Mark Nunnikhoven | CUBE Conversation May 2021
(upbeat music)
>> Hello, welcome to theCUBE studios of Palo Alto, California for RSA conference keynote coverage and conference coverage. I'm John Furrier, your host of theCUBE. We're breaking down the keynote of RSA day one kickoff. We had Mark Nunnikhoven, who's the distinguished cloud strategist at Lacework. Mark, former CUBE alumni and expert in security, has been on many times before. Mark, great to see you. Thanks for coming on and helping me break down RSA conference 2021 virtual this year. Thanks for joining.
>> Happy to be here. Thanks for having me, John.
>> You know, one of the things Mark about these security conferences is that interesting, RSA was the last conference we actually did interviews physically face to face and then the pandemic went down and it was a huge shutdown. So we're still virtual coming back to real life. So and they're virtual this year, so kind of a turn of events, but that was kind of the theme this year in the keynote. Changing the game on security, the script has been flipped, connectivity everywhere, security from day one being reinvented. Some people were holding onto the old way some people trying to get on there, on the future wave. Clearly you got the laggards and you've got the innovators all trying to kind of, you know, find their position. This has been obvious in this keynote. What's your take?
>> Yeah and that was exactly it. They use that situation of being that last physical security conference, somewhat to their advantage to weave this theme of resiliency. And it's a message that we heard throughout the keynote. It's a message we're going to hear throughout the week. There's a number of talks that are tying back to this and it really hits at the core of what security aims to do. And I think aims is really the right word for it because we're not quite there yet.
But it's about making sure that our technology is flexible that it expands and adapts to the situations because as we all know this year, you know basically upended everything we assumed about how our businesses were running, how our communities and society was running and we've all had to adapt. And that's what we saw at the keynote today was they acknowledged that and then woven into the message to drive that home for security providers.
>> Yeah and to me one of the most notable backdrops to the entire thing was the fact that the RSA continues to operate from the sell out when Dell sold them for alright $2 billion to a consortium, private privately private equity company, Symphony Technology Group. So there they're operating now on their own. They're out in the wild, as you said, cybersecurity threats are ever increasing, the surface area has changed with cloud native. Basically RSA is a 3000 person startup basically now. So they've got SecurID, the old token business we all have anyone's had those IDs you know it's pretty solid, but now they've got to kind of put this event back together and Mobile World Congress is right around the corner. They're going to try to actually have a physical event. So you have this pandemic problem of trying to get the word out and it's weird. It's kind of, I found it. It's hard to get your hands around all the news.
>> It is. And it's, you know, we're definitely missing that element. You know, we've seen that throughout the year people have tried to adapt these events into a virtual format. We're missing those elements of those sorts of happenstance run-ins I know we've run into each other at a number of events just sort of in the hall, you get to catch up, but you know as part of those interactions, they're not just social but you also get a little more insight into the conference. Hey, you know, did you catch this great talk or are you going to go catch this thing later? And we're definitely missing that.
And I don't think anyone's really nailed this virtual format yet. It's very difficult to wrap your head around like you said, I saw a tweet online from one InfoSec analyst today. It was pointed out, you know, there were 17 talks happening at the same time, which you know, in a physical thing you'd pick one and go to it in a virtual there's that temptation to kind of click across the channels. So even if you know what's going on it's hard to focus in these events.
>> Yeah the one conference has got a really good I think virtual platform is DockerCon, they have 48 panels, a lot of great stuff there. So that's one of more watching closest coming up on May 27. Check that one out. Let's get into this, let's get into the analysis. I really want to get your thoughts on this because you know, I thought the keynote was very upbeat. Clearly the realities are presenting it. Chuck Robbins, the CEO of Cisco there and you had a bunch of industry legends in there. So let's start with, let's start with what you thought of Rohit's keynote and then we'll jump into what Chuck Robbins was saying.
>> Sure yeah. And I thought, Rohit, you know, at first I questioned cause he brought up and he said, I'm going to talk about tigers, airplanes and sewing machines. And you know, as a speaker myself, I said, okay, this is either really going to work out well or it's not going to work out at all. Unfortunately, you know, Rohit head is a professional he's a great speaker and it worked out. And so he tied these three examples. So it was Tiger King for Netflix, at World War II, analyzing airplane damage and a great organization in India that pivoted from sewing into creating masks and other supplies for the pandemic. He wove those three examples through with resiliency and showed adaptation. And I thought it was really really well done first of all. But as a cloud guy, I was really excited as well that that first example was Netflix.
