, right? It's mainly, you know, Caucasian males, Indian males and Asian males. And because of that, um, this lack of diverse thinking and diverse development is being reflected in the tools in ways that eventually will build barriers for folks who don't share those characteristics. As an example, natural language processing tooling is trained by non diverse data sets, and so we have challenges with that. For example, people who are older speak a little bit more slowly and have different inflections in general on how they speak. And the voice recognition tools don't recognize them as often. People who have heavy accents, for example, are just not recognized.
Yes, you know, I always have a phone, um, and this is my iPhone, and I have had an iPhone for 10 years. Siri, my, you know, helpful agent, has been on the phone in all those years. And in all of those years, um, I have had a daughter named Holly, H-O-L-L-Y. And every time that I speak to, I dictate to Siri to send a message and I use my daughter's name, Holly, Siri always responds with the spelling H-O-L-I, the Hindu holiday. Now, in 10 years, Siri has never learned that when I say Holly, I most likely mean my daughter. >> Was in the context of the sentence. >> Exactly. Never, ever, ever. Because, you know, Siri is an AI, if you will, that was built without allowing for true user input through training at the point of conversation. And so that's it. That's bad architecture. There's a lot of other challenges with that architecture that reflect on cybersecurity and so on. One tiny example. But I think that, um, now more than ever, we need diverse voices in the mix. We need diverse training data. We need, you know, folks who have different perspectives and who understand different interaction design to be not only as tech entrepreneurs, builders and leaders of companies like, you know, Girls in Tech supports, educating women, supporting women entrepreneurs. I'm also on the board of another group called Tech Wald. That's all about bringing US combat veterans into the technology workforce. There's another diverse group of people who again can have a voice in this technology space. There are organizations that I work with that go into the permanent refugee camps and find technically qualified folks who can actually build some of this training data for, uh, you know, analytics and AI. We need much, much more of that. So, you know, my heart is full of the opportunity for this.
My head's on fire, you know, and just trying to figure out how can we get the attention of technology companies, of government leaders, before it's too late. Our training data sets are growing exponentially year over year, and they're being built in a way that doesn't reflect the potential usage. I was actually thinking about this the other day. I had an elderly neighbor who, uh, spoke with me about how excited he was that he no longer could drive. He wasn't excited about that. He no longer could drive. He couldn't see very well and couldn't operate a car. And he was looking forward to autonomous vehicles because he was gonna have mobility and freedom again. Right? Um, but he had asked me to help him to set up something that he had on his computer, and it was actually on his phone. But there were voice commands, but it didn't understand him. He was frustrated. So he said, could you help me? And I thought, man, if his mobile phone doesn't understand him, how's the autonomous vehicle going to understand him, so that the very population who needs these technologies the most will be left out, another digital divide. And, um, now is the moment, while these tools and technologies are being developed. A word about Qualys. You know, when I was recruited for the board, um, you know, they already had 50/50 gender parity on the board. It wasn't even a thing in my interviews. We didn't talk about the fact that I am female at all. We talked about the fact that I'm an operator, that I'm a technologist. And so, um, you know, that divide, it was already conquered on Qualys's board. That's so not true for many, many other organizations and leadership teams, particularly in California, Silicon Valley. And so I think there's a great opportunity for us to make a difference.
First of all, people like me who have made it, you know, by representing ourselves, and then people of every gender, every color, every ethnicity, immigrants, et cetera, um, need to, I'm begging you guys, stick with it, stay engaged, don't let the mean people, the naysayers, force you to drop out. Um, you know, reconnect with your original values and stay strong, because that's what it's gonna take. >> It's a great message. And thank you for your passion and all your hard work in the space. And the today it drives better outcomes is not only the right thing to do and a good thing to do that it actually drives better outcomes. >> We see that. >> All right, Wendy, again, always great to catch up. And congratulations on the award and the board seat, and look forward to seeing you next time. Thank you. All right, she's Wendy, I'm Jeff. You're watching theCUBE at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time.
Sumedh Thakar, Qualys | Qualys Security Conference 2019
>>from Las Vegas. It's the Q covering quality security conference 2019. You >>bike, Wallace. Hey, Welcome back. You're ready. Geoffrey here with the Cube were in Las >>Vegas at the Kuala Security Conference here at the Bellagio. 19 years they've been doing this conference star first time here, But we've got a real veteran. Has been here for 16 years who can really add some depth and perspective for happy to welcome submit to car. He's a president and chief product officer for cause like >>to see you. Thank you, >>Jeff. Thanks for having me. >>Pleasure. So just, uh, don't lorry before getting ready for this. Um, this day, listening to the earnings call. And you got a really nice shout out in the nights in the Last Rings call and your promotion just to let everybody know what submits got underneath his plate. R and D. Q A ops, product marketing and customer support and adding worldwide field sales ops. You're busy, guy. >>Yeah, you know. But the good thing is, >>no matter who you are, you only have 24 hours in the >>day. That's true. Just as Leo. But I am curious because you've been here for a >>while, you've seen a lot of technology, you know, kind of waves. And yet here you guys still are. You've got an architecture that's built to take advantage of things like open source to take advantage of things. My cloud is you kind of take a breath between customer meetings and running from panel the panel and you think about kind of the journey. You know what? What kind of strikes you that you know, that you guys are still here, Still successful, Still have a founding CEO. It's >>your position. Yeah, It's actually very interesting >>being here for 16 years. Started a software engineer. And, you know, I've been doing a lot of stuff doing a product management now, engineering and all of that. 
And I think one thing that's really part of the DNA for us and which is really helped us keep growing, is being innovative continuously, right, because five years ago, nobody would have said container technology docker eso, as new security knew in for sexual pattern times have come about. We've just been on our toes and making sure that we are addressing all these different newer areas. And so the key is not so much about what new technology is going to come, because two years from now there was something that we don't even know about right now. What's key is that we build a platform that we keep adding additional capabilities that continue to quickly and nimbly be able to address customer's needs. From that perspective. >>Yeah, we just had Laureano. She talked quite a bit about your kind of customer engagement model being different than the traditional ones, really trying to build a long lasting relationship and to collect that data from the customers to know what their prairies are all about. >>Yeah, >>and, you know, it's because we've been subscription based since day one. You know, this is the not we're not incentivized to go and try to sell our customers big fact, multimillion dollar deals. Then we don't disappear like enterprise sales usually does on perpetual licenses. So we have to earn our keep, and we want to make sure customers are we understand their needs so that they actually buy and purchase only what they are going to use so we can go back and they can grow more. We show the value. Uh, so that's a very different model on, you know, at the end of the day, that is a model of the cloud. So everybody who was in this consumption based model has to ensure that they are every year, going back and showing the value and earning their subscription back. So in that sense, security. Not a lot of vendors have done that for a long time. We've been the ones since the beginning to kind of follow this model, and it's worked very well for us. It's a great model. 
Customers were happy as we had more solutions. We showed the value, and it's very easy for them to upgrade and get additional value of quality at a very reasonable of you. No cost to them. >>It's interesting. Feli talked about an early conversation that he had with Marc Benioff details Horse and and I would argue that it was really sales force. That kind of cracked the code in terms of enterprising, being comfortable with a cloud based system and, you know, kind of past the security and the trust in this in that, so to make that gamble on the cloud so early, very, very fortunate and for two days. Thea Other thing I think that does not get enough play which you just touched on is a subscription business model forces you to deliver every month they're paying every month you gotta deliver Your mother is a very different relationship than a once a year. You know, not even once year to go get that big lump sum to get the renewal cause you're in bed with them. Every single say absolutely. Yeah, >>so that's really a very interesting model. >>So as you look forward, I know you're just given Ah, talk on, you know, kind of starting to look at the next big wave of trends. How do you get out ahead of it? What are you thinking about? What keeps you up at night would be excited about. >>So the very cool part about that about my job is that I also heard engineering and product Fork Wallace and Security. So we're living that digital transformation that our customers are going through as well. So we have a massive black farm. We have, like, three trillion data points. Every index, we have one million rights per second on Cassandra Clusters. So we are dealing with the same infrastructure innovation that our customers are doing and so died is helping us also learn how the secular own platform what our customers are thinking. Because as they are moving into Dev ops, we have already moved into that. We have learned our lessons, so we relate to what they're going through. 
And that's really the next big thing is hard to be enabled. Security tools to really be built into the DevOps tool chain so that we eliminate a lot of the issues upfront before they ever even become an issue. And, you know, my talk this morning was about started with the notion of TTR, which is the time to remediate, and the best time to remediate is the time of zero, right? If you don't ever let the issue get into your production environment, you never have to worry about fixing it. And that's really the next big thing for us is how do we create a platform that helps customer not the look at security in multiple silos, but to have a single platform where they can go all the way from DevOps to production to remediation to response all orchestrated to the same platform, >>right? It's pretty interesting, because that was, uh, Richard Clarke. Keynote the author. You know, we used to always break cos down into two buckets. You know, either those that had that have been breached and those that have been breached just don't know about it yet. Yeah. Yeah. And then, you know, he introduced his third concept, which is those that got breached but actually got on it. Remediated it. Maybe not the time, zero, but in a way that it did not become a big issue. Because, let's face it, you're going to get breached at some level. It's How do you keep it from becoming a big, big nightmare? >>Exactly. And that is really the only measure of effectiveness of your security, right? It's not about how many people you have, how many dollars you spend on security, how big your security team is. How many vendors you have. How quickly can you get in there, find and fix any issue that comes up? That's that. That's the living matter. If you can't do that with no people and no, uh, you know, resources that are being put to it with automation, then that's great. If you do that with 50 people, that's great. We just need to be able to get to that point.
And today, off course with hybrid infrastructure, we are realizing quickly, throwing more people that the problem is not really solving the problem. We just cannot keep going. We need to leverage that seem scalable technology that has been used in the digital transformation to provide that similar stuff from a security perspective through the customers as well, >>right? And even if you even if you wanted to hire the people, there aren't enough people, >>and that's another just our people, right? So the other >>thing that you must be really excited about is on the artificial intelligence of machine learning site and a lot of buzz in the press. Talk about robots and machines and this type of stuff. But, as you know, is we know where that robber really hits. The road is applied a I and bring in the power of that technology to specific problems. Complete game changer, I would assume for which you guys could do looking forward. >>Yeah. I mean, uh, you can really only >>have good machine learning and gold. Aye aye, if you really have a massive historic data that you can really mind to find out trends and understand how patterns have evolved, right, so only cloud based solutions can actually do that because they have a large amount of customer telemetry that they can understand and do that. So from that sense, Wallace Black form is absolutely suited for that. But having said that again, all of these have there specific application. So there's vendors were coming out and claiming that machine learning's going to solve world hunger and everything's gonna be great just because your machine learning but no machine learning and the prediction that comes with that on the privatization is one element off your tool kit. You still have to do your devil options still have to fix things. You still have to do a lot of things. But then how do you predict out of all the chaos, how can you try to focus on some things that may become a real problem, which are not now? 
So that's really the exciting part is to be able to bring that as an additional tool kit for the customer in their arsenal to be able to respond to threats much faster and better than they have in the past, >>right? It is a cloud based platform. You guys are sitting in the catbird seat for that. What about on the other side? The on the edge side, Another kind of new thing that's coming rapidly. Edges are messy. They don't have nice, pristine data. Center your environments. There's connectivity, problems, power problems, all types of issues as you look at kind of edge and IoT more generally, you know, increasing the threat surface dramatically. How do you How do you kind of think about that? How do you approach it to make it not necessarily a problem, but really an opportunity for follows? >>I mean, that's Ah, that's a great question because there is no magic pill for that, right? It's like you just have to be able to leverage continuous telemetry collection and the collection to be able to see these devices CDs, patterns on. So that's works really well for us because that to be able to do that right in a global organization to almost every organization is global. Global organization has multiple infrastructure, multiple people in different locations, multiple offices. And, uh, if you look at the IoT architecture, it is about sensors that are pushing down the one common platform which controls them and which updates them and all of that. That's the platform that Qualys has built since the beginning is multiple of these different sensors that are continuously collecting later, pushing it back into our platform. And that's the only way you can get the visibility across your global infrastructure. So in many ways, we are well suited to do that. And which is the big reason why we gave out of a global ideas and then 20 product for free for customers, because we truly believe that that's the first step for them to start to get secure.
