hi everybody welcome back to boston you're watching thecube's coverage of reinforce 2022 last time we were here live was 2019. had a couple years of virtual merit bear is here she's with the office of the cso for aws merit welcome back to the cube good to see you thank you for coming on thank you so much it's good to be back um yes cso chief information security officer for folks who are acronym phobia phobic yeah okay so what do you do for the office of the is it ciso or sizzo anyway ah whatever is it sim or theme um i i work in three areas so i sit in aws security and i help us do security we're a shop that runs on aws i empathize with folks who are running shops it is process driven it takes hard work but we believe in certain mechanisms and muscle groups so you know i work on getting those better everything from how we do threat intelligence to how we guard rail employees and think about vending accounts and those kinds of things i also work in customer-facing interactions so when a cso wants to meet awssc so that's often me and then the third is product side so ensuring that everything we deliver not just security services are aligned with security best practices and expectations for our customers so i have to ask you right off the bat so we do a lot of spending surveys we have a partner etr i look at the data all the time and for some reason aws never shows up in the spending metrics why do you think that is maybe that talks to your strategy let's double click on that yeah so first of all um turn on guard duty get shield advanced for the you know accounts you need the 3k is relatively small and a large enterprise event like this doesn't mean don't spend on security there is a lot of goodness that we have to offer in ess external security services but i think one of the unique parts of aws is that we don't believe that security is something you should buy it's something that you get from us it's something that we do for you a lot of the time i mean this is the definition of the shared responsibility model right everything that you interact with on aws has been subject to the same rigorous standards and we aws security have umbrella arms around those but we also ensure that service teams own the security of their service so a lot of times when i'm talking to csos and i say security teams or sorry service teams own the security of their service they're curious like how do they not get frustrated and the answer is we put in a lot of mechanisms to allow those to go through so there's automation there are robots that resolve those trouble tickets you know like and we have emissaries we call them guardian champions that are embedded in service teams at any rate the point is i think it's really beautiful the way that customers who are you know enabling services in general benefit from the inheritances that they get and in some definition this is like the value proposition of cloud when we take care of those lower layers of the stack we're doing everything from the concrete floors guards and gates hvac you know in the case of something like aws bracket which is our quantum computing like we're talking about you know near vacuum uh environments like these are sometimes really intricate and beautiful ways that we take care of stuff that was otherwise manual and ugly and then we get up and we get really intricate there too so i gave a talk this morning about ddos protection um and all the stuff that we're doing where we can see because of our vantage point the volume and that leads us to be a leader in volumetric attack signatures for example manage rule sets like that costs you nothing turn on your dns firewall like there are ways that you just as a as an aws customer you inherit our rigorous standards and you also are able to benefit from the rigor with which we you know exact ourselves to really you're not trying to make it a huge business at least as part of your your portfolio it's just it's embedded it's there take advantage of it i want everyone to be secure and i will go to bad to say like i want you to do it and if money is a blocker let's talk about that because honestly we just want to do the right thing by customers and i want customers to use more of our services i genuinely believe that they are enablers we have pharma companies um that have helped enable you know personalized medicine and some of the copic vaccines we have you know like there are ways that this has mattered to people in really intimate ways um and then fun ways like formula one uh you know like there are things that allow us to do more and our customers to do more and security should be a way of life it's a way of breathing you don't wake up and decide that you're going to bolt it on one day okay so we heard cj moses keynote this morning i presume you were listening in uh we heard a lot about you know cool tools you know threat detection and devops and container security but he did explicitly talked about how aws is simplifying the life of the cso so what are you doing in that regard and what's that that's let's just leave it there for now i talk to c sales every day and i think um most of them have two main concerns one is how to get their organization to grow up like to understand what security looks like in a cloudy way um and that means that you know your login monitoring is going to be the forensics it's not going to be getting into the host that's on our side right and that's a luxury like i think there are elements of the cso job that have changed but that even if you know cj didn't explicitly call them out these are beauties things like um least privilege that you can accomplish using access analyzer and all these ways that inspector for example does network reachability and then all of these get piped to security hub and there's just ways that make it more accessible than ever to be a cso and to enable and embolden your people the second side is how csos are thinking about changing their organization so what are you reporting to the board um how are you thinking about hiring and um in the metrics side i would say you know being and i get a a lot of questions that are like how do we exhibit a culture of security and my answer is you do it you just start doing it like you make it so that your vps have to answer trouble tickets you may and and i don't mean literally like every trouble ticket but i mean they are 100 executives will say that they care about security but so what like you know set up your organization to be responsive to security and to um have to answer to them because it matters and and notice that because a non-decision is a decision and the other side is workforce right and i think um i see a lot of promise some of it unfulfilled in folks being hired to look different than traditional security folks and act different and maybe a first grade teacher or an architect or an artist and who don't consider themselves like particularly technical like the gorgeousness of cloud is that you can one teach yourself this i mean i didn't go to school for computer science like this is the kind of thing we all have to teach ourselves but also you can abstract on top of stuff so you're not writing code every day necessarily although if you are that's awesome and we love debbie folks but you know there's there's a lot of ways in which the machine of the security organization is suggesting i think cj was part to answer your question pointedly i think cj was trying to be really responsive to like all the stuff we're giving you all the goodness all the sprinkles on your cupcake not at all the organizational stuff that is kind of like you know the good stuff that we know we need to get into so i think so you're saying it's it's inherent it's inherently helping the cso uh her life his life become less complex and i feel like the cloud you said the customers are trying to become make their security more cloudy so i feel like the cloud has become the first line of defense now the cso your customer see so is the second line of defense maybe the audit is the third line what does that mean for the role of the the cso how is that they become a compliance officer what does that mean no no i think actually increasingly they are married or marriable so um when you're doing so for example if you are embracing [Music] ephemeral and immutable infrastructure then we're talking about using something like cloud formation or terraform to vend environments and you know being able to um use control tower and aws organizations to dictate um truisms through your environment you know like there are ways that you are basically in golden armies and you can come back to a known good state you can embrace that kind of cloudiness that allows you to get good to refine it to kill it and spin up a new infrastructure and that means though that like your i.t and your security will be woven in in a really um lovely way but in a way that contradicts certain like existing structures and i think one of the beauties is that your compliance can then wake up with it right your audit manager and your you know security hub and other folks that do compliance as code so you know inspector for example has a tooling that can without sending a single packet over the network do network reachability so they can tell whether you have an internet facing endpoint well that's a pci standard you know but that's also a security truism you shouldn't have internet facing endpoints you don't approve up you know like so these are i think these can go in hand in hand there are certainly i i don't know that i totally disregard like a defense in-depth notion but i don't think that it's linear in that way i think it's like circular that we hope that these mechanisms work together that we also know that they should speak to each other and and be augmented and aware of one another so an example of this would be that we don't just do perimeter detection we do identity-based fine-grained controls and that those are listening to and reasoned about using tooling that we can do using security yeah we heard a lot about reasoning as well in the keynote but i want to ask about zero trust like aws i think resisted using that term you know the industry was a buzzword before the pandemic it's probably more buzzy now although in a way it's a mandate um depending on how you look at it so i mean you anything that's not explicitly allowed is denied in your world and you have tools and i mean that's a definition if it's a die that overrides if it's another it's a deny call that will override and allow yeah that's true although anyway finish your question yeah yeah so so my it's like if there's if there's doubt there's no doubt it seems in your world but but but you have a lot of capabilities seems to me that this is how you you apply aws internal security and bring that to your customers do customers talk to you about zero trust are they trying to implement zero trust what's the best way for them to do that when they don't have that they have a lack of talent they don't have the skill sets uh that it and the knowledge that aws has what are you hearing from customers in that regard yeah that's a really um nuanced phrasing which i appreciate because i think so i think you're right zero trust is a term that like means everything and nothing i mean like this this notebook is zero trust like no internet comes in or out of it like congratulations you also can't do business on it right um i do a lot of business online you know what i mean like you can't uh transact something to other folks and if i lose it i'm screwed yeah exactly i usually have a water bottle or something that's even more inanimate than your notebook um but i guess my point is we i don't think that the term zero trust is a truism i think it's a conceptual framework right and the idea is that we want to make it so that someone's position in the network is agnostic to their permissioning so whereas in the olden days like a decade ago um we might have assumed that when you're in the perimeter you just accept everything um that's no longer the right way to think about it and frankly like covid and work from home may have accelerated this but this was ripe to be accelerated anyway um what we are thinking about is both like you said under the network so like the network layer are we talking about machine to machine are we talking about like um you know every api call goes over the open internet with no inherent assurances human to app or it's protected by sig v4 you know like there is an inherent zero trust case that we have always built this goes back to a jeff bezos mandate from 2002 that everything be an api call that is again this kind of like building security into it when we say security is job zero it not only reflects the fact that like when you build a terraform or a cloud formation template you better have permission things appropriately or try to but also that like there is no cloud without security considerations you don't get to just bolt something on after the fact so that being said now that we embrace that and we can reason about it and we can use tools like access analyzer you know we're also talking about zero trust in that like i said augmentation identity centric fine grained controls so an example of this would be a vpc endpoint policy where it is a perm the perimeter is dead long live the perimeter right you'll have your traditional perimeter your vpc or your vpn um augmented by and aware of the fine-grained identity-centric ones which you can also reason about prune down continuously monitor and so on and that'll also help you with your logging and monitoring because you know what your ingress and egress points are how concerned should people be with quantum messing up all the encryption algos oh it's stopping created right okay so but we heard about this in the keynote right so is it just a quantum so far off by the time we get there is it like a y2k you're probably not old enough to remember y2k but y2k moment right i mean i can't take you anywhere what should we um how should we be thinking about quantum in the context of security and sure yeah i mean i think we should be thinking about quantum and a lot of dimensions as operationally interesting and how we can leverage i think we should be thinking about it in the security future for right now aes256 is something that is not broken so we shouldn't try to fix it yeah cool encrypt all the things you can do it natively you know like i love talking about quantum but it's more of an aspirational and also like we can be doing high power compute to solve problems you know but like for it to get to a security uh potentially uh vulnerable state or like something that we should worry about is a bit off yeah and show me an application that can yeah and i mean and i think at that point we're talking about homomorphic improvements about another thing i kind of feel the same way is that you know there's a lot of hype around it a lot of ibm talks about a lot you guys talked about in your keynote today and when i really talk to people who understand this stuff it seems like it's a long long way off i don't think it's a long long way off but everything is dog years in tech world but um but for today you know like for today encrypt yourself we will always keep our encryption up to standard and you know that will be for now like the the industry grade standard that folks i mean like i i have i have never heard of a case where someone had their kms keys broken into i um i always ask like awesome security people this question did you like how did you get into this did you have like did you have a favorite superhero as a kid that was going to save the world i um was always the kid who probably would have picked up a book about the cia and i like find this and i don't remember who i was before i was a security person um but i also think that as a woman um from an american indian family walking through the world i think about the relationship between dynamics with the government and companies and individuals and how we want to construct those and the need for voices that are observant of the ways that those interplay and i always saw this as a field where we can do a lot of good yeah amazing merritt thanks so much for coming on thecube great guest john said you would be really appreciate your time of course all right keep it ready you're very welcome keep it right there this is dave vellante for the cube we'll be right back at aws reinforced 2022 from boston keep right there [Music]

>> From theCUBE Studios in Palo Alto and Boston bringing you data driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> After a two year hiatus, AWS re:Inforce is back on as an in-person event in Boston next week. Like the All-Star break in baseball, re:Inforce gives us an opportunity to evaluate the cyber security market overall, the state of cloud security and cross cloud security and more specifically what AWS is up to in the sector. Welcome to this week's Wikibon cube insights powered by ETR. In this Breaking Analysis we'll share our view of what's changed since our last cyber update in May. We'll look at the macro environment, how it's impacting cyber security plays in the market, what the ETR data tells us and what to expect at next week's AWS re:Inforce. We start this week with a checkpoint from Breaking Analysis contributor and stock trader Chip Simonton. We asked for his assessment of the market generally in cyber stocks specifically. So we'll summarize right here. We've kind of moved on from a narrative of the sky is falling to one where the glass is half empty you know, and before today's big selloff it was looking more and more like glass half full. The SNAP miss has dragged down many of the big names that comprise the major indices. You know, earning season as always brings heightened interest and this time we're seeing many cross currents. It starts as usual with the banks and the money centers. With the exception of JP Morgan the numbers were pretty good according to Simonton. Investment banks were not so great with Morgan and Goldman missing estimates but in general, pretty positive outlooks. But the market also shrugged off IBM's growth. And of course, social media because of SNAP is getting hammered today. The question is no longer recession or not but rather how deep the recession will be. And today's PMI data was the weakest since the start of the pandemic. Bond yields continue to weaken and there's a growing consensus that Fed tightening may be over after September as commodity prices weaken. Now gas prices of course are still high but they've come down. Tesla, Nokia and AT&T all indicated that supply issues were getting better which is also going to help with inflation. So it's no shock that the NASDAQ has done pretty well as beaten down as tech stocks started to look oversold you know, despite today's sell off. But AT&T and Verizon, they blamed their misses in part on people not paying their bills on time. SNAP's huge miss even after guiding lower and then refusing to offer future guidance took that stock down nearly 40% today and other social media stocks are off on sympathy. Meta and Google were off, you know, over 7% at midday. I think at one point hit 14% down and Google, Meta and Twitter have all said they're freezing new hires. So we're starting to see according to Simonton for the first time in a long time, the lower income, younger generation really feeling the pinch of inflation. Along of course with struggling families that have to choose food and shelter over discretionary spend. Now back to the NASDAQ for a moment. As we've been reporting back in mid-June and NASDAQ was off nearly 33% year to date and has since rallied. It's now down about 25% year to date as of midday today. But as I say, it had been, you know much deeper back in early June. But it's broken that downward trend that we talked about where the highs are actually lower and the lows are lower. That's started to change for now anyway. We'll see if it holds. But chip stocks, software stocks, and of course the cyber names have broken those down trends and have been trading above their 50 day moving averages for the first time in around four months. And again, according to Simonton, we'll see if that holds. If it does, that's a positive sign. Now remember on June 24th, we recorded a Breaking Analysis and talked about Qualcomm trading at a 12 X multiple with an implied 15% growth rate. On that day the stock was 124 and it surpassed 155 earlier this month. That was a really good call by Simonton. So looking at some of the cyber players here SailPoint is of course the anomaly with the Thoma Bravo 7 billion acquisition of the company holding that stock up. But the Bug ETF of basket of cyber stocks has definitely improved. When we last reported on cyber in May, CrowdStrike was off 23% year to date. It's now off 4%. Palo Alto has held steadily. Okta is still underperforming its peers as it works through the fallout from the breach and the ingestion of its Auth0 acquisition. Meanwhile, Zscaler and SentinelOne, those high flyers are still well off year to date, with Ping Identity and CyberArk not getting hit as hard as their valuations hadn't run up as much. But virtually all these tech stocks generally in cyber issues specifically, they've been breaking their down trend. So it will now come down to earnings guidance in the coming months. But the SNAP reaction is quite stunning. I mean, the environment is slowing, we know that. Ad spending gets cut in that type of market, we know that too. So it shouldn't be a huge surprise to anyone but as Chip Simonton says, this shows that sellers are still in control here. So it's going to take a little while to work through that despite the positive signs that we're seeing. Okay. We also turned to our friend Eric Bradley from ETR who follows these markets quite closely. He frequently interviews CISOs on his program, on his round tables. So we asked to get his take and here's what ETR is saying. Again, as we've reported while CIOs and IT buyers have tempered spending expectations since December and early January when they called for an 8% plus spending growth, they're still expecting a six to seven percent uptick in spend this year. So that's pretty good. Security remains the number one priority and also is the highest ranked sector in the ETR data set when you measure in terms of pervasiveness in the study. Within security endpoint detection and extended detection and response along with identity and privileged account management are the sub-sectors with the most spending velocity. And when you exclude Microsoft which is just dominant across the board in so many sectors, CrowdStrike has taken over the number one spot in terms of spending momentum in ETR surveys with CyberArk and Tanium showing very strong as well. Okta has seen a big dropoff in net score from 54% last survey to 45% in July as customers maybe put a pause on new Okta adoptions. That clearly shows in the survey. We'll talk about that in a moment. Look Okta still elevated in terms of spending momentum, but it doesn't have the dominant leadership position it once held in spend velocity. Year on year, according to ETR, Tenable and Elastic are seeing the biggest jumps in spending momentum, with SailPoint, Tanium, Veronis, CrowdStrike and Zscaler seeing the biggest jump in new adoptions since the last survey. Now on the downside, SonicWall, Symantec, Trellic which is McAfee, Barracuda and TrendMicro are seeing the highest percentage of defections and replacements. Let's take a deeper look at what the ETR data tells us about the cybersecurity space. This is a popular view that we like to share with net score or spending momentum on the Y axis and overlap or pervasiveness in the data on the X axis. It's a measure of presence in the data set we used to call it market share. With the data, the dot positions, you see that little inserted table, that's how the dots are plotted. And it's important to note that this data is filtered for firms with at least 100 Ns in the survey. That's why some of the other ones that we mentioned might have dropped off. The red dotted line at 40% that indicates highly elevated spending momentum and there are several firms above that mark including of course, Microsoft, which is literally off the charts in both dimensions in the upper right. It's quite incredible actually. But for the rest of the pack, CrowdStrike has now taken back its number one net score position in the ETR survey. And CyberArk and Okta and Zscaler, CloudFlare and Auth0 now Okta through the acquisition, are all above the 40% mark. You can stare at the data at your leisure but I'll just point out, make three quick points. First Palo Alto continues to impress and as steady as she goes. Two, it's a very crowded market still and it's complicated space. And three there's lots of spending in different pockets. This market has too many tools and will continue to consolidate. Now I'd like to drill into a couple of firms net scores and pick out some of the pure plays that are leading the way. This series of charts shows the net score or spending velocity or granularity for Okta, CrowdStrike, Zscaler and CyberArk. Four of the top pure plays in the ETR survey that also have over a hundred responses. Now the colors represent the following. Bright red is defections. We're leaving the platform. The pink is we're spending less, meaning we're spending 6% or worse. The gray is flat spend plus or minus 5%. The forest green is spending more, i.e, 6% or more and the lime green is we're adding the platform new. That red dotted line at the 40% net score mark is the same elevated level that we like to talk about. All four are above that target. Now that blue line you see there is net score. The yellow line is pervasiveness in the data. The data shown in each bar goes back 10 surveys all the way back to January 2020. First I want to call out that all four again are seeing down trends in spending momentum with the whole market. That's that blue line. They're seeing that this quarter, again, the market is off overall. Everybody is kind of seeing that down trend for the most part. Very few exceptions. Okta is being hurt by fewer new additions which is why we highlighted in red, that red dotted area, that square that we put there in the upper right of that Okta bar. That lime green, new ads are off as well. And the gray for Okta, flat spending is noticeably up. So it feels like people are pausing a bit and taking a breather for Okta. And as we said earlier, perhaps with the breach earlier this year and the ingestion of Auth0 acquisition the company is seeing some friction in its business. Now, having said that, you can see Okta's yellow line or presence in the data set, continues to grow. So it's a good proxy from market presence. So Okta remains a leader in identity. So again, I'll let you stare at the data if you want at your leisure, but despite some concerns on declining momentum, notice this very little red at these companies when it comes to the ETR survey data. Now one more data slide which brings us to our four star cyber firms. We started a tradition a few years ago where we sorted the ETR data by net score. That's the left hand side of this graphic. And we sorted by shared end or presence in the data set. That's the right hand side. And again, we filtered by companies with at least 100 N and oh, by the way we've excluded Microsoft just to level the playing field. The red dotted line signifies the top 10. If a company cracks the top 10 in both spending momentum and presence, we give them four stars. So Palo Alto, CrowdStrike, Okta, Fortinet and Zscaler all made the cut this time. Now, as we pointed out in May if you combined Auth0 with Okta, they jumped to the number two on the right hand chart in terms of presence. And they would lead the pure plays there although it would bring down Okta's net score somewhat, as you can see, Auth0's net score is lower than Okta's. So when you combine them it would drag that down a little bit but it would give them bigger presence in the data set. Now, the other point we'll make is that Proofpoint and Splunk both dropped off the four star list this time as they both saw marked declines in net score or spending velocity. They both got four stars last quarter. Okay. We're going to close on what to expect at re:Inforce this coming week. Re:Inforce, if you don't know, is AWS's security event. They first held it in Boston back in 2019. It's dedicated to cloud security. The past two years has been virtual and they announced that reinvent that it would take place in Houston in June, which everybody said, that's crazy. Who wants to go to Houston in June and turns out nobody did so they postponed the event, thankfully. And so now they're back in Boston, starting on Monday. Not that it's going to be much cooler in Boston. Anyway, Steven Schmidt had been the face of AWS