Chase Doelling Final


 

(upbeat music)

>> Hey, everyone. Welcome to this CUBE Conversation that's part of the AWS startup showcase Season Two, Episode Four. I'm your host Lisa Martin. Chase Doelling joins me, the principal strategist at JumpCloud. Chase, welcome to theCUBE. It's great to have you.

>> Chase: Perfect. Well, thank you so much, Lisa. I really appreciate the opportunity to come and hang out.

>> Let's talk about JumpCloud. First of all, love the name. This is an open directory platform. Talk to the audience about what the platform is, obviously, the evolution of the domain controller. But give us that backstory?

>> Yeah, absolutely. And so, company was started, and I think, from serial entrepreneurs, and after kind of last exit, taking a look around and saying, "Why is this piece of hardware still the dominant force when you're thinking about identities, especially when the world is moving to cloud, and all the different pieces that have been around it?" And so, over the years, we've evolved JumpCloud into an open directory platform. And what that is, is we're managing your identities, the devices that are associated to that, all the access points that employees need just to get their job done. And the best part is, is we're able to do that no matter where they are within the world.

>> It seems like kind of a reinvention of how modern IT teams are getting work done, especially in these days of remote work. Talk to me a little bit about the last couple of years particularly as remote work exploded, and here we are still probably, permanently, in that situation?

>> Yeah, absolutely. And I think it's probably going to be one of those situations where we stick with it for quite a while. We had a very abrupt force in making sure that essentially every IT and security team could grapple with the fact of their users are no longer coming into the office. You know, how do we VPN into all of our different resources?
Those are very common and unfortunate pain points that we've had over the last couple years. And so, now, people have started to kind of get into the motion of it, working from home, having background and setups and other pieces. But one of the main areas of concern, especially as you're thinking about that, is how does it relate to my security infrastructure, or kind of my approach to my organization. And making sure that too, on the tail end, that a user's access and making sure that they can get into everything that they need to do in order to get work done, is still happening? And so, what we've done, is we've really taken, evolving and really kind of ripping apart this notion of what a directory was. 'Cause originally, it was just like, great, almost like a phone directory. It's where people lived they're going into all those different pieces. But it wasn't set up for the modern world, and kind of how we're approaching it, and how organizations now are started with a credit card and have all of their infrastructure. And essentially, all of their IP, is now hosted somewhere else. And so, we wanted to take a different approach where we're thinking about, not only managing that identity, but taking an open approach. So, no matter where the identity's coming from, we can integrate that into the platform but then we're also managing and securing those devices, which is often the most important piece that we have sitting right in front of us in order to get into that. But then, also that final question, of when you're accessing networks applications, can you create the conditions for trust, right? And so, if you're looking at zero trust, or kind of going after different levels of compliance, ISO, SOC2, whatever that might be, making sure that you have all that put in place no matter where your employees are. So, in that way, as we kind of moved into this remote, now hybrid world, it wasn't the office as the gating point anymore, right?
So, key cards, as much as we love 'em, final part, whereas the new perimeter, the kind of the new barrier for organizations especially how they're thinking about security, is the people's identities behind that. And so, that's the approach that we really wanted to take as we continue to evolve and really open up what a directory platform can do.

>> Yeah. Zero trust security, remote work. Two things that have exploded in the last couple of years. But as employees, we expected to be able to still have the access that we needed to apps, to the network, to WiFi, et cetera. And, of course, on the security side, we saw massive changes in the threat landscape that really, obviously, security elevates to a board level conversation. So, I imagine zero trust security, remote work, probably compliance, you mentioned SOC2, are some of the key use cases that you're helping organizations with?

>> Those are a lot of the drivers. And what we do, is we're able to combine a lot of different aspects that you need for each one of those. And so, now you're thinking about essentially, the use case of someone joins an organization, they need access to all these different things. But behind the scenes, it's a combination of identity access management, device management, applications, networks, everything else, and creating those conditions for them to do their roles. But the other piece of that, is you also don't want to be overly cumbersome. I think a lot of us think about security as like great biometrics, so I'm going to add in these keys, I'm going to do everything else to kind of get into these secured resources. But the reality of it now, is those secure resources might be AWS infrastructure. It might be other Salesforce reporting tools. It might be other pieces, or kind of IP within the organization. And those are now your crown jewel.
And so, if you're not thinking about the identities behind them and the security that you have in order to facilitate that transaction, it becomes a board level conversation very quickly. But you want to do it in a way that people can move forward with their lives, and they're not spending a ton of time battling the systems and procedures you put in place to protect it, but that it's working together seamlessly. And so, that's where, kind of this notion for us of bringing all these different technologies into one platform. You're able to consolidate a lot of those and remove a lot of the friction while maintaining the visibility, and answering the question, of who has access to what? And when did they do that? Those are the most critical pieces that IT and security teams are asking themselves when something happens. And hopefully, on the preventative side and not so much on the reactive side.

>> Have you seen the escalation up the C-Suite change of the board in terms of really focusing on how do we do identity management? How do we do single sign on? How do we do device management and network access? Is that all the way up to the C-Suite board level as well?