And because we have the architecture and the platform and become significantly easier for us to be able to give them that gave every day, which is truly wide and not just say I have visibly in my cloudy here. But then container visibly, somewhere there and I ot visibly somewhere else, we bring all of that together in one place. >>All right, Spencer, I know you've got Thio run off >>to your next commitment. We >>could we could keep going, but I think we have to leave it there again. Congrats on your promotion >>and thank you. All right. He submit. I'm Jeff. You're watching the Cuba Think >>Wallace Security conference in Las Vegas. Thanks for watching. We'll see you next time. Thanks.
Laurie MacCarthy, Qualys | Qualys Security Conference 2019
>>from Las Vegas. It's the cues covering quality security Conference 2019. Bike. Wallace. >>Hey, welcome back it. Ready? Geoffrey here with the Q worth the Bellagio Hotel in Las Vegas for the quality security conference. This thing's been going on for 19 years. I had no idea. It's our first time here, but it's pretty interesting out. Felipe and the team have evolved this security company over a lot of huge technological changes and security changes, and they're still clipping along, doing a lot of cool things in cloud and open source. We're excited of our next guest. She's Laurie McCarthy, the EVP of worldwide field >>operations. Lori, great to see you. >>Thanks. Glad to be here. >>Absolutely. So first off, congratulations in doing some homework for this. I was going through the earnings call. The last turning call, which A was a nice earnings call. You're making money buying back stock. Also, you were promoted or the announcement of your promotion on that call and really some nice, complimentary words from Philippe and the team about the work that you've done actually >>very grateful. Thank you. And >>one of the things we >>talked about, which is unique in your background as you came from a customer. Not It's always a day ago. These shows we have people that I came from customers that went to the vendor, and then we have people that rest of Endor and they went over to the customers. There's a lot of that kind of movement, but he really complimented your execution at CVS as a big reason why you got the promotion that you did. So again. Congrats. But let's talk about, you know, kind of the CVS experience from when you were running it. Not when you're on the quality side. Yeah, that the threats. And CBS is in class nationwide, all kinds of stuff. >>Yeah, well, I mean, you know, just like any other company that's in that health care vertical, you've got so many different things to think about. 
Additionally, we were also in the retail vertical, so we had a lot of compliance. E's to worry about p c p c i p. I s O. A lot of the programs had been very much, uh, checkbox driven prior to the team that moved in there, including myself, and kind of changed that. So I helped to rebuild the vulnerability program there. And we started to do it in such a way that it was for the sake of security, not just checking a box. And we were really innovated how they do things. A lot of my friends are still there, and they have their own stock now, and we kind of brought everything in house. So a lot of that was outsourced. >>So what was the catalyst to make the change To move from beyond simple compliance and check in the box, Actually making a strategic part of the execution? >>Yeah, at the time and a new sea so had been put into place. And it was someone with that vision, and I think that's what really drove it. I came in just after that and was brought in on the premise that this is what we're going to change and move toward. So I was part of that process from that >>point, right? It clearly, qualities was part of the solution. So what? What did you use calls for their and how is the solution changed? You know, kind of >>so back then when >>you want to call it, >>we're talking. In 9 4010 2011 Right around there. If you opened up the quality platform, you had three things to choose from. Versus today, when you log in, you've got 18 or more, depending. And S O CVS used a little bit of all of that with the mainstay having been the vulnerability management. So I ran to full vulnerability management programs there because we had to keep our pharmacy benefit company and our retail companies separate. So I sort of did double duty, >>Right? So what you doing now on field operations? >>So is the E V p of worldwide for Wallace. I'm running all of the technical account managers for our company way have a unique sales model here, so it's a little different. 
So everyone in the field to service is our clients rolls up to me, and then that also includes some additional teams, like our federal team, our strategic alliances team and also our subject matter experts >>today. So you said a couple >>times you guys have your account management structure is different than maybe traditional. Kind of >>walk through. Yeah, absolutely. So versus a traditional sales model. We have a salesperson. You have client service person. You have a technical, you know, social architect kind of person. We service our clients all with one person. We have a technical account manager. We break them up into two flavors. We have a presales who are very technical folks that go out and help us get our business. And then those accounts get handed over to our post sales, who are basically the farmers in our business, maintaining and growing our existing clients. What that allows for, which is really special, is we can go in and really build a relationship built on trust and understanding and strategy, because we bring people into our company like myself who have done this, who have sat on that side of the table. So you know, someone comes in and says What? You know, how would you like to buy one of my gizmos? It's a lot different conversation when it's like, Look at what I do with this gizmo like it's amazing. So it's It's kind of a similar feeling that you guys >>have your kind of platform with application strategy enables you to kind of do a land and expand, and in fact you even a something that people can try for free. >>Yeah, absolutely. So we review our model as, like, try and buy. So for both our non clients are freemium service is that we offer our, you know, out of this world for people being able to just log in without even being a client and start to evaluate their environment. 
And then when they see the value that we bring, it's very easy to translate that into a buy and then likewise, for our clients who sign up for a service or two enabling additional trials and having them work within our new service is as they're being rolled out, is very, very simple, the way our platform is built. So it's just it's a really effortless, very natural progression of business that we that we built. And it's one of the reasons that I work here because as a client, I really enjoyed my relationship with this company because it never felt like I was being sold anything. It always felt like I was being handed solutions to my challenges, and that's what we tried to do. And that's how I lead everyone today is Let's get out, Let's listen, let's strategize and let's see where we fit in with folks, right strategies for, you know, the coming >>future. So must be a team >>approach, though, right? Because one person you know to say, trying to manage the CVS account, that would be, >>Oh, so we have a little bit of a break out in our post side. We have what a new role that I helped get implemented here at the company, which is a major account solution architect they handle are bigger, more complex accounts. So as our platform has matured, so have our clients are bigger. Clients are using more of our platform. They're using it in a more expert way. So we had to answer that with the right kind of people who could speak to that expert level of usage and be able to finance that. So that's a little bit part of it. And on our bigger clients, we do have more of a team approach. We have a product management, a project management organization. The S M E team are subject matter. Experts roll up under me. They're experts in each of our solutions. So it's a sizeable team and they are liaise between product management, engineering our fields and our clients. And that's another support mechanism. 
And then our support at Qualys is also something that augments our technical account managers jobs on a daily basis. >>So new opportunity with Azure that was recently announced a bundle. Yeah, you're bundled in kind of under the covers, not not really under the covers. So a little bit about how that's gonna work from kind of an account management and and from your kind of point of view, >>So it's It's actually not gonna change much of anything on the way that we are. Mom are our model is a hybrid, right? So we have direct sales that we have indirect sales, even honor in direct sales through partners through relationships like we've just built with Azure, MSSPs and reach whatever. We still treat every end customer and every partner like a direct customer. So we work very hard to educate our partners, to work with them, to make sure they're successful with our clients. And we're also treating our clients who are through that avenue the same way. So it's it's just gonna blend right in with what we >>do. Yeah, that's great, but hopefully it's a sales channel and they get more than they just bought it under the covers and start implementing. >>It's easy for them to jump in with us. And then from there we can build those relationships with perhaps, you know, prospects and folks that aren't our clients now and be able to show them more things that we do. Besides just, you know, the one thing that they might be signing up for at that time, >>right? Right. Okay, great. I want to shift gears a little bit.
I could think more specifically, and security is a subset of all tech, but share the some of the activities you have going on. >>So personally, I try to be very involved locally. Four Children. One of them is a daughter. She's too little, quite yet for getting into tact. I have two older sons and s so I try to be really involved in middle school high school. Hey, put me in, Coach, I'll come in and talk to the kids. Generating interest in getting into this field at a young age is what we need to do. They're still aren't enough gals and, honestly, guys heading into our business in college. So I I really take it upon myself as a security professional to try to promote that specifically around women. I'm really pleased that our company supports an organization which I've been a part of for a while, and that's the Executive Woman's Forum, and we sponsor their conference every year, and we sponsor events with them. I personally am part of their mentor program, so that allows me a channel. Thio have ah, unassigned person to work with, and I really enjoy that, and our company itself is just very excellent at promoting and enabling women within our organization. And it's another reason that I really loved working here for the past eight years, >>right? Well, from the top. Because the board, I think, is either for more than half. Yemen, which is certainly half >>women CEO, is very supportive. Our presidents, two men way have a great environment. Thio grow women professionally here in my company, >>right? That's great. So, ah, year from now, when we come back, what are we gonna be talking about? What's kind of on a road map? For the next year, >>we're going to be talking about our data leak efforts, or Sim. We're gonna be talking about our improved Edie, our capabilities that are really gonna put us in the position to be a major player in that market. Um, and who knows? We have such a quick turnaround of innovation here and what we do by the way we do our business. 
So starting with the technical account manager's boots on the ground with our clients, when we're there listening to all of their challenges, we're also taking that back, and that drives our innovation that the company so we hear what they need, and that's what we provide. So as things changed, we're going to continue to do that digital transformation, of course, is is making that something that we have to be even quicker about. And I think we're doing a good job >>keeping up well. 19 years and counting, making money. Find back, buying back shares to help everyone else's stock delusion. So not that, but nothing but good success. It's all right. Well, Laurie, thanks for taking a few minutes of your day. And again, congratulations on your promotion as well as a terrific event. >>Thank you very much. >>All right. She's Laurie. I'm Jeff. You're watching the Cube with the quality security conference at the Bellagio and lovely >>Las Vegas. Thanks for watching. We'll see you next time.
Grant Johnson, Ancestry | Qualys Security Conference 2019
>> Narrator: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019. Brought to you by Qualys. >> Hey, welcome back, you ready with Jeff Frick here with theCUBE. We are at the Qualys Security Conference in Las Vegas. This show's been going on, I think, 19 years. This is our first time here. We're excited to be here, and we've got, there's always these people that go between the vendor and the customer and back and forth. We've had it go one way, now we've got somebody who was at Qualys and now is out implementing the technology. We're excited to welcome Grant Johnson. He is the director of Risk and Compliance for Ancestry. Grant, great to see you. >> Thank you for having me, great to be here. >> Yeah, it is always interesting to me and there's always a lot of people at these shows that go back and forth between, and they're creating the technology and delivering the technology versus implementing the technology and executing at the customer side. So, you saw an opportunity at Ancestry, what opportunity did you see and why did you make that move? >> Well it's a good question, I was really happy where I was at, I worked for here at Qualys for a long time. But, I had a good colleague of mine from way back just say, hey look, he took over as the chief information security officer at Ancestry and said, "they've got an opportunity here, do you want it?" I said, "hey sure." I mean, it was really kind of a green field. It was the ability to get in on the ground floor, designing the processes, the environment, the people and everything to, what I saw is really a really cool opportunity, they were moving to the cloud. Complete cloud infrastructure which was a few years ago, you know, a little uncommon so it was just an opportunity to learn a lot of different things and kind of be thinking through some different processes and the way to fix it. >> Right, right, so you've been there for a little while now.
Over three years, what was the current state and then what was the opportunity to really make some of those changes, as kind of this new initiative with this new CISO? >> No, yeah, we were traditional. You know, a server data center kind of background and everything like that. But with the way the company was starting to go as we were growing it, really just crazy, just at a crazy clip, to where we really couldn't sustain. We wanted to go global, we wanted to move Ancestry out to Europe and to other environments and just see the growth that was going to happen there, and there just wasn't a way that we could do it with the traditional data center model. We're plugging those in all over the place, so the idea is, we're going to go to a cloud and with going to the cloud, we could really rethink the way that we do security and vulnerability management, and as we went from a more traditional model which is, where you scan and tell people to patch and do things like that, to where we can try to start to bake vulnerability management into the process and do a lot of different things. And you know, we've done some pretty cool things that way, I think as a company and, always evolving, always trying to be better and better every day but it was a lot of fun and it's been really kind of a neat ride. >> So, was there a lot of app redesign and a whole bunch of your core infrastructure. Not boxes, but really kind of software infrastructure that had to be redone around a cloud focus so you can scale? >> Yeah. There absolutely was. We really couldn't lift and shift. We really had to take, because we were taking advantage of the cloud environment, if we just lifted and shifted our old infrastructure in there, it wasn't going to take advantage of that cloud expansion like we needed it to. >> Right. >> We needed it to be able to handle it tide, of high tide, low tide, versus those traffic times when we're high and low. So it really took a rewrite.
