>>From around the globe. It's the cube covering Fortinet security summit brought to you by Fortinet. >>Okay. Welcome back everyone. To the cubes, coverage of Fortinets championship golf tournament, we're here for the cybersecurity summit. David got a great guest, Ruby cutoff CEO, and co-founder of Tufin great to have you on. Thank you for coming on the cube. We were chatting before. Came on. Camera, big talk. You just gave it. Thanks mom. Thanks >>For having me >>Not a bad place here. Golf tournament, golf and cybersecurity, kind of go together. You know, keep the ball in the middle of the fairway. You know, don't let it get out of bounds, you know, >>And it's a beautiful place. So, uh, very happy to be here and be a premier sponsor of the event. >>Congratulations and a good, good to have you on let's get into the cybersecurity. We were talking before we came on camera around how transformation is really hard. We went to the cloud is really hard refactoring. You're just really hard, but security is really, really hard. That's true. So how do you look at how security is perceived in companies? Is there dynamics that are being amplified by the rapid moved movement to the cloud? You seeing apps being developed really fast changes fast. What's the, what's the barometer of the industry right now? Sure, >>Sure. It's interesting. And this hasn't really changed in the past, but we've seen like exacerbated getting worse and worse. I think a lot of companies security is actually seen as a blocker and frankly security is probably the most hated department in the organization because a lot of times, first of all, the security says no, but also they just take their time. So if you think about organizations, enterprises, they run on top of their enterprise applications. They have applications that their own in-house developers are writing, and those developers are changing their apps all the time. They're driving change in it as well. So you end up having dozens of change requests from developers want to open connectivity. You want to go from point a to point B on the network. They open a ticket. It reaches the network security team that ticket might take several days until it's implemented in production. So the level of service that security provides the application teams today is really not very high. So you can really understand why security is not, um, looked upon favorably by the rest of the organization. >>And some organizations. My perception is, is that, you know, the hardcore security teams that have been around for awhile, they've got standards and they're hardcore, a new app comes in, it's gotta be approved. Something's gotta get done. And it's slower, right? It slows people down the perception. It could be slow. How is it changing? Yes, >>So it changing because when you're moving to the cloud and a lot of organizations are adopting the cloud in many ways, private cloud, public cloud hybrid cloud, you know, they're working in cloud native environments and those environments, you know, the developers are, they own the keys to the kingdom, right? They're managing AWS Azure, Google cloud to managing get hub. You know, they got the place to themselves. So they're pushing changes in their apps without asking it for permission. So they're suddenly exposed to this is how fast it can really be. And while anything that they do in the on-prem or sort of traditional applications is still moving very slowly unless they're using an automated approach to policy. So one of the things that I spoke about today is the need for organizations to adopt a policy centric approach. So they need to define a policy of who can talk to whom and what conduct to what across the entire organizational network, whether it's firewalls routers, which is cloud platforms. >>And then once you have that policy, you can start automated based on the policy. So the concept is somebody opens a ticket, a developer wants to make a change. They want a ticket in service. Now remedy that ticket reaches, uh, some system that's going to check for compliance against the policy. If you're able to immediately tell if that change is compliant or not, then you're able to make that split-second decision, which might take an analyst a couple of days, and then you can design the perfect minimal change to implement on the network. That is really agile, right? That's what developers want to see. And a lot of security departments are really struggling with that today. >>Why, why are they? That seems like a no brainer because policy-based innovation has been around in the network layer for many, many years decades. Right? We'll see, makes things go better, faster. Why would they be against it? Where were they? >>Yeah. So they're not really against it. I think it's just the sheer complexity and size of today's networks is nothing compared to where it was 10 years ago. So you have tens to hundreds of firewalls in large enterprises, thousands of routers and switches, load balancers, private cloud SDN, like NSX and ACI public cloud Kubernetes. It's just a plethora of networking. So we're thinking of it as proliferation of networking is getting worse and worse, especially with IOT and now moving to the cloud. So it is just so complex that if you don't have specialized tools, there's absolutely no way they'll, you'll be able to. >>So your talk must so gone over well, because I do a lot of interviews and I hear developers talking about shift left, right? Which is, you know, basically vernacular for do security in the dev CIC D pipelining. So while you're there rather than having to go fix the bugs later, this seems to be a hot trend. People like it, they want it, they want to check it off, get it done, move on this policy-based automation, help them here. >>It does in some ways, I mean, so you need a policy for the cloud as well, but there's a different challenge that I see altogether