
Search Results for Red Hat Consulting:

Dave Knight & Mike Bourgeois, Deloitte Consulting | Red Hat Summit 2021 Virtual Experience


 

(Upbeat music) >> Okay, welcome back everyone, to theCUBE's coverage of Red Hat Summit 2021 Virtual. I'm John Furrier, your host of theCUBE. Got two great guests from Deloitte Consulting: Dave Knight, who manages the Red Hat relationship, Lee he's the lead there, and Mike Bourgeois, who's the Public Sector Managing Director, both from Deloitte Consulting LLP, official name. Guys, great to come on, and we were just talking before camera about all the stories. Great to have you on theCUBE, thanks for coming on. >> Yeah, thanks for having me. >> Like I said, we were just talking about all the stories from the transition from pre-COVID, COVID. Now we've got a view into post-COVID. I want to dig into that 'cause there's a lot of things happening. You guys have been in the trenches, front lines bringing solutions, but before we get into that, can you guys just introduce yourself, share your roles at Deloitte and give us a quick overview of what you work on. >> Yeah, so again, thanks for having us, John. Dave Knight, I'm a solution architect and Global Red Hat Alliance Manager for Deloitte. I've got responsibility for making sure that play nicely in the sandbox together or we've got a joint customer and solutions to deliver to those customers. >> Hi everyone, thanks for having us, John. I'm a Managing Director, Mike Bourgeois, out of Boston Texas. I am coming up on year 20 in Public Sector Consulting. My area of expertise is large state government systems that serve the needs of millions of citizens and thousands of state workers, good to be here. >> Yeah. Great to have you. And I wanted to chime in with you right away because, Mike, you are living in probably one of the hottest markets, Public Sector. I've been following that for many, many years, generations actually from the early computer industry GSA contracts, all these contracts you've got all the Public Sector, they move very slowly but now the pandemic, there was no place to hide. 
Everything got pulled back, disruption, you can't just shut down critical infrastructure and critical services. People had to move fast. What was your experience and how is it now give us a taste of some of the challenges and the landscape. >> You bet John, so we talked a little bit before we started this, but my 20 year consulting career, I can't think of anything really in close to this, other than maybe Y2K and as Dave mentioned the Affordable Care Act Legislation in 2009, though that was a much smaller scale as it turned out to be. So I would be remiss not to share examples of extraordinary challenges our clients have had related to the pandemic. Department of Labor and Health and Human Service Agencies for example, responded to the pandemic in rapid timeframe that were rarely seen in government. Citizens that were used to coming in appealed offices, We're now required to do most things virtually. Deloitte has been privileged to assist clients with digital solutions across the country in response to this unprecedented event. And so I'd like to share just a couple of examples. The first is for Department of Labor, the pandemic contributed to millions of layoffs throughout the country Department of Labor workers found called volumes increasing by a 1000% in some cases, the amount of increased volume required agencies across the country hire temporary workers to help out. Millions of new unemployment claims needed to be filed in benefits rapidly provided to citizens of name. So the big challenge was the agency had to figure out how to rapidly file claims into the unemployment system, rather than requiring new citizens to use an external web application they were really unfamiliar, the agency needed more efficient approach. The approach we used was to create an internal web application that enabled workers to file unemployment insurance claims on behalf of citizens. Workers collected the necessary data from citizens and claims were filed into the system. 
The application enabled workers to focus on filing claims rather than sort of a technical support role showing how to people use an external web application. More citizen were served in much less time, claims are filed efficiently by train workers which resulted in benefits being received in a much more timely fashion. And so a second example is, with Department of Human Services. So one stay as mentioned Citizens were used to going into field offices but suddenly they were told you can't come into the field office. So once they provided a 100% virtual application and the important part here is certification solution for the Disaster Supplemental Nutrition Assistance Program or DSNAP for short. this application was stood up in two weeks, families who needed food assistance can now apply and be certified for benefits remotely. Today over 50,000 cases have certified and citizens receiving food nutrition assistance. Back to you John. >> So, I mean obviously there's some great use cases you got, basically I got to work at home, new architecture there you got to have a new workflows. I mean, this poses some real challenges. How did you guys put it together? I mean, Dave take us through where this all fits in with the Red Hat, because obviously now it's new deployment new capabilities have to be deployed for the pandemic. How does this bring together the partnership with Red Hat? >> Yeah, so great question and it really plays to the strength of both Deloitte and Red Hat, right? The success stories that Mike has illustrated show how we can quickly pivot as a firm to delivering these types of solutions and help our customers think through innovative ways to solve the problems. So, I mean the prime example that Mike just gave, everything used to be done in offices. Now it's all done remotely cause you can't go to the office even if you want to. And that is very much aligned with the innovation we get with our partnership with Red Hat, right? 
They've led the way in open source and some of the technologies that we've leveraged that our solutions include Ansible for automation, some of the middleware products, and I would say one of the cornerstones is the OpenShift Platform. Now that allows us to greatly accelerate the development and delivery of those solutions to our customers. Sort of again, aligning our innovative thinking with Red Hat's innovative technologies. >> What would you say if someone said, "What's the partnership strengths and what needs specifically are you addressing with customers and customer needs?" >> So I, again, I think our lean towards innovation is a common thread across both firms and where we have our greatest strength. We like to take our customers on a journey but it's not our journey, it's their journey, right? So we help them figure out where they want to go and how they want to get there in a way that aligns with their business goals, their budgets, all the sort of factors that drive those things, and Red Hat is very open to that approach. They sort of invented the crowdsourcing of open source, they made it into a business model. They've developed that from literally nothing. And that aligns very nicely with us. That's one of the key strengths. We also are firm believers in open source, again to the degree that our customers like to leverage that to drive their journeys. And we're seeing that, especially in the Public Sector space, as being a key driver of the technologies they employ. >> Mike, I want to come back to you on this open ma component open question, open source, open to technology, open innovation out in the open as Red Hat calls it. How does Red Hat open source software address the needs for your customers for security and on-premise considerations? >> I'll talk a little bit about open source principles in general. Still, the open source principles of transparency, meritocracy, community problem solving and collaboration. 