And it was a lot of really neat people coming together. We basically, at the onset of this right when I started in 2016, our chief technology officer got up and said, "we're going to burn the ships." We have not signed the contract for our data center to renew at 18 months. So we have to go to the cloud. And it was really neat to see hundreds of people really come together and really make that happen. I've been involved in the corporate world for a long time in IT. And a lot of those projects fail. And it was really neat to see a big project like that actually get off the ground. >> Right, right. It's funny, the burning the ship analogy is always an interesting one. (Grant laughs) Which you know, Arnold Schwarzenegger never had a plan B. (Grant laughs) Because if you have plan B, you're going to fall back. So just commit and go forward. >> A lot of truth to that. Right, you're flying without a net, whatever kind of metaphor you want to use on that one. Yeah, but you have to succeed and there is a lot that'll get it done I think, if you just don't have that plan B like you said. >> Right, so talk about kind of where Ancestry now is in terms of being able to roll out apps quicker, in terms of being able to scale much larger, in terms of being able to take advantages of a lot more attack surface area, which probably in the old model was probably not good. Now those are actually new touch points for customers. >> It's a brave new world on a lot of aspects. I mean, to the first part of that, we're just a few days away from cyber Monday. Which is you know, our normal rate clip of transactions is about 10 to 12 transactions a second. >> So still a bump, is cyber Monday still a bump? >> It's still huge for us. >> We have internet at home now. We don't have to go to work to get on the internet to shop. >> You know, crazy enough, it still is. You know, over the course of the week, and kind of starting on Thanksgiving, we scale to have about 250 transactions a second.
So that was one of the good parts of the cloud, do you invest in the big iron and in the big piping for your peak times of the year. Or and it sits, your 7-10% utilization during the rest of the year, but you can handle those peaks well. So I mean, we're just getting into the time of year, so that's where our cloud expansion, where a lot of the value for that has come. In terms, of attack surface, yeah, absolutely. Five years ago, I didn't even know what a container was. And we're taking advantage a lot of that technology to be able to move nimbly. You can't spin up a server fast enough to meet the demands of user online clicking things. You really have to go with containers and that also increases what you really need to be able to secure with people and the process and technology and everything like that. >> Right. >> So it's been a challenge. It's been really revitalizing and really, really neat to me to get in there and learn some new things and new stuff like that. >> That's great. So I want to ask you. It may be a little sensitive, not too sensitive but kind of sensitive right. Is with 23 and Me and Ancestry, and DNA registries, et cetera, it's opened up this whole new conversation around cold case and privacy and blah blah blah. I don't want to get into that. That's a whole different conversation, but in terms of your world and in terms of risk and compliance, that's a whole different type of a data set I think that probably existed in the early days of Ancestry.com >> Yeah >> Where you're just trying to put your family tree together. So, how does that increased value, increased sensitivity, increased potential opportunity for problems impact the way that you do your job and the way that you structure your compliance systems? >> Boy. Honestly, that is part of the reason why I joined the company. Is that I really kind of saw this opportunity. Kind of be a part of really a new technology that's coming online. I'd have to say.
>> Or is it no different than everyone else's personal information and those types of things? Maybe it's just higher profile in the news today. >> Not at all, no. It's kind of inherent within our company. We realized that our ability to grow and stay affable or just alive as a business, we pivot on security. And security for us and privacy is at the fore front. And I think one of the key changes that's done for maybe in other companies that I get is, people from our development teams, to our operations teams, to our security department, to our executives. We don't have to sell security to 'em. They really get it. It's our customer privacy and their data that we're asking people to share their most personal data with us. We can give you a new credit card. Or, you can get a new credit card number issued. We can't give you a new DNA sequence. >> Right. >> So once that's out there, it's out there and it is the utmost to us. And like I said, we don't have to sell security internally, and with that we've gotten a lot of support internally to be able to implement the kind of things that we needed to implement to keep that data as secure as we can. >> Right, well that's nice to hear and probably really nice for you to be able to execute your job that you don't have to sell security. It is important, important stuff. >> Grant: Yes, that's absolutely true. >> All right, good. So we are jamming through digital transformation. If we talk a year from now, what's on your plate for the next year? >> We just continue to evolve. We're trying to still continue the build in some of those processes that make us better, stronger, faster, as we go through, to respond to threats. And just really kind of handle the global expansion that our company's undergoing right now. Just want to keep the lights on and make sure that nobody even thinks about security when they can do this.
I can't speak for them, but I think we really want to lead the world in terms of privacy and customer trust and things like that. So there are a lot of things that I think we've got coming up that we really want to kind of lead the way on. >> Good, good. I think that is a great objective and I think you guys are in a good position to be the shining light to be, kind of guiding in that direction 'cause it's important stuff, really important stuff. >> Yeah, we hope so, we really do. >> Well Grant, nothing but the best to you. Good luck and keep all that stuff locked down. >> Thank you, thank you so much! Thanks for having me. >> He's Grant, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time. (upbeat music)
Richard A. Clarke, National Security & Cyber Risk Expert | Qualys Security Conference 2019
>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey welcome back everybody, Jeff Frick here with theCUBE, we're in Las Vegas at the Bellagio, at the Qualys Security Conference, pretty amazing, it's been going on for 19 years, we heard in the keynote. It's our first time here, and we're excited to have our first guest, he was a keynote earlier this morning, the author of nine books, Richard Clarke, National Security and Cyber Risk expert, and author most recently of "The Fifth Domain." Dick, great to see you. >> Great to be with you. >> Absolutely. So you've been in this space for a very long time. >> I started doing cybersecurity in about 1996 or 1997. >> So early days. And preparing for this, I've watched some of your other stuff, and one of the things you said early on was before there was really nothing to buy. How ironic to think about that, that first there was a firewall, and basic kind of threat protection. Compare and contrast that to walking into RSA, which will be in a couple of months in Moscone, 50,000 people, more vendors than I can count on one hand, now there's too much stuff to buy. Do you look at this evolution? What's your take? And from a perspective of the CIO and the people responsible for protecting us, how should they work through this morass? >> Well, the CIO and the CFO, got used to thinking cyber security costs a little bit, 'cause you can only buy, this is 1997, you can only buy antivirus, firewall, and maybe, in 1997, you could buy an intrusion detection system. Didn't do anything, it just went "beep," but you could buy that too. So you had three things in 1997. And so that resulted in the IT budget having to take a tiny little bit of it, and put it aside for security, maybe 2%, 3% of the budget. Well, now, if you're only spending 2 or 3% of your IT budget on security, somebody owns your company, and it's not you (laughs). 
>> And that's 2 or 3% of the IT budget, that's not the whole budget. >> No, that's the IT budget. What we found in researching the book, is that secure companies, and there are some, there's companies that don't get hacked, or they get hacked, but the hack gets in, immediately contained, identified, quarantined. The damage is done, but it's easily repaired. Companies that are like that, the resilient companies, are spending 8%, 10%, we found companies at 12 and 17%, of their IT budget on security, and to your point, how many devices do you have to buy? You look at the floor at any of these RSA Conventions, Black Hat, or something, now there are 2000 companies at RSA, and they're all selling something, but their marketing message is all the same. So pity the poor CSO as she goes around trying to figure out, "Well, do I want to talk to that company? "What does it do?" We found that the big banks, and the big corporations, that are secure, have not three, anymore, but 75, 80, different, discreet cybersecurity products on their network, most of it software, some of it hardware. But if you've got 80 products, that's probably 60 vendors, and so you got to, for yourself, there's the big challenge, for a CSO, she's got to figure out, "What are the best products? "How do they integrate? "What are my priorities?" And, that's a tough task, I understand why a lot of the people want to outsource it, because it's daunting, especially for the small and medium-size business, you got to outsource it. >> Right, right. So the good news is, there's a silver lining. So traditionally, and you've talked about this, we talk about it all the time too, there's people that have been hacked and know it, and people that have been hacked and just don't know it yet, and the statistics are all over the map, anywhere you grab it, it used to be hundreds of days before intrusions were detected. 
Kind of the silver lining in your message is, with proper investments, with proper diligence and governance, you can be in that group, some they're trying to get in all the time, but you can actually stop it, you can actually contain it, you can actually minimize the damage. >> What we're saying is, used to be two kinds of companies, those that are hacked and knew it, and those that are hacked that don't, that didn't know it. Now there's a third kind of company. The company that's stopping the hack successfully, and the average, I think, is a 175 days to figure it out, now it's 175 minutes, or less. The attack gets in, there's all the five or six stages, of what's called "the attack killchain," and gets out very, very quickly. Human beings watching glass, looking at alerts, are not going to detect that and respond in time, it's got to be automated. Everybody says they got AI, but some people really do (laughs), and machine learning is absolutely necessary, to detect things out of the sea of data, 75 different kinds of devices giving you data, all of them alarming, and trying to figure out what's going on, and figure out in time, to stop that attack, quarantine it, you got to move very, very quickly, so you've got to trust machine learning and AI, you got to let them do some of the work. >> It's so funny 'cause people still are peeved when they get a false positive from their credit card company, and it's like (laughs), do you realize how many of those things are going through the system before one elevates to the level that you are actually getting an alert? >> So the problem has always been reducing the number of false positives, and identifying which are the real risks, and prioritizing, and humans can't do that anymore. >> Right, right, there's just too much data. 
So let's shift gears a little bit about in terms of how this has changed, and again, we hear about it over and over, right, the hacker used to be some malicious kid living in his mom's basement, being mischievous, maybe, actually doing some damage, or stealing a little money. Now it's government-funded, it's state attacks, for much more significant threats, and much more significant opportunities, targets of opportunity. You've made some interesting comments in some of your prior stuff, what's the role of the government? What's the role of the government helping businesses? What's the role of business? And then it also begs the question, all these multinational businesses, they don't even necessarily just exist in one place, but now, I've got to defend myself against a nation state, with, arguably, unlimited resources, that they can assign to this task. How should corporate CIOs be thinking about that, and what is the role, do you think, of the government? >> Let's say you're right. 20 years ago we actually used to see the number of cyber attacks go up on a Friday night and a Saturday night, because it was boys in their mother's basement who couldn't get a date, you know, and they were down there having fun with the computer. Now, it's not individuals who are doing the attacks. It is, as you say, nation states. It's the Russian Army, Russian Intelligence, Russian Military Intelligence, the GRU. The North Korean Army is funding its development of nuclear weapons by hacking companies and stealing money, all over the world, including central banks, in some cases. So, yeah, the threat has changed, and obviously, a nation state is going to be far more capable of attacking, military is going to be far more capable of attacking, so, CISOs say to me, "I'm being attacked by a foreign military, "isn't that the role of the Pentagon "to defend Americans, American companies?"
And General Keith Alexander, who used to run Cyber Command, talks about, if a Russian bomber goes overhead, and drops a bomb on your plant, you expect the United States Air Force to intercept that Russian bomber, that's why you pay your taxes, assuming you pay taxes. What's the difference? General Alexander says, whether that's a Russian bomber attacking your plant, or a Russian cyber attack, attacking your plant, and he says, therefore, people should assume the Pentagon will protect them from foreign militaries. That sounds nice. There's a real ring of truth to that, right? But it doesn't work. I mean, how could the Pentagon defend your regional bank? How could the Pentagon defend the telephone company, or a retail store? It can't. It can barely defend itself, and they're not doing a great job of that either, defending the federal government. So, do you really want the Pentagon putting sensors on your network? Looking at your data? No, you don't. Moreover, they can't. They don't have enough people, they don't have enough skills. At the end of the day, whatever the analogy is about how the Defense Department should defend us from foreign military attack, they can't. And they shouldn't, by the way, in my view. The conclusion that that gets you to, is you got to defend yourself, and you can, right now, if you use the technology that exists. The government has a role, sure. It can provide you warnings, it can provide the community with intelligence, it can fund development and stuff, can train people, but it cannot defend your network, you have to defend your network. >> And you have municipalities, I think it's Atlanta, is the one that keeps getting hit, there's-- >> Well Louisiana, just the other night, the whole state of Louisiana government unplugged from the internet, because it was being hit by a ransomware attack. The whole city of Baltimore's been down, the whole city of Atlanta, as you said. 