in the cloud. And one of the challenges that we're saying is that there's actually a political divide. You have network security folks who are managing, you know, firewalls routers, switches, and maybe the hub to the cloud. And then inside the spokes inside the cloud itself, you have a different team, cloud operators, cloud security folks. And those two teams don't really talk to each other. Some companies have set up centers of excellence, where they're trying to bring all the experts together. But most companies, network security, folks who want to understand what's happening inside the cloud are sort of given the Heisman. They're not invited to meetings. Um, and there's lack of which I think is tragic because it's not going to go over well. So there's huge challenges in security in the cloud. And unless these two departments are going to talk to each other and work together, we're not going to get anywhere near the level of security that we need. >>The cloud team, the cloud guys, if you will, you know, quote guys or gals and the security guys and gals, they're not getting along. What's the, what's the, is it historical? Just legacy structures? Is it more of my department? I own the keys to the kingdom. So go through me kind of the vibe, or is it more of just evolution of the, developer's going to say, I'm going to go around you like shadow it, um, created the cloud. Is there like a shadow security, but trend around this? >>Yeah, there is. And I think it stems from what we covered in the beginning, which is, you know, app developers are now used to and trained to fear security. Every change they want on the on-prem network takes a week, right? They're moving to the cloud. Suddenly they're able to roam freely, do things quickly. If network security folks come by and say, oh, we want to take a look at those changes. What they're hearing, the music is all we're going to slow you down. And the last thing cloud guys want to hear is that we're going to slow you down. So they have they're fearfully. You know, they're, they're rightly afraid of what's going to happen. If they enable a very cumbersome and slow process, we got to work differently. Right? So there's new paradigms with dev DevSecOps where security is built into the CIC pipeline, where it doesn't slow down app developers, but enables compliance and visibility into the cloud environments at the same time. Great stuff. >>Great insight. I want to ask you your, one of your things in your top that I found interesting. And I like to have you explain it in more detail is you think security can be an enabler for digital transformation. Digital transformation can kick the wrong yeah. With transforming. Okay. Everyone knows that, but security, how does security become that enabler? >>So, I mean, today security is a, um, as a blocker to digital transformation. I think anybody that claims, Hey, we're on a path to digital transformation. We're automated, we're digitally transformed. And yet you asked the right people and you find out every change takes a week on the network. You're not digitally transformed, right? So if you adopt a, a framework where you're able to make changes in a compliant secure matter and make changes in minutes, instead of days, suddenly you'll be able to provide a level of service to app developers like they're getting in the cloud, that's digital transformation. So I see the network change process as pretty much the last piece of it that has not been digitally transformed yet. >>And this is where a lot of opportunity is. Exactly. All right. So talk about what you guys are doing to solve that problem, because you know, this is a big discussion. Obviously security is on everyone's mind. They're reactive to proactive that buying every tool they can platforms are coming out. You're starting to see a control plane. You're starting to see things like collective intelligence networks forming, uh, what's the solution to all this, >>Right? So what we've developed is a security policy layer that sits on top of all the infrastructure. So we've got, uh, four products in the two for an orchestration suite where we can connect to all the major firewalls, router, switches, cloud platforms, private cloud SDN. So we see the configuration in all those different platforms. We know what's happening on the ground. We build a typology model. That is one of the industry's best apology models that enables us to query and say, okay, from point a to point B, which firewalls, router switches and cloud platforms will you traverse. And then we integrate it with ticketing system, like a remedy or service now, so that the user experiences a developer opens a ticket for a change that ticket gets into Tufin. We check it against the policy that was defined by the security managers, the security manager defined a policy of who can talk to whom and what conducted what across the physical network and the cloud. >>So we can tell within a split second, is this compliant or not? If it's not compliant, we don't waste an engineer's time. We kick it back to the original user. But if it is compliant, we use that typology model to perform network change design. So we design the perfect minimal change to implement an every firewall router switch cloud platform. And then the last mile is we provision that change automatically. So we're able to make a change in minutes, instead of days would dramatically better security and accuracy. So the ROI on Tufin is not just security, but agility balanced with security at the same time. So you like the rules of the road, >>But the roads are changing all the time. That's how do you keep track of what's going on? You must have to have some sort of visualization technology when you lay out the topology and things start to be compliant, and then you might see opportunity to do innovative buckets. Hey, you know, I love this policy, but I'm, I'm going to