These are on its of both software innovation as well as organizational transformation. One of the highest demand transformation needs that I'm seeing in the market is the desire to adopt innovative technology, and most importantly, moving workloads to the cloud. It's no longer a thought, it is an imperative moving workloads to the cloud, on new deals hosted in the cloud, on an existing, is it large systems let Deloitte help us get to the cloud. So I believe the key to success embracing the cloud is recognizing first the need for change in people, processes and technology. The vehicle for this transformation is DevSecOps and innovative open source platforms, such as the OpenShift platform that Dave mentioned. OpenShift focuses on people, processes and technology and the security conversation becomes even easier. I mean, I see Linux was around for years, and we've always used Linux on our Java based workloads now we can have the conversation about saying, Hey, well that se Linux operating system we've been using for years now, there's this really cool Container Management Platform that we can solve real problems like auto scaling, in my Health and Human Services career, I can remember every year when open enrollment comes around systems engineers are teed up, and ready to manually add those to a BMR cluster or something like that. Well, now we don't have to do these things. We can rely on Kubernetes so auto scale, and then and get rid of those instances when workload demands seven resolved. So it's a really cool technology kind of behind the scenes. It's not the dog and pony show sometimes but in the end it helps the clients and Deloitte remain consistent with those service level agreements. >> That's a great example about the open enrollment illustrates the fact that, you got to provision more stuff to take that load on it. It's always hard in Public Sector you might not have the speed. 
So I got to follow up and ask you, you guys have had wins in the Public Sector lately with Red Hat, you guys Deloitte and Red Hat working together and get some wins under your belt, on around cloud and cloud and technology obviously with the pandemic has needs there. Are you guys seeing any particular sector challenges specifically around Public Sector as it goes this next level a lot of modernization happening we're seeing that, but any challenges that you're seeing, can you give some examples of how these challenges are being addressed? First talk about the challenges and then give some examples of how they're overcoming them. >> So I can jump in here with this one then, and Mike I think you probably have some maybe Public Sector specific examples, but one of the things that I think is common across all industries is resource constraints, right? And particularly as we look for human resources and not in the HR sense, but developers, CIS admins those types of resources as Mike said, the cloud is here to stay, right? And it's not something that people are thinking about it's de facto part of the conversation. And that's great, but it leads to silos of skills which puts further sort of strain on a limited pool of resources within most sites IT organization. So something like an OpenShift, something like an Ansible solves problems related to resource constraints, because they're skills that are portable across cloud environments, right? If you can manage OpenShift you can manage OpenShift on-prem, you can manage it recently released AWS version of that ROSA on the Azure version of that. So it's no matter where you're running it you've got a common set of skills and access sort of a force multiplier, same thing with Ansible automation, right? If you can write scripts, with an Ansible you can do those repeatable tasks in a much more efficient fashion. And again sort of multiplying the capacity of your existing workforce. >> So you've got an operating leverage there. 
I mean, this is what you're getting at is that, Public Sector and other commercial areas they kind of got to get used to this fact that, you get some leverage here, you get some operating leverage. >> More or less has always been a thing in IT. And it's not relenting that's for sure. >> It's been more at the more, with less has always been kind of a tagline for budget cuts, right? You can squeeze more out of the investment. Here it's kind of like do more with less than the sense of there's more net new things happening with leverage. So, I mean, do you agree with that? What's your take on that? >> Yeah, I think that's exactly right. It's more with less from a resource perspective, right? Typically it was budget, but no money is just another resource. Now we're getting into the personnel side of it. The other thing I would say is, something like an OpenShift Platform allows the Mike's point around DevOps, it allows the developers to develop, right? I have an article in wired.com about this, where developers are saddled with meetings and they have to become concerned with infrastructure and they have traditionally and security. And I am I doing all these things that aren't related to development. If you have a good DevOps Platform in place the security folks can build guard rails into the platform and the developers can just go develop which is what they want to do in the first place. Yeah exactly, that's another riff on the more, with less, again in a resource, the human resource way versus the budget way. >> Yeah, and that really is where OpenShift ties in. Mike what's your take on this? Because with this kind of program ability infrastructure as code DevSecOps kind of modern developers, Public Sector loves that, because they just want to build the new apps. They got to modernize. So change the infrastructure once. And then a lot of ma many benefits on top of it. It's almost like, it sounds like an operating system to me. 
>> Yeah, lots of thoughts going around my head right now but I'll say the more with less to me when I'm having client conversations is imagine a world of higher innovation, more technology at lower costs, right? I mean, so CIO is light up when I explained to them the orders of magnitude cost savings on top of the innovation introduced to their environment. So when moving workloads to the cloud is not as easy as just packaging up a binary and dropping in on a name, your cloud provider, right? There's an entire, a blueprinting strategy. There's a Cloud Native Architecture, modernization discussion, so we do those sorts of things, at Deloitte and we work with clients very closely to do that. I want to say teaming with Red Hat allows us to be proactive with our design and reference architecture validation. The Collaborative Partnership in Relationship allows us to connect senior engineers from Deloitte and Red Hat. So we have low level strategic discussions, we validate our assumptions and optimize to use a Red Hat technology. What we're doing in Public Sector is separating the monolithic application into layers. And whenever it comes to technologies like Ansible, like OpenShift, like Jenkins, all of these things that any application needs and Public Sector, we're saying out to the account teams across the country, look this is a slower layer DevOps Platform. And by the way, you can run any .Net or Java based workload on it. So we're trying to make opinionated reference architecture so that regardless of the solution, we can just go to market with that platform that tried and true production application. So I'll give a quick example John, if now's a convenient time regarding, well, one of the things that we've done for particular state client. >> Definitely yeah, give the use cases we love those. >> Yes so one of the impactful modernization that struck my mind was the State of Washington. 