security at all these previous events as the Chief Information Security Officer. Now he's dropped the I from his title and is now the Chief Security Officer at Amazon. So he went with Jesse to the mothership. Presumably he dropped the I because he deals with physical security now too, like at the warehouses. Not that he didn't have to worry about physical security at the AWS data centers. I don't know. Anyway, he and CJ Moses who is now the new CISO at AWS will be keynoting along with some others including MongoDB's Chief Information Security Officer. So that should be interesting. Now, if you've been following AWS you'll know they like to break things down into, you know, a couple of security categories. Identity, detection and response, data protection slash privacy slash GRC which is governance, risk and compliance, and we would expect a lot more talk this year on container security. So you're going to hear also product updates and they like to talk about how they're adding value to services and try to help, they try to help customers understand how to apply services. Things like GuardDuty, which is their threat detection that has machine learning in it. They'll talk about Security Hub, which centralizes views and alerts and automates security checks. They have a service called Detective which does root cause analysis, and they have tools to mitigate denial of service attacks. And they'll talk about security in Nitro which isolates a lot of the hardware resources. This whole idea of, you know, confidential computing which is, you know, AWS will point out it's kind of become a buzzword. They take it really seriously. I think others do as well, like Arm. We've talked about that on previous Breaking Analysis. And again, you're going to hear something on container security because it's the hottest thing going right now and because AWS really still serves developers and really that's what they're trying to do. They're trying to enable developers to design security in but you're also going to hear a lot of best practice advice from AWS i.e, they'll share the AWS dogfooding playbooks with you for their own security practices. AWS like all good security practitioners, understand that the keys to a successful security strategy and implementation don't start with the technology, rather they're about the methods and practices that you apply to solve security threats and a top to bottom cultural approach to security awareness, designing security into systems, that's really where the developers come in, and training for continuous improvements. So you're going to get heavy doses of really strong best practices and guidance and you know, some good preaching. You're also going to hear and see a lot of partners. They'll be very visible at re:Inforce. AWS is all about ecosystem enablement and AWS is going to host close to a hundred security partners at the event. This is key because AWS doesn't do it all. Interestingly, they don't even show up in the ETR security taxonomy, right? They just sort of imply that it's built in there even though they have a lot of security tooling. So they have to apply the shared responsibility model not only with customers but partners as well. They need an ecosystem to fill gaps and provide deeper problem solving with more mature and deeper security tooling. And you're going to hear a lot of positivity around how great cloud security is and how it can be done well. But the truth is this stuff is still incredibly complicated and challenging for CISOs and practitioners who are understaffed when it comes to top talent. Now, finally, theCUBE will be at re:Inforce in force. John Furry and I will be hosting two days of broadcast so please do stop by if you're in Boston and say hello. We'll have a little chat, we'll share some data and we'll share our overall impressions of the event, the market, what we're seeing, what we're learning, what we're worried about in this dynamic space. Okay. That's it for today. Thanks for watching. Thanks to Alex Myerson, who is on production and manages the podcast. Kristin Martin and Cheryl Knight, they helped get the word out on social and in our newsletters and Rob Hoff is our Editor in Chief over at siliconangle.com. You did some great editing. Thank you all. Remember all these episodes they're available, this podcast. Wherever you listen, all you do is search Breaking Analysis podcast. I publish each week on wikibon.com and siliconangle.com. You can get in touch with me by emailing avid.vellante@siliconangle.com or DM me @dvellante, or comment on my LinkedIn post and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching and we'll see you in Boston next week if you're there or next time on Breaking Analysis (soft music)

(inspiring music) >> Announcer: theCUBE presents HPE Discover 2022. Brought to you by HPE. >> Welcome back to theCUBE's coverage of HPE Discover 2022, from the Venetian in Las Vegas, the first Discover since 2019. I really think this is my 14th Discover, when you include HP, when you include Europe. And I got to say this Discover, I think has more energy than any one that I've ever seen, about 8,000 people here. Really excited to have one of HPE's longstanding partners, Veeam CTO, Danny Allen is here, joined by David Harvey, Vice President of Strategic Alliances at Veeam. Guys, good to see you again. It was just earlier, let's see, last month, we were together out here. >> Yeah, just a few weeks ago. It's fantastic to be back and what it's telling us, technology industry is coming back. >> And the events business, of course, is coming back, which we love. I think the expectations were cautious. You saw it at VeeamON, a little more than you expected, a lot of great energy. A lot of people, 'cause it was last month, it was their first time out, >> Yes. >> in two years. Here, I think people have started to go out more, but still, an energy that's palpable. >> You can definitely feel it. Last night, I think I went to four consecutive events and everyone's out having those discussions and having conversations, it's good to be back. >> You guys hosted the Storage party last night, which is epic. I left at midnight, I took a picture, it was still packed. I said, okay, time to go, nothing good happens after midnight kids. David, talk about the alliance with HPE, how it's evolved, and where you see it going? >> I appreciate it, and certainly this, as you said, has been a big alliance for us. Over 10 years or so, fantastic integrations across the board. And you touched on 2019 Discover. We launched with GreenLake at that event, we were one of the launch partners, and we've seen fantastic growth. Overall, what we're excited about, is that continuation of the movement of the customer's buying patterns in line with HPE's portfolio and in line with Veeam. We continue to be with all their primary, secondary storage, we continue to be a spearhead position with GreenLake, which we're really excited about. And we're also really excited to hear from HPE, unfortunately under NDA, some of their future stuff they're investing in, which is a really nice invigoration for what they're doing for their portfolio. And we see that being a big deal for us over the next 24 months. >> Your relationship with HPE predates the HP, HPE split. >> Mmm. >> Yes. >> But it was weird, because they had Data Protector, and that was a quasi-competitor, or really not, but it was a competitor, a legacy competitor, of what you guys have, kind of modern data protection I think is the tagline, if I got it right. Post the split, that was an S-curve moment, wasn't it, in terms of the partnership? >> It really was. If you go back 10 years, we did our first integration sending data to StoreOnce and we had some blueprints around that. But now, if you look what we have, we have integrations on the primary side, so, 3PAR, Primera, Nimble, all their top-tier storage, we can manage the snapshots. We have integration on the target side. We integrate with Catalyst in the movement of data and the management of data. And, as David alluded to, we integrate with GreenLake. So, customers who want to take this as a consumption model, we integrate with that. And so it's been, like you said, the strongest relationship that we have on the technology alliance side. >> So, V12, you announced at VeeamON. What does that mean for HPE customers, the relationship? Maybe you guys could both talk about that. >> Technology side, to touch on a few things that we're doing with them, ransomware has been a huge issue. Security's been a big theme, obviously, at the conference, >> Dave: Yeah, you bet. and one of the things we're doing in V12 is adding immutability for both StoreOnce and StoreEver. So, we take the features that our partners have, immutability being big in the security space, and we integrate that fully into the product. So a customer checks a box and says, hey, I want to make sure that the data is secure. >> Yeah, and also, it's another signification about the relationship. Every single release we've done has had HPE at the heart of it, and the same thing is being said with V12. And it shows to our customers, the continual commitment. Relationships come and go. They're hard, and the great news is, 10 years has proven that we get through good times and tricky situations, and we both continue to invest, et cetera. And I think there's a lot of peace of mind and the revenue figures prove that, which is what we're really excited about. >> Yeah I want to come back to that, but just to follow up, Danny, on that immutability, that's a feature that you check? It's service within GreenLake, or within Veeam? How does that all work? >> We have immutability now depending on the target. We introduced the ability to send data, for example, into S3 two years ago, and make it immutable when you send it to an S3 or S3 compatible environment. We added, in Version 11, the ability to take a Linux repository and make it, and harden it, essentially make it immutable. But what we're doing now is taking our partner systems like StoreOnce, like StoreEver, and when we send data there, we take advantage of an API flag or whatever it happens to be, that it makes the data, when it's written to that system, can't be deleted, can't be encrypted. Now, what does that mean for a customer? Well, we do all the hard work in the back end, it's just a check box. They say, I want to make it immutable, and we manage how long it's immutable. Because if you made everything immutable forever, that's hugely expensive, right? So, it's all about, how long is that immutable before you age it out and make sure the new data coming in is immutable. >> Dave: It's like an insurance policy, you have that overlap. >> Yes. >> Right, okay. And then David, you mentioned the revenue, Lou bears that out. I got the IDC guys comin' on later on today. I'll ask 'em about that, if that's their swim lane. But you guys are basically a statistical tie, with Dell for number one? Am I getting that right? And you're growing at a faster rate, I believe, it's hard to tell 'cause I don't think Dell reports on the pace of its growth within data protection. You guys obviously do, but is that right? It's a statistical tie, is it? >> Yeah, hundred percent. >> Yeah, statistical tie for first place, which we're super excited about. When I joined Veeam, I think we were in fifth place, but we've been in the leader's quadrant of the Gartner Magic- >> Cause and effect there or? (panelists laughing) >> No, I don't think so. >> Dave: Ha, I think maybe. >> We've been on a great trajectory. But statistical tie for first place, greatest growth sequentially, and year-over-year, of all of the data protection vendors. And that's a testament not just to the technology that we're doing, but partnerships with HPE, because you never do this, the value of a technology is not that technology alone, it's the value of that technology within the ecosystem. And so that's why we're here at HPE Discover. It's our joint technology solutions that we're delivering. >> What are your thoughts or what are you seeing in the field on As-a-service? Because of course, the messaging is all about As-a-service, you'd think, oh, a hundred percent of everything is going to be As-a-service. A lot of customers, they don't mind CapEx, they got good, balance sheet, and they're like, hey, we'll take care of this, and, we're going to build our own little internal cloud. But, what are you seeing in the market in terms of As-a-service, versus, just traditional licensing models? >> Certainly, there's a mix between the two. What I'd say, is that sources that are already As-a-service, think Microsoft 365, think AWS, Azure, GCP, the cloud providers. There's a natural tendency for the customer to want the data protection As-a-service, as well for those. But if you talk about what's on premises, customers who have big data centers deployed, they're not yet, the pendulum has not shifted for that to be data protection As-a-service. But we were early to this game ourselves. We have 10,000, what we call, Veeam Cloud Service Providers, that are offering data protection As-a-service, whether it be on premises, so they're remotely managing it, or cloud hosted, doing data protection for that. >> So, you don't care. You're providing the technology, and then your customers are actually choosing the delivery model. Is that correct? >> A hundred percent, and if you think about what GreenLake is doing for example, that started off as being a financial model, but now they're getting into that services delivery. And what we want to do is enable them to deliver it, As-a-service, not just the financial model, but the outcome for the customer. And so our technology, it's not just do backup, it's do backup for a multi-tenant, multi-customer environment that does all of the multi-tenancy and billing and charge back as part of that service. >> Okay, so you guys don't report on this, but I'm going to ask the question anyway. You're number one now, let's call you, let's declare number one, 'cause we're well past that last reporting and you're growin' faster. So go another quarter, you're now number one, so you're the largest. Do you spend more on R&D in data protection than any other company? >> Yes, I'm quite certain that we do. Now, we have an unfair advantage because we have 450,000 customers. I don't think there's any other data protection company out there, the size and scope and scale, that we have. But we've been expanding, our largest R&D operation center's in Prague, it's in Czech Republic, but we've been expanding that. Last year it grew 40% year on year in R&D, so big investment in that space. You can see this just through our product space. Five years ago, we did data protection of VMware only, and now we do all the virtual environments, all the physical environments, all the major cloud environments, Kubernetes, Microsoft 365, we're launching Salesforce. We announced that at VeeamON last month and it will be coming out in Q3. All of that is coming from our R&D investments. >> A lot of people expect that when a company like Insight, a PE company, purchases a company like Veeam, that one of the things they'll dial down is R&D. That did not happen in this case. >> No, they very much treat us as a growth company. We had 22% year-over-year growth in 2020, and 25% year-over-year last year. The growth has been tremendous, they continue to give us the freedom. Now, I expect they'll want returns like that continuously, but we have been delivering, they have been investing. >> One of my favorite conversations of the year was our supercloud conversation, which was awesome, thank you for doing that with me. But that's clearly an area of focus, what we call supercloud, and you don't use that term, I know, you do sometimes, but it's not your marketing, I get that. But that is an R&D intensive effort, is it not? To create that common experience. And you see HPE, attempting to do that as well, across all these different estates. >> A hundred percent. We focus on three things, I always say, our differentiators, simplicity, flexibility, and reliability. Making it simple for the customers is not an easy thing to do. Making that checkbox for immutability? We have to do a lot behind the scenes to make it simple. Same thing on flexibility. We don't care if they're using 3PAR, Primera, Nimble, whatever you want to choose as the primary storage, we will take that out of your hands and make it really easy. You mentioned supercloud. We don't care what the cloud infrastructure, it can be on GreenLake, it can be on AWS, can be on Azure, it can be on GCP, it can be on IBM cloud. It is a lot of effort on our part to abstract the cloud infrastructure, but we do that on behalf of our customers to take away that complexity, it's part of our platform. >> Quick follow-up, and then I want to ask a question of David. I like talking to you guys because you don't care where it is, right? You're truly agnostic to it all. I'm trying to figure out this repatriation thing, cause I hear a lot of hey, Dave, you should look into repatriation that's happened all over the place, and I see pockets of it. What are you seeing in terms of repatriation? Have customers over-rotated to the cloud and now they're pullin' back a little bit? Or is it, as I'm claiming, in pockets? What's your visibility on that? >> Three things I see happening. There's the customers who lifted up their data center, moved it into the cloud and they get the first bill. >> (chuckling) Okay. >> And they will repatriate, there's no question. If I talk to those customers who simply lifted up and moved it over because the CIO told them to, they're moving it back on premises. But a second thing that we see is people moving it over, with tweaks. So they'll take their SQL server database and they'll move it into RDS, they'll change some things. And then you have people who are building cloud-native, they're never coming back on premises, they are building it for the cloud environment. So, we see all three of those. We only really see repatriation on that first scenario, when they get that first bill. >> And when you look at the numbers, I think it gets lost, 'cause you see the cloud is growing so fast. So David, what are the conversations like? You had several events last night, The Veeam party, slash Storage party, from HPE. What are you hearing from your alliance partners and the customers at the event. >> I think Danny touched on that point, it's about philosophy of evolution. And I think at the end of the day, whether we're seeing it with our GSI alliances we've got out there, or with the big enterprise conversations we're having with HPE, it's about understanding which workloads they want to move. In our mind, the customers are getting much smarter in making that decision, rather than experimenting. They're really taking a really solid look. And the work we're doing with the GSIs on workplace modernization, data center transformation, they're really having that investment work up front on the workloads, to be able to say, this works for me, for my personality and my company. And so, to the point about movement, it's more about decisive decision at the start, and not feeling like the remit is, I have to do one thing or another, it's about looking at that workflow position. And that's what we've seen with the revenue part as well. We've seen our movement to GreenLake tremendously grow in the last 18 months to two years. And from our GSI work as well, we're seeing the types of conversations really focus on that workload, compared to, hey, I just need a backup solution, and that's really exciting. >> Are you having specific conversations about security, or is it a data protection conversation still, (David chuckles) that's an adjacency to security? >> That's a great question. And I think it's a complex one, because if you come to a company like Veeam, we are there, and you touched on it before, we provide a solution when something has happened with security. We're not doing intrusion detection, we're not doing that barrier position at the end of it, but it's part of an end-to-end assumption. And I don't think that at this particular point, I started in security with RSA and Check Point, it was about layers of protection. Now it's layers of protection, and the inevitability that at some point something will happen, so about the recovery. So the exciting conversations we're having, especially with the big enterprises, is not about the fear factor, it's about, at some point something's going to occur. Speed of recovery is the conversation. And so for us, and your question is, are they talking to us about security, or more, the continuity position? And that's where the synergy's getting a lot simpler, rather than a hard demark between security and backup. >> Yeah, when you look at the stock market, everything's been hit, but security, with the exception of Okta, 'cause it got that weird benign hack, but security, generally, is an area that CIOs have said, hey, we can't really dial that back. We can maybe, some other discretionary stuff, we'll steal and prioritize. But security seems to be, and I think data protection is now part of that discussion. You're not a security company. We've seen some of your competitors actually pivot to become security companies. You're not doing that, but it's very clearly an adjacency, don't you think? >> It's an adjacency, and it's a new conversation that we're having with the Chief Information Security Officer. I had a meeting an hour ago with a customer who was hit by ransomware, and they got the call at 2:00 AM in the morning, after the ransomware they recovered their entire portfolio within 36 hours, from backups. Didn't even contact Veeam, I found out during this meeting. But that is clearly something that the Chief Information Security Officer wants to know about. It's part of his purview, is the recovery of that data. >> And they didn't pay the ransom? >> And they did not pay the ransom, not a penny. >> Ahh, we love those stories. Guys, thanks so much for coming on theCUBE. Congratulations on all the success. Love when you guys come on, and it was such a fun event at VeeamON. Great event here, and your presence is, was seen. The Veeam green is everywhere, so appreciate your time. >> Thank you. >> Thanks, Dave. >> Okay, and thank you for watching. This is Dave Vellante for John Furrier and Lisa Martin. We'll be back right after this short break. You're watching theCUBE's coverage of HPE Discover 2022, from Las Vegas. (inspiring music)

from the cube studios in Palo Alto in Boston connecting with thought leaders all around the world this is a cube conversation hello and welcome to the cube conversation here in the Palo Alto studio I'm John four host of the cube we are here at the quarantine crew of the cube having the conversations that matter the most now and sharing that with you got a great guest here Phil Quaid was the chief information security officer of Fortinet also the author of book digital bing-bang which I just found out he wrote talking about the difference cybersecurity and the physical worlds coming together and we're living that now with kovat 19 crisis were all sheltering in place Phil thank you for joining me on this cube conversation so I want to get in this quickly that I think the main top thing is that we're all sheltering in place anxiety is high but people are now becoming mainstream aware of what we all in the industry have been known for a long time role of data cybersecurity access to remote tools and we're seeing the work at home the remote situation really putting a lot of pressure on as I've been reporting what I call at scale problems and one of them is security right one of them is bandwidth we're starting to see you know the throttling of the packets people are now living with the reality like wow this is really a different environment but it's been kind of a disruption and has created crimes of opportunity for bad guys so this has been a real thing everyone's aware of it across the world this is something that's now aware on everyone's mind what's your take on this because you guys are fighting the battle and providing solutions and we're doing for a long time around security this highlights a lot of the things in the surface area called the world with what's your take on this carbon 19 orton s been advocating for architectures and strategies that allow you to defend anywhere from the edge through the core all the way up to the cloud boom so with you know high speed and integration and so all the sudden what we're seeing not just you know in the US but the world as well is that that edge is being extended in places that we just hadn't thought about or our CV that people just hadn't planned for before so many people or telecommunication able to move that edge securely out to people's homes and more remote locations and do so providing the right type of security of privacy if those communications that are coming out of those delicate ears I noticed you have a flag in the background and for the folks that might not know you spent a lot of time at the NSA government agency doing a lot of cutting-edge work I mean going back to you know really you know post 9/11 - now you're in the private sector with Fortinet so you don't really speak with the agency but you did live through a time of major transformation around Homeland Security looking at data again different physical thing you know terrorist attacks but it did bring rise to large-scale data to bring to those things so I wanted to kind of point out I saw the flag there nice nice touch there but now that you're in the private sector it's another transformation it's not a transition we're seeing a transformation and people want to do it fast and they don't want to have disruption this is a big problem what's your reaction to that yeah I think what you're reporting out that sometimes sometimes there's catalysts that cause major changes in the way you do things I think we're in one of those right now that we're already in the midst of an evolutionary trend towards more distributed workforces and as I mentioned earlier doing so with the right type of security privacy but I would think what I think the global camp in debt endemic is showing is that we're all going to be accelerating that that thing is like it's gonna be a lot less evolutionary and a little bit more faster that's what happens when you have major world events like this being 911 fortunate tragedies it causes people to think outside the box or accelerate what they're already doing I think wearing that in that world today yeah it pulls forward a lot of things that are usually on the planning side and it makes them reality I want to get your thoughts because not only are CEOs and their employees all thinking about the new work environment but the chief information security officer is people in your role have to be more aware as more things happening what's on the minds of CISOs around the world these days obviously the pandemics there what are you seeing what are some of the conversations what are some of the thought processes what specifically is going on in the of the chief information security officer yeah I think there's probably a there's probably two different two different things there's the there's the emotional side and there's the analytic side on the emotional side you might say that some Caesars are saying finally I get to show how cyber security can be in an abler of business right I can allow you to to to maintain business continuity by allowing your workers to work from home and trying sustain business and allow you to keep paying their salary is very very important to society there's a very important time to step up as the seaso and do what's helpful to sustain mission in on the practical side you say oh my goodness my job's gotten a whole lot harder because I can rely less and less on someone's physical controls that use some of the physical benefits you get from people coming inside the headquarters facility through locked doors and there's personal congress's and personal identification authentication you need to move those those same security strategies and policies and you need to move it out to this broad eggs it's gotten a lot bigger and a lot more distributed so I want to ask you around some of the things they're on cyber screws that have been elevated to the top of the list obviously with the disruption of working at home it's not like an earthquake or a tornado or hurricane or flood you know this backup and recovery for that you know kind of disaster recovery this has been an unmitigated disaster in the sense of it's been unfor casted I was talking to an IT guy he was saying well we provisioned rvv lands to be your VPNs to be 30% and now they need a hundred percent so that disruption is causing I was an under forecast so in cyber as you guys are always planning in and