There's a real problem here, because people, many of them are paying the ransom, and they pay the ransom, and they get their network back right away. People ask me, "Can I trust these criminals?" Well you can trust them to give you your network back, because they have a reputation to maintain. Think about that. This whole thing about ransomware depends on their reputation, the bad guys' reputation. If they get a reputation for not giving you your network back when you pay, no one's ever going to pay, so they do give it back, and sometimes that's a lot quicker, and a lot cheaper, than saying no and rebuilding your network. But if we give them the money, what are they doing with it? Yeah, they're buying Ferraris to drive round the streets of Moscow, but some of that money is going back into R&D, so they can develop more effective attacks. >> So it's an interesting take, right, so most people, I think, would say that the cybersecurity war is completely always going to be kind of cat and mouse, whack-a-mole, that the bad guys are always a little step ahead, and you're always trying to catch up, just the way the innovation cycle works. You specifically say no, that's not necessarily always true, that there are specific things you can do to, not necessarily have an impenetrable wall, but to really minimize the impact and neutralize these threats, like a super white blood cell, if you will. So what are those things that companies should be doing, to better increase their probability, their chance, of, I don't know, blocking-- >> Depends on the size of the company. >> Absorbing. >> Depends on the size of the company. But I think whether you're a small-to-medium business, or you're an enterprise, you begin in the same place. And I do this with all of my consulting contracts, I sit down with the leadership of the company individually, and I ask every one of them, "What are you worried about? "What could happen? "What could a bad guy do to you "that matters to your company?" 
'Cause what matters to one company may not matter to another company. And you can't spend your entire budget defending the network, so let's figure out exactly what risk we're worried about, and what risk we're just kind of willing to tolerate. And then, we can design security around that, and sometimes that security will be outsourced, to a managed security provider. A lot of it means getting into the cloud, because if you're in Amazon or Microsoft's cloud, you've got some security automatically built in, they've got thousands of people doing the security of the cloud, and if your server's in your basement, good luck. (laughs) >> So, as you look forward, now you said you finished the book earlier in the year, it gets published, and it's out, and that's great, but as you said, it's a fast-moving train, and the space develops. 10 years from now, we don't want to look at 10 years from now, it's way too long. But as you look forward the next couple, two, three years, what are you keeping an eye on, that's going to be, again, another sea change of both challenge and opportunity in this space? >> The three technologies we talk about in the book, for the three-year time horizon, 'cause I can't get beyond three years, more machine learning on the defense, but also more machine learning on the offense, and where does that balance work out? To whose advantage? Secondly, quantum computing, which, we don't know how rapidly quantum computing will come onto the market, but we do know it's a risk for some people, in that it might break encryption, if the bad guys get their hands on the quantum computer, so that's a worry. But one I think most immediately, is 5G. What 5G allows people to do, is connect millions of things, at high speed, to the internet. And a lot of those things that will be connected are not defended right now, and are outside firewalls, and don't have end-point protection, and aren't really built into networks on a secure network.
So I worry about 5G empowering the Internet of Things, and doing what we call expanding the attack surface, I worry about that. >> Right, Richard, well thank you for taking a few minutes, and congrats on the book, and I'm sure within a couple of years the gears will start turning and you'll put pen to paper and kick another one out for us. >> Number 10. >> All right. He's Richard, I'm Jeff, you're watching theCUBE, we're at the Qualys Security Conference at the Bellagio in Las Vegas, thanks for watching, we'll see you next time. (upbeat music)
Syamla Bandla, Qualys - CloudNOW Top Women in Cloud - #TopWomenInCloud - #theCUBE
>> Hi, welcome to theCUBE. I'm your host Lisa Martin, and we are on the ground at Google with CloudNOW, which is a nonprofit organization for women in cloud computing and converging technologies. Tonight CloudNOW is celebrating their fifth annual top women in cloud innovation, and we are very excited to be joined by one of the winners of the award tonight, Syamla Bandla, who's the vice president, global cloud operations and DevOps at Qualys. Welcome to theCUBE. >> Thank you. >> So you're an award winner tonight. Tell us about the project that garnered you this prestigious honor. >> I'm happy to share that, and actually I'm very thrilled and excited to be here and participating with the other accomplished leaders. There were actually two key projects which got me, one is the scale in the big data and the complexity dealing with the clouds, and it's not one cloud. Qualys being the cloud provider for security, we manage security products for different customers. We are talking about big scale. We do three billion scans annually, we do about hundred billion detections annually, and we do about one trillion security endpoints or data points. So how do you manage the scale, and bringing new features to the market at her lightning speed is the key. So I had three key strategies which got me to the award, one is agility, visibility and security. And being a service provider for security, security's in the forefront all the time for the platforms. We also believe in sipping our own champagne, we use our own products to make sure our platforms are secure. Visibility, you know, things break, and when things break at scale, Qualys is no different, and the strategy I had evolved and the team had executed on was a single pane of glass for, you know, knowing when things break and how do you quickly fix it. And agility, how do you deploy, regardless whether in you're in Amazon, Azure or Google Cloud Platform or software or even your own private cloud on VMware, we should be able to deploy our platforms quickly. So I had initiated a new DevOps strategy where, regardless of your underlying infrastructure, how do you quickly deploy your workloads, that is the KP, how do you fail fast. And to top it off, the culture is very important. Transforming the entire operations team being just not a support organization but being that innovation driving organization was the key. >> Wow, fantastic. You are obviously, you're a very accomplished technologist, you're an award winner. Give us a quick overview of some of the things that are the most influential or have been the most influential to get you to be where you are now, this successful female leader in technology. >> Two things come to mind. First is believe in yourself. Never think anything is impossible, everything is possible. Always believe in making an impact. Be that problem solver, whether it is within Europe your own organization or whether it is in a cross-functional, whether it's a technology problem, whether it's a process, always believe you can make an impact. >> I love that. Believe in yourself, believe you can make an impact. Syamla, thank you so much for joining. My congratulations. >> Thank you. >> Being one of the top women in cloud innovation, we're thrilled to have you. >> Thank you so much. >> You've been watching theCUBE. I'm your host Lisa Martin, and if you know a female that should be featured on our program, tweet us at theCUBE, hashtag women in tech, and we'll see you next time.
ENTITIES
Entity | Category | Confidence |
---|---|---|
Lisa Martin | PERSON | 0.99+ |
Syamla Bandla | PERSON | 0.99+ |
Shambhala Bangla | PERSON | 0.99+ |
Europe | LOCATION | 0.99+ |
two key projects | QUANTITY | 0.99+ |
Amazon | ORGANIZATION | 0.98+ |
tonight | DATE | 0.98+ |
ORGANIZATION | 0.98+ | |
first | QUANTITY | 0.97+ |
about hundred billion detections | QUANTITY | 0.96+ |
two things | QUANTITY | 0.95+ |
three billion scans | QUANTITY | 0.95+ |
one | QUANTITY | 0.94+ |
fifth annual | QUANTITY | 0.9+ |
single pane | QUANTITY | 0.87+ |
about one trillion security endpoints | QUANTITY | 0.86+ |
three key strategies | QUANTITY | 0.86+ |
CloudNOW | ORGANIZATION | 0.84+ |
one of the winners | QUANTITY | 0.78+ |
VMware | TITLE | 0.75+ |
annually | QUANTITY | 0.73+ |
Top Women in Cloud | TITLE | 0.65+ |
vice | PERSON | 0.59+ |
Qualys | ORGANIZATION | 0.52+ |
operations | ORGANIZATION | 0.48+ |
#TopWomenInCloud | TITLE | 0.44+ |
Paulus | PERSON | 0.41+ |
Rajiv Mirani and Thomas Cornely, Nutanix | .NEXTConf 2021
(upbeat electronic music plays) >> Hey everyone, welcome back to theCube's coverage of .NEXT 2021 Virtual. I'm John Furrier, host of theCube. We have two great guests, Rajiv Mirani, who's the Chief Technology Officer, and Thomas Cornely, SVP of Product Management. Day Two keynote product, the platform, announcements, news. A lot of people, Rajiv, are super excited about the, the platform, uh, moving to a subscription model. Everything's kind of coming into place. How are the customers, uh, seeing this? How they adopted hybrid cloud as a hybrid, hybrid, hybrid, data, data, data? Those are the, those are the, that's the, that's where the puck is right now. You guys are there. How are customers seeing this? >> Mirani: Um, um, great question, John, by the way, great to be back here on theCube again this year. So when we talk to our customers, pretty much, all of them agreed that for them, the ideal state that they want to be in is a hybrid world, right? That they want to essentially be able to run both of those, both on the private data center and the public cloud, and sort of have a common platform, common experience, common, uh, skillset, same people managing, managing workloads across both locations. And unfortunately, most of them don't have that tooling available today to do so, right. And that's where the platform, the Nutanix platform's come a long way. We've always been great at running in the data center, running every single workload, we continue to make great strides on our core with the increased performance for, for the most demanding, uh, workloads out there. But what we have done in the last couple of years has also extended this platform to run in the public cloud and essentially provide the same capabilities, the same operational behavior across locations.
And that's when you're seeing a lot of excitement from our customers because they really want to be in that state, for it to have the common tooling across work locations, as you can imagine, we're getting traction. Customers who want to move workloads to public cloud, they don't want to spend the effort to refactor them. Or for customers who really want to operate in a hybrid mode with things like disaster recovery, cloud bursting, workloads like that. So, you know, I think we've made a great step in that direction. And we look forward to doing more with our customers. >> Furrier: What is the big challenge that you're seeing with this hybrid transition from your customers and how are you solving that specifically? >> Mirani: Yeah. If you look at how public and private operate today, they're very different in the kind of technologies used. And most customers today will have two separate teams, like one for their on-prem workloads, using a certain set of tooling, a second completely different team, managing a completely different set of workloads, but with different technologies. And that's not an ideal state in some senses, that's not true hybrid, right? It's like creating two new silos, if anything. And our vision is that you get to a point where both of these operate in the same manner, you've got the same people managing all of them, the same workloads anyway, but similar performance, similar SaaS. So they're going to literally get to point where applications and data can move back and forth. And that's, that's, that's where I think the real future is for hybrid. >> Furrier: I have to ask you a personal question. As the CTO, you've got to be excited with the architecture that's evolving with hybrid and multi-cloud, I mean, I mean, it's pretty, pretty exciting from a tech standpoint, what is your reaction to that? >> Mirani: 100% and it's been a long time coming, right? We have been building pieces of this over years.
And if you look at all the product announcements, Nutanix has made over the last few years and the acquisitions that made them and so on, there's been a purpose behind them. That's been a purpose to get to this model where we can operate a customer's workloads in a hybrid environment. So really, really happy to see all of that come together. Years and years of work finally finally bearing fruit. >> Furrier: Well, we've had many conversations in the past, but it congratulates a lot more to do with so much more action happening. Thomas, you get the keys to the kingdom, okay, and the product management you've got to prioritize, you've got to put it together. What are the key components of this Nutanix cloud platform? The hybrid cloud, multi-cloud strategy that's in place, because there's a lot of headroom there, but take us through the key components today and then how that translates into hybrid multi-cloud for the future. >> Cornely: Certainly, John, thank you again and great to be here, and kind of, Rajiv, you said really nicely here. If you look at our portfolio at Nutanix, what we have is great technologies. They've been sold as a lot of different products in the past, right. And what we've done last few months is we kind of bring things together, simplify and streamline, and we align everything around a cloud platform, right? And this is really the messaging that we're going after is look, it's not about the price of our solutions, but business outcomes for customers. And so are we focusing on pushing the cloud platform, which we encompasses five key areas for us, which we refer to as cloud infrastructure, no deficiencies running your workloads. Cloud management, which is how you're going to go and actually manage, operate, automate, and get governance. And then services on top that started on all around data, right? So we have unified storage, finding the objects, data services. We have database services. 
Now we have outset of desktop services, which is for EMC. So all of this, the big change for us is this is something that, you know, you can consume in terms of solutions and consume on premises. As Rajiv discussed, you know, we can take the same platform and deploy it in public cloud regions now, right? So you can now get no seamless hybrid cloud, same operating model. But increasingly what we're doing is taking your solutions and re-targeting issues and problems at workers running native public clouds. So think of this as going, after automating more governance, security, you know, finding objects, database services, wherever you're workload is running. So this is taking this portfolio and reapplying it, and targeting on prem at the edge in hybrid and in christening public cloud in ATV. >> Furrier: That's awesome. I've been watching some of the footage and I was noticing quite a lot of innovation around virtualized, networking, disaster, recovery security, and data services. It's all good. You guys were, and this is in your wheelhouse. I know you guys are doing this for many, many years. I want to dive deeper into that because the theme right now that we've been reporting on, you guys are hitting right here what the keynote is cloud scale is about faster development, right? Cloud native is about speed, it's about not waiting for these old departments, IT or security to get back to them in days or weeks and responding to either policy or some changes, you got to move faster. And data, data is critical in all of this. So we'll start with virtualized networking because networking again is a key part of it. The developers want to go faster. They're shifting left, take us through the virtualization piece of how important that is. >> Mirani: Yeah, that's actually a great question as well. So if you think about it, virtual networking is the first step towards building a real cloud like infrastructure on premises that extends out to include networking as well. 