>> It certainly can be. And we've seen it in a lot of different conversations, because now you are thinking about all different portions of the organization. And then, two, as we're thinking about times we're currently in, there's also a cost associated to that. And so, when you start to consolidate all of those technologies into one area, now it becomes much more of total cost optimization types of story while you're still maintaining a lot of the security and basic blocking and tackling that you need for most organizations. So, everything you just mentioned, those are now table stakes for a lot of small, medium, startups to be at the table. So, how do you have access to enterprise level, essentially technology, without the cost that's associated to it.
And that's a lot of the trade offs that organizations are facing and having those types of conversations as it relates to business preparedness and how we're making sure that we are putting our best foot forward, and we're able to be resilient in no matter what type, of either economic or security threat that the organization might be looking at.

>> So, let's talk about the go-to market, the strategy from a sales and marketing perspective. Where are the customer conversations happening? Are they at the IT level? Are they higher up the stack?

>> It's really at, I'd say the IT level. And so, by that, I mean the builders, the implementers, everyone that's responsible for putting devices in people's hands, and making sure that they can do their job effectively. And so, those are their, I'd say the IT admins of the world as well as the managed service providers who support those organizations, making sure that we can enable them to making sure that their organizations or their client organizations have all the tools at their disposal to make sure that they have the security or the policies, and the technology behind them to enable all those different practices.

>> Let's unpack the benefits from an IT perspective? Obviously, they're getting one console that they can manage it all. One user identity for email, and devices, and apps, and things. You mentioned regardless of location, but this is also regardless of operating system, correct?

>> That's correct. And so, part of taking an open approach, is also the devices that you're running on. And so, we take a cross OS approach. So, Mac, Windows, Linux, iPhone, whatever it might be, we can make sure that, that device is secure. And so, it does a couple different things. So, one, is the employees have device choice, right? So, I'm a Mac person coming in. If forced into a Windows, it'd be an interesting experience. But then, also too, from the back end, now you have essentially one platform to manage your entire fleet.
And also give visibility and data behind what's happening behind those. And then, from the end user perspective as well, everything's tied together. And so, instead of having, what we'll call user ID schizophrenia, it might be one employee, but hundreds of different identities and logins just to get their work done. We can now centralize that into one person, making sure you have one password to get into your device, get into the network, to get into your single sign on. We also have push MFA associated with that. So, you can actually create the conditions for your most secured access, or you understand, say, "Hey, I'm actually in the office. I'm going to be a hybrid employee. Maybe I can actually relax some of those security concerns I might have for people outside of the network." And all we do, is making sure that we give all that optionality to our IT admins, managed service providers of the world to enable that type of work for their employees to happen.

>> So, they have the ability to toggle that, is critically important in this day and age of the hybrid work model, that's probably here to stay?

>> It is, yeah. And it's something that organizations change, right? Our own organizations, they grow, they change different. New threats might emerge, or same old existing threats continue to come back. And we need to just have better processes and automations put within that. And it's when you start to consolidate all of those technologies, not only are you thinking about the visibility behind that, but then you're automating a lot of those different pieces that are already tightly coupled together. And that actually is truly powerful for a lot of the IT admins of the world, because that's where they spend a lot of time, and they're able to spend more time helping users tackling big projects instead of run rate security, and blocking, and tackling. That should be enabled from the organization from the get go.

>> You mentioned automation.
And I think that there's got to be a TCO reduction aspect here with respect to security and IT practices. Can you talk about that a little bit?

>> Yeah, absolutely. Let's think about the opposite of that. Let's say we have a laundry list of technology that we need to go out and source. One is, great, where the identity is, so we have an identity provider. Now, we need to make sure that we have application access that might look like single sign on. Now, we need to make sure, you are who you are no matter where you are in the world. Well, now we need multifactor authentication and that might involve either a push button, or biometrics. And then, well, great the device's in front of us, that's a huge component, making sure that I can understand, not only who's on the device, but that the device is secure, that there's certificates there, that there's policies that ensure the proper use of that wherever it might be. Especially, if I'm an employee, either, it used to be on the jet center going between flying anywhere you need. Now, it's kind of cross country, cross domain, all those different areas. And when you start to have that, it really unlocks, essentially IT sprawl. You have a lot of different pieces, a lot of different contracts, trying to figure out one technology works, but the other might not. And you're now you're creating workarounds for all these different pieces. So, the opposite of that, is essentially, let's take all those technologies and consolidate that into one platform. So, not only is it cheaper essentially, looking after that and understanding all the different technologies, but now it's all the other soft costs around it that many people don't think about. It's all the other automations. It's all the workarounds that you didn't have to do in the first place. It's all the other pieces that you'd spend a lot of time trying to wire it together. Into the hopes of that, it creates some security model.
But then again, you lose a lot of the visibility. So, you might have an incident happen over here, or a trigger, or alert, but it's not tied to the rest of the stack. And so, now you're spending a lot of time, especially, either trying to understand. And worse timing, is if you have an incident and you're trying to understand what's happening? Unraveling all of that as it happens, becomes impossible, especially if it's not consolidated with one platform. So, there's not only the hard cost aspect of bringing all that together, but also the soft costs of thinking about how your business can perform, or at least optimize for a lot of those different standard processes, including onboarding, offboarding, and everything else in between.

>> Yeah. On the soft cost side, I can imagine. I can see huge benefits for HR onboarding, offboarding. I can see benefits for the employee experience period, which directly relates to the customer experience. So, in terms of the business impact that JumpCloud can make, it seems to be pretty horizontal across any type of organization?