And he was referencing Chaos Monkey, which is a chaos engineering tool, which I don't think a lot of security people are exposed to. So we use it very often in cloud building where essentially this tool will purposely blow up things in your environment. So it will down services. It will cut your communications off because the idea is you need to figure out how to react to these things before they happen for real. And so getting keynote time for a tool like that a very modern cloud tool, I thought was absolutely fantastic. Even if that's, you know, not so well known or not a secret in the cloud world anymore, it's very commonly understood, but getting a security audience exposure to that was great. And so you know, Rohit is a pro and it was a good kickoff and yeah, very upbeat, a lot of high energy which was great for virtual keynote. Cause sometimes that's what's really missing is that energy.
>> Yeah, we like Rohit too. He's got some, he's got charisma. He also has his hand on the pulse. I think the Chaos Monkey point you're making is as a great call out because it's been around the DevOps community. But what that really shows I think and puts an exclamation point around this industry right now is that DevSecOps is here and it's never going away and cloud native and certainly the pandemic has shown that cloud scale speed data and now distributed computing with the edge, 5G has been mentioned, as you said, this is a real deal. So this is DevOps. This is infrastructure as code and security is being reinvented in it. This is a killer theme and it's kind of a wake-up call. What's your reaction to that? What's your take?
>> Yeah, it absolutely is a wake-up call and it actually blended really well into Rohit's second point, which was around using data.
And I think, you know, having these messages put out to the, you know, what is the security conference for the year always, is really important because the rest of the business has moved forward and security teams have been a little hesitant there, we're a little behind the times compared to the rest of the business who are taking advantage of these cloud services, taking advantage of data being everywhere. So for security professionals to realize like hey there are tools that can make us better at our jobs and make us, you know, keep or help us keep pace with the business is absolutely critical because like you said, as much as you know I always cringe when I hear the term DevSecOps, it's important because security needs to be there. The reason I cringe is because I think security should be built into everything. But the challenge we have is that security teams are still a lot of us are still stuck in the past to sort of put our arms around something. And you know, if it's in that box, I'm good with it. And that just doesn't work in the cloud. We have better tools, we have better data. And that was really Rohit's key message was those tools and that data can help you be resilient, can help your organization be resilient and whether that's the situation like a pandemic or a major cyber attack, you need to be flexible. You need to be able to bounce back.
>> You know, when we actually have infrastructure as code and no one ever talks about DevOps or DevSecOps you know, we've, it's over, it's in the right place, but I want to get your thoughts and seeing if you heard anything about automation because one of the things that you bring up about not liking the word DevSecOps is really around, having this new team formation, how people are organizing their developers and their operations teams. And it really is becoming programmable and that's kind of the word, but automation scales it. So that's been a big theme this year. What are you hearing?
What did you hear on the keynote? Any signs of reality around automation, machine learning you mentioned data, did they dig into automation?
>> Automation was on the periphery. So a lot of what they're talking about only works with automation. So, you know, the Netflix shout out for Chaos Monkey absolutely as an automated tool to take advantage of this data, you absolutely need to be automated but the keynote mainly focused on sort of the connectivity and the differences in how we view an organization over the last year versus moving forward. And I think that was actually a bit of a miss because as you rightfully point out, John, you need automation. The thing that baffles me as a builder, as a security guy, is that cyber criminals have been automated for years. That's how they scale. That's how they make their money. Yet we still primarily defend manually. And I don't know if you've ever tried to beat, you know the robots that are everything or really complicated video games. We don't tend to win well when we're fighting automation. So security absolutely needs to step up. The good news is looking at the agenda for the week, taking in some talks today, while it was a bit of a miss in the keynote, there is a good theme of automation throughout some of the deeper dive sessions. So it is a topic that people are aware of and moving forward. But again, I always want to see us move fast.
>> Was there a reason Chuck Robbins headlines or is that simply because they're a big 800-pound gorilla in the networking space? You know, why Cisco? Are they relevant security? Is that signaling that networking is more important? As of 5G at the edge, but is Cisco the player?