They've mentioned the Affordable Care Act earlier, there are two major things that came out of that. One was the eligibility and enrollment systems had to be modified across all 50 states. But the second thing and the primary driver behind the Affordable Care Act was health insurance exchange. A way for millions of citizens to have access to healthcare using subsidized health insurance plans. So in Washington and health benefits exchange is that health insurance exchange, State of Washington has been a client of Deloitte since 2012. The solution was originally designed using closed source proprietary products. There are three drivers for change. The first is the API gateway was end of life and needed to be replaced. Number two was the client wanted to move health benefit exchange to the cloud from an on-premise hosting arrangement. And third is reducing cost of the solution with innovative products. So the agency was looking for a platform that provided flexibility, auto-scaling and performance and lower cost of ownership. So we worked with the agency and we evaluated a variety of API Management and Integration Platforms. After reviewing the outcomes for each proof of concept, the agency decided to move forward with Red Hat's 3scale API Management Platform, Red Hat Fuse for Integration and OpenShift Container Platform that offered the auto-scaling, continuous integration tools and out of the box monitoring and reporting capabilities to proactively monitor the health of the solution. I often describe a little bit of OpenShift as a data center or DevSecOps in the box. It just is all there. You don't need to add layers on top of OpenShift. Install and configure it, tune it and just you're off and running in a short amount of time. So three outcomes I'll mention, go ahead, John. >> No, continue, I thought you were finished. 
So on the outcomes side, the first outcome the agency substantially lower the cost of ownership using commercially supported open source while increasing access to innovative emerging technology. So the agency wanted a solution not only to meet their current needs, but extend the solution going forward. The beautiful thing about OpenShift is you can drop a container images into the platform without installing an operating system. It's all just there and it's spreading to be extended. The number two outcome cloud migration. Deloitte work collaboratively with the agencies and infrastructure and managed services team to successfully migrate the health benefit exchange to the cloud. And the last thing a bit obvious, but that's successful release, working collaboratively with our client. We were able to migrate the solution within 100 days from making the products decision. The cut over to the new solution was seamless with minimal downtime and zero production issues or exceptionally proud of that. >> Great stuff, great use case. And again, those are great business examples. Dave, I want to get this last question to you and Mike can chime in too. As Red Hat Summit evolves, and we're hearing the theme here at the event about transformation is the innovation, Innovation is about scale. When you hear the words like in a box or Hybrid Cloud you hear about an operating environment. So it's an opportunity to set the table for the next generation, this is what I see. What do you guys see as people talk about Hybrid Cloud and soon to be Multiple Cloud? Because you guys you said have tough relationships. You deal with IBM and Red Hat and you probably deal with other people. Clients want, from what we hear they want back to the Multi Vendor Open Connection Distributed Environment. That's what they want. So how does your relationship evolve, given all this is happening? How do you see the future, please chime in. >> Thanks, that's a fantastic question. 
I actually think the market is coming catching up to where I've been thinking for quite a while. And that is the Hybrid is kind of where it's at. A lot of customers have been in some sort of Hybrid mode as part of the step or a journey to the cloud, getting all the way to the cloud. But I think we're seeing some transition. I know customers are starting to ask me more and more about Hybrid solutions for a variety of reasons, right? The easy workloads for the most part have either been moved or be are being moved, or at least there's a strategy and a plan to get them moved. And now we're starting to be asked about some of the more difficult architecture type questions, right? The workloads that are a little bit more sticky to the on-premise model. And so Hybrid becoming more of the endpoint as opposed to a step along the journey. The other big thing is some repatriation, right? Workloads coming off of cloud. Maybe they seem like good candidates but for whatever reason, the cost drivers or other things weren't realized, let's get them back on premise. Maybe it's a regulatory thing and new regulations are making folks uncomfortable. So I see Hybrid as a pretty interesting next wave of cloud, Deloitte as a far or we're skilling up or tooling up in order to address the needs of our customers, again are starting to ask us these really challenging questions about Hybrid Cloud and Hybrid Cloud Architectures. >> Yeah and just the key point there is that you think about it like with the way you're discussing it, it's a platform, not a tool, right? So if you think about it like a platform then you can move things around and look at architectures and changes of how resources and workloads are deployed and then what data you're getting from it. Whether you bring it to a factory, for instance you say, Hey, okay, we're going to put it on prem because it's a factory or whatever, and you need more data. What was the changeover? This is like a day to operations kind of mindset. 
What's your comment on that? >> Well I mean I have actually going back three years now, one of the marketing lines that we developed internally, was moved to a platform, not a provider. But because you get that flexibility, now, the reality is what works stay where they're put for a variety of reasons. But I think one of those reasons could be, because they're put in places where they tend to not want to move, right? So if we could put them into a platform where, there is some portability built into the platform, I think we might have a different sort of outcomes for customers. And I think architecture is absolutely the key, right? That to me is the secret sauce here. >> Mike set up for you to close us out here, platform, Public Sector, Hybrid, that's what they want. It's an ideal scenario for anyone in Public Sector and in general, and why wouldn't you want to have a great platform that's it can be programmed, and rearchitected at will for the benefit of the business powered by software. What's your thoughts? >> Yeah, all good points and I will agree with Dave that Hybrid is certainly evolving. Eight years ago, Hybrid was consuming and address validation API in the cloud and not custom coding that, but today I do agree that Hybrid Cloud is all about a vehicle a way of moving workloads across data centers. It's an architecture that is encapsulated by something like an OpenShift so that you can federate your workloads across data centers. You can put them in one or easily moved them to the other. Maybe that's for a variety of reasons. It could be compute and storage is being reduced by one provider versus the other. So the solutions were we're designing today, they are data center agnostic, we're not being tied to data centers anymore. The best design solutions, you can just let them move in their easy manner. So that that's my take on Hybrid Cloud. 
And I would say the and Red Hat are making investments to help us advance that thinking, help us advance those solutions. We at Deloitte have created a Red Hat OpenShift lab environment, and we've done this purposely to validate reference architectures, to show account teams the way we have delivered the very very large accounts, to show them what DevSecOps means from a product perspective and to give them opinionated processes to be successful in delivering these large type solutions. >> Dave, Mike, thanks for coming on, and I appreciate you guys coming on theCUBE and sharing the perspective on the Red Hat relationship with Deloitte Consulting. Thanks for coming on. >> Thank you. >> Thank you, John. >> This is CUBE coverage of Red Hat Summit 2021, I'm John Furrier, your host, thanks for watching.