>> It is, and especially as you mentioned HR. Because when you think about, where does the origin of someone's identity start? Well, typically, it starts with a resume and that might be in applicant tracking software. Now, we're going to get hired, so we're going to move into HR, because, well, everyone likes payroll, and we need that in our lives, right? But now you get into the second phase, of great, now I've joined the organization. Now, I need access to all of these different pieces.
But when you look at it, essentially horizontally, from HR, all the way into the employee experience, and their whole life cycle within the organization, now you're touching multiple different teams. And that's one of the other, I'd say benefits of that, is now you're actually bringing in HR, and IT, and security, and everyone else that might be related within these kind of larger use cases of making work happen all coming under. And when they're tightly integrated, it's also a lot more secure, right? So, you're not passing notes along. You're not having a checklist of other stuff, especially when it relates to something as important as someone's identity, which is more often than not, the most common attack vector for people to go after. Because they know it's the keys to the kingdom. There's going to be a lot of different attempts, maybe malware and other pieces, but a lot of it comes back into, can I impersonate, or become the person that I want within the organization, because it's the identity allows you to access all those different pieces. And so, if it's coming from a disjointed process or something that's not as tightly as it could be, that's where it really opens up a lot of different vectors that organizations don't think about.

>> Right, and those vectors are only growing and multiplying as we know, and here to stay. When you're in customer conversations what do you describe as maybe the top three differentiators of JumpCloud compared to the competition?

>> Well, I think a lot of it is we take an open approach. And so, by that, I mean, it's one we're not locking into, I'd say different vendors or other areas. We're really looking into making sure that we can work within your environment as it stands today, or where you want to migrate in the future. And so, this could be a combination of on-prem resources, cloud resources, or nothing if you're starting a company from today. And the second, is again, coming back into how we're looking at devices.
So, we take a cross OS approach that way, no matter what you're operating on, it all comes back from the same dashboard. But then, finally, we leverage a ton of different protocols to make sure it works with everything within your current technology stack, as well as it continues to elevate and evolve over time. So, it could be LDAP and RADIUS, and SAML, and SCIM, and OpenID Connect, and open APIs. And whatever that might be, we are able to tie in all those different pieces. So, now, all of a sudden, it's not just one platform, but you have your whole business tied into as that gives you some flexibility too, to evolve. Because even during the pandemic and the shift for remote, there's a lot of technology choices that shifted. A lot of people are like, "Okay, now's the time to go to the cloud." There might be other events that organizations change. There's other things that might happen. So, creating that flexibility for organizations to move and make those calls, is essentially how we're differentiating ourselves. And we're not locking you into this, walled garden of technology that's just our own. We really want to make sure that we can operate, and be that glue, so that way, no matter what you're trying to do and making sure that your work is being done, we can help facilitate that.

>> Nice. No matter what happens. Because boy, at this day, anything's possible. One more question for you about your AWS partnership. Talk to me a little bit about that?

>> Yeah, absolutely. So, we are preferred ADP identity provider and SSO provider for AWS. And so, now rebranded under their identity center. But it's crucial for a lot of our organizations and joint customers because again, when we think about a lot of organization IP and how they operate as a business, is tied into AWS. And so, really understanding, who has the right level of access? Who should be in there or not? And when too, you should challenge in making sure that actually there's something fishy there.
Like let's make sure that they're not just traveling to Europe on a sabbatical, and it's really who they are instead of a threat actor. Those are some of the pieces when we're thinking about creating that authentication, but then also, the right authorization into those AWS resources. And so, that's actually something that we've been very close to, especially, I'd say that the origins of a company. Because a lot of startups, that's where they go. That's where they begin their journey. And so, we meet them where they are, and making sure that we're protecting not only everything else within their organization, but also what they're trying to get into, which is typically AWS.

>> Meeting customers where they are. It's all about that. Chase, thank you so much for joining me on the program talking about JumpCloud, it's open directory platform. The benefits, the capabilities, what's in it for IT, HR, security, et cetera. We appreciate all of your insights and time. Where do you want to point folks to go to learn more?

>> Well, absolutely. Well, thank you so much for having us. And I'd say, if you're curious about any and all these different technologies, the best part is everything I talked about is free up to 10 users, 10 devices. So, just go to jumpcloud.com. You can create an organization, and it's great for startups, people at home. Any size company that you're at, we can help support all of those different facets in bringing in those different types of technologies all into one roof.

>> Awesome. Chase, thank you so much. This is awesome, go to jumpcloud.com. For Chase Doelling, I'm Lisa Martin. We want to thank you so much for giving us some of your time and watching this CUBE Conversation.

(upbeat music)

Published Date : Aug 16 2022


Lena Smart, MongoDB | AWS re:Inforce 2022


 

(electronic music)

>> Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here, she's the chief information security officer at MongoDB rocket ship company. We covered MongoDB World earlier this year, June, down in New York. Lena, thanks for coming to theCUBE.

>> Thank you for having me.

>> You're very welcome, I enjoyed your keynote yesterday. You had a big audience, I mean, this is a big deal.

>> Yeah.

>> This is the cloud security conference, AWS, putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security, how it used to be an afterthought, used to be the responsibility of a small group of people.

>> Yeah.

>> You know, it used to be a bolt on.

>> Yep.

>> That's changed dramatically and that change has really accelerated through the pandemic.

>> Yep.

>> Just describe that change from your perspective.

>> So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was their first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third time returnee, I guess? So he's worked for MongoDB twice before, his name is Chris Sandalo, and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while and having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader.
He had a reputation as a strong technical leader. So us combined is like indestructible, we're a great team.

>> Is your scope of responsibility, obviously you're protecting Mongo,

>> Yeah.

>> How much of your role extends into the product?