protecting has there been some things that have emerged that are now top of mind that are 100 percent mindshare base or new solutions or new challenges why keep quite done what we're referring to earlier is that yep any good see so or company executive is going to prepare for unexpected things to a certain degree you need it whether it be spare capacity or the ability to recover from something an act of God as you mentioned maybe a flood or tornado or hurricane stuff like that what's different now is that we have a disruption who which doesn't have an end date meaning there's a new temporal component that's been introduced that most companies just can't plan for right even the best of companies that let's say Ronald very large data centers they have backup plans where they have spare fuel to run backup generators to provide electricity to their data centers but the amount of fuel they have might only be limited to 30 days or so it's stored on-site we might think well that's pretty that's a lot of for thinking by storing that much fuel on site for to allow you to sort of work your way through a hurricane or other natural disaster what we have now is a is a worldwide crisis that doesn't have a 30-day window on it right we don't know if it's gonna be 30 days or 120 days or or you know even worse than that so what's different now is that it's not just a matter of surging in doing something with band-aids and twine or an extra 30 days what we need to do is as a community is to prepare solutions that can be enduring solutions you know I have some things that if the absent I might like to provide a little color what those types of solutions are but that that would be my main message that this isn't just a surge for 30 days this is a surge or being agile with no end in sight take a minute explain some of those solutions what are you seeing whatever specific examples and solutions that you can go deeper on there yeah so I talked earlier about the the edge meaning the place where users interact with machines and company data that edge is no longer at the desktop down the hallway it could be 10 miles 450 miles away to where anyone where I'm telling you I'm commuting crumb that means we need to push the data confidentiality things out between the headquarters and the edge you do that with things like a secure secured tunnel it's called VPNs you also need to make sure that the user identification authentication this much is a very very secure very authentic and with high integrity so you do that with multi-factor authentication there's other things that we like that that are very very practical that you do to support this new architecture and the good news is that they're available today in the good news at least with some companies there already had one foot in that world but as I mentioned earlier not all companies had yet embraced the idea of where you're going to have a large percentage of your workforce - until a community so they're not quite so they're there they're reacting quickly to to make sure this edge is better protected by identification and authentication and begins I want to get to some of those edge issues that now translate to kind of physical digital virtualization of of life but first I want to ask you around operational technology and IT OT IT these are kind of examples where you're seeing at scale problem with the pandemic being highlighted so cloud providers etc are all kind of impacted and bring solutions to the table you guys at Foot are doing large scale security is there anything around the automation side of it then you've seen emerge because all the people that are taking care of being a supplier in this new normal or this crisis certainly not normal has leveraged automation and data so this has been a fundamental value proposition that highlights what we call the DevOps movement in the cloud world but automation has become hugely available and a benefit to this can you share your insights into how automation is changing with cyber I think you up a nice question for me is it allowed me to talk about not only automation but convergence so it's let's hit automation first right we all even even pre-crisis we need to be better at leveraging automation to do things that machines do best allow people to do higher-order things whether it's unique analysis or something else with a with a more distributed workforce and perhaps fewer resources automation is more important ever to automatically detect bad things that are about to happen automatically mitigating them before they get or they get to bad you know in the cybersecurity world you use things like agile segmentation and you use like techniques called soar it's a type of security orchestration and you want to eat leverage those things very very highly in order to leverage automation to have machines circum amount of human services but you also brought up on my favorite topics which is ot graceful technology though OTS you know are the things that are used to control for the past almost a hundred years now things in the physical world like electric generators and pipes and valves and things like that often used in our critical infrastructures in my company fort net we provide solutions that secure both the IT world the traditional cyber domain but also the OT systems of the world today where safety and reliability are about most important so what we're seeing with the co19 crisis is that supply chains transportation research things like that a lot of things that depend on OT solutions for safety and reliability are much more forefront of mine so from a cybersecurity strategy perspective what you want to do of course is make sure your solutions in the IT space are well integrated with you solutions in the OT space to the so an adversary or a mistake in cause a working to the crack in causing destruction that convergence is interesting you know we were talking before you came on camera around the fact that all these events are being canceled but that really highlights the fact that the physical spaces are no longer available the so-called ot operational technologies of events is the plumbing the face-to-face conversations but everyone's trying to move to digital or virtual eyes that it's not as easy as just saying we did it here we do it there there is a convergence and some sort of translation this new there's a new roles there's new responsibilities new kinds of behaviors and decision making that goes on in the physical and digital worlds that have to then come together and get reimagined and so what's your take on all this because this is not so much about events but although that's kind of prime time problem zooming it is not the answer that's a streaming video how do you replicate the value of physical into the business value in digital it's not a one-to-one so it's quite possible that that we might look back on this event to cover 19 experience we might look back at it in five or ten years and say that was simply a foreshadowing of our of the importance of making sure that our physical environment is appropriate in private what I mean is that with the with the rapid introduction of Internet of Things technologies into the physical world we're going to have a whole lot of dependencies on the thing inconveniences tendencies inconveniences on things an instrument our physical space our door locks or automobiles paths our temperatures color height lots of things to instrument the physical space and so there's gonna be a whole lot of data that's generated in that cyber in a physical domain increasingly in the future and we're going to become dependent upon it well what happens if for whatever reason in the in the future that's massively disruptive so all of a sudden we have a massive disruption in the physical space just like we're experiencing now with open 19 so again that's why it makes sense now to start your planning now with making sure that your safety and reliability controls in the physical domain are up to the same level security and privacy as the things in your IT delete and it highlights what's the where the value is to and it's a transformation I was just reading an article around spatial economics around distance not being together it's interesting on those points you wrote a book about this I want to get your thoughts because in this cyber internet or digital or virtualization of physical to digital whether it's events or actual equipment is causing people to rethink architectures you mentioned a few of them what's the state of the art thinking around someone who has the plan for this again is in its complex it's not just creating a gateway or a physical abstraction layer of software between two worlds there's almost a blending or convergence here what's your what's your thoughts on what's the state of the art thinking on this area yeah the book that I number of a very esteemed colleagues contribute to what we said is that it's time to start treating cybersecurity like a science let's not pretend it's a dark art that we have to relearn every couple years and what what we said in the in the digital Big Bang is that humankind started flourishing once we admitted our ignorance in ultimately our ignorance in the physical world and discovered or invented you can right word the disciplines of physics and chemistry and once we recognize that our physical world was driven by those scientific disciplines we started flourishing right the scientific age led to lots of things whether it would be transportation health care or lots of other things to improve our quality of life well if you fast forward 14 billion years after that cosmic Big Bang which was driven by physics 50 years ago or so we had a digital Big Bang where there was a massive explosion of bits with the invention of the internet and what we argue in the book is that let's start treating cybersecurity like a science or the scientific principle is that we ought to write down and follow a Rousseau's with you so we can thrive in the in the in a digital Big Bang in the digital age and one more point if you don't mind what we what we noted is that the internet was invented to do two things one connect more people or machines than ever imagined in to do so in speeds that were never imagined so the in the Internet is is optimized around speed in connectivity so if that's the case it may be a fundamental premise of cybersecurity science is make sure that your cyber security solutions are optimized around those same two things that the cyber domains are optimized around speed in integration continue from there you can you can build on more and more complex scientific principles if you focus on those fundamental things and speed and integration yeah that's awesome great insight they're awesome I wanted to throw in while you had the internet history lesson down there also was interesting was a very decentralization concept how does that factor in your opinion to some of the security paradigms is that helped or hurt or is it create opportunities for more secure or does it give the act as an advantage yeah I love your questions is your it's a very informed question and you're in a give me good segue to answer the way you know it should be answer yeah the by definition the distributed nature of the Internet means it's an inherently survivable system which is a wonderful thing to have for a critical infrastructure like that if one piece goes down the hole doesn't go down it's kind of like the power grid the u.s. the u.s. electrical power grid there's too many people who say the grid will go down well that's that's just not a practical thing it's not a reality thing the grades broken up into three major grades and there's AB ulis strategies and implementations of diversification to allow the grid to fail safely so it's not catastrophic Internet's the same thing so like my nipple like I was saying before we ought to de cyber security around a similar principle that a catastrophic failure in one partner to start cybersecurity architecture should result in cascading across your whole architecture so again we need to borrow some lessons from history and I think he bring up a good one that the internet was built on survivability so our cybersecurity strategies need to be the same one of the ways you do that so that's all great theory but one of the ways you do that of course is by making your cybersecurity solutions so that they're very well integrated they connect with each other so that you know speaking in cartoon language you know if one unit can say I'm about to fail help me out and another part of your architecture can pick up a slack and give you some more robust security in that that's what a connected the integrated cyber security architecture do for you yeah it's really fascinating insight and I think resiliency and scale are two things I think are going to be a big wave is going to be added into the transformations that going on now it's it's very interesting you know Phil great conversation I could do a whole hour with you and do a fish lead a virtual panel virtualize that our own event here keynote speech thanks so much for your insight one of things I want to get your thoughts on is something that I've been really thinking a lot lately and gathering perspectives and that is on biosecurity and I say biosecurity I'm referring to covet 19 as a virus because biology involves starting a lab or some people debate all that whether it's true or not but but that's what people work on in the biology world but it spreads virally like malware and has a similar metaphor to cybersecurity so we're seeing conversation starting to happen in Washington DC in Silicon Valley and some of my circles around if biology weapon or it's a tool like open-source software could be a tool for spreading cybersecurity Trojans or other things and techniques like malware spear phishing phishing all these things are techniques that could be deployed metaphorically to viral distribution a biohazard or bio warfare if you will will it look the same and how do you defend against the next covet 19 this is what you know average Americans are seeing the impact of the economy with the shelter in place is that what happens again and how do we prevent it and so a lot of people are thinking about this what is your thoughts because it kind of feels the same way as cybersecurity you got to see it early you got to know what's going on you got to identify it you got to respond to it time to close your contain similar concepts what's your thoughts on with BIOS we don't look with all due respect to the the the bio community let me make a quick analogy to the cyber security strategy right cyber security strategy starts with we start as an attacker so I parts of my previous career I'm an authorized had the opportunity to help develop tools that are very very precisely targeted against foreign adversaries and that's a harder job than you think I mean I think the same is true of anyone of a natural-born or a custom a buyer buyer is that not just any virus has the capability to do a lot of harm to a lot of people selling it so it's it's if that doesn't mean though you can sit back and say since it's hard it'll never happen you need to take proactive measures to look for evidence of a compromise of something whether it's a cyber cyber virus or otherwise you have to actively look for that you have to harm yourself to make sure you're not susceptible to it and once you detect one you need to make sure you have a the ability to do segmentation or quarantine very rapidly very very effectively right so in the cyber security community of course the fundamental strategy is about segmentation you keep different types of things separate that don't need to interact and then if you do have a compromise not everything is compromised and then lastly if you want to gradually say bring things back up to recover you can do some with small chunks I think it's a great analogy segmentation is a good analogy to I think what the nation is trying to do right now by warranty kneeing and gradually reopening up things in in segments in actually mention earlier that some of the other techniques are very very similar you want to have good visibility of where you're at risk and then you can automatically detect and then implement some some mitigations based on that good visibility so I agree with you that it turns out that the cyber security strategies might have a whole lot in common with biohazard I address it's interesting site reliability engineers which is a term that Google coined when they built out their large-scale cloud has become a practice that kind of mindset combined with some of the things that you're saying the cyber security mindset seemed to fit this at scale problem space and I might be an alarmist but I personally believe that we've been having a digital war for many many years now and I think that you know troops aren't landing but it's certainly digital troops and I think that we as a country and a global state and global society have to start thinking about you know these kinds of things where a virus could impact the United States shut down the economy devastating impact so I think Wars can be digital and so I may be an alarmist and a conspirators but I think that you know thinking about it and talking about it might be a good thing so appreciate your insights there Phil appreciated what one other point that might be interesting a few years back I was doing some research with the National Lab and we're looking for novel of cybersecurity analytics and we hired some folks who worked in the biology the bio the biomedical community who were studying a biome fires at the time and it was in recognition that there's a lot of commonality between those who are doing cybersecurity analytics and those reviewing bio biology or biomedical type analytics in you know there was a lot of good cross fertilization between our teams and it kind of helps you bring up one more there's one more point which is what we need to do in cybersecurity in general is have more diversity of workforces right now I don't mean just the traditional but important diversities of sex or color but diversity of experiences right some of the best people I've worked with in the cyber analytics field weren't computer science trained people and that's because they came in problems differently with a different background so one of the things that's really important to our field at large and of course the company my company fort net is to massively increase the amount of cyber security training that's available to people not just the computer scientists the world and the engineers but people in other areas as well the other degree to non-greek people and with that a you know higher level of cyber security training available to a more diverse community not only can we solve the problem of numbers we don't have enough cybersecurity people but we can actually increase our ability to defend against these things I have more greater diversity of thought experience you know that's such a great point I think I just put an exclamation point on that I get that question all the time and the skills gap is should I study computer science and like actually if you can solve problems that's a good thing but really diversity about diversity is a wonderful thing in the age of unlimited compute power because traditionally diversity whether it was protocol diversity or technical diversity or you know human you know makeup that's tend to slow things down but you get higher quality so that's a generalization but you get the point diversity does bring quality and if you're doing a data science you don't want have a blind spot I'm not have enough data so yeah I think a good diverse data set is a wonderful thing you're going to a whole nother level saying bringing diversely skill sets to the table because the problems are diverse is that what you're getting at it is it's one of our I'll say our platforms that we're talking about during the during the covered nineteen crisis which is perhaps there's perhaps we could all make ourselves a little bit better by taking some time out since we're not competing taking some time out and doing a little bit more online training where you can where you can either improve your current set of cybersecurity skills of knowledge or be introduced to them for the first time and so there's one or some wonderful Fortinet training available that can allow both the brand-new folks the field or or the the intermediate level folks with you become higher level experts it's an opportunity for all of us to get better rather than spending that extra hour on the road every day why don't we take at least you know 30 of those 60 minutes or former commute time and usually do some online soccer security treaty feel final question for you great insight great conversation as the world and your friends my friends people we don't know other members of society as they start to realize that the virtualization of life is happening just in your section it's convergence what general advice would you have for someone just from a mental model or mindset standpoint to alleviate any anxiety or change it certainly will be happening so how they can better themselves in their life was it is it thinking more about the the the experiences is it more learning how would you give advice to folks out there who are gonna come out of this post pandemic certainly it's gonna be a different world we're gonna be heightened to digital and virtual but as things become virtualized how can someone take this and make a positive outcome out of all this I I think that the future the future remains bright earlier we talked about sci-fi the integration of the cyber world in the physical world that's gonna provide great opportunities to make us more efficient gives us more free time detect bad things from happening earlier and hopefully mitigating those bad things from happening earlier so a lot of things that some people might use as scare tactics right convergence and Skynet in in robotics and things like that I believe these are things that will make our lives better not worse our responsibilities though is talking about those things making sure people understand that they're coming why they're important and make sure we're putting the right security and privacy to those things as these worlds this physical world and the soccer worlds converged I think the future is bright but we still have some work to do in terms of um making sure we're doing things at very high speeds there's no delay in the cybersecurity we put on top of these applications and make sure we have very very well integrated solutions that don't cause things to become more complex make make things easier to do certainly the winds of change in the big waves with the transformations happening I guess just summarize by saying just make it a head win I mean tailwind not a headwind make it work for you at the time not against it Phil thank you so much for your insights I really appreciate this cube conversation remote interview I'm John Ford with the cube talking about cybersecurity and the fundamentals of understanding what's going on in this new virtual world that we're living in to being virtualized as we get back to work and as things start to to evolve further back to normal the at scale problems and opportunities are there and of course the key was bringing it to you here remotely from our studio I'm John Ferrier thanks for watching [Music]

>>live from San Francisco. It's the queue covering our essay conference 2020 San Francisco Brought to you by Silicon Angle Media >>Hey, welcome back here. Ready? Jeff Frick here with the Cube. We're in our 2020 the biggest security conference in the country, if not the world. I guess there's got to be 50,000 people. We'll get the official word tomorrow. It's our sixth year here and we're excited to be back. I'm not sure why. It's 2020. We're supposed to know everything at this point in time with the benefit on inside. We got two people that do. You know a lot. We're excited to have him. My left is Chris Bets is the SVP and chief security officer for Centurylink. Chris, Great to see you. And to his left is Chris Smith, VP Global security Services for Centurylink. Welcome. >>Thank you for having me. >>Absolutely. You guys just flew into town >>just for the conference's great To be here is always a really exciting space with just a ton of new technology coming out. >>So let's just jump into it. What I think is the most interesting and challenging part of this particular show we go to a lot of shows you 100 shows a year. I don't know that there's one that's got kind of the breadth and depth of vendors from the really, really big the really, really small that you have here. And, you know, with the expansion of Moscone, either even packing more women underneath Howard Street, what advice do you give to people who are coming here for the first time? Especially on more than the buyer side as to how do you navigate this place >>when I when I come here and see So I'm always looking at what the new technologies are. But honestly, having a new technology is not good enough. Attackers are coming up with new attacks all the time. The big trick for me is understanding how they integrate into my other solutions. So I'm not so I'm not just focused on the technology. I'm focused on how they all fit together. And so the vendors that have solutions that fit together that really makes a difference in my book. So I'm looking for for products that are designed to work with each other, not just separate >>from a practice standpoint. The theme of IRA say this year is the human element, and for us, if you look at this floor, it's overwhelming. And if you're a CSO of an average enterprise, it's hard to figure out what you need to buy and how to build a practice with all of the emerging tools. So for us core to our practice, I think any mature, 30 security practices having a pro services capability and consulting capability that can be solved this all together, that helps you understand what to buy, what things to piece together and how to make it all work >>right. And it's funny, the human element that is the kind of the global theme. And what's funny is for all the technology it sounds like. Still, the easiest way in is through the person, whether it's a phishing attack or there's a myriad of ways that people are getting him to the human. So that's kind of a special challenge or trying to use technology to help people do a better job. At the end of the day, sometimes you're squishy ISS or easier access point is not a piece of technology, but it's actually a person. It's >>often because We asked people to do the wrong things. We're having them. Focus on security steps. Use email. Security is an easy to grasp example way all go through training every year to teach folks how to make sure that they avoid clicking on the wrong emails for us more often than a year. So the downside of that is arresting people to take a step away from their job and try to figure out how to protect themselves. And is this a bad emails that are really focusing on the job? So that's why it's so important to me to make sure that we've got solutions that help make the human better and frankly, even worse in security. We don't have the staff that we need. And so how do we help Make sure that the right tools are there, that they work together. They automate because asking everybody to take those steps, it's just it's a recipe for disaster because people are going to make mistakes >>right? Let's go a little deeper into the email thing. A friend of mines and commercial real estate, and he was describing an email that he got from his banker describing a wire transfer from one of his suppliers that he has a regular, ongoing making relationship with. You know, it's not the bad pronunciation and bad grammar and kind of the things that used to jump out is an obvious. But he said it was super good to the point where thankfully, you know, it was just this time. But, you know, he called the banker like, did you just send me this thing? So you know where this as the sophistication of the bad guys goes up specifically targeting people, how do you try to keep up with how do you give them the tools to know Woe versus being efficient? I'm trying to get my job done. >>Yeah, for me, it starts with technology. That takes a look. We've only got so many security practitioners in the company. Actually. Defend your email example. We've got to defend every user from those kinds of problems. And so how do I find technology solutions that help take the load off security practitioners so they can focus on the niche examples that really, really well crafted emails and help take that load off user? Because users just not gonna be able to handle that right? It's not fair to ask them. And like you said, it was just poorly time that helped attack. So how