Published Date : Apr 28 2021

Walter Bentley, Red Hat & Vijay Chebolu, Red Hat Consulting | AnsibleFest 2019


 

>> Live from Atlanta, Georgia, it's theCUBE, covering AnsibleFest 2019. Brought to you by Red Hat. >> Hey, welcome back, everyone. It's theCUBE's live coverage here in Atlanta, Georgia, for AnsibleFest. Part of Red Hat's big news: Ansible Automation Platform was announced. Among other things, they're great products. I'm John Furrier, with my co-host Stu Miniman, but two great guests. You unpack all the automation platform features and benefits. Walter Bentley, senior manager, Automation Practice at Red Hat, and Vijay Chebolu, director of Red Hat Consulting. Guys, thanks for coming on. Thanks. So the activity is high. The buzz this year seems to be at an inflection point as this category really aperture grows big time seeing automation, touching a lot of things. Standardization. We heard glue layer, standard substrate. This is what Ansible is becoming, so lots of service opportunity, lot of happy customers, a lot of customers taking it to the next level. And a lot of customers trying to consolidate, figure out how to make Ansible kind of a standard of other couples coming in. You guys on the front lines doing this. What's the buzz? What's the main story? What's the top story going on around the services, how to deploy this? What are you guys seeing? >> So I think what we're seeing now is customers. Reactor building automation. For a long time, I have been looking at it at a very tactical level, which is very department very focused on silo. Whether country realizes with this modern develops and the change in how they actually go to the market, they need to bring the different teams together. So they're actually looking at watching my enterprise automation strategy be how to actually take what I've learned in one organization. And I still roll it across the enterprise so that now struggling and figuring out how to be scared, what we have, how do we change the culture of the organization to collaborate a lot more and actually drive automation across enterprise? 
>> Walter, one of the things we've been we've talked about all the time in theCUBE, and it's become kind of cliche. Digital transformation. Okay, I heard that before, and three things people process, technology, process and capability you guys have done. You mentioned the siloed having capabilities that's been there. Check was done very, very well as a product technology Red Hat in the portfolio. Great synergies. We talked about RHEL integration, all the benefits there. But the interesting thing this year that I've noticed is the people side of the equation is interesting. The people are engaged, is changing their role because automation inherently changes their function in the organization because it takes away probably the mundane tasks. This is a big part of the equation. You guys are hitting that mark. How do you How are you guys seeing that? How you accelerating that has that changing your job, >> right? So customers are now economy realizing that going after automation in a very tactical manner is not exactly getting them what they want as a far as a return on investment in the automation. And what they're realizing is that they need to do more. And they're coming to us and more of an enterprise architectural level and say we want to talk mortgage grander strategy. And what they're coming to realize is that having just one small team of people that were calling the DevOps team is not gonna be able to drive that adoption across the organization. So what we're trying to do is work with customers to show them how they collaboration in the culture of peace is huge. It's a huge part of adopting automation. Ansible is no longer considered an emerging tech anymore. And and I when I say that, I mean a lot of organizations are using Ansible in many different ways. They're past that point, and now they're moving on to the next part, which is what is our holistic strategy and how we're gonna approach automation. 
And we want to leverage Ansible and Ansible Tower to do that. >> Does that change how you guys do your roll out your practices in some of your programs? >> Well, we did have to make some adjustments in the sense of recognizing that the cultural piece is a pivotal part of it, and we can go in and we can write playbooks and roles, and we can do all those things really great. But now we need to go in and help them structure themselves in a way where they can foster that collaboration and keep a moment. >> And I'll actually add on to that so reactive, large, Open Innovation Labs three years ago, and what we have to learn doing that is using labs and allows practices to actually help customers embrace new culture and change. How they actually operate has actually helped us take those practices and bring it into our programs and kind of drive that to our customers. So we actually run our automation adoption program and the journey for customers through those practices that we actually learned in Open Innovation Labs, like Open Practice Library, event storming, priority sliders and all of those modern techniques. So the goal is to help our customers understand those practices and actually embrace them and bring them into the organization to drive the change that that's looking for within the organization. >> Vijay, is there anything particular for those adoption practices when you're talking about cloud? Because the communication amongst teams, silos, you know, making things simpler is something that we absolutely do need for cloud. So I'm just curious how you connect kind of the cloud journey with the automation journey. >> So all of the journey program that actually created, whether it's a container adoption program or the automation adoption program, we actually followed the same practices. So whether you're actually focused on a specific automation tool like Ansible or actually embarking on hybrid multicloud journey. 
we actually use the same practices so the customers don't have to learn new things every time you have to go from one product to another. So that actually brings a consistent experience to customers in driving change within the organization. So whether it is focusing on automation or focused on cloud, migrating to the cloud, the practices remain the same, and the focus is about not trying to boil the ocean on day one. Try to break it into manageable chunks that give a return back to the business quickly, learn from the mistakes that you make in each step of the way, and actually build upon it and actually be successful. >> So, Walter, I always love when we get to talk to the people that are working straight with customers, because you come here to the conference, it's like, oh, it's really easy, get started. It doesn't matter what role or what team you're in. Everybody could be part of it. But when you get to the actual customers, there are stumbling blocks. You know, what are some of those things? What are some of the key things that stop people from taking advantage of all the wonderful things that all the users here are doing? >> Well, one of the things that I've identified and we've identified as a team is a lot of organizations always want to boil the ocean. And when it comes down to automation, they feel that if they are not doing this grand transformation and doing this huge project, then they're not doing automation. And the reality is that we're showing them that you can break things up into smaller chunks, as Vijay alluded to. And even if you fail, you fail fast and you can start over again because you're dealing with things in a smaller chunk. And we've also noticed that by doing that, we're able to show them the return on investment faster so they can show their leadership, and their leadership can stand behind that and want to do more. So that's one of the areas. 
And then I kind of alluded to the other area, which is you have to have everybody involved. You want just subject matter experts writing content to do the automation. You don't want that just being one silo team. You want to have everybody involved and collaborate as much as possible. >> Maybe can you give us an example? It's about the ROI. How fast do people get the results and, you know, prove to scale this out? >> So with the automation adoption journey, what we're able to do is that we come in and sit down with our customers and walk them through how to properly document their use cases: what the dependencies, what integration points, possibly even determining what is that ROI ranking for that use case. And then we move them very quickly into the next increment. And in the next increment, we actually step them through taking those use cases, breaking them down into minimum viable products and then actually putting those in place. So within a 90-day or maybe a little bit more than the 90-day window, we're able to show the customer in many different parts of the organization how they're able to take advantage of automation and how the return on investment with hopes of obviously reducing either man hours or being able to handle something that is, you know, a mundane task that you had to do manually over and over again. >> What are some of the things that people get confused about when they look at the breadth of what's going on with the automation platform? When I see tool to platform, transitions are natural. We've seen that many times in the industry. You guys have had product success, got great community, customers, they're active. And now you've got an ecosystem developing, so kind of things are popping on all cylinders here. 