>> So we have a product security team that report into Sahir Azam, our chief product officer. I think you even spoke to him.

>> Yeah, he's amazing.

>> He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer facing. I'm also to a certain extent customer facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance, risk and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. And I think that's really important. We have to listen to what our customers want, but also internally. You know, what our internal groups need as well to help them grow.

>> I remember last year, Re:invent 2021, I was watching a talk on security. It was the, I forget his name, but it was the individual who's responsible for data center security. And one of the things he said was, you know, look it's not at the end of the day, the technology's important but it's not the technology. It's how you apply the tools and the practices and the culture-

>> Right.

>> That you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys.

>> Yes.

>> Let's put it that way. So talk about the challenges of building that culture, how you go about that, and how you sustain that cultural aspect.
>> So, I think having the security champion program, so that's just, it's like one of my babies, that and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually people grade themselves, when they join us, we give them a little tick box. Like five is, I walk in security water. One is, I can spell security but I'd like to learn more. Mixing those groups together has been game changing for us. We now have over a hundred people who volunteer their time, with their supervisors permission, they help us with their phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them- And we have people from product as security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, really want to understand how they can apply the cultural values that we live with each day to make our security program stronger. As I say, that's been a game changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through this Champions program.

>> Makes a lot of sense.
You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it but wants to learn and then can ask really basic questions, and then the experts can actually understand better how to communicate.

>> Absolutely.

>> To that you know that 101 level.

>> It's absolutely true. Like my mom lives in her iPad. She worships her iPad. Unfortunately she thinks everything on it is true. And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to- So she's a one, and I might be a five, that's hard. That's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden.

>> My mom, rest her soul, when she first got a- we got her a Macintosh, this was years and years and years ago, and we were trying to train her over the phone, and said, mom, just grab the mouse. And she's like, I don't like mice. (Lena laughs) There you go. I know, I know, Lena, what that's like. Years ago, it was early last decade, we started to think about, wow, security really has to become a board level item.

>> Yeah.

>> And it really wasn't- 2010, you know, for certain companies. But really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary.

>> Yes.

>> We had this conversation, and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely. Here's how you know, here. This is the criticality. Now it's totally changed.

>> Right.