So one of the key components of any cloud is automation. Another key component is self service and with the API, is it bigger on virtual networking. All of that becomes much simpler, much more possible than having to, you know, qualify it, work with someone there to reconfigure physical networks and slots. We can, we can do that in a self service way, much more automated way. But beyond that, the, the, the notion of virtual networks is really powerful because it helps us to now essentially extend networks and, and replicate networks anywhere on the private data center, but in the public cloud as well. So now when customers move their workloads, we'd already made that very simple with our clusters offering. But if you only peek behind the layers a little bit, it's like, well, yea, but the network's not the same on the side. So now it, now it means that I got to re-IP my workloads, create new subnets and all of that. So there was a little bit of complication left in that process. So with virtual networking that goes away also. So essentially you can repeat the same network in both locations. You can literally move your workloads, no redesign of your network required and still get that self service and automation capabilities of which cookies so great step forward, it really helps us complete the infrastructure as a service stack. We had great storage capabilities before, we had great compute capabilities before, and sort of networking the third leg and all of that. >> Furrier: Talk about the complexity here, because I think a lot of people will look at DevOps movement and say, infrastructure is code when you go to one cloud, it's okay. You can, you can, you know, make things easier. Programmable. When, when you start getting into data center, private data centers, or essentially edges now, cause if it's distributed cloud environment or cloud operations, it's essentially one big cloud operation. So the networks are different. As you said, this is a big deal. Okay.
This is sort of make infrastructure as code happen in multiple environments across multiple clouds is not trivial. Could you talk about the main trends and how you guys see this evolving and how you solve that? >> Mirani: Yeah. Well, the beauty here is that we are actually creating the same environment everywhere, right? From, from, from point of view of networking, compute, and storage, but also things like security. So when you move workloads, things with security, posture also moves, which is also super important. It's a really hard problem, and something a lot of CIO's struggle with, but having the same security posture in public and private clouds reporting as well. So with this, with this clusters offering and our on-prem offering competing with the infrastructure service stack, you may not have this capability where your operations really are unified across multicloud hybrid cloud in any way you run. >> Furrier: Okay, so if I have multiple cloud vendors, there are different vendors. You guys are creating a connection unifying those three. Is that right? >> Mirani: Essentially, yes, so we're running the same stack on all of them and abstracting away the differences between the clouds that you can run operations. >> Furrier: And when the benefits, the benefits of the customers are what? What's the main, what's the main benefit there? >> Mirani: Essentially. They don't have to worry about, about where their workloads are running. Then they can pick the best cloud for their workloads. It can seamlessly move them between Cloud. They can move their data over easily, and essentially stop worrying about getting locked into a single, into a single cloud either in a multi-cloud scenario or in a hybrid cloud scenario, right. There many, many companies now were started on a cloud first mandate, but over time realized that they want to move workloads back to on-prem or the other way around. 
They have traditional workloads that they started on prem and want to move them to public cloud now. And we make that really simple. >> Furrier: Yeah. It's kind of a trick question. I wanted to tee that up for Thomas, because I love that kind of that horizontal scales, what the cloud's all about, but when you factor data into it, this is the sweet spot, because this is where, you know, I think it gets really exciting and complicated too, because, you know, data's got, can get unwieldy pretty quickly. You got state got multiple applications, Thomas, what's your, what can you share the data aspect of this? This is super, super important. >> Absolutely. It's, you know, it's really our core source of differentiation, when you think about it. That's what makes Nutanix special right? In, in the market. When we talk about cloud, right. Actually, if you've been following Nutanix for years, you know, we've been talking a lot about making infrastructure invisible, right? The new way for us to talk about what we're doing, with our vision is, is to make clouds invisible so that in the end, you can focus on your own business, right? So how do you make Cloud invisible? Lots of technology is at the application layer to go and containerize applications, you know, make them portable, modernize them, make them cloud native. That's all fine when you're not talking of state class containers, that the simplest thing to move around. Right. But as we all know, you know, applications end of the day, rely on data and measure the data across all of these different locations. I'm not even going to go seconds. Cause that's almost a given, you're talking about attribution. You can go straight from edge to on-prem to hybrid, to different public cloud regions. You know, how do you go into the key control of that and get consistency of all of this, right? So that's part of it is being aware of where your data is, right? 
But the other part is that inconsistency of set up data services regardless of where you're running. And so this is something that we look at the cloud platform, where we provide you the cloud infrastructure go and run the applications. But we also built into the cloud platform. You get all of your core data services, whether you have to consume file services, object services, or database services to really support your application. And that will move with your application, that is the key thing here by bringing everything onto the same platform. You now can see all operations, regardless of where you're running the application. The last thing that we're adding, and this is a new offering that we're just launching, which is a service, it's called, delete the dead ends. Which is a solution that gives you visibility and allow you to go and get better governance around all your data, wherever it may live, across on-prem edge and public clouds. That's a big deal again, because to manage it, you first have to make sense of it and get control over it. And that's what data answer's is going to be all about. >> Furrier: You know, one of the things we've we've been reporting on is data is now a competitive advantage, especially when you have workflows involved, um, super important. Um, how do you see customers going to the edge? Because if you have this environment, how does the data equation, Thomas, go to the edge? How do you see that evolving? >> Cornely: So it's yeah. I mean, edge is not one thing. And that's actually the biggest part of the challenge of defining what the edge is depending on the customer that you're working with. But in many cases you get data ingesting or being treated at the edge that you then have to go move to either your private cloud or your public cloud environment to go and basically aggregate it, analyze it and get insights from it. Right? 
So this is where a lot of our technologies, whether it's, I think the object's offering built in, we'll ask you to go and make the ingest over great distances over the network, right? And then have your common data to actually do an ethics audit over our own object store. Right? Again, announcements, we brought into our storage solutions here, we want to then actually organize it then actually organize it directly onto the objects store solution. Nope. Using things, things like or S3 Select built into our protocols. So again, make it easy for you to go in ingest anywhere, consolidate your data, and then get value out of it. Using some of the latest announcements on the API forms. >> Furrier: Rajiv, databases are still the heart of most applications in the enterprise these days, but databases are not just the data is a lot of different data. Moving around. You have a lot of new data engineering platforms coming in. A lot of customers are scratching their head and, and they want to kind of be, be ready and be ready today. Talk about your view of the database services space and what you guys are doing to help enterprise, operate, manage their databases. >> Mirani: Yeah, it's a super important area, right? I mean, databases are probably the most important workload customers run on premises and pretty close on the public cloud as well. And if you look at it recently, the tooling that's available on premises, fairly traditional, but the clouds, when we integrate innovation, we're going to be looking at things like Amazon's relational database service makes it an order of magnitude simpler for our customers to manage the database. At the same time, also a proliferation of databases and we have the traditional Oracle and SQL Server. But if you have open source MongoDB, and MySQL, and a lot of Postgres, it's a lot of different kinds of databases that people have to manage. And now it just becomes this cable. I have bespoke tooling for each one of them.
So with our Era product, what we're doing is essentially creating a data management layer, a database management layer that unifies operations across your databases and across locations, public cloud and private clouds. So all the operations that you need, you do, which are very complicated in, in, in, in with traditional tooling now, provisioning of databases, backing up and restoring them, providing true time machine capabilities, so you can pull back transactions. We can copy data management for your data first. All of that has been tested in Era for a wide variety of database engines, your choice of database engine at the back end. And so the new capabilities are adding sort of extend that lead that we have in that space. Right? So, so one of the things we announced at .NEXT is, is, is, is one-click storage scaling. So one of the common problems with databases is as they grow over time, it's not running out of storage capacity. Now re-provisions to storage for a database, migrate all the data where it's weeks and months of look, right? Well, guess what? With Era, you can do that in one click, it uses the underlying AOS scale-out architecture to provision more storage and it does it with zero downtime. So on the fly, you can resize your databases that speed, you're adding some security capabilities. You're adding some capabilities around resilience. Era continues to be a very exciting product for us. And one of the things, one of the real things that we are really excited about is that it can really unify database operations between private and public. So in the future, we can also offer a version of Era, which operates on native public cloud instances and really excited about that. >> Furrier: Yeah. And you guys got that two X performance on scaling up databases and analytics. Now the big part point there, since you brought up security, I got to ask you, how are you guys talking about security? Obviously it's embedded in from the beginning.
I know you guys continue to talk about that, but talk about, Rajiv, the security on, on that's on everyone's mind. Okay. It goes evolving. You're seeing ransomware continuing to happen more and more and more, and that's just the tip of the iceberg. What do you guys, how are you guys helping customers stay secure? >> Mirani: Security is something that you always have to think about as a defense in depth when it comes to security, right? There's no one product that, that's going to do everything for you. That said, what we are trying to do is to essentially go with the gamut of detection, prevention, and response with our security, and ransomware is a great example of that, right. We've partnered with Qualys to essentially be able to do a risk assessment of your workloads, to basically be able to look into your workloads, see whether they have been patched, whether they have any known vulnerabilities and so on. To try and prevent malware from infecting your workloads in the first place, right? So that's, that's the first line of defense. Now no systems will be perfect. Some, some, some, some malware will probably get in anyway. But then you detect it, right. We have a database of all the 4,000 ransomware signatures that you can use to prevent ransomware from, uh, detecting ransomware if it does infect the system. And if that happens, we can prevent it from doing any damage by putting your file systems and storage into read-only mode, right. We can also prevent lateral spread of, of your ransomware through micro-segmentation. And finally, if you were, if you were to evade all those defenses, that you were actually able to encrypt data on, on, on a filer, we have immutable snapshots, they can recover from those kinds of attacks. So it's really a defense in depth approach.
And in keeping with that, you know, we also have a rich ecosystem of partners. Qualys is one of them, but older networks market sector that we work with closely to make sure that our customers have the best tooling around and the simplest way to manage security of their infrastructure. >> Furrier: Well, I got to say, I'm very impressed guys, by the announcements from the team I've been, we've been following Nutanix in the beginning, as you know, and now it's back in the next phase of the inflection point. I mean, looking at my notebook here from the announcements, the VPC virtual networking, DR Observability, zero trust security, workload governance, performance expanded availability, and AWS elastic DR. Okay, we'll get to that in a second, clusters on Azure preview cloud native ecosystem, cloud control plane. I mean, besides all the buzzword bingo that's going on there, this is cloud, this is a cloud native story. This is distributed computing. This is virtualization, containers, cloud native, kind of all coming together around data. >> Cornely: What you see here is, I mean, it is clear that it is about modern applications, right? And this is about shifting strategy in terms of focusing on the pieces where we're going to be great at. And a lot of these are around data, giving you data services, data governance, not having giving you an invisible platform that can be running in any cloud. And then partnering, right. And this is just recognizing what's going on in the world, right? People want options, customers want options. When it comes to cloud, they want options to where they're running the reports, want options in terms of, whether it be using to build the modern applications. Right? So our big thing here is providing and being the best platform to go and actually support for developers to come in and build and run their new and modern applications.
That means that for us supporting a broad ecosystem of partners, entrepreneur platform, you know, we announced our partnership with Red Hat a couple of months ago, right? And this is going to be a big deal for us because again, we're bringing two leaders in the industry that are eminently complementary when it comes to providing you a complete stack to go and build, run, and manage your cloud-native applications. When you do that on premises, utilizing like the preferred ATI environment to do that. Using the Red Hat OpenShift, or, you're doing this open to public cloud and again, making it seamless and easy, to move the applications and their supporting data services around, around them that support them, whether they're running on prem in hybrid winter mechanic. So cloud native is a big deal, but when it comes to cloud native, the way we look at this, it's all about giving customers choice, choice of that from services and choice of infrastructure service. >> Furrier: Yeah. Let's talk to the Red Hat folks, Rajiv, it's you know, it's, they're an operating system thinking company. You know, you look at the internet now in the cloud and edge, and on-premise, it's essentially an operating system. You need your backup and recovery needs to disaster recovery. You need to have the HCI, you need to have all of these elements part of the system. It's, it's, it's, it's building on top of the existing Nutanix legacy, then the roots and the ecosystem with new stuff. >> Mirani: Right? I mean, it's, in fact, the Red Hat part is a great example of, you know, the perfect marriage, if you will, right? It's, it's, it's the best in class platform for running the cloud-native workloads and the best in class platform with a service offering in there. So two really great companies coming together. So, so really happy that we could get that done. You know, the, the point here is that cloud native applications still need infrastructure to run off, right?