do we help? Make sure that we're taking that technology load off, identify the threats in advance and protect them. And so I think one of the biggest things that Chris and I talk a lot about is how to our solutions help make it easier for people to secure themselves instead of just providing only technology technology advantage, >>our strategy for the portfolio and it sort of tied to the complexity. CN This floor is simplicity. So from our perspective, our goal is a network service provider is to deliver threat free traffic to our customers even before it gets to the human being. And we've got an announcement that we launched just a week ago in advance of the show called Rapid Threat Defense. And the idea is to take our mature threat Intel practice that Chris has a team of folks focused on that. We branded black Lotus labs and Way built a machine learning practice that takes all the bad things that we see out in the network and protects customers before it gets to their people. >>So that's an interesting take. You have the benefit of seeing a lot of network traffic from a lot of customers and not just the stuff that's coming into my building. So you get a much more aggregated approach, so tell us a little bit more about that. And what is the Black Lotus Labs doing? And I'm also curious from an industry point of view, you know, it's just a collaboration with the industry cause you guys are doing a lot of traffic. There's other big network providers carrying a lot of traffic. How well do you kind of work together when you identify some nasty new things that you're doing the horizon? And where do you draw the line between better together versus still independent environment? >>When we're talking about making the Internet safer, it's not really to me a lot about competitive environment. It's really about better together. That's one of things I love about the security community. I'm sure you see it every year when you're here. You're talking security practitioners how across every industry security folks work together to accomplish something that's meaningful. So as the largest world's largest global I P we get to see a ton of traffic, and it's really, really interesting we'll be able to put together, you know, at any given point in time. We're watching many tens of thousands of probable malware networks. We're protecting our customers from that. But we're also able to ourselves take down nearly 65 now where networks every month just knock them off the Internet. So identify the command and control, and we take it off the Internet. We work with our partners. We go talk to hosting providers, maybe competitors of ours. And we say, Hey, here's a bad, bad actors bad server that's being used to control now where? Going shut it down. And so the result of that is not only protecting our customers, but more importantly, protecting tens of thousands of customers every month. By removing now where networks that were attacking, that really makes a difference. To me, that's the biggest impact we bring. And so it really is a better together. It's a collaboration story and, of course, for said, we get the benefit of that information as we're developing it as we're building it, we can protect our customers right away while we're building the confidence necessary to take something as dramatic and action as shutting down on our network. Right. Unilaterally, >>Citrix. I was gonna ask you kind of the impact of I o t. Right in this in this crazy expansion of the tax services, when you hear about all the time with my favorite example, somebody told the story of attacking a casino through the connected thermometer in the fish tank in the lobby, which may or may not be true, is still a great story. Great story. But I'm curious, you know, looking at the network, feeding versus the devices connecting that's really in an interesting way to attack this proliferation of attack services. You're getting it before it necessarily gets to all these new points of presence doing it based on the source. For >>us, that's the only way to make it scalable. It is true that automation blocking it before it gets to the azure to a device. It is what will create simplicity and value for our customers. >>Right on the other piece of the automation. Of course, that we hear about all the time is there just aren't enough security professionals, period. So if you don't have the automation. You don't have the machine learning, as you said, to filter low hanging fruit and the focus your resource. If they need to be, you're not going to do it. The bad news is the bad guys, similar tools. So as you look at kind of the increase in speed of automation, the increase in automated connectivity between these devices making decisions amongst each other, how do you see that kind of evolving? But you're kind of role and making sure you stay a step ahead of the bad guys. For >>me, it's not about just automation. It's about allowing smart people to put their brains against hard problems, hard impactful problems and so on. So simply automating is not enough. It's making sure that automation is reducing the the load on people so that they're able to focus on those hard, unique problems really solve all those solutions and, yes, Attackers, Attackers build automation as well. And so if we're not building faster and better than we're falling behind, so like every other part of this race, it's about getting better, faster and why it's so important that technology work together because we're constantly throwing out more tools and if they don't work better together, even if we got incremental automation, these place way still miss overall because it's end to end that we need to defend ourselves and our customers >>layered on what he said. For the foreseeable future, you're gonna need smart security people that help protect your practice. Our goal in automation is take the road tasks out of out of the gate. They live so they can focus on the things that provide the most value protecting their enterprise. >>Right when you're looking, you talked about making sure things work together, for you talked about making sure things work together. How do you decide what's kind of on the top of the top of the stack, where everybody wants to own the single pane of glass? Everybody wants to be the control plane. Everybody wants to be that thing that's on your computer all the time, which is how you work your day to day. How do you kind of dictate what are the top level tools while still going out? And, he said, exploring some of these really cutting edge things out around the fringe, which don't necessarily have a full stack solution that you're going to rely on but might have some cool kind of point solutions if you will, or point products to help you plug some new and emerging holes. Yeah, >>yeah. So for us, yeah, we take security capabilities and we build them into the other things that we sell. So it's not a bolt on. So when you buy things from us, whether whether it's bandwidth or whether its SD wan and security comes baked in, so it's not something you have to worry about integrating later. It's an ingredient of the things that we sell in all of the automation that we build is built into our practice, So it's simple for our customers to understand, like, simple and then layered. On top of that, we've got a couple different ways that we bring pro services and consulting to our practice. So we've got a smart group of folks that could lean into staff, augment and sit on site, do just about anything to help customers build a practice from day zero to something more mature. But now we're toying with taking those folks in building them into products and services that we sell for 10 or 20 hours a month as an ingredient. So you get that consulting wrapper on top of the portfolio that we sell as a service provider. >>Get your take on kind of budgets and how people should think about their budgets. And when I think of security, I can't help but think of like insurance because you can't spend all your money on security. But you want to spend the right amount on security. But at the end of the day, you can't be 100% secure, right? So it's kind of kind of working the margins game, and you have to make trade offs in marketing, wants their money and product development, wants their money and sales, wants their money. So what people are trying to assess kind of the risk in their investment trade offs. What are some of the things they should be thinking about to determine what is the proper investment on security? Because it can't just be, you know, locker being 100% it's not realistic, and then all the money they help people frame that. >>Usually when companies come to us in, Centurylink plays in every different segment, all the way down to, you know, five people company all the way to the biggest multinationals on the planet. So that question is, in the budget is a little bit different, depending on the type of customer, the maturity and the lens are looking at it. So, typically, way have a group of folks that we call security account managers those our consultants and we bring them in either in a dedicated or a shared way. Help companies that's us, wear their practices today in what tool sets for use again things that they need to purchase and integrate to get to where they need to be >>really kind of a needs analysis based on gaps as much as anything else. >>That's part of the reason why we try to build prisons earlier, so many of the technologies into our solution so that so that you buy, you know, SD wan from us, and you get a security story is part of it is that that allows you to use the customer to save money and really have one seamless solution that provides that secure experience. We've been building firewalls and doing network based security for going on two decades now, in different places. So at this point, that is a good place that way, understand? Well, we can apply automation against it. We can dump, tail it into existing services and then allow focused on other areas of security. So it helps. From a financial standpoint, it also helps customers understand from where they put their talent. Because, as you talked about, it's all about talents even more so than money. Yes, we need to watch our budgets. But if you buy these tools, how do you know about the talent to deploy them? And easier You could make it to do that simpler. I think the better off right >>typical way had the most success selling security practices when somebody is either under attacker compromised right, then the budget opens right up, and it's not a problem anymore. So we thought about how to solve that commercially, and I'll just use Vitas is an example. We have a big D dos global DDOS practice that's designed to protect customers that have applications out on the Internet that are business critical, and if they go down, whether it's an e commerce or a trading site losing millions of dollars a day, and some companies have the money to buy that up front and just have it as a service. And some companies don't purchase it from us until they're under attack. And the legacy telco way of deploying that service was an order and a quote. You know, some days later, we turned it up. So we've invested with Christine the whole orchestration layer to turn it up in minutes and that months so you can go to our portal. You can enter a few simple commercial terms and turn it on when you need it. >>That's interesting. I was gonna ask you kind of how has cloud kind of changed the whole go to market and the way people think about it. And even then you hear people have stuff that's secure in the cloud, but they mis configured a switch left something open. But you're saying, too it enables you to deploy in a very, very different matter based on you know, kind of business conditions and not have that old, you know, get a requisite get a p o requisition order, install config. Take on another kind of crazy stuff. Okay, so before I let you go, last question. What are your kind of priorities for this show for Centurylink when it's top of mind, Obviously, you have the report and the Black Lotus. What do you guys really prioritizing for this next week? Here for Cisco. >>We're here to help customers. We have a number of customers, a lot of learning about our solutions, and that's always my priority. And I mentioned earlier we just put out a press release for rapid threat defense. So we're here to talk about that, and I think the industry and what we're doing this little bit differently. >>I get to work with Chris Motions Week with customers, which is kind of fun. The other part that I'm really excited about, things we spent a bunch of time with partners and potential partners. We're always looking at how we bring more, better together. So one of the things that we're both focused on is making sure that we're able to provide more solutions. So the trick is finding the right partners who are ready to do a P I level integration. The other things that Chris was talking about that really make this a seamless and experience, and I think we've got a set of them that are really, really interested in that. And so those conversations this week will be exceptionally well, I think that's gonna help build better technology for our customers even six months. >>Alright, great. Well, thanks for kicking off your week with the Cube and have a terrific week. Alright. He's Chris. He's Chris. I'm Jeff. You're watching the Cube. Where? The RSA Conference in downtown San Francisco. Thanks for watching. See you next time. >>Yeah, yeah.

>> Is and who we are today as as a country, as a universe. >> Narrator: Congratulations Reggie Jackson, (inspirational music) you are a CUBE alumni. (upbeat music) >> Announcer: Live from Las Vegas it's theCUBE covering Splunk.Conf19. Brought to you by Splunk. >> Okay, welcome back everyone it's theCUBE's live coverage here in Las Vegas for Splunk.Conf19. I am John Furrier host of theCUBE. It's the 10th Anniversary of Splunk's .Conf user conference. Our 7th year covering it. It's been quite a ride, what a wave. Splunk keeps getting stronger and better, adding more features, and has really become a powerhouse from a third party security standpoint. We got a C-SO in theCUBE on theCUBE today. Chief Information Security, John Frushour Deputy Chief (mumbles) New York-Presbyterian The Award Winner from the Data to Everywhere Award winner, welcome by theCube. >> Thank you, thank you. >> So first of all, what is the award that you won? I missed the keynotes, I was working on a story this morning. >> Frushour: Sure, sure. >> What's the award? >> Yeah, the Data Everything award is really celebrating using Splunk kind of outside its traditional use case, you know I'm a security professional. We use Splunk. We're a Splunk Enterprise Security customer. That's kind of our daily duty. That's our primary use case for Splunk, but you know, New York Presbyterian developed the system to track narcotic diversion. We call it our medication analytics platform and we're using Splunk to track opioid diversion, slash narcotic diversions, same term, across our enterprise. So, looking for improper prescription usage, over prescription, under prescription, prescribing for deceased patients, prescribing for patients that you've never seen before, superman problems like taking one pill out of the drawer every time for the last thirty times to build up a stash. You know, not resupplying a cabinet when you should have thirty pills and you only see fifteen. What happened there? Everything's data. It's data everything. And so we use this data to try to solve this problem. >> So that's (mumbles) that's great usage we'll find the drugs, I'm going to work hard for it. But that's just an insider threat kind of concept. >> Frushour: Absolutely. >> As a C-SO, you know, security's obviously paramount. What's changed the most? 'Cause look at, I mean, just looking at Splunk over the past seven years, log files, now you got cloud native tracing, all the KPI's, >> Frushour: Sure. >> You now have massive volumes of data coming in. You got core business operations with IOT things all instrumental. >> Sure, sure. >> As a security offer, that's a pretty big surface area. >> Yeah. >> How do you look at that? What's your philosophy on that? >> You know, a lot of what we do, and my boss, the C-SO (mumbles) we look at is endpoint protection and really driving down to that smaller element of what we complete and control. I mean, ten, fifteen years ago information security was all about perimeter control, so you've got firewalls, defense and depth models. I have a firewall, I have a proxy, I have an endpoint solution, I have an AV, I have some type of data redaction capability, data masking, data labeling capability, and I think we've seen.. I don't think security's changed. I hear a lot of people say, "Oh, well, information security's so much different nowadays." No, you know, I'm a military guy. I don't think anything's changed, I think the target changed. And I think the target moved from the perimeter to the endpoint. And so we're very focused on user behavior. We're very focused on endpoint agents and what people are doing on their individual machines that could cause a risk. We're entitling and providing privilege to end users today that twenty years ago we would've never granted. You know, there was a few people with the keys to the kingdom, and inside the castle keep. Nowadays everybody's got an admin account and everybody's got some level of privilege. And it's the endpoint, it's the individual that we're most focused on, making sure that they're safe and they can operate effectively in hospitals. >> Interviewer: What are some of the tactical things that have changed? Obviously, the endpoint obviously shifted, so some tactics have to change probably again. Operationally, you still got to solve the same problem: attacks, insider threats, etc. >> Frushour: Yeah. >> What are the tactics? What new tactics have emerged that are critical to you guys? >> Yeah, that's a tough question, I mean has really anything changed? Is the game really the game? Is the con really the same con? You look at, you know, titans of security and think about guys like Kevin Mitnick that pioneered, you know, social engineering and this sort of stuff, and really... It's really just convincing a human to do something that they shouldn't do, right? >> Interviewer: Yeah. >> I mean you can read all these books about phone freaking and going in and convincing the administrative assistant that you're just late for meeting and you need to get in through that special door to get in that special room, and bingo. Then you're in a Telco closet, and you know, you've got access. Nowadays, you don't have to walk into that same administrative assistant's desk and convince 'em that you're just late for the meeting. You can send a phishing email. So the tactics, I think, have changed to be more personal and more direct. The phishing emails, the spear phishing emails, I mean, we're a large healthcare institution. We get hit with those types of target attacks every day. They come via mobile device, They come via the phishing emails. Look at the Google Play store. Just, I think, in the last month has had two apps that have had some type of backdoor or malicious content in them that got through the app store and got onto people's phones. We had to pull that off people's phones, which wasn't pretty. >> Interviewer: Yeah. >> But I think it's the same game. It's the same kind to convince humans to do stuff that they're not supposed to do. But the delivery mechanism, the tactical delivery's changed. >> Interviewer: How is Splunk involved? Cause I've always been a big fan of Splunk. People who know me know that I've pretty much been a fan boy. The way they handle large amounts of data, log files, (mumbles) >> Frushour: Sure. >> and then expand out into other areas. People love to use Splunk to bring in their data, and to bring it into, I hate to use the word data leg but I mean, Just getting... >> Yeah >> the control of the data. How is data used now in your world? Because you got a lot of things going on. You got healthcare, IOT, people. >> Frushour: Sure, sure. >> I mean lives are on the line. >> Frushour: Lives are on the line, yeah. >> And there's things you got to be aware of and data's key. What is your approach? >> Well first I'm going to shamelessly plug a quote I heard from (mumbles) this week, who leads the security practice. She said that data is the oxygen of AI, and I just, I love that quote. I think that's just a fantastic line. Data's the oxygen of AI. I wish I'd come up with it myself, but now I owe her a royalty fee. I think you could probably extend that and say data is the lifeline of Splunk. So, if you think about a use case like our medication analytics platform, we're bringing in data sources from our time clock system, our multi-factor authentication system, our remote access desktop system. Logs from our electronic medical records system, Logs from the cabinets that hold the narcotics that every time you open the door, you know, a log then is created. So, we're bringing in kind of everything that you would need to see. Aside from doing something with actual video cameras and tracking people in some augmented reality matrix whatever, we've got all the data sources to really pin down all the data that we need to pin down, "Okay, Nurse Sally, you know, you opened that cabinet on that day on your shift after you authenticated and pulled out this much Oxy and distributed it to this patient." I mean, we have a full picture and chain of everything. >> Full supply chain of everything. >> We can see everything that happens and with every new data source that's out there, the beauty of Splunk is you just add it to Splunk. I mean, the Splunk handles structured and unstructured data. Splunk handles cis log fees and JSON fees, and there's, I mean there's just, it doesn't matter You can just add that stream to Splunk, enrich those events that were reported today. We have another solution which we call the privacy platform. Really built for our privacy team. And in that scenario, kind of the same data sets. We're looking at time cards, we're looking at authentication, we're looking at access and you visited this website via this proxy on this day, but the information from the EMR is very critical because we're watching for people that open patient records when they're not supposed to. We're the number five hospital in the country. We're the number one hospital in the state of New York. We have a large (mumbles) of very important people that are our patients and people want to see those records. And so the privacy platform is designed to get audit trails for looking at all that stuff and saying, "Hey, Nurse Sally, we just saw that you looked at patient Billy's record. That's not good. Let's investigate." We have about thirty use cases for privacy. >> Interviewer: So it's not in context of what she's doing, that's where the data come in? >> That's where the data come in, I mean, it's advanced. Nurse Sally opens up the EMR and looks at patient Billy's record, maybe patient Billy wasn't on the chart, or patient Billy is a VIP, or patient Billy is, for whatever reason, not supposed to be on that docket for that nurse, on that schedule for that nurse, we're going to get an alarm. The privacy team's going to go, "Oh, well, were they supposed to look at that record?" I'm just giving you, kind of, like two or three uses cases, but there's about thirty of them. >> Yeah, sure, I mean, celebrities whether it's Donald Trump who probably went there at some point. Everyone wants to get his taxes and records to just general patient care. >> Just general patient care. Yeah, exactly, and the privacy of our patients is paramount. I mean, especially in this digital age where, like we talked about earlier, everyone's going after making a human do something silly, right? We want to ensure that our humans, our nurses, our best in class patient care professionals are not doing something with your record that they're not supposed to. >> Interviewer: Well John, I want to hear your thoughts on this story I did a couple weeks ago called the Industrial IOT Apocalypse: Now or Later? And the provocative story was simply trying to raise awareness that malware and spear phishing is just tactics for that. Endpoint is critical, obviously. >> Sure. >> You pointed that out, everyone kind of knows that . >> Sure. >> But until someone dies, until there's a catastrophe where you can take over physical equipment, whether it's a self-driving bus, >> Frushour: Yeah. >> Or go into a hospital and not just do ransom ware, >> Frushour: Absolutely. >> Actually using industrial equipment to kill people. >> Sure. >> Interviewer: To cause a lot of harm. >> Right. >> This is an industrial, kind of the hacking kind of mindset. There's a lot of conversations going on, not enough mainstream conversations, but some of the top people are talking about this. This is kind of a concern. What's your view on this? Is it something that needs to be talked about more of? Is it just BS? Should it be... Is there any signal there that's worth talking about around protecting the physical things that are attached to them? >> Oh, absolutely, I mean this is a huge, huge area of interest for us. Medical device security at New York Presbyterian, we have anywhere from about eighty to ninety thousand endpoints across the enterprise. Every ICU room in our organization has about seven to ten connected devices in the ICU room. From infusion pumps to intubation machines to heart rate monitors and SPO2 monitors, all this stuff. >> Interviewer: All IP and connected. >> All connected, right. The policy or the medium in which they're connected changes. Some are ZP and Bluetooth and hard line and WiFi, and we've got all these different protocols that they use to connect. We buy biomedical devices at volume, right? And biomedical devices have a long path towards FDA certification, so a lot of the time they're designed years before they're fielded. And when they're fielded, they come out and the device manufacturer says, "Alright, we've got this new widget. It's going to, you know, save lives, it's a great widget. It uses this protocol called TLS 1.0." And as a security professional I'm sitting there going, "Really?" Like, I'm not buying that but that's kind of the only game, that's the only widget that I can buy because that's the only widget that does that particular function and, you know, it was made. So, this is a huge problem for us is endpoint device security, ensuring there's no vulnerabilities, ensuring we're not increasing our risk profile by adding these devices to our network and endangering our patients. So it's a huge area. >> And also compatible to what you guys are thinking. Like I could imagine, like, why would you want a multi-threaded processor on a light bulb? >> Frushour: Yeah. >> I mean, scope it down, turn it on, turn it off. >> Frushour: Scope it down for its intended purpose, yeah, I mean, FDA certification is all about if the device performs its intended function. But, so we've, you know, we really leaned forward, our CSO has really leaned forward with initiatives like the S bomb. He's working closely with the FDA to develop kind of a set of baseline standards. Ports and protocols, software and services. It uses these libraries, It talks to these servers in this country. And then we have this portfolio that a security professional would say, "Okay, I accept that risk. That's okay, I'll put that on my network moving on." But this is absolutely a huge area of concern for us, and as we get more connected we are very, very leaning forward on telehealth and delivering a great patient experience from a mobile device, a phone, a tablet. That type of delivery mechanism spawns all kinds of privacy concerns, and inter-operability concerns with protocol. >> What's protected. >> Exactly. >> That's good, I love to follow up with you on that. Something we can double down on. But while we're here this morning I want to get back to data. >> Frushour: Sure. >> Thank you, by the way, for sharing that insight. Something I think's really important, industrial IOT protection. Diverse data is really feeds a lot of great machine learning. You're only as good as your next blind spot, right? And when you're doing pattern recognition by using data. >> Frushour: Absolutely. >> So data is data, right? You know, telecraft, other data. Mixing data could actually be a good thing. >> Frushour: Sure, sure. >> Most professionals would agree to that. How do you look at diverse data? Because in healthcare there's two schools of thought. There's the old, HIPAA. "We don't share anything." That client privacy, you mentioned that, to full sharing to get the maximum out of the AI or machine learning. >> Sure. >> How are you guys looking at that data, diverse data, the