>> I mean, it's now a board level item. But how do you communicate to the C-Suite, the board? How often do you do that? What do you recommend is the right regime? And I know there's not any perfect- there's got to be situational, but how do you approach it?
>> So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea. You know, Amazon alum, I mean, just genius. And he, and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday. So this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing. I've been at board meetings before where you almost feel personally attacked and that's not a good thing. Where, at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence. So I actually get their attention for at least an hour once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting. So they know what we're going to talk about and we know what their concerns are. And so you're not going in like, oh my gosh, what's going to happen for this hour? We come prepared. We have statistics. We can show them where we're growing. We can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board has helped me mature my role 10 times. And then also we have the chance to ask them, well what are your other CISOs doing? You know, they're members of other boards. So I can say to Dave, for example, you know, what's so-and-so doing at Datadog? Or Tom Killalea, what's the CISO of Capital One doing? And they help me make a lot of those connections as well. I mean, the CISO world is small and me being a female in the world with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's the Irish girl. Yeah.
She's Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC. It's no longer that box ticking exercise that I used to feel security was, you know, if you heated your SOC2 type two in FinTech, oh, you were good to go. You know, if you did a HERC set for the power industry. All right, right. You know, we can move on now. It's not that anymore. >> Right. It's every single day. >> Yeah. Of course. Dev is Dev Ittycheria. Dev spelled D E V. I spell Dave differently. My Dave. But, Lena, it sounds like you present a combination of metrics, so, the board, you feel like that's appropriate to dig into the metrics. But also I'm presuming you're talking strategy, potentially, you know, gaps- >> Roadmaps, the whole nine yards. Yep. >> What's the, you know, I look at the budget scenario. At the macro level, CIOs have told us, they came into the year saying, hey we're going to grow spending at the macro, around eight percent, eight and a half percent. That's dialed down a little bit post Ukraine and the whole recession and Fed tightening. So now they're down maybe around six percent. So not dramatically lower, but still. And they tell us security is still the number one priority. >> Yes. >> That's been the case for many, many quarters, and actually years, but you don't have an unlimited budget. >> Sure >> Right. It's not like, oh, here is an open checkbook. >> Right. >> Lena, so, how does Mongo balance that with the other priorities in the organization, obviously, you know, you got to spend money on product, you got to spend money and go to market. What's the climate like now, is it, you know continuing on in 2022 despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment? >> We would never tap the brakes. I mean, this is something that's- So my other half works in the finance industry still. 
So we have, you know, interesting discussions when it comes to geopolitics and financial politics and you know, Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seen to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We are not. That being said, you also have to be fiscally responsible. I'm Scottish, we're cheap, really frugal with money. And so I always tell my team: treat this money as if it's your own. As if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO, or the CISO of the company that's supplying it, and saying are you giving me the really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, X company, to, you know, maybe we'll give you credits on our platform. If you look to moving to us and then we could have a partnership, and I mean, that's how some of this stuff builds, and so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible, yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new and they know the board is never going to say no, but at some point, people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us what the best value for money. And so that's always been my view is we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO but I've got a dotted line to the CTO. So I'm, you know, I'm one of the few people at this level that's got my feet in both camps. 
You know budgets are talked at Dev's level. So, you know, it's really important that we get the spend right. >> And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary. >> Hopefully, yes. >> Right? Who's the- of course they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context. It feels like, when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model. >> Yes. >> You know, AWS likes to educate people and back then it was like, okay, hey, by the way, you know you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary. >> Right, right. >> There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO but because of the shared responsibility model, CISO is now the second line of defense. >> Yes. >> Does that change your role? Does it make it less complicated in a way? Maybe, you know, more complicated because you now got to get your DevSecOps team? The developers are now much more involved in security? How is that shifting, specifically in the context of your relationship with AWS? >> It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ or you know, our account manager, it's not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront. 
So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from. And you know, how far are we shifting left? Are we actually shifting right now? It's like, you know, get the balance, right? You can't be too much to one side. But I think in terms of where we're teaching the developers, you know, we are a company by developers for developers. So, we get it, we understand where they're coming from, and we try and be as proactive as AWS is. >> When you obviously the SolarWinds hack was a major mile- I think in security, there's always something in the headlines- >> Yes. >> But when you think of things like, you know, Stuxnet, you know, Log4J, obviously SolarWinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and you know, much more automated. It's always been automated attacks, but you know island hopping and infiltrating and self-forming malware and really sophisticated techniques. >> Yep. >> How are you thinking about that supply chain, bill of materials from inside Mongo and ultimately externally to your customers? >> So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure. And that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure that the steel we were buying was the steel we were using. And so that became the H bomb. The hardware bill of materials, bad name. But, you know, we remember what it stood for. And then fast forward: President Biden's executive order. SBOMs front and center, cloud first front and center. It's like, this is perfect. 
And so I was actually- I actually moderated a panel earlier this year at Homeland Security Week in DC, where we had a Snyk CISA, so Dr. Allen Friedman from CISA, and also Patrick Weir from OWASP for the framework, CISA for the framework as well, and just the general guidance, and Snyk for the front end. That was where my head was going. And MongoDB is the back-end database. And what we've done is we've taken our work with Snyk and we now have a proof of concept for SBOMs. And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOMs shouldn't be something to be afraid of. If you want to do business with the government you're going to have to create one. We are offering a secure repository to store that data, the government could have access to that repository and see that data. So there's one source of truth. And so I think SBOMs is going to be really interesting. I know that, you know, some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely- I've just, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j, there's always going to be another Log4j, we know that. We don't know everything, the unknown unknown, but at least if we're prepared to go find stuff quicker than we were then before Log4j, I think having SBOMs on hand, having that one source of truth, that one repository, I think is going to make it so much easier to find those things. >> Last question, what's the CISO's number one challenge? Either yours or the CISO, generally. >> Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And, you know, we're sometimes like meerkats, you know. There's meerkats, you see like this, it's like, what do we talk about? 
But there's always something to talk about. And you just have to learn and keep learning. >> Last question, part B. As a hot technology company, that's, you know, rising star, you know notwithstanding the tech lash and the stock market- >> Yeah. >> But Mongo's growing, you know, wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest, biggest challenge. Do you find that that's not the challenge for you? >> Not at all. I think on two fronts, one, we have the champions program. So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they're already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer. >> I was so looking forward to interviewing you, Lena, thanks so much for coming. >> Thank you, this was a pleasure. >> It was really great to have you. >> Thank you so much. Thank you. >> You're really welcome. All right, keep it right there. This is Dave Vellante for theCUBE. We'll be right back at AWS Re:inforce22 right after this short break.

Published Date : Jul 27 2022


Dan Hubbard, Lacework | CUBEConversation, September 2019


 