And then that infrastructure, if anything, the demands on that and growing it since it's no longer that hail of, I have some block storage, I have some filers and, you know, just don't excite them, set. People are using things like object stores, they're using databases increasingly. They're using the Kafka and MapReduce and all kinds of data stores out there. And back haul must be great at supporting all of that. And that's where, as Thomas said, earlier, data services, data storage, those are our strengths. So that's certainly a building from platform to platform. And then from there onwards platform services, great to have right out of the pocket. >> Furrier: People still forget this, you know, still hardware and software working together behind the scenes. The old joke we have here on theCube is serverless is running on a bunch of servers. So, you know, this is the way that is going. It's really the innovation. This is the infrastructure as code truly. This is what's what's happened is super exciting. Rajiv, Thomas, thank you guys for coming on. Always great to talk to you guys. Congratulations on an amazing platform. You guys are developing. Looks really strong. People are giving it rave reviews and congratulations on, on, on your keynotes. >> Cornely: Thank you for having us. >> Okay. This is theCube's coverage of .NEXT global virtual 2021, Cube coverage day two keynote review. I'm John Furrier with theCube. Thanks for watching.
ENTITIES
Entity | Category | Confidence |
---|---|---|
Cornely | PERSON | 0.99+ |
Mirani | PERSON | 0.99+ |
John | PERSON | 0.99+ |
Thomas | PERSON | 0.99+ |
Thomas Cornely | PERSON | 0.99+ |
Rajiv | PERSON | 0.99+ |
Nutanix | ORGANIZATION | 0.99+ |
Amazon | ORGANIZATION | 0.99+ |
John Furrier | PERSON | 0.99+ |
Red Hat | ORGANIZATION | 0.99+ |
two | QUANTITY | 0.99+ |
AWS | ORGANIZATION | 0.99+ |
Qualys | ORGANIZATION | 0.99+ |
two separate teams | QUANTITY | 0.99+ |
Rajiv Mirani | PERSON | 0.99+ |
both | QUANTITY | 0.99+ |
first step | QUANTITY | 0.99+ |
4,000 ransomware | QUANTITY | 0.99+ |
two leaders | QUANTITY | 0.99+ |
one | QUANTITY | 0.99+ |
one click | QUANTITY | 0.99+ |
both locations | QUANTITY | 0.98+ |
first line | QUANTITY | 0.98+ |
red hat | ORGANIZATION | 0.98+ |
first mandate | QUANTITY | 0.98+ |
today | DATE | 0.98+ |
this year | DATE | 0.98+ |
first | QUANTITY | 0.98+ |
three | QUANTITY | 0.97+ |
SQL | TITLE | 0.97+ |
one-click | QUANTITY | 0.96+ |
one thing | QUANTITY | 0.96+ |
each one | QUANTITY | 0.96+ |
second | QUANTITY | 0.96+ |
two great guests | QUANTITY | 0.96+ |
Kafka | TITLE | 0.96+ |
Azure | TITLE | 0.95+ |
two new silos | QUANTITY | 0.95+ |
EMC | ORGANIZATION | 0.95+ |
both locations | QUANTITY | 0.94+ |
Map Reduce | TITLE | 0.94+ |
one cloud | QUANTITY | 0.93+ |
Devers | ORGANIZATION | 0.91+ |
AOS | TITLE | 0.91+ |
third leg | QUANTITY | 0.91+ |
Day Two | QUANTITY | 0.91+ |
single | QUANTITY | 0.9+ |
five key areas | QUANTITY | 0.89+ |
Arab | OTHER | 0.88+ |
single cloud | QUANTITY | 0.87+ |
great companies | QUANTITY | 0.86+ |
couple of months ago | DATE | 0.85+ |
2021 | DATE | 0.84+ |
Mongo | TITLE | 0.82+ |
Karim Toubba & Caroline Japic, Kenna Security | CUBEConversations, February 2020
(upbeat music) >> Welcome to this special Cube conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE, we have two special guests, Karim Toubba, CEO of Kenna Security, and Caroline Japic, CMO, Kenna Security. Great to see you guys, thanks for coming on, appreciate you taking the time, appreciate it. >> Thanks for having us. >> So RSA is coming up, big show, security's at the top of the list of all companies. You guys have a very interesting company. Risk based vulnerability management is like the core secret sauce, but there's a lot going on. Take a minute to talk about your company. What do you guys do? Why do you exist? >> Yeah, sure. Thanks for having us. So, the security landscape, as you very well know, pretty crowded space, a lot of different vendors, a lot of technologies that enterprises and organisations have to deal with. What we do has a lot of complexity behind it, but in practicality for enterprises is actually quite simple. They have many, many data sources that are finding problems for them, mapping to their attack surface: what are misconfigurations? Where are there vulnerabilities in your network or your host, where are there vulnerabilities in your applications? We're taking all of that data, specifically from 48 different data sources, we map it to what attackers are doing in the wild, run it through a lens of risk, and then enable the collaboration between I.T. and security, on what to focus on at the tip of the spear with a high degree of fidelity and efficacy so that they know that they can't fix everything, but prioritize the things that matter and are going to move the meter the most. >> So you guys have emerged as one of those kind of new models, the new guard of security, it's interesting, it's been around for 10 years, but yet a lot's changed in 10 years but a lot of evolving. Risk based vulnerability management is the buzzword, R-B- >> V-M >> Okay, really comes from the founder of the company.
Why is this becoming an important theme? Because you got endpoints, you got all kinds of predictive stuff with data, you got surface area is growing, but what specifically about this approach makes it unique and popular? >> Yeah, I think what's happening is if you, to really answer that question, you have to look at two different ends of the spectrum in terms of the business, the security side and the IT DevOps and application development side. And at the core of that is what was largely traditional tension. If you think about security teams, operations teams, incident response teams, and if you sit down with them and understand what they do on a day to day basis, beyond the incident response and reaction side, they have a myriad of tools and technologies that discover problems, typically millions of issues. Then you go to the IT side, and the application and DevOps side, and they care about building the next application, making sure the systems are up and running. And what happens is they, we've gotten to the point where they can't possibly fix everything security is asking them to fix, and that's created a lot of tension, people have woken up, started to realize that that tension has to give way to collaboration. And the only way you can do that is enable security to detect all the problems, but then very quickly focus and prioritize on the things that matter, and then go to IT and then tell them specifically what to fix so that they have a high degree of precision and understanding, that the needle will be moved relative to what they're asking them to do. >> So is it the timing of the marketplace and the evolution of the business where it used to be IT that handled it, and now security has gotten broader in its scope, that there's now too many cooks in the kitchen, so to speak? 
>> Yeah, it's gotten broader in its scope, and there's also been a realization that if you think about the security problem statement, they find all the problems, but if you peel back the layers, you quickly realize, they own very little of the remediation path. Who fixes-- >> John: They being IT? >> They being security. >> John: Okay. >> Yeah, so it's actually quite fascinating. If you think about who fixes a vulnerability on an operating system like Windows or Linux, it's the IT team. If you think about who fixes or upgrades a Java library or rewrites an application it's DevOps or the application developers, but security's finding all the problems. So they're realizing, as they deploy more tools, find more issues, and increase the amount of data, they've got to get very precise and really enable an entirely new way of collaborating with IT so that they can get them to focus on the things that matter the most. >> Karim, I want to dig into some of the complexity, but first I want to get to Caroline on the brand, and the marketing challenge because it's almost an easy job in the sense, because there's a lot of security problems out there to solve, but it's also hard on the other side, is that, where's the differentiation? There's so many vendors out, there's a lot of noise. How are you looking at the marketplace? Because you guys are emerging with nice lift on the value proposition, you won some recent awards. How do you view the marketplace? RSA is going to be packed with vendors, it's going to be wall to wall, we get put in the corner, we are going to have small space for theCUBE, but there's a lot there and customers are being bombarded. How are you marketing the value proposition? >> You are right. There's so much noise out there, but we are very clear and precise on the value we bring to our customers, we also let our customers tell the story.
So whether it's HSBC, or SunTrust, or Levi, we work with them very closely with those CSOs, with their head of IT to understand their challenges, and then to bring those stories to life so we can help other companies because our biggest challenge is that people just don't know that there's a better solution to this problem. This problem's been around a long time, it's getting worse every day, we're reading about the vulnerabilities that are happening on a regular basis, and we're here to let people know we can fix it, and we can do it in a pretty quick and painless way. >> You had mentioned before we came on camera that you're getting known, as the brand gets out there, but when you're in the deals, you win. Could you guys share some commentary on why that's the case? Why are you winning? >> Yeah, by the way, just to piggyback off that a little bit, there is a really interesting paradigm happening within the security space, if you look at the latest publications, I don't know, there are 1400 of us all buzzing around with the same words? I think what Caroline and the team have done an exceptional job on, particularly relative to the positioning is, we don't want to scare people into looking at Kenna. We want to be more ethereal than that and make them understand that we're ushering in a new way away from tension to an era of collaboration with IT, DevOps and application teams. That's very different than telling somebody in your messaging, Hey, did you hear the latest attack that happened at XYZ? >> Yeah. >> That sort of fear and marketing through FUD, is creating a lot of challenges for organizations, and candidly, is making CISOs and other people in security close the door. >> I've definitely heard that, do you think that's happening a lot? >> I think that's happening a lot.
I think we're sort of, I like to think that Caroline and the team are sort of at the forefront of leading that initiative, and you can, and we're doing it in every way possible to really sort of tell a much more positive story about how security can be smarter and spin in a positive light, and in fact, the technology is enabling that, so it's consistent. >> We live in dark times. Unfortunately, a lot of people like, if it bleeds, it leads, and that's a really kind of bad way to look at it. But back to your point about tension and collaborations, I think that's an interesting thread. There's a ton of tension out there, that's real, from the CISO's perspective. Because there's too many teams, I mean, you got, Blue Team, Red Team, IT, governance, compliance, full stack developers, app. So you have now too many teams, too many tools that have been bought and it's like, people have all these platforms, they're drowning in this. How do you guys solve that problem? >> Yeah, it's back to that point of collaboration, and what we've really found that's been interesting in solving that problem, because what we're doing if you step back, is, we're bringing in all these data sources, and where that tension comes in, if you unpack it a little bit, is from different people coming in with different data sources. So IT comes to the table about what to fix, with their own point of view, security comes with their own point of view, application teams come with their own point of view, governance and compliance comes with their point of view. What we do is we come in and even though we're technology, we're really aligning people in process. We're saying, "Look, we're going to amass all that data, we're going to very quickly use machine learning and a bunch of algorithms to sift through millions of pieces of data and divine what actually matters."
It's empirical, it's evidence based, and we align all the organizations around that filter through risks so that there's agreement on how to measure that, what to prioritize, what to action and what the results look like. And it turns out that when you get a bunch of people across an organization, to get aligned around data that they all agree with as the source of truth, it gets much easier to get them to really focus on the things that ultimately matter. >> It's a single version of the truth, right? It's a single version that they all can work from. Security isn't telling IT, "This should be your priority today," when they say, "You don't know what my priorities are," it's actually the data that's telling them what their priorities are by role, and that's really important and really gets past all the friction and the fighting in between the teams. >> Yeah, that's great point, back to my other question when I get back to you Caroline, is what does the success formula look like for you guys? Why are you winning? What is the feedback you're hearing from your customers? Because at the end of the day, references are important, but also, success is a tell sign. So what's the reasons behind the success? >> Yeah, I'll let Karim talk about being face to face with customers, because he does that all the time. But what we're saying is that, the customers are resonating with the story that we're telling, they understand they have the problem we're laying out in a very simple way for, to be able to solve their solution, and that's working. We've redone our positioning, our messaging, we've trained our sales team, people understand the value we can bring, and that's what we're communicating, and that's what's working. >> Karim, please add on that, I want to get more into this. >> Yeah, and on the customer side, what we see and I'll give you a pretty classic example for us with a very large bank that's a customer of ours. We actually started on the security side, right?