>> So the biggest challenge that we're actually seeing with customers is they actually now come to realize that it's very difficult to change the culture of the organization, right? They're actually embarking on this journey, and the biggest confusion there is, how do we actually go make those changes? How do we bring some of the open practices, some of the open source collaboration that Red Hat has, into the organization so they actually can operate in a more open source, collaborative way? And what we have actually learned is we actually have what we call communities of practice within Red Hat. It is actually a community of consultants, engineers and business owners that actually collaborate and work together on offering the solutions to the market. So we're taking those experiences back to our customers and enabling them to create those communities of practice and an automation community that everybody can be a part of. They can share experiences and actually learn from each other much easier than kind of being a fly on the wall or kind of throwing something over the fence to see what sticks and what does not. >> What's interesting about the boiling the ocean comment you mentioned, Walter, and Vijay, to your point there, is that the boil-the-ocean is very aspirational. We need change, right? That's more of the outcome that they're looking for. But to get there is really about taking those first steps, and the folks on the front lines have their applications they're trying to solve or manage. Getting those wins is key. So one of the things that I'm interested in is the analytics piece. Showing the victories and the wins early is super important because that kind of shows the road map of what the outcome may look like versus the throw the kitchen sink at it and, you know, boil the ocean, which we know is a failed strategy. Take us through those analytics. What are some of the things that people tend to knock down first? 
What are some of the analytical points that people look at for KPIs? Can you share some insight into that? >> Sure, sure. So we always encourage our customers to go after the platform first. And I know that may sound obvious, but the platform is something that is pretty straightforward. Every organization has it. Every organization struggles with provisioning, whether of a private cloud, public cloud, virtualization, you name it. So we have the customer kind of go after the platform first and look at some of their day-2 operations. And we're finding that that's where the heaviest return on investment really sits. And then once you get past that, we can start looking at, like, end-to-end workflows. You know, can they tie ServiceNow to Tower, to be able to make a complete workflow of someone that's maybe requesting a VM, and they can actually go through that whole workflow by leveraging Tower and an integration point like ServiceNow. Those are where we're finding that the operators of these systems are getting the fastest benefit. And it also, of course, benefits the business at the end of the day because they get what they need a lot faster. >> It's like a best practice, and for you guys, you've seen that? Yes, sir. Docked with that out of Vijay. What's your comment on all this? >> So going back to the question on metrics. Automation is great, but it does not provide any value to the business unless they actually show what was the impact, whether it's from a people standpoint, cost standpoint or anything else. So what we try to drive is enable customers to kind of build the baseline of where they are today, and as they're going through the incremental journey towards automation, measure the success of that automation against the baseline. And that actually adds the ROI back to the customer. As a business you then get to see: I was creating a storage LUN. I was doing it probably 15 times a month. Take it or really even automated. 
I spent like a day, created a playbook. I'll save myself probably half, of course, and then could be doing something that's better. So building those metrics, and with the automation analytics that actually came in the platform, trying those baselines. So the number of executions, actually the huge value, they'll actually be able to realize the benefits of automation and measure the success of it within the enterprise. >> So I'm a customer prospect, like, I want to get a win. I don't want to get fired. I want to get promoted, right? I say, okay, I've got to get a baseline and knock down some playbooks. Knock that down first. Is that what you're getting at? That's a good starting. >> Starting. Understand your baseline today. Plan your backlog as to what you want to knock down. And once you knock them down, build a dashboard as to what the benefits were, what the impact was, and actually build upon it. You actually will see an incremental growth in your success with automation. >> And then you go to the workflow end to end, and that's your selling point for the next level. Absolutely. Good playbook. Is that the automation program, that in a nutshell, or is that more of a best practice? >> Those are components of the automation adoption journey that we allow the customer to kind of decide how they want their journey to be crafted. Of course, we have a very specific way of going about and walking them through it. But we allow them to kind of craft that journey, and those are the two components that make up the automation. >> We're going to put you guys on the spot with the tough question. We heard from J.P. Morgan yesterday on the keynote, which I thought was very compelling. You know, days, hours, two minutes. All this is great stuff. It's real impact. Other customers validate that. So, congratulations. Can you guys share any anecdotal stories? You know, the name customers? 
Just about situations where customers have gone from this to this, old way, new way, and throw some numbers around. Shearson Samantha >> It is not a public reference, but I'd like to give you a customer example. Retail company. When we first actually went and ran a discovery session, it took them 72 days to provision an instance. And the whole point was not because it took that long. It's because every task had an SLA. We'd actually wait for the SLA to manually go do that. We actually went in >> with our 72 hours, two days, two days, >> actually, going with the automation. Actually, everybody was working on the SLA. We actually brought it down to less than a day. So you just gave the developers looking to code 71 days back for them to start writing code. So that's the impact that we see automation bringing back to the customers, right? And you'll probably find the use cases across everywhere. Whether J.P. Morgan Chase, you actually had the British Army and everyone here on stage talking about it. It is powerful, but it is powerful really if you can measure and learn from it. >> As the baseline point. Get some other examples, because that's, uh, that's 70 days. Is that mostly delay? It's bureaucracy? It's so much time. >> It's manual tasks, and many of the manual tasks are actually waiting for a person to do the task. >> Waterfall past things sound, although any examples you can >> Yes, so the one example that always stands out to me, and again, it's pretty straightforward, is Citrix patching. So we worked with the organization. They were an energy company, and they wanted to automate patching their Citrix environment. Patching this Citrix environment took six weekends and it took at least five or six engineers. And we're talking about bringing in application owners, the folks who are handling the bare metal, all that whole window. 
And by automating most of the patching process, we were able to bring it down to one weekend and one engineer who could do it from home and basically monitor the process instead of having to be interactive and active with it. And to me, that was a huge win. Even though it's, you know, it's just patching. >> That's the marketing plan. Get your weekends back. Absolutely awesome. Shrimp on the barbecue, you know. Absolutely great job, guys. Thanks for the insight. Thanks for coming on theCUBE. Really appreciate it. Congratulations. Thank you. Thanks for sharing. This is theCUBE here, live coverage, AnsibleFest, where the big news is the Ansible Automation Platform. Breaking it down here on theCUBE. I'm John Furrier with Stu Miniman. We're back with more coverage after this short break.