(upbeat music) >> Woman: From our studios in the heart of Silicon Valley, Palo Alto, California. This is a Cube Conversation. >> Hello and welcome to the Cube studios in Palo Alto, California for another Cube Conversation where we go in depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. One of the biggest challenges that every enterprise faces as they try to keep up with competitors today, is how to introduce the speed of adding new digital services, new digital capabilities, new types of customer experience, new types of operational challenges, et cetera, but do so in a way that retains the safety that's associated with traditional ways of doing IT. That leads to a set of tensions that exist between how DevOps, which is really driving that new speed equation, and security, which has been historically the locus of thinking about how to ensure that assets, digital assets don't get misappropriated by the business and by bad actors. So the big challenge is how can we bring people, the technology, and the processes together so we can achieve both the speed as well as the safety that are required to really drive business forward. So to have that conversation, we're joined by a great CEO today, Dan Hubbard who's the CEO of Lacework. Dan, welcome to the Cube. >> Thank you, great to be here. >> So let's start by getting a little bit about Lacework. Tell us a little bit about Lacework. >> Sure, yeah, so Lacework we're really excited. Recently we raised another round of funding which is going to really allow us to focus totally on this problem which is how do we balance speed and safety in how we secure these modern architectures and infrastructure in cloud security? >> All right, so let's talk about, I mentioned up front that this notion of speed and safety, it's more than just a technology problem. It goes deep into how businesses run their enterprise today. 
What are the experiences that you see your customers having as they conceive of how to move forward to this new world? >> Yeah, so for cloud migrants what's happening is the development groups and applications are moving to the cloud at a very rapid rate, and every company that they're buying is cloud born, and they're moving at a really quick rate, and they're leaving security behind. So from the people aspect, the security people need to get involved with the developers to figure out how they can work in this, you know coexist in an environment that allows them to deliver obviously both security and speed, or speed and safety. >> So the problem is essentially that we need to move fast as a consequence of competition, and technology change, and achieving, you know being more opportunistic which is a fundamental tenet of agile and business today, but we need to do so in a way that provides the set of assurances that are required by compliance, by law, by new privacy regulations. How are you seeing customers solve this problem generally? How are they even thinking about solving it. >> Yeah, so I think the first thing is how they're not succeeding which is, you know, typically they go to their incumbent vendors, security vendors, and attempt to apply something that is not purpose fit for this new infrastructure, being in cloud and cloud native. So things like taking a firewall and calling it a cloud firewall isn't working. Things like taking traditional technologies like antivirus or next generation antivirus is not working. And what we're seeing working is when you really step back and they really start to understand how people are building and developing their code, pushing it out. What is that build time to runtime environment look like, and what are the services they're using, and they need to apply some relatively fundamental security practices to it. How do I get visibility over time in real time? 
How do I attain compliance that is important to my company, PCI, SOC2, NIST, you know HIPAA, whatever is important to you, and then how can I assure that we haven't had a breach, and if we do, how can we triage that breach? >> So in many respects we are trying to bring tried and true security concepts to this new world, but we need to do so in a way that doesn't drag along the technology limitations or that technologies were necessarily applied to securing an old style of infrastructure. Have I got that right? >> Yeah, absolutely. You know there's a number of things in technologies that are really critical here, but also on the people side. You know we can't bring over some of the old processes, for example change control windows. You can't have a change control window in something that's running, and you're pushing code a thousand times a day. There is no change control window. You're just doing it all the time, but you need to do things in a way that is mapping to the automation and the scale that's happening. In order to do that, you need definitely some technology, and people, and processes. >> So it sounds like what you're suggesting is we have to incorporate security directly into the DevOps process so that we at least feature some notion of a Pareto principle where each new push is at least as secure as the previous one, but ideally we're making things more secure as we go along. >> Yeah, I mean understanding change is really critical because things are changing so quickly. You know what we're seeing in a lot of companies is a shift over to security as a governance and tooling org., and then security engineering which is baked within DevOps teams. Whether it is a guild of people that are connected to the application developers, or right within the stand up, or the group directly. >> But if I think about kind of the outcome of DevOps, the outcome of DevOps really is this kind of more modern approach to thinking about technology resources. 