work on my policy because sure. Got to up your game on policy and continue to iterate. Is that how do they, how do your customers Daniel? >>So listen, we we're, uh, we're not a tiny company anymore. We've grown. We went public in April of 2019 race and capital. We have over 500 employees, we sold over 2000 customers worldwide. So, um, you know, when customers ask us for advice, we come in and help them with consulting or professional services in terms of deployment. And the other piece is we gotta keep up all the time with what's happening with Fortnite. For example, as, as one of our strategic partners, every time fortnight makes the change we're on the beta program. So we know about a code change. We're able to test them the lab we know about their latest features. We got to keep up with all that. So that takes a lot of engineering efforts. We've hired a lot of engineers and we're hiring more. Uh, so it takes a lot of investment to do this at scale. And we're able to deliver that for our customers. >>I want the relationship with 400. I see you're here at the golf tournament. You're part of the pavilion. You're part of the tournament by the way. Congratulations. Great, great, great event. Thank you. What's the relationship with food and air from a product and a customer technology standpoint, >>We're working closely with Fortnite, where they're a strategic partner of ours. We're integrated into their Fordham manager, APIs. We're a fabric ready solution for them. So obviously working closely. Some of our biggest customers are fortnight's biggest customers will get the opportunity to sponsor this event, which is great tons of customers here and very interesting conversations. So we're very happy with that relationship. >>This is good. Yeah. So that ask you, what have you learned? I think you got great business success. Looking back now to where we are today, the speed of the market, what's your big takeaway in terms of how security changed and it continues to be challenging and these opportunities, what was the big takeaway for you? >>Well, I guess if you were like spanning my career, uh, the big takeaway is, uh, first of all, and just in startup world, patients think things come to those away, but also, um, you know, just, you got to have the basics, right? What we do is foundational. And there were times when people didn't believe in what we do or thought, you know, this is minor. This is not important as people move to the cloud, this won't matter. Oh, it matters. It matters not just in on-prem and it matters in the cloud as well. You gotta have a baseline of a policy and you gotta base everything around that. Um, and so w we've sort of had that mantra from day one and we were right. And we're, we're very happy to be where we are today. Yeah. >>And, you know, as a founder, a co-founder of the company, you know, most of the most successful companies I observed is usually misunderstood for a long time. That's true. Jesse's favorite quote on the cube. He's now the CEO of Amazon said we were misunderstood for a long time. I'm surprised it took people this long to figure out what we were doing. And, and that was good. A good thing. So, you know, just having that north star vision, staying true to the problem when there were probably opportunities that you are like, oh, we, you know, pressure or sure. Yeah. I mean, you stayed the course. What was the, what was the key thing? Grit focused. Yes. >>Looking to startup life. It's sorta like being in sales. We, we got told no, a thousand times before we got told yes. Or maybe a hundred times. So, uh, you gotta, you gotta be, um, you got to persevere. You gotta be really confident in what you're doing and, uh, just stay the course. And we felt pretty strongly about what we're building, that the technology was right. That the need of the market was right. And we just stuck to our guns. >>So focus on the future. What's the next five, five years look like, what's your focus? What's the strategic imperative for you guys. What's your, what's your, what do you mean working on? >>So there's several things that on the business side, we're transitioning to a subscription-based model and we're moving into SAS. One of our products is now a SAS based product. So that's very important to us. We also are now undergoing a shift. So we have a new version called Tufin Aurora Tufin Aurora is a transformation. It's our next generation product. Uh, we're rearchitected the entire, uh, underlying infrastructure to be based on microservices so we could be cloud ready. So that's a major focus in terms of engineering, uh, and in terms of customers, you know, we're, we're selling to larger and larger enterprises. And, uh, we think that this policy topic is critical, not just in the on-prem, but in the cloud. So in the next three years, as people move more and more to the cloud, we believe that what we do will be, become even more relevant as organization will straddle on-premise networks and the cloud. So >>Safe to say that you believe that policy based architecture is the key to automation. >>Absolutely. You can't automate what you don't know, and you can't people, like I mentioned this in my talk, people say, oh, I can do this. I can cook up an Ansible script and automate, all right, you'll push a change, but what is the logic? Why did you make that decision? Is it based on something you've got to have a core foundation? And that foundation is the policy >>Really great insight. Great to have you on the cube. You've got great success and working knowledge and you're in the right place. And you're skating to where the puck is and will be, as they say, congratulations on your success. Thank >>You very much. Thanks for having >>Me. Okay. Keep coming here. The Fortinet championship summit day, cybersecurity summit, 40 minutes golf tournament here in Napa valley. I'm John Firmicute. Thanks for watching.