Published Date : Sep 25 2019


Andrea Hall & Andrew Block, Red Hat | Managing Risk In The Digital Supply Chain


 

(upbeat music) >> Okay, we're here talking about how you can better understand and manage the risks associated with the digital supply chain. How in this day and age where software comes from so many different places and sources throughout the ecosystem, how can organizations manage the risks associated with our dependence on software? And with me now are two great guests, Andrea Hall, who is a specialist solution architect and project manager for security and compliance at Red Hat. She's going to focus on public sector. And Andrew Block who's a distinguished architect at Red Hat Consulting, folks welcome. >> Welcome >> Thank you. Thanks for having us. >> You're very welcome. Andrea, let's start with you. Let's talk about regulations. What exists today that we should be aware of that organizations should be paying attention to? >> Oh sure, so the thing that comes to mind first being in the US is the presidential executive order on cybersecurity that came out a few months ago. Organizations are really paying attention to that. And in the US, it's having a ripple effect with policy, but we're also seeing policy considerations pop up in other countries, Australia and England. The supply chain is a big focus right now, of course, but we see these changes coming down the road as more and more government organizations are trying to secure their critical infrastructure. >> Is there kind of a leadership, or probably in other words, is somebody saying seeing what the UK does and say, okay, we're going to follow that template? Or is it just a variety and a mish mash with no sort of consolidation? How is that sort of playing out? >> I see a lot of organizations kind of basing their requirements on (indistinct) However, each organization has its own nuances. Each agency has its own nuances to how it wants them implemented. >> Andrew, maybe you could chime in here. What are you seeing when you talk to customers that are tuned into this issue? 
>> You know, as Andrea had just mentioned having that north star in terms of regulations is so fundamentally great for them because many of them especially in regulated industries, look to these regulations on how they apply their own policies. So at least it has some guidance on how to move forward because as we all know the secure software supply chain is getting news every day and how they react to it is something that I know all their leaders are asking themselves, especially those IT leaders. >> Andrea, when I talk to practitioners, sometimes they're frustrated. They understand they have to comply. They know new regulations are coming out, but sometimes it's hard for them to keep up. It would be helpful if you're sitting across the table from somebody who's frustrated and they ask you, what are your expectations? What are the trends in regulations? How do you see the current regulations evolving to specifically accommodate the digital supply chain and the security exposures and corollary requirements there? >> We see a lot of organizations struggling in the sense of trying to understand what the policy actually wants. Definitions are still a little bit vague, but implementation is also difficult because sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Really automation has to be pulled in. That's key to implementing this instead of adding more workload and more burden to your folks. It's really important for these organizations to pull stakeholders in the organization together. So the IT leaders bring together the developers, the security operations sit at the same table, talk about whether or not what needs to be implemented or what's proposed to be implemented, will affect the mission or in any way or disrupt operations. It's important for everybody to be on the same page so it doesn't slow anything down as you're trying to roll it out. 
>> And one of the things here is that we're seeing a lot of change with these new regulations and with a lot of organizations, any type of change is scary. And that is one area that they're looking for guidance not only in the tooling, but also how they apply it in the organization. >> I'll add on. >> Please. >> I'll add onto that and say, organizations really need to take into account the people side of things too. People need to understand what the impact is to the organization, so that they don't try to find the loopholes, they're buying into what needs to be done. They understand the why behind it. You for example, if you walk into your house, you normally close the door behind you. Security needs to be seen as that, as well, that's the culture and it's the habit. And it's ingrained in the fabric of the organization to live this way, not just implement the tools to do it. >> Right, and the number of doors you have in your infrastructure are a lot more than just a couple. Andrew mentioned sort of guidance and governments are obviously taking a more active role. I mean, sometimes I'm a cynic. I mean, the president Biden signs an executive order, but swipe of a pen doesn't really give us enough to go on. Do you think Andrea, that we're going to see new guidance from governments in the very near future? What are you expecting? >> I expect to see more conversations happening. I know that agencies who developed the policies are pulling together stakeholders and getting input. But I do see in the not too distant future, that mandates will be rolling out, yes. >> Well, so Andrew of course, Andrea, if you have a thought on this as well, but how do you see organizations dealing with adopting these new policies. >> Slowly, don't boil the ocean is one thing I tell a lot to every one of them, because a lot of these tooling, a lot of these concepts are foreign to them, brand new. 
How they adopt those and how they implement them, needs to be done in a very agile fashion, very slow and prescriptive. Go ahead and try to find one area of improvement and go ahead and work upon it and build upon it. Because not only does that normally make your organization more successful and secure, but also helps your organization just from a morale standpoint. One thing that you need to emphasize is that don't blame anyone. 'Cause a lot of times when you're going through this, you're reassessing your own supply chain. You might find where you could see improvements that need to be done. Don't blame things that may have occurred in the past. See how you can benefit from these lessons learned in the future. >> It's interesting you say that the blame game, I mean it used to be that failure meant you get fired and that's obviously has changed. As many have said, you know you're going to have incidents. It's how you respond to those incidents. What you learn from them. Do you have Andrew, any insights from specifically working with customers on securing their software supply chain? What can you tell us about what leading practitioners are doing today? >> They're going in and not only assessing what their software components consist of. Using tools like an SBOM, a software bill of materials, understand where all the components of their ecosystem and their lineage comes from. We're hearing almost every single day, new vulnerabilities that are being introduced in various software packages. By having that understanding of what is in your ecosystem, you can then better understand how to mitigate those concerns moving forward. >> Andrea, Andrew was just saying, one of the things is you don't just dive in. You've got to be careful. There's going to be ripple effects is what I'm inferring, but at the same time, there's a mandate to move quickly. 
Are there things that could accelerate the adoption of regulation or even the creation of regulations and that guidance in your view? What could accelerate this? >> As far as accelerating it goes, I think it's having those conversations proactively with the stakeholders in your organization and understanding the environment like Andrew said. Go ahead and get that baseline. And just know that whatever changes you make are maybe going to be audited down the road, because as we were moving towards this kind of third-party verification, that you're actually implementing things in order to do business with another organization. The importance of that, if organizations see that gravity to this, I think they will try to speed things up. I think that if organizations and the people in those organizations understand that why, that I talked about earlier and they understand how things like SolarWinds or things like the oil disruption that happened earlier this year. The personal effect to cyber events will help your organization move forward. Again, everybody's bought into the concept, everybody's working towards the same goals and they understand that why behind it. >> In addition to that, having tooling available, that makes it easy for them. You have a lot of individuals who this is all foreign, providing that base level tooling that aligns to a lot of the regulations that might be applicable within their realm and their domain, makes it easier for them to start complying and taking less burden off of them to be able to be successful. >> So it's a hard problem because Andrew, how do you deal with sort of the comment more tools, okay. But I look at that the Optiv map, if you've seen that. It makes your eyes cross. You've got so many tools, so much fragmentation, you're introducing new tools. Can automation help that? Is there hope for consolidation of that tools portfolio? >> Right now, this space is very emerging. 
It's very emerging, it's very fluid to be honest, 'cause there is actually mandates only a year or two old. But as they come over the course of time, however, I do see these types of tooling starting to consolidate where right now it seems like every vendor has a tool that tries to address this. It's being able to have the people work together, have more regulations that will come out that will allow us to start to redefine and solidify on certain tools like ISO standards. There are certain ones that I mentioned on SBOMs previously, there's now an ISO standard on SBOM there wasn't previously. So as more and more of these regulations come out, it makes it easier to provide that recommended set of tooling that organizations can start leveraging instead of vendor A, vendor B. >> Andrea, I said this before I was a cynic, but will give you the last word, give us some hope. I mean, obviously public policy is very important. A partnership between governments and industry, both the practitioners, the organizations that are buying these tools, as well as the technology industry got to work together in an ecosystem. Give us some hope. >> The hope I think will come from realizing that as you're doing this, as you are implementing these changes, you're in a sense trying to prevent those future incidents from happening. There's some assurance that you're doing everything that you can do here. It's a situation, it can be daunting, I'll put it that way. It can be really daunting for organizations, but just know that organizations like Red Hat are doing what we can to help you down the road. >> And really it's just continuing this whole shifting left mentality. The top of supply chain is just one component, but the introducing DevSecOps security at the beginning, that really will make the organizations become successful because this is not just a technology problem, it's a people issue as well. 
And being able to kind of package them all up together will help organizations as a whole. >> Yeah, so that's a really important point. You hear that term shift left. For years, people say, hey, you can't just bolt security on, as an afterthought, that's problematic. And that's the answer to that problem, right? Is shifting left meaning designing it in at the point of code, infrastructure as code, DevSecOps. That's where it starts, right? >> Exactly, being able to have security at the forefront and then have everything afterwards. Propagate from your security mindset. >> Excellent, okay, Andrea, Andrew, thanks so much for coming to the program today. >> Thank you for having us. >> Very welcome, thanks for watching. This is Dave Vellante for The Cube. Your global leader in enterprise tech coverage. (soft music)