Service is a term that's thrown and it means a lot of things to a lot of people, but to a DevOps person, they create something that can then be used as a service by other folks within the organization. One of the fundamental challenges here it seems to me is that historically we've tried to secure the server, or the PC, or the network, or the perimeter, or whatever else it might be, but really this cloud native approach is securing some outcome, some capability, and that's really increasingly what we've got to focus on whether we call it a service or something else. Have I got that right? >> Yeah, absolutely, and you know I think we spent years kind of surrounding the applications in the development, really partly because we may have not been involved, so it was great. We had firewalls, we had defense in depth, multiple layers that we added on top of the next layer, and everything else, and really what needs to happen, it needs to be integrated. And you know, in order to integrate into the services world, it needs to be as a service. So your security needs to be a service that isn't surrounding, it's actually integrating directly, and that's partly from a process perspective, also from a people as we talked about, but also as a technology. It's got to be really baked into the solution. >> So one of the things we've seen in our research of Wikibon is that there are, as we think about how to introduce these new capabilities into this kind of DevOps culture, this DevOps approach to building new IT assets, new business capabilities, that if the solution itself doesn't correspond to a way that DevOps works, it itself gets abandoned. I mean it might integrate at some point in time in the future, but if it doesn't naturally fit into how things operate or how things evolve, then it gets abandoned. How would this new class of security products or services look so that DevOps picks it up, gets the best IP associated with the best security today? 
>> I think the first one is it can't be intrusive. So you know when you talk about blocking and tackling, it needs to be more about building and engineering than blocking. So you really need to make sure that you're not going to adversely or inadvertently affect the application and the service that's being run. So it's really important to the company. And anytime you introduce that, you're going to get blocked out, or you're not going to be involved. The other is that it needs to pair to the tooling that is there. For example, you know our service integrates DarkLink, to Jira, and PagerDuty, and Slack, you know, real modern ways that DevOps work. So it needs to be directly integrated, and lastly the service and the context need to deliver information that serves two audiences, the security people, and the DevOps people, because the DevOps people are often the ones that are triaging, or they know the application and the information, the infrastructure's code, and the security people may not. So they have to work together and provide both of those. >> So as we think about what a modern secure DevOps function's going to look like, give us kind of the picture of what it looks like in three years. How are they going to be working together, and what are they going to be using to do so? >> Yeah, so I don't think there's, like this isn't the end of the CISO. There's still going to be a CISO. It's an incredibly important role. I think they're going to move a little bit more towards governance, compliance, and tooling. They may have a tooling org. You know for us, it's more important that we interoperate with open source and the cloud providers than we do with other vendors. So having tooling to do that is really critical. >> Peter: Especially in the visibility side. >> Absolutely, yeah getting visibility's key, and then there's going to be more security engineers. 
These are people with DNA in security but also are coders, versus the real deep threat specific environment that we see today. You know I would argue there's probably more people that write code and understand assembler than there is in Python and Go. So you know DevOps people, they don't know what assembler is, or are using assembler, so that is still important. There are still attacks. You need to deconstruct them, you need to understand them, but there's a lot you need to do on the security engineering side, which is really how do I program this service? How do I automate and orchestrate it? >> So today this is kind of where we're going. It makes perfect sense, but that's not where a lot of organizations are today. You mentioned the difference between built in cloud and migrating to the cloud. Give us a little bit of insight, visibility into how some of those migrate to the cloud shops are taking this roadmap as they move forward. >> Yeah, it's super interesting you know? We have customers that span across cloud born, you know more startupy, very tech savvy, and then very traditional, very large Fortune 50 companies. In the latter they're doing a couple things. One is they're trying to figure out how do I migrate a traditional app that's been built in a way, not for the cloud, to the cloud. That's kind of one, and there's all kindsa reasons why you'd want to do that, scale, performance, reliability, et cetera. The second is that they're being told or have initiatives driven from the top called cloud first, which means that everything new has to be that way. It has to be cloud native, and it has to be delivered as a service. And then the last one is that when you actually are building an application, and you're a new company, you're probably going to get acquired by one of these larger companies, which means that a cloud migrant becomes a cloud native company by definition because the company's they're buying. So it kind of spans across those three areas. 
What we run into though is that especially if they buy a company, they're very modern in how they think. They've got very modern practices, and then the traditional security people are going, oh who are these, what is this new technology? How do we interoperate, how do we take our policies, our practices, our functional organization and map those together? So they're really startin' to figure it out. So I think we're kind of in this middle ground. There is very forward thinking companies that have moved more forward, but still it's very, very early, and we talk to customers, we run workshops with customers, and a lot of it, just bringing the teams together and understanding both worlds, and getting to know what are the DevOps, things that they're working on, what are the security people, how do we meet in the technology, and then in the process side. So it's a little bit all over right now, and I think it's probably going to get worse before it gets better, but I think down the road as people deploy things like Kubernetes and containers, and services that are built a little bit better with resiliency into them, it's going to be a more secure place. >> Dan Hubbard, CEO of Lacework. Great conversation about speed and safety. Thanks for being on the Cube. >> Thank you very much, nice to be here. >> And once again, I'm Peter Burris. Thank you very much for joining us. Until next time. (upbeat music)