sharing? Cause in security sharing's good too, right? >> Sure, sure, sure. >> What's your thoughts on sharing data? >> I mean sharing data across our institutions, which we have great relationships with, in New York is very fluid at New York Presbyterian. We're a large healthcare conglomerate with a lot of disparate hospitals that came as a result of partnership and acquisition. They don't all use the same electronic health record system. I think right now we have seven in play and we're converging down to one. But that's a lot of data sharing that we have to focus on between seven different HR's. A patient could move from one institution to the next for a specialty procedure, and you got to make sure that their data goes with them. >> Yeah. >> So I think we're pretty, we're pretty decent at sharing the data when it needs to be shared. It's the other part of your question about artificial intelligence, really I go back to like dedication analytics. A large part of the medication analytics platform that we designed does a lot of anomaly detections, anomaly detection on diversion. So if we see that, let's say you're, you know, a physician and you do knee surgeries. I'm just making this up. I am not a clinician, so we're going to hear a lot of stupidity here, but bare with me. So you do knee surgeries, and you do knee surgeries once a day, every day, Monday through Friday, right? And after that knee surgery, which you do every day in cyclical form, you prescribe two thousand milligrams of Vicodin. That's your standard. And doctors, you know, they're humans. Humans are built on patterns. That's your pattern. Two thousand milligrams. That's worked for you; that's what you prescribe. But all of the sudden on Saturday, a day that you've never done a knee surgery in your life for the last twenty years, you all of a sudden perform a very invasive knee surgery procedure that apparently had a lot of complications because the duration of the procedure was way outside the bounds of all the other procedures. And if you're kind of a math geek right now you're probably thinking, "I see where he's going with this." >> Interviewer: Yeah. >> Because you just become an anomaly. And then maybe you prescribe ten thousand milligrams of Vicodin on that day. A procedure outside of your schedule with a prescription history that we've never seen before, that's the beauty of funneling this data into Splunk's ML Toolkit. And then visualizing that. I love the 3D visualization, right? Because anybody can see like, "Okay, all this stuff, the school of phish here is safe, but these I've got to focus on." >> Interviewer: Yeah. >> Right? And so we put that into the ML Toolkit and then we can see, "Okay, Dr. X.." We have ten thousand, a little over ten thousand physicians across New York Presbyterian. Doctor X right over here, that does not look like a normal prescriptive scenario as the rest of their baseline. And we can tweak this and we can change precision and we can change accuracy. We can move all this stuff around and say, "Well, let's just look on medical record number, Let's just focus on procedure type, Let's focus on campus location. What did they prescribe from a different campus?" That's anomalous. So that is huge for us, using the ML Toolkit to look at those anomalies and then drive the privacy team, the risk teams, the pharmacy analytics teams to say, "Oh, I need to go investigate." >> So, that's a lot of heavy lifting for ya? Let you guys look at data that you need to look at. >> Absolutely. >> Give ya a (mumbles). Final question, Splunk, in general, you're happy with these guys? Obviously, they do a big part of your data. What should people know about Splunk 2019, this year? And are you happy with them? >> Oh, I mean Splunk has been a great partner to New York Presbyterian. We've done so much incredible development work with them, and really, what I like to talk about is Splunk for healthcare. You know, we've created, we saw some really important problems in our space, in this article. But, we're looking, we're leaning really far forward into things like risk based analysis, peri-op services. We've got a microbial stewardship program, that we're looking at developing into Splunk, so we can watch that. That's a huge, I wouldn't say as big of a crisis as the opioid epidemic, but an equally important crisis to medical professionals across this country. And, these are all solvable problems, this is just data. Right? These are just events that happen in different systems. If we can get that into Splunk, we can cease the archaic practice of looking at spreadsheets, and look up tables and people spending days to find one thing to investigate. Splunk's been a great partner to us. The tool it has been fantastic in helping us in our journey to provide best in-class patient care. >> Well, congratulations, John Frushour, Deputy Chief Information Security Officer, New York Presbyterian. Thanks for that insight. >> You're welcome. >> Great (mumbles) healthcare and your challenge and your opportunity. >> Congratulations for the award winner Data to Everything award winner, got to get that slogan. Get used to that, it's two everything. Getting things done, he's a doer. I'm John Furrier, here on theCube doing the Cube action all day for three days. We're on day two, we'll be back with more coverage, after this short break. (upbeat music)

(upbeat music) >> Announcer: From New York, it's The Cube. Covering ESCAPE/19. (upbeat music) >> Welcome back to The Cube coverage New York City for the inaugural multi-cloud conference. The first one ever in the industry. It's called Escape 2019. We're in New York so escaping from New York, escaping from cloud, that's the conversation. All the thought leaders are here and executives. People thinking about the next generation architecture and talk tracks are all here. Fritz Wetschnig who's the Chief Information Security Officer for Flextronics. >> Flex, yes. >> Flex, thank you for coming on. Love to have CISOs on because security seems to be always the top conversation. You got a very busy job. >> I do yes. (laughing) >> You're under a lot of pressure all the time >> It's fun, it's still fun for me. So, yeah, a CISO, it's always like security's top in mind, right, of everyone now these days. But it's still one of the most interesting jobs. The most interesting for my job is, I learn so much about our business and to have insight into so many things that's actually really great. >> You know, one of the things I was just talking about on a Cube conversation was, you know, how data is a really important part of it and how data backup and recovery was built on old thinking around, you know, data centers failing, floods, hurricanes, electricity gets outages, but the biggest disruption in business today is security, security threats and so that's cybersecurity pressure is causing CISOs to be mindful of the best architecture the best platform. Do we have the right tools? So I want to get your thoughts. How are you thinking about that as an organization, because are you building in-house developers? Are you, how are you organizing, how are you gearing up to fight the battles that need to be fought? >> So, I am with the company, So Flex is a big manufacturing company, right. 26 billion, so we have a lot of P2P business not consumer business, which is I believe a different perspective of security versus actually like a consumer company facing, so and I'm in a security team for 15 years, so we built it up like security operations and all those kind of things we do, right. >> You're old school. >> I am old school learned everything and that, right? >> But you're lot are IOT, I mean, you're Industrial IOT. >> Oh yeah, Industrial IOT it's one of the topics but coming back to you, you're right, data is actually the center even for our business, data is getting more and more center, right. You collect data from the machine, you collect data actually for the business actually to do make more decisions, right. And it could be predictive maintenance, could be inventory management. There could be a lot of things, right. You have to think about it. So, and the funny thing is, I'm real, I'm the CISO now for 5 years, 15 years with the security team, 20 years with the company, So I rebuilt the team always like every three, four years like as a kind of rebirth of the team. We renew, we add new skills, right. And cloud is one of the things, which I think it's a fundamental change and the change is actually, it's actually on the development side. What it means with that is the security team has to move to serve the developers. And the problem with the old school was always like it's afterthought. So why is security such an issue? Because we had to do patching after we found vulnerabilities, right. And then old network is not secure you need to wrap something around it like we did firewalls. So it was always an afterthought. Now with the cloud, it's changing because you have a lot of different things to do but basically we need to enable developers to be very quick and deploy their software very quickly, so I think it's a fundamental change in the way you have to think about security. >> And yeah, that brings up the good question I would love to ask you 'cause you've given, again you're not a consumer, like Capital One with in-house, they had their own channel, they weren't hacked. Amazon, actually the firewall was misconfigured, on an SV Bucket but that's a consumer company. You have data though, you're an industrial company, got a lot of industrial IOT. Ransomware folks are targeting data. >> Yes. >> And everyone's a target. Your service area is large. But you probably lock that down in the past. So how are you thinking about all this new stuff? >> So yeah, I mean, IOT it's, I mean, IOT's a problem, as you said, the industrial right. And it's not solved yet completely, right. Because they still have to rethink a lot of the vendors providing this machinery, which you purchase for twenty five, thirty years, right. They still are old school, right, sometimes, like, the one on Windows you can't upgrade or whatever. So it's basic things they're lacking actually in terms of security. There's still, has to be a shift in this, not just in industry but in a general thinking, how you do that. Yes, I have a big environment, so we locked it down, we use a lot of innovative technologies, actually preventive measurements plus also detective measurements. And you need to create kind of mightily a concept where you actually start, okay, what is if this fails? How we test it? Okay, this fails, do we have other measurements where we can try to prevent, stop those kind of things, right. But ransom is a big one. There's other things, as you know, like hacking, I mean, like Capitol One. >> Malware's a big problem. >> The Capital One was an interesting one in my belief and that's for the cloud is configuration issues, right, which I think it comes with cloud security. It's about policy and configuration management, right. How you manage that and how you think about it, but it's not, it's was not that. >> Automation could have solve that, I mean, that's an open S3 bucket, that's trivial. It wasn't a big, technical. >> Yes and no, if you look at that it was a little bit more in detail, >> Okay. >> So it was actually, their back firewall was misconfigured, which is about security running on a back check, but the misconfiguration was actually is, as (mumbles) force request issue, which means, like, you tricked this firewall into giving you information you shouldn't give information, right. >> John: Okay, so it was a little bit more. So, it was a little bit more granular as people think it was, right. Just as 3-pocket configuration. So it was a little bit more granular, but I think that's the really difficultly comes about whichever security. It's a complex program, right. It's mainly things you have. >> But it was a configuration error? >> It was a configuration. >> It wasn't as dumb as an S3 bucket. >> No, it wasn't dumb. >> But it was a bit more sophisticated, but not that sophisticated, was it? On a scale of 1 to 10. >> It was not sophisticated, but something, it's not easy to solve. So you have to think about it, but you're right, it's still something. >> John: It's an exploit from a corner case. >> Yeah, it's still something you could have. I mean, I'm careful to say you could have avoided it, yes you could, because that's for sure, but I know it's a complex environment, right. >> It's a human, there's humans involved. >> And I don't know the details exactly, we only know that what was published, right, so it's very hard to check. >> Well, it brings up cloud security, so let me ask you, on multi-cloud, this is a multi-cloud conference. What's your definition of multi-cloud? How do you look at the multiple-clouds? >> For me, multiple-cloud is, actually it doesn't matter. We had a good keynote words, it's a bunch of servers, right. That's how I see multi-cloud. It's a bunch of servers. Could be my data centers in a public cloud data centers with different vendors, that's what a cloud is. Where I move my services should be actually independent from the public hyper on premise, whatever it is, right. That's basically how I see it. >> So it doesn't matter, it's infrastructure. >> Yeah. >> On demand, leverage it. >> Leverage it, it could be say, hey today, I spin of this test server, but you know what, today it seems to be a bit cheaper running on (mumbles) verses GBC, let's do it here. Next day, next week we might do it somewhere else, whatever you trigger, whatever what is your requirements. >> So if going to look at that resource at like that, how do you think about the cloud security then, because the configurations, compliance, how do you, how do you stay on top of that? >> So, that's an interesting thing because we have begun to prioritize but we, as you said, no consumer business, so our problem is to find the right skill set, to attract the right people to our company to do that right because this is our, we have some cloud, but it's not yet, there's a journey we are trying to do, as most of the enterprise, so we're looking into startups, manage services, We say, okay what are gaps that we have to maybe have to outsource some of the things and gaps where we need to get internal source of supply. >> What's you're advice to other CISOs out there that are in the B2B space of don't have to deal with the consumer but have to get serious, that is now becoming more industrialized on the IOT side because you guys have been, you know, been there, done that, you have a big footprint on the IOT, 'cause you have a history. But as people get more facilities and they have more virtual offices, more people working, the edge is extending. What's your advice to those CISOs who have to deal with this industrial end IOT edge? >> I think you have to, visibility is the key ingredient is first, right. If you don't know what you have, it's very hard to understand what's a risk portfolio, right. So, you need to find the right toolset, and don't believe you know what you have. It's fantastic what you see when you use the right tool what distance everything is connected. I mean, basically even, like, I found like, this coffee mug, you know. I connect it to devices, right. It's like, not like everyone, not just that they don't understand my coffee mug is connected to (laughing). >> That light bulb's got multithreaded processor. What is that doing? >> So, so there's concerns, I may, but visibility is a key ingredient you have to understand. And then you have to look into how you mitigate a risk. What is a risk about it, right. I mean, if the government goes down, I don't really care, but if my testos goes down and does shut down the production, I really care about that. So you need to understand that the risk and say, how can I mitigate the risk? >> So while I got you here, what's you final question? What's your message to suppliers out there that all want to sell you something? Want to sell you another tool, you know. Want another tool? You know, I got a platform. I got a tool. Buy from me. >> You mean, to sell 750 watches (drowned out by laughter) If you go to ISA conferences, unbelievable, right. >> I want to sell you something. You're the top dog, I promise. >> Don't send me an email. >> Don't send them an email. Are you shrinking suppliers down? Are you looking at some kind of standard API way to deal with them? >> Yes. >> Because, you know, you're probably thinking about platforming, and date of visibility's critical. >> Yes. >> What's you philosophy on how to support video suppliers? >> So usually, honestly, the most time I really go it so for in the weight of technology we built in our company is called the Strategic Partnership Program where we can get for startups, and most of the time we engage, we startups overseas, or as through other channels, right. Where you get introduced, and you review, with the proof of work concept or value, the technology, and we try to keep it like a mini product, very short time, and say, okay, let's show what you can, where your gaps are, and can we get with you guys and can we get you. But don't send me an email, don't call me because I usually not react. I have a job to do. (laughing) >> Yeah, exactly. >> So that's most of the time, whatever we sees, what comes or if, a guy said hey, I found another CISOs tell me there's great technology, you should leap into that. >> And what shows do you go to? What events do you hang out in? What are good events for you in the space, RSA, Red Hat, Black Defcon? Are there certain events you go to that you think are valuable? >> I mean, as a CISO, I go to the RSA Conference, which I should because it's actually very close to me as well, and being part, being out of San Jose, I recommend the BSides, actually. I like the BSides. >> John: The BSides are great. >> The BSides are great. I think they are real, really. And then I try to smaller circles, right. We have our personal round tables. >> BSides for folks watching is an alternative group of community, industry participants, they have kind of a B-side, an A-side, like an album. But it's such a community event. They do hacker funds and a variety of other cool things where people get together, very unstructured kind of, cool conference, in addition to bigger conferences. >> I can recommend this. >> Yeah, awesome. Fritz, thanks for coming on and sharing your insights. >> Thanks. >> Been a pleasure. The Cube coverage in New York City, we're not escaping from New York but this is the Escape Conference, the first multi-cloud conference in the industry, we'll see how it goes. If they're successful, they might be back next year. If not, they won't be. But I think multi-cloud's going to stay. What do you think? >> I am think so too, yes. >> Okay, Fritz, thanks for coming on. I'm John Furrier, thanks for watching. (upbeat music)

>> Live from Barcelona, Spain, it's theCUBE. Covering Cisco Live! Europe. Brought to you by Cisco and its ecosystem partners. >> Welcome back to Cisco Live! in Barcelona. I'm Dave Vellante with my cohost, Stu Miniman. You're watching theCUBE, the leader in live tech coverage. This is day one of a three day segments that we're doing here at Cisco Live Barcelona. Bret Hartman is here as the CTO of Cisco Security Group. And we think of CUBE alone from way back, Bret. >> Way back, way back. >> Great to see you again. >> You bet. >> Thanks for coming on. So we're here to talk about Workload Security. >> Yep. >> What is that? What is Workload Security? >> What is Workload Security? So it's really the whole idea of how people secure applications today because applications aren't built the way they used to be. It's not the idea that you have an application that's just sitting running on a server anymore. Applications are actually built out of lots and lots of components. Those components may run in a typical data center, they may run in a cloud, they may be part of a SaaS solution, so you got all these different components that need to be plugged together. So the question is how do you possibly secure that when you have all these pieces, containers, and virtualized workloads all working together? That's the big question. >> Written oftentimes by different people with different skillsets. >> Different people, different services, yeah, open source, right. So all that somehow has to come together and you have to figure out how to secure it. That's question. >> And so what did you used to do with applications security? You used to just kind of figure it out at the end and bolt it on, is that? >> Pretty much, I mean, historically, people would do their best to secure their application. It would be kind of monolithic or three-tier, the web tier, app tier, database and that sort of thing. And then you'd also depend a lot on the infrastructure. You'd depend on firewalls, you'd depend on things on the edge to protect the application. The problem is there's not so much of an edge anymore when in that world I described you can't really rely so much on that infrastructure anymore. That's the shift of the world we know of. >> So what's the prescription today? How do you solve that problem? >> You know, there's a lot of ad hoc work. And so this whole notion, a lot of people talk about devsecops these days or sometimes it's devopssec, or there's all these different versions of that. But the whole idea of the devops world, the way people build applications today, and the security world, the security ops world are either coming together or colliding or crashing, right. And so it's getting those things to work. So right now, the way devops and secops works today is not particularly well. Lot of manual work, a lot of kind ad hoc scripts. But I will say probably over the last year, there's a lot more awareness that we need to figure this out to be able to merge these two things together. That's kind of the next stage. >> Bret, bring us inside that a little bit because if you listen to the devops people it's we got to do CICD. >> Yep. >> We need to move fast. And there was the myth out there, oh well, am I fast or am I secure? >> Right. >> I was reading some research recently and they said actually that's false trade off. Actually you can move fast and be more secure. But you raised a risk because you said if these are two separate things, and they're not working in lob step and it's not secure every step of the way in that part of your methodology then you're definitely going to break security. >> That's exactly right, and there's a basic question of how much of a responsibility the developers have to provide security anyway? I mean, historically, we don't really necessarily trust developers to care that much about security. Now as to your point, these days without the way people develop software today, they need to care more about 'em. But typically, it was the security operations folks. That was their responsibility. The developers could do whatever they wanted and the security folks kept them safe. Well, again, as you said you can't do that anymore. So the developers have to pull security into their development processes. >> Yeah, when I go to some of the container shows or the serverless shows, the people in the security space are like chanting up on stage, security is everyone's responsibility. >> Right. >> Which hasn't traditionally been the case. >> It has not, and so it's really what companies are working on now is how do the security operations people fit into that development process? And what are the tools? And again, it's a long, complicated set of infrastructure and other sorts of tools, but that's sort of the point. At Cisco, we're really working on evolving the security products and technology, so exactly it fits into that process, that's the goal. >> So I'm sure there's a maturity model, or a spectrum >> Yeah >> When you go out and talk to customers. Maybe we could poke at that a little bit. >> Sure. >> Describe that. So you're really talking about a world where it's team a sport. The regime is everybody's got to be involved. But oftentimes they're working for different people. >> Yep. >> Some are working for the CIO maybe some the CTO, some the CSO, maybe some other line of business. >> Different companies, contractors, providers, all that. >> Yeah. Right, partners. So what does that spectrum look like, and how are you helping customers take that journey? >> Yeah, so not surprisingly, companies that are born in the cloud, they're like this is old news. It's like this how they deal with it every day. A lot of those companies have the lower risk deployments anyway. The organizations that are really early days on this are the ones that have lots of existing investment in all that data center stuff. And they're trying to figure out how this is going to work. You talk to a typical bank, for example, their core business processes of how they protect money, they're not going to move to the cloud, right? So how did they evolve? And they, by the way, they have to deal with compliance requirements on all this other stuff. They can't play too fast and loose. So that's an example of something that's early days. But they are also working a lot in terms of evolving, moving to the cloud and having to be able to support that too. >> So when you engage with clients, I presume you try to assess kind of where they're at. >> Yep. >> And then figure out where they want to go and then how to best get 'em there. So what is Cisco's role in helping them get there? >> And so first of all, of course I represent the business group that builds the security products, right. So a lot of this and the reason why my group is so interested in this, and our security group at Cisco is so interested, is this really represents the future of security. This idea of having it much more embedded into the applications as opposed to purely being in the infrastructure. So what we're seeing for typical customers, like if I roll the clock back a year ago, and we talked about things like devsecops, they were like yeah, kind of an interesting problem, the one we just talked about, but it's like not quite ready for it. Now this is, I think every CSO, Chief Security Office, I talked to, very aware, have active engagements about how they're working with their devops groups. And are actively seeking for tools and technology to support them. So to me that's a good sign that it's... The world is moving in this direction. And as a security vendor, we need to evolve too. So that means things like evolving the way firewalls work, for example. It's not just about firewalls sitting at the edge. It means distributing firewall functionality. It means moving functionality into the pubic cloud, like AWS, and Google, and Azure. It means moving security up into the application itself. So it's a very different world than just a box sitting on the edge. That's the journey, and we're on that journey, too. And the industry is. I mean, it's not a solved problem for exactly how to do that. >> If we go back the early days, we were talking about that when theCUBE started in 2010, security really wasn't a board level topic back then. >> True. Or at least not for every company. There was certainly some companies >> Yeah, for sure. >> But now it's like you're right, every company cares about it. >> Right, and it comes up at every quarterly meeting, certainly every annual meeting. So what should ... How should the technical C side, the CIO, CTO, if they're invited into the board meeting, how should they be communicating to the board about security? >> That's a tough one. >> What should be the key messages? >> And to your point, I mean typically these days for most major corporations in the world, the Chief Security Officer is often presenting at every board meeting because cyber risk is such a big, big part of that risk. And this is a challenge, right, because to try to communicate all the tech required to manage that risk to a board, not so easy, right. It's like trying count how many malware threats stopped. It's like what'll they do with that? If you talk to our Chief Security Officer, Steve Martino here at Cisco, I mean, he talks a lot about first of all, having visibility. Being able to show how much visibility. How much can we see? And then how much can we control and show that the organization is making more and more progress in terms of just seeing what's out there so you don't have broke devices, and then putting controls in place. So you need some pretty big animal pictures, communication of being able to manage that, but you can never come in and say, yep guaranteed, we're secure. Or give it a number, it kind of has no meaning. >> But strategy, visibility, response mechanisms, preparedness, what the response protocol is that's the level of, it sounds like >> It's showing maturity of the >> level of communications. >> processes, really, and the ability to take that on as opposed to getting into the weeds of all the metrics that, it just don't. >> So, Bret, we've had multi vendors for a long time and even in the network space there's a lot of different pieces of the environment. How is multi cloud different from a security standpoint? >> Yeah, so the issue there, and kind of what I was hinting at, we talk about the way people build applications is that all those vendors, they all do security differently. Every one does security differently. It's all good, I mean. And for example, Amazon, Google, Microsoft, they're all making massive investments to secure their own clouds, which is awesome, but they're all also different. And then you have the SaaS vendors. You talk to Salesforce, Dropbox and Box, they have different security mechanisms. And then, of course, you have different ones in the enterprise. So from a Chief Security Officer's standpoint, reporting to the board, they want one policy. We want to protect sensitive corporate data. And then you have maybe 100 different security policies across all this mess. That's why it's different. Trying to manage the complexity and get the policies to work and get, of course all those platforms, you can't force it all to be the same. So a lot of what we're working on are really tools to do that. So you can, fitting back into that devops process, you can define high-level policies of how do you control that data and then map it to all those different platforms. That's the goal, that's how we get there, make progress. >> So you had a picture up in the keynotes today. It had users, devices kind of on one side of the network. And then applications and data on the other side of the network. And then the network in the middle and all those pieces fitting in. How does that affect how you think about security? We've talked a lot about applications, securing the applications. Are you thinking similarly about the data, or the devices, or even the users? Bad user behavior will trump great security every time. Where do those other pieces fit into the context? >> Well, of course, that's a big reason why we just acquired Duo Security. >> Yikes. >> Very significant acquisition there, which is exactly around trust of human beings as well as the devices. A key component that Cisco didn't have before that and fits in exactly to that point. I was a key strategic piece of that, of trust, defining trust. And yeah, that fits in. Obviously we already do lots on the device side. We do things like the Identity Service Engine to enforce access with the network. We have more and more on the applications side. Not so much in the data side yet. I mean, but as we move up the stack into the application it'll be around data too. But the network is a natural conversions point there. And the whole idea of having security embedded right into that network is of course why I'm at Cisco, right. That security is a critical thing that needs to be embedded in everything that Cisco does. >> Well, you've got an advantage in that you can do the ePacket inspection, you're in the network. I mean, that's fundamental. >> Security is really all about visibility. You don't have visibility, you have nothing. And Cisco has this incredible footprint, incredible telemetry across the world. I mean, all the statistics around Talos you probably seen. It's huge, right. And that's a big advantage that we have to really provide security. >> Awesome. Well, Brent, thank you for coming back on theCUBE. It's great to see you again. >> My pleasure. >> 'Preciate the update. >> Glad to see you again. >> All right, keep it right there everybody. Stu Miniman and Dave Vellante. You're watching theCUBE from Cisco Live! Barcelona. Stay right there, we'll be right back. (upbeat music)