We sold to their deputy CISO to deploy, and then eventually, they doubled down and then deployed globally across 64 countries. And that happened sponsored by the CIO. Now we're a security company, so you ask the question, well, why did that get driven in that structure? And why did that deal go down ultimately in that way? And what was the real value? The value to the security person was clear, I want to aggregate 10 to 12 different data sources, I want to prioritize, I want to collaborate with IT. The value to the CIO was the CIO happens to own all the application developers and all the IT people and the security people on a global basis. And so what they wanted to do, is they wanted to understand what the risk was for each of the lines of businesses they had within the organization so that they can hold the business users accountable to paying a small tax for security, not just developing the next billion dollar high net worth application, which is extremely important to those businesses, but at the same time, ensuring that they're secure. And so that leverage when you start with security, and then branch out in other organizations, especially in large, multinational organizations, is really where the real value comes into the platform. >> So if I hear you correctly, you come in for security, okay, we can get rid of the noise, help you out, check, win, and then the rest of the organization doesn't have security teams per se, >> Karim: Correct. >> Needs security to be built in from day one. >> Karim: Correct. >> You're providing a cross connect of value to the other teams? >> That's right. >> It's almost like, security is code, if you will. >> Karim: That's right. And nowhere is that more evident in our utilization statistics.
So we're a SaaS platform, so of course we, like many other SaaS companies do a bunch of analytics on utilization of our customers, more often than not, in our large scale enterprises, we actually have more IT and non security users logging into Kenna, in a self service model, because they're the ones, back to the point you made earlier, that are actually driving the remediation path. >> Take us through how that works. So say I'm interested, okay, you sold me on it, great, I need the pain relief on the security side, I need the enablement and empowerment on the collaboration side, what do I do? Do I just plug my databases into you? Is it API driven? Are you on Amazon? Are you on Azure? What's cloud? What am I dealing with? Take me through the engagement. >> Yeah, so we're a 100% cloud based platform. Multi cloud, so we can deploy in AWS, we can deploy in Google et cetera. And then what we do is we effectively through a bunch of APIs called connectors that are transparent to the customers, we enable them to bring in their data. So this is everything from traditional scanning data like Qualys, Rapid7, Tenable, more, newer data like CrowdStrike, Tanium, DAST, SAST, software composition analysis tools, WhiteHat, Veracode, Black Duck, Sonatype, you name it. The list goes on, specifically, there's about 48 of them. All of that basically helps us understand what the totality of the attack surface is. That's very useful for security because they're using multiple tools. We then overlay what we call exploit intel, this is the data that tells us about what attackers are doing in the wild. Specifically, we have 5 billion pieces of data that tell us about what vulnerabilities are being popped, what's the rate of change, what malware are they being embedded in? That information is used through machine learning to help us prioritize and risk score each of the findings we get from the customer tools.
And then where it pivots over to IT, is we then allow them to take all of that data and that metadata and asset criticality into what we call risk meters. So they're basically aligned with where, how IT operates. So for example, if you own all the Linux infrastructure in the cloud, you log in, you'll only see the risk across the infrastructure you own. Whereas if Caroline owns all the endpoint real estate across Windows, she logs in and understands what her risk is across Windows. And then we of course, integrate in the ticketing systems to drive the remediation and report up to executives and then over to security, about what the workflow you-- >> So you guys are really focusing not so much on the security NOC or the SOC, it's more on indexing, if you will, for lack of a better description, the surface area, >> Karim: Correct. >> And getting that prepared from a visibility standpoint to acquire the data. >> Karim: That's right. >> And then leveraging that across-- >> Across the organizations, yeah. >> Did I get that, right? >> It's exactly right. And if you ask, if you again, double click deeper on that, what's fascinating to watch, so we have an annual, or bi annual report that we do called Prioritization to Prediction, or P2P. And this is all of our customer data completely anonymized in a warehouse, and then we run a bunch of reports, and a lot of the analytics we ran initially were around security. Now we're starting to pivot in IT. If you look at our latest report, one of the most interesting things I found in my time here is that the average large scale enterprise has actually no more than 10% remediation capacity, right? So what does that tell you? That tells you that 90% of the problems are going to go unsolved, which pinpoints why it's even more important to have specific prioritization on the things that matter. >> They solve the right 10%. >> At the right time too, >> At the right time.
>> 10% capacity, operating capacity, assuming some automation that might take care of some of the low hanging fruit >> Exactly. >> Through DevOps or automation. You can focus on those 10% at the right time, which by the way, if you use that capacity for the wrong problems at the wrong time, it's wasted capacity. >> Karim: That's right. >> That's what you guys are trying to get at, right? >> Karim: That's exactly right, work smarter, not harder. >> So Kenna Security, what's the vision? What's the next step? Why should someone care about working with you guys? Why is it important to engage you guys? What's the big deal? Is it the risk based vulnerability, kind of origination invention, which is the core or the DNA, or is it something bigger? What's the vision? What's the why? >> Yeah, well look for us, we started, our company was actually founded by a gentleman by the name Ed Bellis, who's the ex chief security officer at Orbitz, and he founded the company out of a need. We started very early in the traditional pure vulnerability space. This was like calling Classic Qualys, Rapid7, Tenable. We then expanded into the application world. So this is starting to take in, moving up stack if you will full stack, as the environment moves to cloud, as the environment moves to containers, as the environment moves to configuration management as the environment moves to a much more ephemeral state, that will drive an entirely new set of data sources that will drive an entirely different new set of priorities all aligned with the same model of risk. So our view of the future is that we are the platform that enables the organization to understand the totality of the attack surface, that enables collaboration across all the groups that deal with technology within enterprises, and allows them to really prioritize and understand risk in a way that not only fosters the collaboration, but gives you that return on investment that candidly ultimately CIOs are looking for.
>> Caroline, the story from a marketing perspective, what's the story you're trying to tell? >> We started this space, our founder Ed Bellis is the father of risk based vulnerability management and he loves it when I say that, but it's 100% true. We are continuing down this path, I mean, there are so many companies that have this problem that don't know that there's a better way to solve it. And so for now, our mission is to make sure that we're educating those people, they understand what's possible to do today, and then continuing from there, so. >> Well, I really appreciate you guys coming in and introducing and sharing more about Kenna Security, we've been seeing successes. I'm going to ask you about what you guys think about RSA, I'd love to get both you guys to weigh in. But before we get to the RSA kind of what's coming, take a quick minute to plug the company. What are you guys looking to do? You hiring? You just got some funding? Give the quick pitches. >> Yeah, sure, we did. We just closed a $48 million Series D round. We had all of our investors and a new investor, Sorenson Ventures come in. We also had two strategic investors, Citi and HSBC, because we do quite well, that's very good validation. And we're also quite prominent in the financial services vertical, it helps that. And so for us, it's really about scaling, right? Scaling people, scaling the technology, scaling capabilities-- >> John: Across the board. >> Across the board. >> Engineering, obviously. >> Engineering, sales, geographies, it's really about getting the word out there and then being able to follow that up with the feet on the street that matter. >> We're definitely hiring, but we're also growing through OEMs. So we have a relationship with VMware, they're embedding us into their app defense products, and so if you buy app defense from VMware, you are buying Kenna whether you know it or not. >> So you're going to be an ingredient in other products. >> That's right.
>> And or direct or indirect, probably some channel ecosystem opportunities? >> That's right. >> So we're growing on the technology partner OEM front, definitely interested in talking to companies that are interested on that front. >> We should do a whole segment on my fascination with what I call tier two or tier 1B clouds, specialty clouds, security clouds. So maybe do that another time. Okay, final question for you guys. RSA is coming this year 2020, and then a series of other events. Cloud Security has been a hot topic since re:Inforce last year was launched, we were there, kicking off theCUBE in security. What do you guys expect this year at RSA? What do you think the big themes are going to be? The hype? The meat on the bone? What's the real deal? What's the hype? What do you guys think is going to happen? >> Karim: I'll let you start. >> Yeah, I can tell you our theme is the right fight club. Because we are focused on the right fight that you need to have every day inside your enterprise. It's not focused on all the vulnerabilities that are hitting you because they're hundreds of thousands of them, millions of them, and there's going to be more every single day, it's about fighting the right fight. So if you come by our booth, you'll see that, it's going to be very exciting-- >> And of course, don't talk about the Fight Club vulnerabilities. (Karim laughs) >> You know the rules of the fight club. >> The first rule is to talk to Kenna about the right fight club. That is the first rule. >> That's cool. >> Yeah, I mean, it's interesting. Every, as you very well know, every year when people walk away from RSA, there's a few blogs that are written about what was the theme this year, I suspect this year's in security specifically, is going to be about AI driven security. We've been starting to see that for a while, it started to bleed into last year's event. 
I think for us in particular, we have a very particular point of view, and our point of view is that it doesn't matter if it's ML, if it's AI, or what type of algorithms you're running, the question is, what's the value? What is the value when you have 1400 people all screaming to get in the door of an organization? Everybody really has to begin to answer that question fundamentally. And I think the people that have that position in the market are the people that are going to be able to stand out. >> It's interesting, as always the hype with AI, but it's interesting, I was just trying to figure out when the term there is no perimeter was kind of first coined in theCUBE, I'm thinking probably about five years ago, it really became a narrative and then more recently, with the cloud, the perimeter is dead. Edge is out there. >> Karim: Right. >> So this is, what's the gestation period of real scalable security post perimeter is dead. It's interesting, is it years, is it seems to be hitting this year. It seems to be the point where, okay, I tried everything, now I've got to be data driven or figure out a way to map the surface area. >> That's right. >> End to end. Well, thanks to Kenna Security coming in, a solution for figuring out the vulnerabilities with a real invention. We're going to be covering security at RSA with Kenna Security and others. Thanks for watching, this is theCUBE. (upbeat music)
Chris Bedi, ServiceNow - - ServiceNow Knowledge 17 - #know17 - #theCUBE
>> Announcer: Live, from Orlando, Florida, it's theCUBE, covering ServiceNow Knowledge17. Brought to you by ServiceNow. >> We're back. This is Dave Vellante with Jeff Frick. Chris Bedi is here, he's the CIO of ServiceNow. Chris, good to see you again. >> Good to see you as well. >> Yeah, so, lot going on this week, obviously. You said you're getting pulled in a million different directions. One of those, of course, is the CIO event, CIO Decisions, it's something you guys host every year. I had the pleasure of attending parts of it last year. Listened to Robert Gates and some other folks, which was great. What's happened this year over there? >> So, CIO Decisions, it's really where we bring together our forward thinking executives. We keep it intimate, about a hundred, because really it's about the dialogue. Us all learning from each other. It really doesn't matter, the industry, I think we're all after the same things, which is driving higher levels of automation, increase the pace of doing business, and innovating at our companies. So we had Andrew McAfee, MIT research scientist, really helping push the boundaries in our imagination on where machine learning and predictive analytics could go. And then we had Daniel Pink talking about his latest book, To Sell is Human. And really as CIOs, we often find ourselves selling new concepts, new business models, new processes, new analytics, new ways of thinking about things. And so, really trying to help, call it exercise, our selling muscle, if you will. Because we have to sell across, up, down, and within our own teams, and that is a big part of the job. Because as we move into this new era, I think the biggest constraint is actually between our own ears. Our inability to imagine a future where machines are making more decisions than humans, platforms are doing more work on behalf of humans. Intellectually, we know we're headed there, but he really helped to bring it home. 
>> Well, you know, it's interesting, we talk about selling and the CIOs. Typically IT people aren't known as sales people, although a couple years ago I remember at one of the Knowledges, Frank Slootman sort of challenged the CIO to become really more business people, and he predicted that more business people would become CIOs. So, do you consider yourself a sales person? >> I do. Selling people on a vision, a concept, the promise of automation. You know, technology, people fear it, right? You know, when you're automating people's work the fear, uncertainty, and doubt, or what I call the organizational anti-bodies, start to come out. So you have to bust through that, and a large part of that is selling people on a promise of a better future. But, it's got to be real. It's got to be tied to real business outcomes with numbers. It can't be just a bunch of PowerPoint slides. >> So we always like to take the messaging from the main tent and then test it with the practitioners, and this year there's this sort of overall theme of working at lightspeed, you and I have talked about this, how does that resonate with CIOs and how do you put meaning behind that? 'Cause, you know, working at lightspeed, it's like, ooh that sounds good, but how do you put meat on that bone? >> So, the way I think about working at lightspeed is three dimensions, velocity, intelligence, and experience. And velocity is how fast is your company operating? I read a study that said 40% of Fortune 500 companies are going to disappear in the next 10 years. That's almost half, right? But I think what's going to separate the winners from the losers is the pace at which they can adapt and transform. And, with every business process being powered by IT platforms, I think CIOs and IT are uniquely positioned to explicitly declare ownership of that metric and drive it forward. So velocity, hugely important. Intelligence.