>> Obviously Cisco has a massive business and they are a huge player in the security industry but I think they're also representative of, you know and this was definitely Chuck's message. They were representative of this idea that security needs to be built in at every layer.
So even though, you know I live on primarily the cloud technologies dealing with organizations that are built in the cloud, there is, you know, the reality of that we are all connected through a multitude of networks. And we've seen that with work from home which is a huge theme this year at the conference and the improvements in mobility with 5G and other connectivity areas like Edge and Wi-Fi 6. So having a big network player and security player like Cisco in the keynote I think is important just because their message was not just about inclusion and diversity for skills which was a theme we saw repeated in the keynote actually but it was about building security in from the start to the finish throughout. And I think that's a really important message. We can't just pick one place and say this is where we're going to build security. It needs to be built throughout all of our systems.
>> If you were a CISO listening today what was your take on that? Were you impressed? Were you blown away? Did you fall out of your chair or was it just right down the middle?
>> I mean, you might fall out of your chair just cause you're sitting in it for so long taking in a virtual event. And I mean, I know that's the big downside of virtual is that your step counter is way down compared to where it should be for these conferences but there was nothing revolutionary in the opening parts of the keynote. It was just, you know sort of beating the drum that has been talked about, has been simmering in the background from sort of the more progressive side of security. So if you've been focusing on primarily traditional techniques and the on-premise world, then perhaps this was a little a bit of an eye-opener and something where you go, wow, there's, you know there's something else out here and we can move things forward.
For people who are, you know, more cloud native or more into that automation space, that data space this is really just sort of a head nodding going, yep, I agree with this. This makes sense. This is where we all should be at this point. But as we know, you know there's a very long tail in security and in security organizations. So to have that message, you know repeated from a large stage like the keynote I think was very important.
>> Well you know, we're going to be, theCUBE will be onsite and virtual with our virtual platform for Amazon Web Services re:Inforce coming up in Houston. So that's going to be interesting to see and you compare contrast like an AWS re:Inforce which is kind of the I there I think they had the first conference two years ago so it's kind of a new conference. And then you got the old kind of RSA conference. The question I have for you, is it a juxtaposition of almost two conferences, right? You got the cloud native AWS, which is really about, oh shared responsibility, et cetera, et cetera a lot more action happening there. And you got this conference here seem come the old school legacy players. So I want to get your thoughts on that. And I want to get your take on just just the cryptographers panel, because, you know, as I'm not saying this as a state-of-the-art that the old guys saying get off my lawn, you know crypto, we're the crypto purists, they were trashing NFTs which as you know, is all the rage. So I, and Ron Rivest who wrote new co-create RSA public key technology, which is isn't everything these days. Is this a sign of just get off my lawn? Or is it a sign of the times trashing the NFTs? What's your take?
>> Yeah, well, so let's tackle the NFTs then we'll do the contrast between the two conferences. But I thought the NFT, you know Ron and Adi both had really interesting ways of explaining what an NFT was, because that's most of the discussion around the NFT is exactly what are we buying or what are we investing in?
And so I think it was Adi who said, you know it was basically you have a tulip then you could have a picture of a tulip and then you could have something explaining the picture of the tulip and that's what an NFT is. So I think, you know, but at the same time he recognized the value of potential for artists. So I think there was some definitely, you know get off my lawn, but also sort of the the cryptographer panels is always sort of very pragmatic, very evidence-based as shown today when they actually were talking about a paper by Schnorr who debates, whether RSA or if he has new math that he thinks can debunk RSA or at least break the algorithm. And so they had a very logical and intelligent discussion about that. But the cryptographers panel in contrast to the rest of the keynote, it's not about the hype. It's not about what's going on in the industry. It's really is truly a cryptographers panel talking about the math, talking about the fundamental underpinnings of our security things as a big nerd, I'm a huge fan but a lot of people watch that and just kind of go, okay now's a great time to grab a snack and maybe move those legs a little bit. But if you're interested in the more technical deeper dive side, it's definitely worth taking in.
>> Super fascinating and I think, you know, it's funny, they said it's not even a picture of a tulip it's a pointer to a picture of a tulip. Which is technically it.
>> That was it.