>> Live from Washington DC, it's theCUBE. Covering AWS Public Sector Summit 2018. Brought to you by Amazon Web Services and it's ecosystem partners. >> Hey, welcome back everyone. This is theCUBE's exclusive coverage live in Washington DC at Amazon Web Services AWS Public Sector Summit. I mean, it's so jam-packed you can't even move. This is like the re:Invent for Public Sector even though it's a summit for Amazon Web Services. I'm here with Dave Vellante, my co-host. Our next guest is John Wood, Chairman and CEO of Telos, and Rick Tracy, Chief Security Officer and the co-inventor of Xacta, it's hot technology. John, great to see you, welcome to theCUBE. >> Thanks guys. >> Thanks for having us. >> I love to get the brain trust here, John you're, like, probably one of the most experienced cyber security gurus in the DC area still standing. (laughing) As we said last time on theCUBE. >> Always, always. >> Okay. (laughing) And you've got some patents here, with some core technology, so first of all, I want to, before we get into some of the cool features of the products, talk about the dynamic of public sector, because Amazon has these summits, and they're kind of like a recycled re:Invent. Small scale, still packed. Talk about what Public Sector Summit is, because this is a completely different ballgame in this world. >> Sure, it's a perfect age for the cloud, and what this summit does, is it provides a great venue for people to come, learn about what works, get best practices, find use cases and just see what the ecosystem's all about in terms of how to make it work with the cloud. >> Rick, so what's your take? >> Well, if there's any doubt about it, what, is it double the size of last year? I think there were 7,000 people here last year and Teresa said today 14,500. So, yeah, I mean, it suits us perfectly because this is our sweet spot. >> So, Dave and I are always amazed by Amazon in general, the slew of announcements, Teresa Carlson picking the reins up where Andy Jassy does that Amazon re:Invent which is just tons of content, so many new announcements. What's your guys take on the hot news for you guys, because you guys are a major sponsor and you're in the ecosystem, you've been doing a lot of business with Amazon. >> Sure. >> What's going on in the business? What's happening with Telos? Why is it so booming right now for you guys? >> Well, I think people realize that there is a way to use automation where security can help drive cloud adoption. So, Rick and I co-authored an article back in 2011 that talked about why the cloud was more secure and it went over kind of like a lead ballon. And then back in 2014 the agency made the decision, the CIA made the decision, arguably the most security conscious organization in the world, to go to the cloud. And so that was a big, big, big, deal. But what we do is we help drive the security automation and orchestration stuff so you can reduce the time it takes to get what's called your authority to operate. And so I think that's a big deal now. The use of automation is being used to enhance the mission, so that the mission owners can get to their mission using the cloud, much more quickly. >> And we heard from the most powerful sentence in the keynote this morning was, "The cloud on it's weakest day is more secure than Client Service Solutions." This is a practitioner saying that, a leader of an agency saying that, not Amazon or not Telos. >> Absolutely. >> And it's because of that automation, right? I mean, that's really a key factor. >> It's because of the automation. It's also because the cloud providers are making sure that they lock down their physical infrastructure. Guards, gates, guns. All of the physical infrastructure and the virtual infrastructure, they do a really good job of that. If you think about it, the US government, unfortunately, 80% of their spend is around maintaining old systems. Well, the cloud providers are keeping modern. Those old systems have a lot of weaknesses from a standpoint of cyber security flaws. So, with a modern technology like the cloud, there's a lot more you can do around automation to lock down much more quickly. >> And the standardization that you get with a cloud makes it's easier as well, because there's not so many variations of things that you have to figure out how to protect. So, the standardized services that everything's built on really helps. >> Yeah, and people are adopting cloud in kind of different ways, which makes it harder, too. But you get the benefits of scale and speed, certainly. But I got to just pick up on some big news that's happened just last night and today. Microsoft Azure suffered an 11 hour downtime across Europe. 11 hours Azure's down, Microsoft Azure. This is a huge concern. Downtime, security, these are issues, I mean, this is just like, so, what's going on with this? >> Well, the truth of the matter is, if you think about where Amazon is today, Amazon is light years ahead of the rest of the cloud guys. The reason for that is they made the decision early on to take the risk around cloud. As a result of that, they have so many lessons learned that are beyond all of the other cloud providers, that that wouldn't happen to Amazon today, because they'll be able to back up, replication and duplication if they have, and their environments. >> How big do you think that lead is? You know, there's a lot of debate in the industry that other guys are catching up. The other side of the coin is, no, actually the flywheel effect is a lot like Secretariat in the stretch run of the Belmont, you were talking about racing before. What's your sense of that lead, even subjectively. >> I think it's between 5 and 10 years. There was a, it was crickets in this world, in the public sector world for cloud up until, literally, the agency decided to adopt. So the CIA made that decision, that was, sort of, the shot heard around the world as it relates to cloud adoption. Not just for public sector but for commercial as well, 'cause if you look at Amazon's ramp up, right after that decision was made, their ramp up has been amazing. >> That was a watershed event, for sure. >> It was, and it was very well documented, I mean, I read the judges ruling on that when IBM tried to stop them and the judge eviscerated IBM. And of course IBM had no cloud at the time, they had to go out and spend two billion dollars on software. John has lots of opinions on that, but okay, so that leaves-- >> I'm on the right side of history on that call. >> I think you are, it was a pretty good call. What about, what should be practitioners be thinking about? You talked about the standardization. Where should they be focused? Is it on response, is it on analytics, is it on training? What should it be? >> Well, from our perspective it is, a lot of the focus is on analytics, right? So, a lot of data that we've helped our customers collect over time for this ATO process that John previously mentioned, our goal with IO, Xacta IO, is to help organizations leverage that data to do more through analytics, so there's this dashboard with ad hoc reporting and analytic capability that's going to allow them to blend asset data with risk-to-threat data, with other sorts of data that they're collecting for ATO, specifically for the ATO process, that they can use now for more robust cyber risk management. So, for me, analytics is huge moving forward. >> And that's a prioritization tool so they can focus on the things that matter, or maybe double-click on that? >> It could be, it could be a prioritization tool, but it could also be a tool that you use to anticipate what might happen, right? So, some analytics will help you determine this asset is vulnerable for these variety of reasons, therefore it has to go to the top of the sack for remediation. But also, using that data over time might help you understand that this plus this plus this is an indication that this bad thing is going to happen. And so, analytics, I think, falls into both categories. Probably it's more the forecasting and predictive is something that's going to come later but as you unmask more data and understand how to apply rules to that data, it will naturally come. So, Rick and I have worked together for many, many years and, over a quarter of a century, so the way I would say it is like this. Xacta 360 helps you to accelerate your authority to operate, but that's a point in time. The holy grail for us as security practitioners is all around continuous monitoring of your underlying risk. So, the data analytics that he's talking about, is where we come about and looking at Xacta IO. So, Xacta IO helps fulfill that mission of continuous compliance, which means that the ATO is no longer just relevant at that moment in time because we can do continuous monitoring now at scale, in hybrid environments, in the cloud, on prem. 'Cause our clients are huge, so they're going to be a combination of environments that they're sitting in, and they need to understand their underlying risk posture. They need to have, they're going to have all kinds of scanners, so we don't really care, we can ingest any kind of scanner that you have with Exact IO. As a result of that, the security professional can spend their time on the analysis and not the pedestrian stuff that's just kind of wasting time, like documentation and all that stuff. >> Yeah, for us, data's a means to an end, right? It's either to get an ATO or to help you understand where you need to be focusing your resources to remediate issues. So, for us, leveraging the data that's produced by many companies that are at this show. Their data is a means to help us get our job done. >> Were you able to have, one follow up, if I may, were you able to have an impact, to me, even, again, subjectively, on that number, whatever that number is, that we get infiltrated, the customer gets infiltrated, it's 300 days before they even realize it. Are you seeing an impact on that as a result of analytics, or is it too early days? >> I would say it's still early. But it's reasonable to expect that there will be benefits in terms of faster detection. And maybe it's not even detection at some point, hopefully, it's anticipating so that you're not detecting something bad already happened, it's avoiding it before it happens. >> Yeah, and let me say it this way, too. You know, if you listen to John Edwards, the CIO from the CIA, he talks about how the reason he loves the cloud is because it used to take the agency about a year to provision a server, now it's a few minutes, right? Well that's great, but if you can't get your authority to operate, 'cause that can take another 18 months, you're not going to get the benefit of the cloud, right? So what we do, is we help accelerate how fast you can get to that ATO so that guys like the agency and anybody else that wants to use the cloud can use it much more quickly, right? >> Yeah, and the continuous integration and all that monitoring is great for security but I've got to ask you a question. Analytics are super important, we all know data analysis now is in the center of the value proposition across the board, horizontally. Not just data warehousing, analytics that are used as instrumentation and variables into critical things like security. So, with that being said, if you believe that, the question is, how does that shape the architecture, if I'm in an agency or I'm a customer, I want to build a cloud architecture that's going to scale and do all those things, be up, not go down, and have security. How does the architecture change with the cloud formula for the decision maker? Because right now they're like, "Oh, should I do multi-cloud, should I just Amazon" So, the data is a critical architectural decision point. How do you guys see that shaping, what's your advice to practitioners around designing the cloud architecture for data in mind. Just use Amazon? (laughs) >> Well, yes. (laughs) Just use Amazon. I mean, all the tools that you need exist here, right, and so-- >> If all the tools you need in the cloud exist here. >> Alright, so rephrase another way. >> But John, the issue is you're not going to have all your stuff in the cloud if you're the air force or if you're the army, because you have 75 years of data that you got to push in. So over the next 10 years there's going to be this "hybrid" environment where you'll have some stuff in the cloud, some stuff in a hybrid world, some stuff on prem, right? >> How I secured that, so that's a great point. So, data's everywhere, so that means you're going to need to collect it and then measure certain things. What's the best way to secure it and then is that where Xacta fits in? I'm trying to put that together if I'm going to design my architecture and then go to procurement, whether it's on premise or multi-cloud. >> Well, there are lots of security products that people use to secure, whether you're on prem or whether you're in the cloud and our platform leverages that information to determine whether things are secure enough. So there's a distinction between cyber risk management and actually securing a database, right? So, there's so many granular point products that exist for different points along the security chain, lifecycle chain, if you will, that our objective is to ingest as much of that information and purpose it in a way that allows someone to understand whether they're actually secure or not. And so it's understanding your security posture, transforming that security information to risk so that you can prioritize, as you were talking about before. >> You're taking a platform mentality as opposed to a point product. >> We're taking an enterprise view of risk. So, the enterprise is, remember, it's on prem, and hybrid and cloud. If all your stuff is in the cloud, Amazon has the answer for you. None of our customers are in that situation. If you're a start up, Amazon's the way to go, period. But all of our customers have legacy. As a result of that it's an enterprise view of risk. That's why companies like Telos partner so well with Amazon because they're all about being close to the customer, they're all about using automation. We are as well. >> Alright, talk about the news you guys have, Xacta IO, you're the co-inventor of it, Jack. Talk about this product. What's the keys, what does it do, where's it applied to, you mentioned a little bit of getting past the authority time point there. What's the product about? The product is about ingesting massive amounts of information to facilitate the ATO process, one, but managing cyber risk more generically because not everybody has an ATO requirement. So, you asked a few seconds ago about, so you're taking a platform approach. Yes, we're blending three separate products that we currently have, taking that functionality and putting it on a very, very, robust platform that can exist on prem, it can exist in the cloud. To enable organizations to manage their cyber risk and if they choose, or they have a requirement, to deal with things like FedRAMP and risk management framework and cyber security framework and iso certification and things of that nature. The point is, not everyone has an ATO requirement but everyone has a need to manage their risk posture. So we're using our ability to ingest lots and lots of data from lots and lots of different sources. We're organizing that data in ways that allow an organization to understand compliance and/or risk and/or security, and visualize all that through some dashboard with ad hoc reporting that let's them blend that data across each other to get better insights about risk posture. >> And to visualize it in a way that makes sense to the user. >> Yes, so, if you're the CEO, you're going to want to see it a certain way. If you're the IT manager, you're going to want to see it a certain way. If you're a risk assessor, you're going to want to see it a different way. So that's kind of what we're talking about. >> I got to ask you one question, I know we got to go, but, a hardcore security practitioner once said to me that hardcore security practitioners, like you guys, when they were kids they used to dream about saving the world. So, I want to know, who's your favorite superhero? >> Superman. >> Superman? >> Spiderman. >> Alright, awesome. (laughing) >> That was a basic question for you guys. >> Thank you very much >> Yeah, that's the hardest question, see they're fast, they know. Star Trek or Star Wars? (laughing) >> Depends on the generation. >> We won't go there. theCUBE have 15 more minutes today. Okay, final question, what's this going to do for your business now you have new, opened up new windows with the new product integration. How's that going to change Telos, what does it do for you guys from a capabilities standpoint? >> Well, the big thing I'd suggest your listeners and your watchers to consider is, there's a new case study that just came out, it's published jointly by the CIA, Amazon and Telos, talking about why working together is really, really, really groundbreaking in terms of this movement to the cloud. 'Cause your public sector listeners and viewers are going to want to know about that because this ATO thing is really a problem. So this addresses a massive issue inside of the public sector. >> And final question, while you're here, just to get your thoughts, obviously there's a big change of the guard, if you will, from old guard to new guard, that's an Amazon term Andy Jassy uses. Also, we all saw the DOD deal, JEDI's right there on the table, a lot of people jockeying, kind of old school policy, lobbying, sales is changing. How is the landscape, from a vendor-supplies to the agencies changed and/or changing with this notion of how things were done in the past and the new school? So, three points, legislatively there's top cover, they understand the need to modernize, which is great. The executive branch understands the need to modernize through the IT modernization act as well as the cyber security executive order. And then lastly, there are use cases now that can show the way forward. Here's the problem. The IT infrastructure out there, the IT guys out there that do business in the government, many of them are not paid to be efficient, they're paid cost plus, they're paid time and material, that's no way to modernize. So, fundamentally, I think our customers understand that and they're going to revolutionize the move forward. >> And the rules are changing big time. Sole source, multi-source, I mean, Amazon's on record, I've got Teresa on record saying, "Look, if we don't want a sole source requirement, let everyone bid fairly." Let's see who wins. Who can bring a secret cloud to the table? No one else has that. >> In terms of past performance and customer use cases they're pretty much in the head, for sure. >> Great, Amazon kicking butt here, Telos, congratulations for a great event, thanks for coming on. >> Thanks a lot guys. >> I appreciate it. >> Alright, CUBE coverage here in DC, this is theCUBE, I'm John Furrier with Dave Vellante. Stay with us, we have more great interviews stacked up all day and all day tomorrow. Actually you have half day tomorrow until two 'o clock Eastern. Stay with us for more, we'll be right back. (upbeat music)

>> Welcome back everybody, Jeff Frick here with theCUBE. We're in downtown San Francisco at LinkedIn's brand new headquarters up here, at Data Privacy Day 2018. We were here last year, the conference is growing, a lot more people here, a lot more activity. We're excited to have a sponsor, Craig Goodwin, he's the Chief Security Officer of CDK Global. Great to see ya. >> Great to be here. >> Absolutely. So for people who aren't familiar, give us a quick kind of overview of what is CDK Global. >> Sure, so CDK Global runs automotive technology. So we enable technology for automotive dealerships, original equipment manufacturers, and we run a lot of the technology across the U.S. and the rest of the world. So, I think last estimate's about $500 billion worth of automotive transactions, whether buying a car, servicing a car, all went through CDK's systems. >> Okay, so it's the systems, it's the business systems for those autmotive companies. It's not like we were just at an autonomous vehicle company the other day, it's not those type of systems. >> Yeah, correct, I mean we're helping with that, right? So a lot of our technology is connecting, with IoT and connected vehicles helping to take in data from those vehicles, to help automotive dealerships, to service the vehicles, or to sell the vehicles. So we ingest that data, and we ingest that technology, but essentially we're talking about the data in the dealerships. >> Okay. So how have you seen things evolve over the last couple years? >> Well definitely with the extra regulation, right? With people and the way that their privacy dynamic is changing, consumers are becoming much more aware of where their data's going, and who's using their data. So we've heard an awful lot today, about the privacy of people's data, and how the industry needs to change. And I think consumers generally are getting much more educated on that, and therefore they're asking companies like ourselves, who deal with their data, to be much more robust in their practices. And we've also seen that in a regulation point of view, right? So governments, the industry, are pushing businesses to be more aware of how they're using consumer's data, which has got to be a positive move in the right direction. >> Jeff: Right, but it's kind of funny, 'cause on the flip side of that coin is people who are willing to give up their privacy to get more services, so you've got kind of the older folks, who've been around for a while, who think of privacy, and then you've got younger folks, who maybe haven't thought about it as much, are used to downloading the app, clicking on the EULA in their phone-- >> Absolutely. >> Follows them everywhere they go. So, is it really more the regulation that's driving the change? Or is just kind of an ongoing maturation process? >> Well I think-- >> Stewardship is I guess what I was saying. >> Yeah, it's a combination of both I would say. And you make a great point there, so if you look at car buying, right? Say 10 years ago, pick a number randomly, but 10 years ago, people wouldn't have been comfortable buying a car online, necessarily. Or definitely not all online. They'd have to touch it somewhere else, feel it physically, right? That's changing, and we're starting to enable that automotive commerce, so that it starts from the online and ends up at a dealership still. So they actually sign the paperwork, but essentially they start that process online. And that's making people more aware, as you say. I think some of the regulation, you look at GDPR in Europe, spoke of that a lot today, naturally. And some of that regulation is helping to drive companies to be more aware. But where I see the biggest problem is with small to medium sized businesses. So I think if you talk to larger business, you were speaking to Michel from Cisco, some of those larger businesses, this privacy thing's been built in from the beginning. Companies like CDK, where we were aware we were dealing with a lot of data, and therefore the GDPR regulations is more of an incremental change. It just ramps up that focus on privacy that was already there from the outset. The biggest problem, and where we see the biggest kind of change here, is in the smaller to medium sized businesses, and that's talking about dealerships, smaller dealership groups, where perhaps they haven't been so aware of privacy, they've been focused on the sales and not necessarily the data and technology, and GDPR for them is a significant step change. And it's down to industry, and larger vendors like ourselves, to reach out to those smaller dealerships, those smaller, medium sized businesses, and help them to work with GDPR to do better. >> But can they fulfill most of their obligations by working with companies such as yours, who have it baked into the product? I would imagine-- >> Yeah! >> I mean, that's the solution, right? >> Absolutely. >> If you're a little person, you don't have a lot of resources-- >> Yep. And I would say it's about sharing in the industry, right? So it's about reaching out. We talked to Cisco today, about how they're building it into their technologies. A lot of the smaller businesses use companies like CDK to enable their technology. So there's an awful lot we can do to help them, but it's not everything, right? So there are areas where we need to educate consumers a lot better, where they need to work with the data and work with where the data goes, in order to understand that full end to end data flow within their systems. We work a lot of the dealerships who perhaps don't understand the data they're collecting, don't understand the gravity of the information that they're collecting, and what that truly means to the consumer themselves. So we need to educate better, we need to reach out as bigger organizations, and teach smaller businesses about what they're doing with the data. >> And was there specific kind of holes in process, or in data management that the GDPR addresses that made a sea change? Or is it really just kind of ramping up the penalties, so you need to really ramp up your compliance? >> Well it really is incremental, right? So if you look at things that we've had in Europe for a long time, the Data Protection Act that was around since 1999, for example, or 1998, apologies. It's a ramp up of that, so it's just increasing the effectiveness. If you look at the 12 points that exist within GDPR, about what you need to know, or a consumer should know about their data, rather than just who's collecting it, it now includes things like when you change that data, when it moves, who it goes to from a third-party perspective, so really it's just about ramping up that awareness. Now, what that means for a business, is that they need to know that they can gather that data quickly. So they need to be clear and understand where their data is going, and CDK's a great example of that. They need to know what data they're sharing with CDK, on what systems it exists, and in fact how they would remove that data if a consumer was asked for that to happen. >> Jeff: (laughs) Who knows, we know in the cloud there is no deleting, right? >> Absolutely. >> It's in the cloud, it's there for everyone. >> That's rough (laughs). >> I mean, it really drives home kind of an AS application agent service provider services, because there's just, I could just see the auto dealership, right? Some guy's got his personal spreadsheet, that he keeps track of his favorite customers, clearly I don't think that's probably falling in compliance. >> Absolutely, yeah, and it can, right? You can work really hard, so it is a process problem. You identified that before, right? There is a lot of process here, technology isn't a golden bullet, it's not going to solve everything, right? And a lot of it is process and mentality driven. So we need to work with people to educate them, and then there's a big emphasis on the consumer as well. I think we focused on business here, but there's a big emphasis on the consumer, for them to begin to understand and be better educated. We heard from some government representatives today, about educating consumers, right? And you mentioned millennials, and the various other groups that exist, and it's important for them to understand where their data is going, and where it's being shared. 