Published Date : Feb 15 2022


Andrea Hall & Andrew Block, Red Hat V2


 

(upbeat music)

>> Okay, we're here talking about how you can better understand and manage the risks associated with the digital supply chain. How in this day and age where software comes from so many different places and sources throughout the ecosystem, how can organizations manage the risks associated with our dependence on software? And with me now are two great guests, Andrea Hall, who is a specialist solution architect and project manager for security and compliance at Red Hat. She's going to focus on public sector. And Andrew Block, who's a distinguished architect at Red Hat Consulting. Folks, welcome.

>> Welcome.

>> Thank you. Thanks for having us.

>> You're very welcome. Andrea, let's start with you. Let's talk about regulations. What exists today that we should be aware of, that organizations should be paying attention to?

>> Oh sure, so the thing that comes to mind first, being in the US, is the presidential executive order on cybersecurity that came out a few months ago. Organizations are really paying attention to that. And in the US, it's having a ripple effect with policy, but we're also seeing policy considerations pop up in other countries, Australia and England. The supply chain is a big focus right now, of course, but we see these changes coming down the road as more and more government organizations are trying to secure their critical infrastructure.

>> Is there kind of a leadership, or probably in other words, is somebody saying seeing what the UK does and say, okay, we're going to follow that template? Or is it just a variety and a mishmash with no sort of consolidation? How is that sort of playing out?

>> I see a lot of organizations kind of basing their requirements on (indistinct). However, each organization has its own nuances. Each agency has its own nuances to how it wants them implemented.

>> Andrew, maybe you could chime in here. What are you seeing when you talk to customers that are tuned into this issue?

>> No, as Andrea had just mentioned, having that north star in terms of regulations is so fundamentally great for them, because many of them, especially in regulated industries, look to these regulations on how they apply their own policies. So at least it has some guidance on how to move forward, because as we all know the secure software supply chain is getting news every day, and how they react to it is something that I know all their leaders are asking themselves, especially those IT leaders.

>> Andrea, when I talk to practitioners, sometimes they're frustrated. They understand they have to comply. They know new regulations are coming out, but sometimes it's hard for them to keep up. It would be helpful if you're sitting across the table from somebody who's frustrated and they ask you, what are your expectations? What are the trends in regulations? How do you see the current regulations evolving to specifically accommodate the digital supply chain and the security exposures and corollary requirements there?

>> We see a lot of organizations struggling in the sense of trying to understand what the policy actually wants. Definitions are still a little bit vague, but implementation is also difficult because sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Really, automation has to be pulled in. That's key to implementing this instead of adding more workload and more burden to your folks. It's really important for these organizations to pull stakeholders in the organization together. So the IT leaders bring together the developers, the security operations, sit at the same table, talk about whether or not what needs to be implemented, or what's proposed to be implemented, will affect the mission in any way or disrupt operations. It's important for everybody to be on the same page so it doesn't slow anything down as you're trying to roll it out.

>> And one of the things here is that we're seeing a lot of change with these new regulations, and with a lot of organizations, any type of change is scary. And that is one area that they're looking for guidance, not only in the tooling, but also how they apply it in the organization.