Evolving from the static dashboards we know today, to real time insights delivered in context that actually help the human make decisions. And, BI and analytics as we know it today, needs to evolve into a recommendation engine, 'cause why do we develop BI and analytics? To make decisions, right? So why can't the platform, and it can, is the short answer, with the ability to rapidly correlate variables and recognize complex patterns, give recommendations to the humans, and I would argue, take it a step further, make decisions for the humans. ServiceNow did a study that said 70% of CIOs believe machines will make more accurate decisions than humans, now we just got to get the other 30% there. And then on experience, I think the right experience changes our behavior. I think we in IT need to be in the business of creating insanely great customer and employee experiences. Too often we lead with the goal of cost reduction or efficiency, and I think that's okay, but if we lead with the goal of creating great experiences, the costs and the inefficiencies will naturally drop out. You can't have a great experience and have it be clunky and slow, it's just impossible. >> And it's interesting on the experience because the changing behavior is the hardest part of the whole equation. And I always think back to kind of getting people off an old solution. People used to say, for start ups, you got to be 10x better or 1/10th the cost. 2x, 3x is not enough to get people to make the shift. And so to get the person to engage with the platform as opposed to firing off the text, or firing off an email, or picking up the phone, it's got to be significantly better in terms of the return on their investment. So now they get that positive feedback loop and, ah, this is a much better way to get work done. >> It has to. And we can't, you know, bring down the management hammer and force people to do things. It's just not the way, you know, people work.
And very simple example of an experience driving the right behavioral outcome, so ServiceNow is a software company, very important for us to file patents. The process we had was clunky and cumbersome. You know, we're not perfect at ServiceNow either. So we re-imagined that process, made it a mobile first experience built on our platform, of course. But by simply doing that, there was no management edict, you have to, no coercion, if you will, we saw an 83% increase in the number of patent applications filed by the engineers. So the right experience can absolutely give you the right desired economic behavior. >> You talked about 70% of CIOs believe that machines will make better decisions than humans. We also talked about Andrew McAfee, who wrote a book with Erik Brynjolfsson. And in that book, The Second Machine Age, they talked about that the greatest chess player in the world, when the supercomputer beat Garry Kasparov, he actually created this contest and they beat the supercomputer with a combination of man and other supercomputers. So do you see it as machine, sort of, intelligence augmenting human intelligence, or do you actually see it as machines are going to take over most of the decisions. >> So, I actually think they are going to start to take over some basic decision making. The more complex ones, the human brain, plus a machine, is still a more, you know, advanced, right? Where it's better suited to make that decision. But I also think we need to challenge ourselves in what we call a decision. I think a lot of times, what we call a decision, it's not a decision. We're coming to the same conclusion over and over and over again, so if a computer looked at it, it's an algorithm. But in our brains, we think a human has to be involved and touch it. So I think it's a little bit, it'll challenge us to redefine what's actually a decision which is complex and nuanced, versus we're really doing the same thing over and over again.
>> Right, and you're saying the algorithm is a pattern that repeats itself and leads to an action that a machine can do. >> Yeah. >> It doesn't require intuition >> And we don't call that a decision anymore. >> Right, right. So, in thinking about you gave us sort of the dimensions of lightspeed, what are some of the new metrics that will emerge as a result of this thinking? >> Yeah, I don't think any of the old metrics go away. I'll talk about a few. You know, in lightspeed, working at lightspeed, we need to start measuring, for one, back on that velocity vector, what is the percentage of processes in your company that have a cycle time of zero, or near zero. Meaning it just happens instantaneously. We can think of loads of examples in our consumer life. Calling a car with Uber, there's no cycle time on that process, right? So looking at what percentage of your processes have a cycle time of zero. How much work are you moving to the machines? What percentage of the work is the platform proactively executing for you? Meaning it just happens. I also think in an IT context of percentage of self healing events, where the service never goes down because it's resilient enough and you have enough automation and intelligence. But there are events, but the infrastructure just heals itself. And I think, you know, IT itself, we've long looked at IT as a percentage of revenue. I think with all of the automation and cost savings and efficiencies we drive throughout the enterprise, we need to be looking at IT as a margin contribution vehicle. And when we change that conversation, and start measuring ourselves in terms of margin, I think it changes the whole investment thesis, in IT. >> So that's interesting. Are you measured on margin contribution? >> We're doing that right now. I don't, if an IT organization is waiting for the CFO or CEO to ask them about their margin contribution, they're playing defense. 
I think IT needs to proactively measure all of its contributions and express it in terms of margin. 'Cause that's the language the CEO, and COO, and CFO are talking about, so meet them in a language that they understand better. >> So how do you do, I mean, you certainly can create some kind of conceptual value flow. IT supports this sort of business process and this business process drives this amount of revenue or margin. >> So I stay away from revenue, because I think any time IT stands up and says, we're driving revenue, it's really hard. Because there's so many external and internal factors that contribute to that. So we more focus on automation, in terms of hours saved, expressing and dollarizing that. Hard dollars, that we're able to take out of the organization and then bubbling that into an operating margin number. >> Okay, so you sort of use the income statement below the revenue line to guide you and then you fit into that framework. >> Absolutely. >> When you talk to other CIOs about this, do they say, hey, that sounds really interesting, how do I get started on that, or? >> I think it resonates really well, because, again, IT as percentage of revenue is an incredibly incomplete metric to measure our contribution. With everything going digital, you want to pour more money into technology. I mean, studies have shown, and Andrew McAfee talked about this, over the last 50, 100 years, the companies that have thrived have poured more, disproportionally more, into technology and innovation than their competitors. So, if we only measure the cost side of the equation we're doing ourselves a disservice. >> And so, how do you get started on this path, I mean, let's call this path, sort of, what we generally defined as lightspeed, measured on margin, how do you get started on that? >> First step is the hardest. But, it's declaring that you're going to do it. 
So we've come up with a framework, you know, that maps at a process level, at a department level, and at a company level, where are we on this journey to lightspeed? If lightspeed is the finish line, where are we? And I define three stages, manual, automated, cloud, before you get to lightspeed. And then, using those same three dimensions of velocity, intelligence, and experience, to tell you where you are. And, the very first thing we did was baseline all of our business processes, every single one, and mapped it. But once you have it mapped on that framework then you can say, how do we advance the ball to the next level? And, it's not going to magically happen overnight. This is hard work. It's going to happen one process at a time, right? But pretty soon everything starts to get faster and I think things will start to really accelerate. >> When you think about, sort of, architecting IT, at ServiceNow versus some other company, I mean, you come into ServiceNow as the CIO, everything runs on ServiceNow, that is part of the mandate, right? But that's not the mandate at every company, now increasingly may be coming that way in a lot of companies, but how does your experience at ServiceNow differ from some of the traditional G2000? >> Probably the unique part about being the CIO at ServiceNow is actually really fun, in that I get to be customer zero in that I implement our products before all of our customers. You know, get to sit down with the product managers, discuss real business problems that all of our customers are facing, and hopefully be their voice inside the four walls of ServiceNow, and be the strategic partner to the product organization. Now implementing everything, our goal is to be the best possible implementation of ServiceNow on the planet. And that's not just demonstrated by go lives, it's demonstrated by, again, the economic and business outcomes we're deriving from using the platform. 
So, that part is fun, challenging, and hard work all at the same time. >> So how's Jakarta lookin'? >> Fantastic. We're super excited about everything that's coming out, whether it's the communities on customer service, or our software asset management. That's been a pain, right, for IT organizations for a long time, which is these inbound software audits, from other companies, and you're responding to them and it's a fire drill. In my mind, our software asset management transforms software audits from a once a year, twice a year event, to always-on monitoring, where you're just fixing it the whole time. And it's not an event anymore. I mean, the intelligence that we're baking into the platform now, super exciting around the machine learning and the predictive analytics concepts, we have more analytics than we had before, I mean there's just so much in there, that's just exciting. We're already using it, I can't wait for our customers to get a hold of it. >> Well, CJ this morning threw out a number of 30-plus percent performance improvement. I had said to myself, you're saying that with conviction, that's 'cause you guys got to be running it yourselves. >> Yeah, we are. >> What are you seeing there? >> That's not a trivial number, and I think the product teams have done a great job really digging in and makin' sure our platform operates at lightspeed. >> One of the things that Jeff and I have been talking about this week, and really this is your passion here, is adoption, how do you get people to stop using all these other tools like email, and kind of get them to use the system? >> I think, showing them the promise of what it can bring. I think it's different conversations at different levels. I think, to an operator, someone who's using the email to manage their work, they're hungry for a different solution. Life, working, and email, and managing your business that way, it's hard, right? 
To a mid-level manager, I think the conversation is maybe about the experience, how consumers of their service will be happier and more satisfied. At executive level, it gets maybe more into some of the economic outcomes, of doing it. Because implementing our platform, you know, you're going to burn some calories doing it, not a lot. Our time to value is really really quick, but still, it's a project and it's initiative and it's got to have an outcome tied to it. >> You know, Chris, as you're saying that it's always tough to be stuck kind of half way. You know, you're kind of on the tool internally and it's great. >> We don't use the word tool. >> Excuse me, not the tool. The app, the platform, actually. But then you still got external people that are coming at you through text, email, et cetera. I mean, is part of the vision, and maybe it's already there, I'm not as familiar with the parts I should be, in terms of enabling kind of that next layer of engagement with that next layer of people outside the four walls, to get more of them in it as well. Because the half-pregnant stage is almost more difficult because you're going back and forth between the two. >> And our customer service product does a lot of that. If you look at what Abhijit showed today, which is fantastic, Communities is another modality to start to interact with people. Certainly, we have Connect, part of our platform, is a collaboration app within the overall platform, so you can chat, just like you would with any consumer app, in terms of chatting capabilities, and that mobile first experience. We're thinking about other modalities too. Should you be able to talk to ServiceNow, just like you talk to Alexa, and converse with ServiceNow, Farrell touched on this a little bit, through natural language, right? We all know it's coming, and it's there, it's just pushing in that direction. >> How about the security piece? 
You know, Shawn shared this morning, you guys are well over a year in now, and he talked about that infamous number of 200 plus days-- >> Chris: Nine months, yeah. >> Yeah, compressing that. Are you seeing that internally in your own? >> We are. We use Shawn's product, we're a happy customer. The vulnerability management, the security incident response, and very very similar results. And just like the customer who was on stage said, go live and iterate, and that's exactly what we did. Everyone has a vulnerability management tool, like a Qualys, that's feeding in. Bring in all those Qualys alerts, our platform will help you normalize them and just start to reduce the level of chaos for the SOC and IT operations. Then make it better, then drive the automation, so we're seeing very similar benefits. >> How do you manage the upgrade side, we've been asking a lot of customers this week in the upgrade cycle. Some say, ah, I'll do in minus one just to sort of let the thing bake a little bit. You guys are in plus one. How do you manage that in production, though? >> Sure, so we upgrade before our customers, and that's part of our job, right? To make sure we test it out before our customers. But I'll say something in general about enterprise software upgrades, which is, there is a cost to them and the cost is associated with business risk. You want to make sure you're not going to disrupt your business. There is some level of regression testing you just have to do. Now, strategies I think that would be wise are automating as much of that testing as you can, through a testing framework, which we're helping our customers do now. And I think with some legacy platforms, that was incredibly expensive and hard and you could never quite get there. Us being a modern cloud platform, you can actually get there pretty quickly to the point where the 80, 90% of your regression testing is automated and you're doing that last 10 to 20%. 
'Cause at the end of the day, IT needs to make sure the enterprise is up and running, that's job number one. But that's a strategy we employ to make upgrades as painless as possible. >> That's got to be compelling to a lot of the customers that you talk to, that notion of being able to automate the upgrade process. >> For sure, it is. >> You're eliminating a lot of time and they count that as money. >> It is money, and automating regression testing, it's a decision and a strategy but the investment pays off very very quickly. >> Dave: So there's an upfront chunk that you have to do to figure out how to make that work? >> Just like anything worth doing. >> Dave: Yeah, right. >> Right? >> Excellent. What's left for you at the show? >> What's left for me? I love interacting with customers. I got to talk with a lot of CIOs at CIO Decisions. I actually enjoy walking through the partner pavilion and meeting a lot of our partners and seeing some of the innovation that they're driving on the platform. And then just non-stop, I get ideas all day from meeting with customers. It's so fun. >> Dave: Chris, thanks very much for coming to theCube. >> Thank you. >> We appreciate seeing you again. >> Chris: Good seeing you. >> Alright, keep it right there everybody. Jeff and I will be back with our next guest. This is theCube, we're live from Knowledge17. We'll be right back.