'Cause quite honestly we had a couple of really good stories today about privacy and security professionals really not having a genuine understanding of where their data is going. So a regular consumer, someone that goes to buy a car, how can we expect them, without education, to really understand about their data? >> Just to jump on it, obviously you're from the U.K., and we hear all the time that there's more closed circuit cameras in London (laughter) than probably any city else-- >> Yep. >> So, don't answer if you don't want to, but, (laughter) from a government point of view, and let's just take public red light cameras, there's so much data. >> Absolutely. >> Is the government in a position? Do they have the same requirements as a commercial institution in how they keep, manage and stay on top of this data? >> Yeah, absolutely. So I think, having come from a government background initially, I think the rules and regulations there are much more constrained, constrictive? then perhaps commercial side is. And I think what you find is a lot of the government regulations are now filtering through into the commercial world. But actually what we're seeing is a bit of a step change. So previously, maybe 15, 20 years ago, the leader in the industry was the government, right? So the government did the regulations, and it would filter through commercial. Actually, what we've seen in the industry now is that it flipped on its head. So a lot of the stuff is originating in the corporate world. We're close to Silicon Valley here, the Facebooks of the world, you know a lot of that stuff is now originating in the commercial side? And we heard from some government people today, you know. The government are having to run pretty fast to try and keep up with that changing world. And a lot of the legislation and regulation now, actually, is a bit historic, right? It's set in the old days, we talk today about data, and watching you move around, and geolocation data, a lot of that legislation dealing with that is probably 10, 15 years old now. And exists in a time before you could track your phone all over the world, right? And so, governments have to do some more work, I think ultimately, look at GDPR, I think ultimately the way to change the industry is from a basis of regulation, but then as we move through it's got to be up to the companies and the commercial businesses to take heed of that and do the right thing, ultimately. >> Jeff: It's just so interesting to watch, I mean my favorite is the car insurance ads where they want to give you the little USB gizmo to plug in, to watch you, and it's like, "Well, you already have "a phone in your pocket"-- >> Yep. >> You know? >> They don't really see it. >> You don't really need to plug it in, and all your providers know what's going on, so, exciting times, nothing but opportunity for you. >> Yeah, absolutely, absolutely, I hope so (laughs). >> Well Craig Goodwin, thanks for taking a few minutes-- >> No, thank you. >> And sharing your insights, appreciate it. >> Appreciate it, thank you. >> Alright, he's Craig, I'm Jeff, you're watching theCUBE, We're at Data Privacy Day 2018, I can't believe it's 2018. Thanks for watching, we'll catch you next time. (bright electronic music)

>> Narrator: Live from New York City, it's the CUBE covering CyberConnect 2017 brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Okay welcome back everyone. This is the CUBE's live coverage in New York City exclusively with the CyberConnect 2017, it's an inaugural event presented by Centrify. It's not a Centrify event. Centrify one of the fastest growing security startups in Silicon Valley and around the world. It is underwriting this great event bringing industry, government and practitioners together to add value on top of the great security conversations. I'm John Furrier, your host with Dave Vellante, my co-host, my next guest is Bill Mann who's the Chief Product Officer with Centrify. Welcome back to the CUBE, great to see you. >> Hey, great to be here. >> Thanks and congratulations for you guys doing what I think is a great community thing, underwriting an event, not just trying to take the event, make it about Centrify, it's really an organically driven event with the team of customers you have, and industry consultants and practitioners, really, really great job, congratulations. >> Bill: Thank you. >> Alright so now let's get down to the meat of the conversation here at the show in the hallways is general's conversation, General Alexander talking about his experience at the NSA and the Fiber Command Center. Really kind of teasing out the future of what cyber will be like for an enterprise whether it's a slow moving enterprise or a fast moving bank or whatever, the realities are this is the biggest complexity and challenge of our generation. Identity's at the heart of it. You guys were called the foundational element of a new solution that has people have to coming together in a community model sharing data, talking to each other, why did he call you guys foundational? >> I think he's calling us foundational because I think he's realizing that having strong identity in an environment is kind of the keys to getting yourself in a better state of mind and a better security posture. If we look at the kind of the foundational principles of identity, it's really about making sure you know who the people are within your organization, by doing identity assurance so that's a foundational principle. The principle of giving people the least amount of access within an organization, that's a foundational principle. The principle of understanding what people did and then using that information and then adjusting policy, that's a foundational principle. I think that's the fundamental reason why he talks about it as a foundational principle and let's face it, most organizations are now connected to the Cloud, they've got mobile user, they've got outsourced IT so something's got to change, right. I mean the way we've been running security up until now. If it was that great, we wouldn't have had all the threats, right? >> And all kinds of silver bullets have been rolling out, Dave and I were commenting and Dave made a point on our intro today that there's no silver bullet in security, there's a lot of opportunities to solve problems but there's no, you can't buy one product. Now identity is a foundational element. Another interesting thing I want to get your reaction to was on stage was Jim from Aetna, the Chief Security Officer and he was kind of making fun with himself by saying I'm not a big computer science, I was a history major and he made a comment about his observation that when civilizations crumble, it's because of trust is lost. And kind of inferring that you can always connect the dots that trust in fundamental and that email security and most of the solutions are really killing the trust model rather than enhancing it and making it more secure so a holistic view of trust stability and enhancement can work in security. What's your reaction to that? >> So it's a complicated area. Trust is complicated let me just kind of baseline that for the moment. I think that we unfortunately, need to have better trust but the way we're approaching trust at the moment is the wrong way so let me give you a simple example. When we go, when we're at home and we're sleeping in our homes and the doors and windows are closed, we inherently trust the security of our environment because the doors and windows are closed but reality is the doors and windows can be really easily opened right, so we shouldn't be trusting that environment at all but we do so what we need to instead do is get to a place where we trust the known things in our environment very, very well and understand what are the unknown things in our environment so the known things in our environment can be people right, the identity of people, can be objects like knowing that this is really Bill's phone, it's a registered phone and it's got a device ID is better than having any phone being used for access so like I said, trust, it's complicated. >> John: But we don't know it has malware on there though. You could have malware. >> You could have malware on there but look, then you've got different levels of trust, right. You've got zero trust when you don't know anything about it. You've got higher levels of trust when you know it's got no malware. >> So known information is critical. >> Known information is critical and known information can then be used to make trust decisions but it's when we make decisions on trust without any information and where we infer that things are trustworthy when they shouldn't be like the home example where you think the doors are closed but it's so easy to break through them, that's when we infer trust so trust is something that we need to build within the environment with information about all the objects in the environment and that's where I think we can start building trust and that's I think how we have to approach the whole conversation about trust. Going back to your example, when you receive an email from somebody, you don't know if it came from that person right. Yet I'm talking to you, I trust that I'm talking to you, right, so that's where the breakdown happens and once we have that breakdown, society can breakdown as well. >> But going back to your device example so there are situations today. I mean you try to log on to your bank from your mobile device and it says do you want to remember this device, do you want to trust this device? Is that an example of what you're talking about and it might hit me a text with a two factor authentication. >> That's an example, that's absolutely an example of trust and then so there's a model in security called the zero trust model and I spoke about it earlier on today and that model of security is the foundational principles of that is understanding who the user is, understanding what endpoint or device they're coming from and that's exactly what you've described which is understanding the context of that device, the trustworthy of the device, you know the location of that device, the posture of that device. All of those things make that device more trustworthy than knowing nothing about that device and those are the kind of fundamental constructs of building trust within the organization now as opposed to what we've got at the moment is we're implying trust without any information about really trust right. I mean most of us use passwords and most of us use password, password so there's no difference between both of you, right and so how can I trust-- >> I've never done that. >> I know but how can we trust each other if we're using you know, data like that to describe ourselves. >> Or using the data in your Linkedin profile that could be socially engineered. >> Bill: Exactly. >> So there's all kinds of ways to crack the passwords so you brought up the trust so this is a, spoofing used to be a common thing but that's been resolved that some, you know same calling some techniques and other things but now when you actually have certificates being compromised, account compromised, that's where you know, you think you know who that person is but that's not who it is so this is a new dynamic and was pointed out in one of the sessions that this account, real compromises of identity is a huge issue. What are you guys doing to solve that problem? Have you solved that problem? >> We're addressing parts of solving that problem and the part of the problem that we're trying to solve is increasing the posture of multi factor authentication of that user so you know more certainty that this is really who that person is. But the fact of the matter is like you said earlier on, trying to reduce the risk down to zero is almost impossible and I think that's what we have to be all clear about in this market, this is not about reducing risk to zero, it's about getting the risk down to something which is acceptable for the type of business you are trying to work on so implementing MFA is a big part of what Centrify advocates within organizations. >> Explain MFA real quick. >> Oh, multi factor authentication. >> Okay, got it. >> Something that we're all used to when we're using, doing online banking at the moment but unfortunately most enterprises don't implement MFA for all the use cases that they need to be able to implement before. So I usually describe it as MFA everywhere and the reason I say MFA everywhere, it should be for all users, not a subset of the users. >> Should be all users, yeah. >> And it should be for all the accesses when they're accessing salesforce.com for concur so all the application, all the servers that they access, all the VPNs that they access, all the times that they request any kind of privilege command, you should reauthenticate them as well at different points in time. So implementing MFA like that can reduce the risk within the organization. >> So I buy that 100% and I love that direction, I'd ask you then a hard question. Anyone who's an Apple user these days knows how complicated MFA could be, I get this iCloud verification and it sends me a code to my phone which could be hacked potentially so you have all these kinds of complexities that could arise depending upon how complicated the apps are. So how should the industry think about simplifying and yet maintaining the security of the MFA across workloads so application one through n. >> So let me kind of separate the problems out so we focus on the enterprise use case so what you're describing is more the consumer use case but we have the same problem in the enterprise area as well but at least in the enterprise area I think that we're going to be able to address the problems sooner in the market. >> John: Because you have the identity baseline? >> One, we have the identity and there's less applications that the enterprise is using. >> It's not Apple. >> It's not like endpoints. >> But take Salesforce, that's as much of a pain, right. >> But with applications like Salesforce, and a lot of the top applications out there, the SaaS applications out there, they already support SAML as a mechanism for eliminating passwords altogether and a lot of the industry is moving towards using API mechanisms for authentication. Now your example for the consumer is a little bit more challenging because now you've got to get all these consumer applications to tie in and so forth right so that's going to be tougher to do but you know, we're focused on trying to solve the enterprise problem and even that is being a struggle in the industry. It's only now that you're seeing standards like SAML and OWASP getting implemented whereby we can make assertions about an identity and then an application can then consume that assertion and then move forward. >> Even in those situations if I may Bill, there's take the trust to another level which is there's a trusted third party involved in those situations. It might be Twitter, Linkedin, Facebook or Google, might be my bank, it might be RSA in some cases. Do you envision a day where we can eliminate the trusted third party with perhaps blockchain. >> Oh I actually do. Yeah, no, I do, I think the trusted third party model that we've got is broken fundamentally because if a break in to the bank, that's it, you know the third party trust but I'm a big fan of blockchain mainly because it's going to be a trusted end party right so there's going to be end parties that are vouching for Bill's identity on the blockchain so and it's going to be harder to get to all those end minors and convince them that they need to change their or break into them right. So yeah I'm a big fan of the trust model changing. I think that's going to be one of the biggest use cases for blockchain when it comes to trust and the way we kind of think about certificates and browsers and SSL certificates and so forth. >> I think you're right on the money and what i would add to that is looking at this conference, CyberConnect, one theme that I see coming out of this is I hear the word reimagining the future here, reimagining security, reimagining DNS, reimagining so a lot of the thought leaders that are here are talking about things like okay, here's what we have today. I'm not saying throwing it away but it's going to be completely different in the new world. >> Yeah and I think you know the important thing about the past is got to learn from the past and we got to apply some of the lessons to the future and things are just so different now. We know with microservices versus monolithic application architectures you know security used to be an afterthought before but you know, you talk to the average developer now, they want to add security in their applications, they realize that right so, and that's going to, I mean, maybe I'm being overly positive but I think that's going to take us to a better place. >> I think we're in a time. >> We need to be overly positive Bill. >> You're the chief officer, you have to have a 20 mouth stare and I think you know legacy always has been a thing we've heard in the enterprise but I just saw a quote on Twitter on the internet and it was probably, it's in quotes so it's probably right, it's motivating, a motivating quote. If you want to create the future, you've got to create a better version of the past and they kind of use taxis versus Uber obviously to answer of a shift in user behavior so that's happening in this industry. There's a shift of user experience, user expectations, changing internet infrastructure, you mentioned blockchain, a variety of other things so we're actually in a time where the better mouse trap actually will work. If you could come out with a great product that changes the economics and the paradigm or use case of an old legacy. So in a way by theory if you believe that, legacy shouldn't be a problem. >> You know and I certainly believe that. Having a kid who's in middle school at the moment, and the younger generation, to understand security way more than we ever used to and you know, this generation, this coming generation understands the difference between a password and a strong password and mobile be used as a second factor authentication so I think that the whole tide will rise here from a security perspective. I firmly believe that. >> Dave: You are an optimist. >> Well about government 'cause one thing that I liked about the talk here from the general was he was pretty straight talk and one of his points, I'm now generalizing and extrapolating out is that the HR side of government has to change in other words the organizational behavior of how people look at things but also the enterprise, we've heard that a lot in our Cloud coverage. Go back eight years when the Clouderati hit, oh DevOps is great but I can't get it through 'cause I've got to change my behavior of my existing staff. So the culture of the practitioners have to change. >> Bill: Yes, absolutely. >> 'Cause the new generation's coming. >> Oh absolutely, absolutely. I was speaking to a customer this morning who I won't mention and literally they told me that their whole staff has changed and they had to change their whole staff on this particular project around security because they found that the legacy thinking was there and they really wanted to move forward at a pace and they wanted to make changes that their legacy staff just wouldn't let 'em move forward with so basically, all of their staff had been changed and it was a memorable quote only because this company is a large organization and it's struggling with adopting new technologies and it was held back. It was not held back because of product or strategies, >> John: Or willingness. >> Or willingness. It was held back by people who were just concerned and wanted to stick to the old way of doing things and that has to change as well so I think you know, there's times will change and I think this is one of those times where security is one of those times where you got to push through change otherwise I mean I'm also a believer that security is a competitive advantage for an organization as well and if you stick with the past, you're not going to be able to compete in the future. >> Well, and bad user behavior will always trump good security. It was interesting to hear Jim Routh today talk about unconventional message and I was encouraged, he said, you know spoofing, we got DMARC, look alike domains, we got sink holes, display name deception, we've got, you know we can filter the incoming and then he talked about compromised accounts and he said user education and I went oh, but there's hope as an optimist so you've got technologies on the horizon to deal with that even right so you. >> I'm also concerned that the pace at which the consumer world is moving forward on security, online banking and even with Google and so forth that the new generation will come into the workforce and be just amazed how legacy the environments are right, 'cause the new generation is used to using you know, Google Cloud, Google Mail, Google everything and everything works, it's all integrated already and if they're coming to the workplace and that workplace is still using legacy technologies right, they're not going to be able to hire those people. >> Well I'll give you an example. When I went to college, I was the first generation, computer science major that didn't have to use punch cards and I was blown away like actually people did that like what, who the hell would ever do that? And so you know, I was the younger guy coming up, it was like, I was totally looking down. >> Dave: That's ridiculous. >> I would thank God I don't do that but they loved it 'cause they did it. >> I mean I've got the similar story, I was the first generation in the UK. We were the first Mac-Lab in the UK, our university had the first large Mac, Apple Macintosh Lab so when I got into the workplace and somebody put a PC in front of me, I was like hold on, where's the mouse, where's the windows, I couldn't handle it so I realized that right so I think we're at that kind of junction at the moment as well. >> We got two minutes left and I want to ask you kind of a question around the comment you just made a minute ago around security as a competitive advantage. This is really interesting, I mean you really can't say security is a profit center because you don't sell security products if you're deploying state of the art security practices but certainly it shouldn't be a cost center so we've seen on our CUBE interviews over the past year specifically, the trend amongst CCOs and practitioners is when pressed, they say kind of, I'm again generalizing the trend, we're unbundling the security department from IT and making it almost a profit center reporting to the board and or the highest levels, not like a profit center but in a way, that's the word they use because if we don't do that, our ability to make a profit is there so you've brought up competitive strategy, you have to have a security and it's not going to be underneath an IT umbrella. I'm not saying everyone's doing it but the trend was to highlight that they have to break out security as a direct report as if it was a profit center because their job is so critical, they don't want to be caught in an IT blanket. Do you see that trend and your comment and reaction to that statement? >> I see that trend but I see it from a perspective of transparency so I think that taking security out of the large umbrella of IT and given its own kind of foundation, own reporting structure is all about transparency and I think that modern organizations understand now the impact a breach can have to a company. >> John: Yeah, puts you out of business. >> Right, it puts you out of business right. You lose customers and so forth so I think having a security leader at the table to be able to describe what they're doing is giving the transparency for decision makers within the organization and you know, one of my other comments about it being a competitive advantage, I personally think let's take the banking arena, it's so easy to move from bank A to bank B and I personally think that people will stay with a certain bank if that bank has more security features and so forth. I mean you know, savings, interest rates going to be one thing and mortgage rates are going to be one thing but if all things are even. >> It's a product feature. >> It's a product feature and I think that again, the newer generation is looking for features like that, because they're so much more aware of the threat landscape. So I think that's one of the reasons why I think it's a competitive advantage but I agree with you, having more visibility for an organization is important. >> You can't make a profit unless the lights are on, the systems are running and if you have a security hack and you're not running, you can't make a profit so it's technically a profit center. Bill I believe you 100% on the competitive strategy. It certainly is going to be table stakes, it's part of the product and part of the organization's brand, everything's at stake. Big crisis, crisis of our generation, cyber security, cyber warfare for the government, for businesses as a buzz thing and business, this is the Centrify presented event underwritten by Centrify here in New York City. CyberConnect 2017, the CUBE's exclusive coverage. More after this short break. (electronic jingle)