Published Date : Sep 17 2019


Geo Thomas, Benefit Science | PentahoWorld 2017


 

>> Announcer: Live from Orlando Florida. It's the Cube. Covering Pentaho World 2017. Brought to you by Hitachi Vantara. >> Welcome back to the Cube's live coverage of Pentaho World brought to you by Hitachi Vantara. I'm your host, Rebecca Knight along with my co-host, Jim Kobielus. We are joined by Geo Thomas. He is the director of IT at Benefits Science a healthcare insurance analytics company. Thanks so much for coming on the Cube, Geo. >> Thank you, thanks for having me. >> So Benefits Science is a company launched out of MIT, tell our viewers a little bit more about the company. >> Okay, so Benefits Science is a healthcare data analytic company which co-founded by MIT (mumbles). Doctor (mumbles) and Doctor Stephen so far and we have one more partner. We do data analytics on the healthcare side and we work with employers and the brokers to analyze the data and give them dashboards and workbooks, and so that's what we mainly do. And we, yeah. >> So, as you said, you work with employers to save them healthcare dollars. Can you get into the nitty-gritty a little bit more. >> That's exactly right, so what we do is we empower employers to manage their employee benefits. Providing them the data analytic tools and other optimization tools, and we give them a very fine clear picture of how these plans are performing, and how they can optimize their plans in the near future by giving plan optimization tools and (mumbles) algorithms and things like that. >> You refer this as a manage service for your clients or do you provide specifically licensed software that helps them do this for themselves? From their own premises. >> We are a Cloud platform, and we provide our platform as a sub-lease for our clients. So, we get the data from them and we provide data analytic tool by mashing of this data and they use our platform to see those reports and insights and things like that. 
>> So, healthcare data is a really special kind of complicated when it comes to data because there's so many security and privacy issues related to it, how do you go about it managing this kind of data? >> Healthcare data is a very complex, very huge and we can't expect what comes next and there are a lot of regulations and there are a lot of security issues, so we take all these with utmost priority. So, our company is a SOC1, SOC2, certified company. Which covers a lot of regulations by itself. Our employees, Benefits Science employees, are really very much aware of these HIPAA rules. And they are all certified. We have lots of internal and external audits and regulations throughout the place so that would cover all this compliance issues, mainly. >> From an operational standpoint, how are you managing the day-to-day, day-in and day-out, do you provide a data warehouse within which you load it and then from which you do the analysis? What's the sense for how you architected your environment and then where how Pentaho plays into the overall picture? >> We take the data. Once we get the data, we measure the data. So, how we do those, we use Pentahos, and then two and two. Because it gives us a very standardized methodology to process this data, so we identify the PHI data. We sample it, scramble it, and then we do the (mumbles). And once the data element is done, and nobody touches any of those PA jobs or the jobs which we created with Pentaho, and we run this in a very secure environment in which we put all this transformed data into a data analytical platform. >> When you say scramble, you're referring to masking and anonymizing the data? >> Correct, yes. >> That's what I assumed, you tell me, that's required by HIPAA, that you do it that way? >> Yes, that's correct, yeah, yeah. So, we don't take all the data for the development. We take only the sample data, and then we scramble it and we (mumbles) all this information. 
>> So, what kind of results have you seen in your company since using Pentaho? >> So, I started in almost one year back and when we started, we had 20 tenants. Now, we have 200 tenants, so that's the summary of recently of what I'm seeing because Pentaho gives us a lot of flexibility to standardize and make proper checks and balances throughout the data pipeline and we had created very huge test framework which can run automatically. So, all these things would benefit us to board a client because right now, onboarding a client would take less than a week. >> When you say tests run automatically, what sort of tests are you referring to? >> So, we create test scripts, and we created a test suite framework by using Pentaho Jobs. And we schedule that. That test suite what we do is every, whenever any tenant comes in, developers can create N number of test cases and plug that in. So, it is growing and that will run automatically. Along with the PA jobs. So, that gives us a number of outputs and checks and balances and depending on the results we board the client. >> Saving healthcare dollars, spending healthcare dollars. This is really part of the national conversation. How much does Benefits Science really feel a responsibility to weigh in on these issues? We heard a lot from the CEO this morning about how Pentaho really views its guiding principles as doing good in the world and bettering society. >> The double bottom line. >> Very true, very true, because as Benefits Science company our vision, our motto is not to just build some software and give to customers and get some money. Our vision is to help people or employers reduce the healthcare cost, so. Our data scientists built this great plan optimization tool or (mumbles) to provide employers to look at, "Okay, these are the large claimant details, which means we might have to go and find out the reasons and work with them to reduce the cost."
So, we are giving all the tools for them and another thing is the data (mumbles) analyzer our users love it, because we provided a simplified cube for them to drag and drop and create the reports and they can easily drag a couple of data elements and come up with, "Okay, these are the paid amounts which we paid last month, and this has to go down." So, they can come up with their own strategies to make it down, at least, for the next year and on. >> In terms of users being able to, on a self-service basis, define their views and their reports. Do you take that intelligence that you gained from users and then bring that back into the basic service in terms of adjusting the data model? The set of canned reports or dashboards you provide? What do you do in that regard? >> Yeah, so we have a custom insight reports. Which will give pretty good idea about what this data meant to be for the customers. Like drag dashboards or large claimants or quality measures so things like that. We also have another data science group works on this AI tools or machine-learning algorithms to provide more predictive analysis. So, that would give users a different perspective of, "Okay, if we do this, we can reduce the cost." >> Is that Weka or? >> No, we are using. That's another thing I want to go back and tell them. There is a Weka here, we probably have to start using it. So, right now, we are not, right now we are using R and Python. There's something called (mumbles). So, that's what we use. >> What are some challenges that you are facing right now? What is keeping you up at night? What do you want the next versions of Pentaho to solve for you? >> I'm Director of IT, so I care about IT more than the business. So, my challenge is always how I can board more clients within a short span of time. The scalability, the security, how we can make it compliant. So, I was listening to that ATO, what are the new things coming in ATO?
One of the main things I was looking at is the scalability that is there is something called Worker Nodes, that's got announced in ATO. Which you can scale as a docker, and you can spin off as many dockers as you want, and it will work by itself. That's fantastic, I'm really looking forward to get that scalability into our system. >> So, you're saying your IT environment. You're focused now more and more on a Cloud data environment that takes the application functionality and wraps it as containers? So, that's where you're going? And then you're saying that, I don't want to put words in your mouth, what you're doing is consistent with where Pentaho's going with their overall product platform? >> We are hosting an (mumbles) Cloud with Pentaho. So, Pentaho is also going into that direction. Makes me very happy because we are really looking forward to get that working in the Cloud. The thing is, the Worker Nodes, what they're talking about, is what we were thinking of implementing on our own. So, now they have their own Worker Nodes which we can just take and put it there. So, that's very good news. >> I wanted to ask you about the talent shortage in technology because that is something that the CEO talked about, Karen Perlich talked about, too. Is this real dearth of talent in data science. There was a piece in the New York Times just the other day that talked about how data scientists just a PhD can come out and make a half a million dollars in Silicon Valley. What do you think will be the real change and will get more and more graduates into this field? It seems as though the money should be enticement enough. >> That's a million dollar question though. We are in the same boat. >> You're a Massachusetts-based company, it should be. >> Even with that, we are finding a lot of difficulties to get some good data scientists. Because the moment you pass out as data scientist they're asking half a million, so. >> Literally I saw an article the other day.
A good data scientist in Silicon Valley can fetch upwards of a half a million per year, so. Imagine in other regions, and now Massachusetts has no shortage of educated, smart people, but still. >> They have that level, then yes. These tools would help, and building that artificial intelligence on top of these tools would help, definitely, to have some sort of, not depending on data scientists so much. That even others can do those kind of things. >> So, you might not need the talent in a way. >> I'm looking forward to that because I was listening to your session in the morning. Very impressed with that because that's where I'm also trying to see where the world is heading to. >> So, you make recommendations to your clients about how they should start structure their healthcare insurance plans or employees. Do you have a capability right now within Benefits Science to basically embed a recommendation engine of that sort to help advisors on your staff to work with clients to recommend the right set of options or approaches pulling from the data, that's already there? >> Yes, that's already there. So, we provide recommendations for clients by using these algorithms. So, we have this plan optimization tool. Which will give you, if you do such and such things this is going to go down in the next year. Or there is a plan designed data. So, whenever an enrollment happens the main thing that they look at is what plan they have to sell at for their set of employees. So, every case is unique. So, we put a lot of historical data information and we put those machine-learning algorithms in there and then we come up with. We clean that model with all this data and we predict for each tenant. So, we have that right now. >> Geo, thanks so much for coming on the Cube. It's been really fun talking to you. >> Thanks for having me. >> I'm Rebecca Knight for Jim Kobielus. We will have more from the Cube's live coverage of Pentaho World, just after this. (calm electronica music)

Published Date : Oct 26 2017