>> It's interesting how, again, this is all fun. NFTs are, I mean, you can't help, but get enamored by decentralization. And that, that wave is coming. It's very interesting how you got a decentralization wave coming, yet a lot of people want to hang on to the centralized view. Okay, this is an architectural conflict.
Is there a balance in your mind as a techie, we look at security, certainly as the perimeter is gone that's not even debate anymore, but as we have much more of a distributed computing environment, is there a need for some centrality and/or is it going to be all decentralized in your opinion?
>> Yeah that's actually a really interesting question. It's a great set up to connect both of these points of sort of the cryptographers panel and that contrast between newer conferences and RSA because the cryptographers panel brought up the fact that you can't have resilient systems unless you're going for a distributed systems, unless you're spreading things out because otherwise you're creating a central point of failure, even if it's at hyper-scale which is not resilient by definition. So that was a very interesting and very valid point. I think the reality is it's a combination of the two is that we want resilient systems that are distributed that scale up independently of other factors. You know, so if you're sitting in the cloud you're going multi-region or maybe even multicloud, you know you want this distributed area just for that as Werner from AWS calls it, you know, the reduced blast radius. So if something breaks, not everything does but then the challenge from a security and from an operational point of view, is you need that central visibility. And I think this is where automation, where machine learning and really viewing security as a data problem, comes into play. If you have the systems distributed but you can provide visibility centrally which is something we can achieve with modern cloud technologies, you kind of hit that sweet spot.
You've got resilient underpinnings in your systems but you as a team can actually understand what's going on because that was a, yet another point from Carmela and from Ross on the cryptographers panel when it comes to AI and machine learning, we're at the point where we don't really understand a lot of what's going on in the algorithm we kind of understand the output and the input. So again, it tied back to that resiliency. So I think that key is distributed systems are great but you need that central visibility and you only get there through viewing things as a data problem, heavy automation and modern tooling.
>> Great great insight, Mark. Great, great call out there. And great point tied in there. Let me ask you a question on your take on the keynote in the conference in general as first day gets going. Do you see this evolving from the classic enterprise kind of buyer supplier relationship to much more of a CSO driven or CXO driven? I need to start building about my teams. I got to start hiring developers, not so much in operation side. I mean, I see InfoSec is these industries are not going away. People are still buying tools and stacking up the tool shed but there's been a big trend towards platforms and shifting left from a developer CI/CD pipeline standpoint which speaks to scale on the cloud native side and that distributed side. So is this conference hitting that Mark, or you still think there are more hardware and service systems people? What's the makeup? What's the take?
>> I think we're definitely starting to a shift. So a great example of that is the CSA. The Cloud Security Alliance always runs a day one or day zero summit at RSA. And this year it was a CSO executive summit. And whereas in previous years it's been practitioners. So that is a good sign I think, that's a positive sign to start to look at a long ignored area of security, which is how do we train the next generation of security professionals. We've always taken this traditional view.
We've, you know, people go through the standard you get your CISSP, you hold onto it forever. You know, you do your time on the firewall, you go through the standard thing but I think we really need to adjust and look for people with that automation capability, with development, with better business skills and definitely better communication skills, because really as we integrate as we leave our sort of protected little cave of security, we need to be better business people and better team players.
>> Well Mark, I really appreciate you coming on here. A CUBE alumni and a trusted resource and verified, trusted contributor. Thank you for coming on and sharing your thoughts on the RSA conference and breaking down the keynote analysis, the RSA conference. Thanks for coming on.
>> Thank you.
>> Well, what we got you here to take a minute to plug what you're doing at Lacework, what you're excited about. What's going on over there?
>> Sure, I appreciate that. So I just joined Lacework, I'm a week in. So I'm drinking from the fire hose of knowledge and what I've found so far, fantastic platform, fantastic teams. It's got me wrapped up and excited again because we're approaching, you know security from the data point of view. We're really, we're born in the cloud, built for the cloud and we're trying to help teams really gather context. And the thing that appealed to me about that was that it's not just targeting the security team. It's targeting builders, it's targeting the business, it's giving them that visibility into what's going on so that they can make informed decision. And for me, that's really what security is all about.
>> Well, I appreciate you coming on. Thanks so much for sharing.
>> Thank you.
>> Okay CUBE coverage of RSA conference here with Lacework, I'm John Furrier. Thanks for watching.
(upbeat music)