>> Announcer: Live, from Washington, DC, it's the cube. Covering dot next conference. Brought to you by Nutanix. >> Welcome back to DC everybody, this is the Nutanix dot next conference #NEXTConf, and this is the cube, the leader in live tech coverage. We go out to the events, we extract the signal from the noise. My name is Dave Vellante, and I'm here with my co-host Stu Miniman. Dr. Arthur Langer is here, he's a professor at Columbia University, and a cube alum. Good to see you, thanks very much for coming on. >> Great to be back. >> Dave: Appreciate your time. So, interesting conversations going on at dot next. People talking about cloud and you hear a lot about virtualization and infrastructure. We're going to up level it a bit. You're giving a talk-- you're hosting a panel today, and you're also giving a talk on strategic IT. Using IT as a competitive weapon. It wasn't that long ago where people were saying does IT matter. We obviously know it matters. What's your research showing, what is your activity demonstrating about IT and how is it a strategic initiative? >> Well, if you were to first look at what goes on on board meetings today, I would say, and I think I mentioned this last time, the three prominent discussions at a board is how can I use technology for strategic advantage, how can I use predictive analytics, and how are you securing and protecting us? And when you look at that, all three of those ultimately fall in the lap of the information technology people. Now you might say digital or other parts of it, but the reality is all of this sits at the heart of information technology. And if you look at many of us in that world, we've learned very efficiently and very good how to support things. But now to move into this other area of driving business, of taking risks, of becoming better marketers. Wow, what an opportunity that is for information technology leadership. >> Dave: So, obviously you believe that IT is a strategic advantage. Is it sustainable though? You know, I was sort of tongue-in-cheek joking about the Nick Car book, but the real premise of his book was it's not a sustainable competitive advantage. Is that true in your view? >> I don't believe that at all. I live and die by that old economics curve called the S curve. In which you evaluate where your product life is going to be. I think if you go back and you look at the industrial revolution, we are very early. I think that the changes, the acceleration of changes brought on by technological innovations, will continue to haunt businesses and provide these opportunities well past our life. How's that? So, if anybody thinks that this is a passing fad, my feeling is they're delusional. We're just warming up. >> So it can be a sustainable competitive advantage, but you have to jump S curves and be willing to jump S curves at the right time. Is that a fair difference? >> Yeah, the way I would say it to you, the S curve is shrinking, so you have less time to enjoy your victories. You know, the prediction is that-- how long will people last on a dow 500 these days? Maybe two, three years, as opposed to 20, 30, 40 years. Can we change fast enough, and is there anything wrong with the S curve ending and starting a new one? Businesses reinventing themselves constantly. Change a norm. >> Professor Langer, one of the challenges we hear from customers is keeping up with that change is really tough. How do you know what technologies, do you have the right skill set? What advice are you giving? How do people try to keep up with the change, understand what they should be doing internally versus turning to partners to be able to handle. >> I think it's energy and culture and excitement. That's the first thing that I think a lot of people are missing. You need to sell this to your organizations. You need to establish why this is such a wonderful time. Alright, and then you need to get the people in, between the millenials and the baby boomers and the gen x's, and you got to get them to work together. Because we know, from research right now, that without question, the millenials will need to move into management positions faster than any of their predecessors. Because of retirements and all of the other things that are going on. But the most important thing, which is where I see IT needing to move in, is you can't just launch one thing. You have to launch lots of things. And this is the old marketing concept, right. You don't bat a thousand. And IT needs to come out of its shell in that area and say I have to launch five, six, eight, 10 initiatives. Some of them will make it. Some of them won't. Can you imagine private equity or venture people trying to launch every company and be successful? We all know that in a market of opportunity, there are risks. And to establish that as an exciting thing So, you know what, it comes back to leadership in many ways. >> Great point, because if you're not having those failures, your returns are going to be minuscule. If you're only investing in things that are sure things, then it's pretty much guaranteed to have low single-digit returns, if that. >> Look what happened at Ford. They did everything pretty well. They never took any of the money, right, but they changed CEO's because they didn't get involved in driverless cars enough. I mean these are the things that we're-- If you're trying to catch up, it's already over. So how do you predict what's coming. And who has that? It's the data. It's the way we handle the data. It's the way we secure the data. Who's going to do that? >> So, that brings me to the dark side of all this enthusiasm, which is security. You see things like IOT, you know the bad guys have AI as well. Thoughts on security, discussions that are going on in the board room. How CIOs should be thinking about communicating to the board regarding security. >> I've done a lot of work in this area. And whether that falls into the CISO, the Chief Information Security Officer, and where they report. But the bottom line is how are they briefing their boards. And once again, anybody that knows anything about security knows that you're not going to keep 'em out. It's going to be an ongoing process. It's going to be things like okay what do we do when we have these type >> response >> How do we respond to that? How do we predict things? How do we stay ahead of that? And that is the more of the norm. And what we see, and I can give you sort of an analogy, You know when the President comes to speak in a city, what do they, you know, they close down streets, don't they? They create the unpredictability. And I think one of the marvelous challenges for IT is to create architectures, and I've been writing about this, which change so that those that are trying to attack us and they're looking for the street to take inside of the network. We got to kind of have a more dynamic architecture. To create unpredictability. So these are all of the things that come into strategy, language, how to educate our boards. How to prepare the next generation of those board members. And where will the technology people sit in those processes. >> Yeah, we've had the chance to interview some older companies. Companies 75, 150 years old, that are trying to become software companies. And they're worried about the AirBnB's of the world disrupting what they're doing. How do you see the older companies keeping pace and trying to keep up with some of young software companies? >> Sure, how do you move 280 thousand people at a major bank, for example. How do you do that? And I think there's several things that people are trying. One is investing in startups with options to obtain them and purchase them. The other is to create, for lack of a better word, labs. Parts of the company that are not as controlled, or part of the predominant culture. Which as we know historically will hold back the company. Because they will just typically try to protect the domain that has worked for them so well. So those are the two main things. Creating entities within the companies that have an ability to try new things. Or investing entrepreneurially, or even intrapreneurally with new things with options to bring them in. And then the third one, and this last one is very difficult, sort of what Apple did. One of the things that has always haunted many large companies is their install base. The fact that they're trying to support the older technologies because they don't want to lose their install base. Well remember what Steve Jobs did. He came in with a new architecture and he says either you're with me or you're not. And to some extent, which is a very hard decision, you have to start looking at that. And challenge your install base to say this is the new way, we'll help you get there, but at some point we can't support those older systems. >> One of my favorite lines in the cube, Don Tapps, God created the world in six days, but he didn't have an install base. Right, because that handcuffs companies and innovation, in a lot of cases. I mean, you saw that, you've worked at big companies. So I want to ask you, Dr. Langer, we had this, for the last 10 years, this consumerization of IT. The Amazon effect. You know, the whole mobile thing. Is technology, is IT specifically, getting less complex or more complex? >> I think it's getting far more complex. I think what has happened is business people sometimes see the ease of use. The fact that we have an interface with them, which makes life a lot easier. We see more software that can be pushed together. But be careful. We have found out with cybersecurity problems how extraordinarily complicated this world is. With that power comes complexities. Block chain, other things that are coming. It's a powerful world, but it's a complicated one. And it's not one where you want amateurs running the back end of your businesses. >> Okay, so let's talk about the role of those guys running. We've talked a lot about data. You've seen the emergence of the chief data officer, particularly in regulated industries, but increasingly in non-regulated businesses. Who should be running the technology show? Is it a business person? Is it a technologist? Is it some kind of unicorn blend of those? >> I just don't think, from what we've seen by trying marketing people, by trying business people, that they can really ultimately grasp the significance of the technical aspects of this. It's almost like asking someone who's not a doctor to run a hospital. I know theoretically you could possibly do that, but think about that. So you need that technology. I'm not caught up on the titles, but I am concerned, and I've written an article in the Wall Street Journal a couple years ago, that there are just too many c-level people floating around owning this thing. And I think, whether you call it the chief technologist, or the executive technical person, or the chief automation individual, that all those people have to be talking to each other, and have to lead up to someone who's not only understanding the strategy, but really understands the back end of keeping the lights on, and the security and everything else. The way I've always said it, the IT people have the hardest job in the world. They're fighting a two-front war. Because both of those don't necessarily mesh nicely together. Tell me another area of an organization that is a driver and a supporter at the same time. You look at HR, they're a supporter. You look at marketing, they're a driver. So the complexities of this are not just who you are, but what you're doing at any moment in time. So you could have a support person that's doing something, but at one moment, in that person's function, could be doing a driving, risk-taking responsibility. >> So what are some of the projects you're working on now? What's exciting you? >> Well, the whole idea of how to drive that strategy, how to take risks, the digital disruption era, is a tremendous opportunity. This is our day for the-- because most companies are not really clear what to do. Socially, I'm looking very closely at smart cities. This is another secret wave of things that are happening. How a city's going to function. Within five, seven years, they're predicting that 75% of the world's population will live in major cities. And you won't have to work in the city and live there. You could live somewhere else. So cities will compete. And it's all about the data, and automation. And how do organizations get closer with their governments? Because our governments can't afford to implement these things. Very interesting stuff. Not to mention the issues of the socially excluded. And underserved populations in those cities. And then finally, how does this mess with cyber risk? And how does that come together to the promotion of that role in organizations. Just a few things, and then way a little bit behind, there's of course block chain. How is that going to affect the world that we live in? >> Just curious, your thoughts on the future of jobs. You know, look about what automation's happening, kind of the hollowing out of the middle class. The opportunities and risks there. >> I think it has to do with the world of what I call supply chain. And it's amazing that we still see companies coming to me saying I can't fill positions. Particularly in the five-year range. And an inability to invest in younger talent to bring them in there. Our educational institutions obviously will be challenged. We're in a skills-based market. How do they adopt? How do we change that? We see programs like IBM launching new collar. Where they're actually considering non-degree'd people. How do universities start working together to get closer, in my opinion, to corporations. Where they have to work together. And then there is, let's be careful. There are new horizons. Space, new things to challenge that technology will bring us. 20 years ago I was at a bank which I won't mention, about the closing of branch banks. Because we thought that technology would take over online banking. Well, 20 years later, online banking's done everything we predicted, and we're opening more branches than ever before. Be careful. So, I'm a believer that, with new things come new opportunities. The question is how do governments and corporations and educational institutions get closer together. This is going to be critical as we move forward. Or else the have nots are going to grow, and that's a problem. >> Alright, we have to leave it there. Dr. Arthur Langer, sir, thanks very much for coming in. To the cube >> It's always a pleasure to be here >> It's a pleasure to have you. Alright, keep it right there everybody, we'll be back with our next guest. Dave Vollante, Stu Miniman, be right back.

>> Announcer: Live, from Las Vegas, Nevada, it's theCUBE, covering Accelerate 2017. Brought to you by Fortinet. Now, here are your hosts, Lisa Martin and Peter Burris. >> Welcome back to theCUBE, I'm Lisa Martin joined by Peter Burris. We have been in Vegas all day at Accelerate 2017. What an exciting, buzz-filled day that we've had, Peter. I feel like we've learned, I've learned a lot myself, but also just that the passion and the opportunity for helping companies become more secure, as security is evolving, is really palpable. >> Well, yeah, I totally agree with you, Lisa. In fact, if there's one kind of overarching theme of what we heard and what we experienced, it's this is one of the first conferences, security conferences, that I've been to, where we spent more time talking about business opportunity, business outcome, the role that security is going to play in facilitating business change. And we spent a lot less time talking about security speed, security feeds, geeking out about underlying security technologies. And I think that portends a pretty significant seismic shift in how people regard security. We'll still always have to be very focused and understand those underlying technologies in the speeds and feeds, but increasingly, the business conversation is creeping into, and in fact, starting to dominate how we regard security. It's past become reviewed in a digital world, it has to become viewed as a strategic business asset, and not just as the thing you do to make sure your devices don't get stolen or appropriated. >> Right, and that context was set from the beginning with the keynotes this morning. The CEO Ken Xie, a lot of folks that we talked to today, said he normally gets quite technical in keynotes, and today kept things really at a business level. >> And we heard that many people thought it was the best keynote they've seen him give in a long time. >> That's right, that's a great point. >> And one of his key messages was that at the end of the day, digital business is not about some new observations on channels or new observations on products. It really is about how you use data to differentiate, differentially create sustained customers. My words, not his, but it's very, very much in line. The difference between any business and digital business is how you use your data. And we heard that over and over and over today, and how security, technologies, and practices, and capabilities have to evolve to focus more on what businesses want to do with data. That is where, certainly Fortinet, sees the market going, and they're trying to steer their customers so that they can take advantages of those opportunities. >> Right, and that's a great point that you made. Their CFO, who we had on the program as well, Drew Del Matto, talked about in his keynote, that it's critical for a company to be able to have digital trust. We talk about trust in lots of different contexts, but what does trust mean to a business? >> As you said, he's the CFO. It's interesting, CFO is typically focused on things like is the ownership getting a return on the capital that they've invested in this company? It was very, to me anyway, refreshing to hear a CFO expressly state data is becoming an increasing feature of the capital stock of the company. And we have to take explicit steps to start to protect it and secure it, because in fact, it's through security that data is turned into an asset. If you don't secure your data, it's everywhere. It's easily copied, it flies around. Data and security-- at least data asset, the concept of data asset, and security, are inextricably bound because it is through security that you create the asset notion of data. The thing that generates value. Because if you don't, it's everywhere. It's easy to copy. I thought he did a wonderful job of starting to tie together the idea of data in business in a very straightforward, tactical, CFO approach. It was a good conversation about where business people are starting to think about how this is going to evolve. >> He also talked about the role of the CSO, and there was a panel during the general session of three CSOs from different industries. That's an interesting evolution as security has evolved from perimeter only to web, to cloud, to-- Now, where we need to be as Ken Xie talked about, we're at this third generation. It's about fabric. He talked about that, and the importance of that, and the capabilities. But it's also interesting to hear security's now a conversation in the boardroom. This is not something that is simply owned by a CIO or CSO, that that role has to facilitate a company becoming a digital army in order to create value from that data. A lot of folks said today, too, that mindset of "If I can't see it, I can't protect it." >> Yeah, we heard that this morning from the CFO, we also heard it from George, the CSO of Azure, Microsoft Azure. We heard the relationship, the evolving role of the CSO, or the Chief Security Officer multiple times today. Security's hard. This is not easy stuff. We can bring a lot of automation, and we can bring a lot of technology to bear on making it easier and simplifying it. And we heard a lot about how that's happening. But this is a hard, hard thing to do, for a lot of reasons. But it's one that must be done, especially in a digital world. And the role, or the impact on the CSO role, is profound. You're not going to have everybody in the organization-- They all have a stake in it, but they're all not going to perform security routines, necessarily. Yet, it's too big, as we heard from George, for one person. We have to start increasingly thinking about security as a strategic business capability that may be championed by the CSO, but is going to be undertaking in a lot of different places. One of the things that the Microsoft gentleman, George-- >> Lisa: George Moore. >> George Moore bought up, was the idea that increasingly, if you do security right, you can secure things at a relatively technical level and present them as services so that other parts of the business can start to consume them, and they become part of their security architecture. And it goes into their products, or it goes into their services, or it goes into how they engage customers. >> Facilitating scale. >> Or whatever else it might be, logistics. I think that that is a very powerful way of thinking about how security's going to work through a fabric, being able to present a hierarchy of security capabilities that go all the way out to your customers and actually allow you to engage your customers at a security conversation level. Which is, we also heard that talked about a little bit today. The role, the brand value of trust, but we still don't have an answer for how that's going to play out. >> If we look at some of the other things that were talked about in Ken's keynote, hyperconnectivity. From the proliferation of mobile and IoT, which IoT devices, there's 20 billion that are predicted to be connected by 2020, which is just a few years away. As that sounds, well it doesn't sound, it is increasing the threat surface, and we are also hearing from some of the folks that were on the program today, Derek Manky being one of them, who wrote a great blog just published recently on Fortinet talking about the major trends that are being seen and the challenges there. I think we're also seeing that companies like Fortinet and their suite of technology alliance partners like Microsoft, like Nazomi, going all the way out to the endpoints and back, that these companies are coming together to collaborate, to start mitigating the risks that are increasingly there with the threat surface being larger. I think there was a lot more positivity than I honestly anticipated. When you hear of all these attacks that it's daily, and that's such a common thing. The collaboration of the technology and the integration is exciting to hear where these companies are going to be able to limit damage. >> And to put one more number on it, the 20 billion devices, but it's what those devices are doing. Again, George Moore from Microsoft Azure talked about I think he said, it was 800 billion events that they're dealing with a day. And in 2017, Microsoft Azure is going to cross a threshold of dealing with one trillion events a day that they have to worry about from a security standpoint. If you think about that industry wide, Microsoft Azure's big, but there are others. We're talking today, probably somewhere, I just estimated, he said, "Yeah, that sounds about right," about five trillion, five trillion events a day that businesses have to worry about in aggregate from a security standpoint. And that number is just going to keep growing exponentially. In a year's time, he talked about three, four, five x. So we're talking about hundreds of trillions of events. >> Staggering numbers. >> Within the next decade or so. There is virtually no way that human beings are set up to deal with those kinds of numbers. It's going to require great technology-- >> Automation. >> That provides great automation. That nonetheless, works with humans so that the discretion that human beings bring, the smarts, and the collaboration that human beings bring to bear. The value that they create stays there. We're going to see more productivity coming out of these incredibly smart people that are doing security, because the tooling's going to improve and make it possible. And if it doesn't happen, then that's going to put a significant break on how fast a lot of this digital business evolution takes place. >> Another point that was quite prevalent among our conversations today, was that there isn't, with the exception maybe of healthcare, it's quite an agnostic problem that enterprises are facing in terms of security threats. When we talked to Derek, he mentioned healthcare being one because that information is so pervasive. It's very personal and private. But something that kind of surprised me, I almost thought we might see or hear about a hierarchy, maybe healthcare, financial services. But really, what everyone talked about today, was that the security threats are really pervasive across all industries. All the way, even to industrial control systems and HVAC systems. Which shows you the breadth of the challenge ahead. But to your point, and some of the points that some of our guests made, it's going to be a combination of the humans and the machines coming together to combat these challenges. >> Well I think what we're seeing is that there's a high degree of data specialization within a lot of industries based on different terms, different tactics, different risk profiles, et cetera. But that many of the algorithms necessary to understand exceptions or deal with anomalies, or one of those other things, are applicable across a lot of different industries. What we are likely to see over the next few years is we're still likely to see some of that specialization by industry, by data. Nonetheless, become featured in the output, but the algorithms are going to be commonly applied. They'll get better and better and better. There's still likely to be some degree of specialization if only because the data itself is somewhat specialized, but the other thing that we heard is that it's pretty clear that the bad guys want to get access. Well, let's put it this way, not all data is of equal value. And the bad guys want to get access to the data that is especially valuable to them. A lot of that data is in healthcare systems. To bring these common algorithms that specialize data to secure the especially challenging problems associated with healthcare is a real, real big issue for a lot of businesses today. Not just healthcare businesses, but people who are buying insurance for their employees, et cetera. >> Exactly, it becomes a pervasive problem. You were mentioning today that this was very much a business conversation versus speeds and fees. We did hear about a couple of technologies moving forward that are going to be key to driving security forward. Analytics, data science, in fact-- We also talked about kind of the difference between security fabric which Fortinet rolled out last year, and a platform and how businesses are kind of mobilized around that, and the differences there. Control versus spreading that out. One of the things that Forinet did about, I think it was in June of last year, was they acquired AccelOps. Bringing in monitoring, bringing in realtime analytics. A lot of our guests talked about the essentialness of that realtime capability to discover, detect, remediate, and clear things up. From a 2017 perspective, besides analytics and data science, what are some of the other things you see here as essential technologies to facilitate where the security evolution trajectory is going? >> I think in many respects, it comes back to some of the things we just talked about. That as digital business increasingly-- Let's step back. The way we define, at Wikibon SiliconANGLE, what digital business is, what differentiates your digital business from any other kind of business is data. It's how you use your data to create and sustain customers. That's a pretty big world. There's a lot of-- You know, most of us operate in the analog world. There's some very interesting ways of turning that analog information into digital information. There's voice, there's photographs, there's a lot of other-- We talked a little bit about industrial internetive things. There's an enormous set of investments being made today to turn the analog world that all of us operate in, and the processes that we normally think about, into digital representations that then can be turned into models for action, models for insight, new software systems that can then have an impact on how the business actually operates. And I think that, if we think the notion of analytics and data science, and by the way, security's one of those places where that set of disciplines have really, really matured through fraud detection and other types of things. But I think what we're going to look at, is as new types of data are created by different classes of business or different classes of industry, or different roles and responsibilities, that that data, too, will have to be made secure. What we're going to see, is as the world figures out new ways of using data to create new types of value, that the security industry is going to have to be moving in lockstep so that security doesn't once again become the function that says no to everything, but rather the function that says, "Yeah, we can do that." We can go from idea to execution really fast, because we know how to make that data secure. >> Well, Peter, it's been such a pleasure, an honor, co-hosting with you today. Thank you so much for sharing the desk with me. >> Absolutely, Lisa. >> Look forward to doing it some other time. And we want to thank you so much for joining us on theCUBE today as well. I want to also point you to some of the upcoming events. Go to SiliconANGLE.tv. Next week, we've got the VTUG Winter Warmer going on. You'll also be able to see that on the website. Women and Data Science with yours truly in early February. And then the Spark Summit in February, Feb 7-9 in Boston. Again, that's SiliconANGLE.tv. For my co-host Peter Burris, I'm Lisa Martin. Thanks so much for watching, and we'll see ya next time. (techno music)