>> I'll add on.

>> Please.

>> I'll add onto that and say, organizations really need to take into account the people side of things too. People need to understand what the impact is to the organization, so that they don't try to find the loopholes, they're buying into what needs to be done. They understand the why behind it. You, for example, if you walk into your house, you normally close the door behind you. Security needs to be seen as that as well, that's the culture and it's the habit. And it's ingrained in the fabric of the organization to live this way, not just implement the tools to do it.

>> Right, and the number of doors you have in your infrastructure are a lot more than just a couple. Andrew mentioned sort of guidance, and governments are obviously taking a more active role. I mean, sometimes I'm a cynic. I mean, the president Biden signs an executive order, but swipe of a pen doesn't really give us enough to go on. Do you think, Andrea, that we're going to see new guidance from governments in the very near future? What are you expecting?

>> I expect to see more conversations happening. I know that agencies who developed the policies are pulling together stakeholders and getting input. But I do see in the not too distant future that mandates will be rolling out, yes.

>> Well, so Andrew, of course, Andrea, if you have a thought on this as well, but how do you see organizations dealing with adopting these new policies?

>> Slowly. Don't boil the ocean is one thing I tell a lot to every one of them, because a lot of these tooling, a lot of these concepts are foreign to them, brand new. How they adopt those and how they implement them needs to be done in a very agile fashion, very slow and prescriptive. Go ahead and try to find one area of improvement and go ahead and work upon it and build upon it. Because not only does that normally make your organization more successful and secure, but it also helps your organization just from a morale standpoint. One thing that you need to emphasize is that don't blame anyone. 'Cause a lot of times when you're going through this, you're reassessing your own supply chain. You might find where you could see improvements that need to be done. Don't blame things that may have occurred in the past. See how you can benefit from these lessons learned in the future.

>> It's interesting you say that, the blame game. I mean, it used to be that failure meant you get fired, and that obviously has changed. As many have said, you know you're going to have incidents. It's how you respond to those incidents. What you learn from them. Do you have, Andrew, any insights from specifically working with customers on securing their software supply chain? What can you tell us about what leading practitioners are doing today?

>> They're going in and not only assessing what their software components consist of. Using tools like an SBOM, a software bill of materials, understand where all the components of their ecosystem and their lineage come from. We're hearing almost every single day, new vulnerabilities that are being introduced in various software packages. By having that understanding of what is in your ecosystem, you can then better understand how to mitigate those concerns moving forward.

>> Andrea, Andrew was just saying, one of the things is you don't just dive in. You've got to be careful. There's going to be ripple effects is what I'm inferring, but at the same time, there's a mandate to move quickly. Are there things that could accelerate the adoption of regulation, or even the creation of regulations and that guidance, in your view? What could accelerate this?

>> As far as accelerating it goes, I think it's having those conversations proactively with the stakeholders in your organization and understanding the environment like Andrew said. Go ahead and get that baseline. And just know that whatever changes you make are maybe going to be audited down the road, because as we were moving towards this kind of third-party verification, that you're actually implementing things in order to do business with another organization. The importance of that, if organizations see that gravity to this, I think they will try to speed things up. I think that if organizations and the people in those organizations understand that why that I talked about earlier, and they understand how things like SolarWinds or things like the oil disruption that happened earlier this year. The personal effect of cyber events will help your organization move forward. Again, everybody's bought into the concept, everybody's working towards the same goals, and they understand that why behind it.

>> In addition to that, having tooling available that makes it easy for them. You have a lot of individuals for whom this is all foreign. Providing that base level tooling that aligns to a lot of the regulations that might be applicable within their realm and their domain makes it easier for them to start complying, and taking less burden off of them to be able to be successful.

>> So it's a hard problem because, Andrew, how do you deal with sort of the comment, more tools, okay. But I look at the Optiv map, if you've seen that. It makes your eyes cross. You've got so many tools, so much fragmentation, you're introducing new tools. Can automation help that? Is there hope for consolidation of that tools portfolio?

>> Right now, this space is very emerging. It's very emergent, it's very fluid to be honest, 'cause there are actually mandates only a year or two old. But as they come over the course of time, however, I do see these types of tooling starting to consolidate, where right now it seems like every vendor has a tool that tries to address this. It's being able to have the people work together, have more regulations that will come out that will allow us to start to redefine and solidify on certain tools, like ISO standards. There are certain ones that I mentioned on SBOMs previously, there's now an ISO standard on SBOM, there wasn't previously. So as more and more of these regulations come out, it makes it easier to provide that recommended set of tooling that an organization is leveraging instead of vendor A, vendor B.

>> Andrea, I said this before, I was a cynic, but I'll give you the last word, give us some hope. I mean, obviously public policy is very important. A partnership between governments and industry, both the practitioners, the organizations that are buying these tools, as well as the technology industry, got to work together in an ecosystem. Give us some hope.

>> The hope I think will come from realizing that as you're doing this, as you are implementing these changes, you're in a sense trying to prevent those future incidents from happening. There's some assurance that you're doing everything that you can do here. It's a situation, it can be daunting, I'll put it that way. It can be really daunting for organizations, but just know that organizations like Red Hat are doing what we can to help you down the road.

>> And really it's just continuing this whole shifting left mentality. The top of supply chain is just one component, but introducing DevSecOps security at the beginning, that really will make the organizations become successful, because this is not just a technology problem, it's a people issue as well. And being able to kind of package them all up together will help organizations as a whole.

>> Yeah, so that's a really important point. You hear that term shift left. For years, people say, hey, you can't just bolt security on as an afterthought, that's problematic. And that's the answer to that problem, right? Is shifting left, meaning designing it in at the point of code, infrastructure as code, DevSecOps. That's where it starts, right?

>> Exactly, being able to have security at the forefront and then have everything afterwards propagate from your security mindset.

>> Excellent, okay, Andrea, Andrew, thanks so much for coming to the program today.

>> Thank you for having us.

>> Very welcome, thanks for watching. This is Dave Vellante for theCUBE, your global leader in enterprise tech coverage.

(soft music)

Published Date : Dec 16 2021



Andrea Hall & Andrew Block, Red Hat


 


Published Date : Dec 15 2021

