>> Narrator: Live from San Francisco It's theCUBE. Covering RSA Conference 2020, San Francisco. Brought to you by Silicon Angled Media >> Hi everyone, welcome to theCUBE's coverage here at RSA Conference 2020. I'm John Furrier, host of theCUBE We're on the floor getting all the data, sharing it with you here, Cube coverage. Got the best new generation shift happening as cloud computing goes to the whole other level. Multi-cloud, hybrid cloud changing the game. You're seeing the companies transition from an on-premises to cloud architecture. This is forcing all the companies to change. So a new generation of security is here and we've got a great guest, so a hot start-up. Masha Sedova, co-founder of Elevate Security. Welcome to theCUBE, thanks for joining us. >> Thank you so much for having me, John. >> So the next generation in what will be a multi-generational security paradigm, is kind of happening right now with the beginning of, we're seeing the transition, Palo Alto Networks announced earnings yesterday down 13% after hours because of the shift to the cloud. Now I think they're going to do well, they're well positioned, but it highlights this next generation security. You guys are a hot start-up, Elevate Security. What is the sea change? What is going on with security? What is this next generation paradigm about? >> Yeah, so it's interesting that you talk about this as next generation. In some ways, I see this as a two-prong move between, yes, we're moving more into the cloud but we're also going back to our roots. We're figuring out how to do asset management right, we're figuring out how to do patching right, and for the first time, we're figuring how to do the human element right. And that's what where we come in. >> You know, the disruption of these new shifts, it also kind of hits like this, the old expression, 'same wine, new bottle', all this, but it's a data problem. Security has always been a data problem, and we've seen some learnings around data. Visualization, wrangling, there's a lot of best practices around there. You guys are trying to change the security paradigm by incorporating a data-centric view with changing the behavior of the humans and the machines and kind of making it easier to manage. Could you share what you guys are doing? What's the vision for Elevate? >> Yeah, so we believe and we've seen, from our experience being practitioners, you can't change what you can't measure. If you don't have visibility, you don't know where you're going. And that's probably been one of the biggest pain-point in the security awareness space traditionally. We just roll out training and hope it works. And it doesn't, which is why human error is a huge source of our breaches. But we keep rolling out the same one-size fits all approach without wanting to measure or, being able to. So, we've decided to turn the problem on its head and we use existing data sets that most organizations who have a baseline level of maturity already have in place. Your end point protections, your DLP solutions, your proxies, your email security gateways and using that to understand what your employees are doing on the network to see if user generated incidents are getting better over time or getting worse. And using that as the instrumentation and the level of visibility into understanding how you should be orchestrating your program in this space. >> You know, that's a great point. I was just having a conversation last night at one of the cocktail parties here around RSA and we were debating on, we talk about the kind of breaches, you mentioned breaches, well there's the pure breach where I'm going to attack and penetrate the well fortified network. But then there's just human error, an S3 bucket laying open or some configuration problem. I guess it's not really a breach, it's kind of an open door so the kind of notion of a breach is multifold. How do you see that, because again, human error, insider threats or human error, these are enabling the hackers. >> Yeah >> This is not new. >> Yeah. >> How bad is the problem? >> It depends on what report you read. The biggest number I've seen so far is something like 95% of breaches have human error. But I honestly, I couldn't tell you what the 5% that don't include it because if you go far enough back, it's because a patch wasn't applied and there is a human being involved there because there is vulnerability in code, that's probably a secure coding practice when you're a development organization. Maybe it's a process that wasn't followed or even created in the first place. There's a human being at the core of every one of these breaches and, it needs to be addressed as holistically as our technologies and our processes right now in the space. >> The evolution of human intelligence augmented by machines will certainly help. >> That's it, yeah. >> I mean, I've got to ask you, obviously you're well-funded. Costanova Ventures well known in the enterprise space, Greg Sands and the team there, really strong, but you guys entered the market, why? I mean you guys, you and your founder both at Salesforce.com. Salesforce gurus doing a lot of work there. Obviously you've seen the large scale, first wave of the cloud. >> Yeah >> Why do the start-up? What was the problem statement you guys were going after? >> So, my co-founder and I both came from the world of being practitioners and we saw how limited the space was and actually changing human behavior, I was given some animated PowerPoints, said use this to keep the Russians out of your network, which is a practical joke unless your job is on the line, so I took a huge step back and I said, there are other fields that have figured this out. Behavioral science being one of them, they use positive reinforcement, gamification, marketing and advertisements have figured out how to engage the human element, just look around the RSA floor, and there's so many learnings of how we make decisions as human beings that can be applied into changing people's behaviors in security. So that's what we did. >> And what was the behavior you're trying to change? >> Yeah, so the top one's always that our attackers are getting into organizations, so, reducing phishing click-throughs an obvious one, increasing reporting rates, reducing malware infection rates, improving sensitive data handling, all of which have ties back to, as I was mentioning earlier, security data sources. So, we get to map those and use that data to then drive behavior change that's rooted in concepts like social proof, how are you doing compared to your peers? We make dinner decisions on that and Amazon buying decisions on that, why not influence security like that? >> So building some intelligence into the system, is there a particular market you're targeting? I mean, here people like to talk in segments, is there a certain market that you guys are targeting? >> Yeah, so the amazing thing about this is, and probably no surprise, the human element is a ubiquitous problem. We are in over a dozen different industries and we've seen this approach work across all of those industries because human beings make the same mistakes, no matter what kind of company they're in. We really work well with larger enterprises. We work well with larger enterprises because they tend to have the data sets that really provides insights into human behavior. >> And what's the business model you guys envision happening with your service product? >> We sell to enterprises and security, the CISO and the package as a whole, gives them the tools to have the voice internally in their organization We sell to Fortune 1000 companies, >> So it's a SAAS service? >> Yeah, SAAS service, yeah. >> And so what's the technology secret sauce? (laughing) >> Um, that's a great question but really, our expertise is understanding what information people need at what time and under what circumstances, that best changes their behavior. So we really are content diagnostic, we are much more about the engine that understands what content needs to be presented to whom and why. So that everyone is getting only the information they need, they understand why they need it and they don't need anything extra-superfluous to their... >> Okay, so I was saying on theCUBE, my last event was at, CIO's can have good days and bad days. They have good days, CISOs really have good days, many will say bad days, >> Masha: Yeah, it's a hard job. >> So how do I know I need the Elevate Solution? What problem do I have, what's in it for me? What do I get out of it? When do I know when to engage with you guys? >> I take a look at how many user generated incidents your (mumbles) responding to, and I would imagine it is a large majority of them. We've seen, while we were working at Salesforce and across our current customers, close to a 40% reduction rate in user generated incidents, which clearly correlates to time spent on much more useful things than cleaning up mistakes. It's also one of the biggest ROI's you can get for the cheapest investment. By investing a little bit in your organization now, the impact you have in your culture and investing in the future decision, the future mistakes that never get made, are actually untold, the benefit of that is untold. >> So you're really kind of coming in as a holistic, kind of a security data plane if you will, aggregating the data points, making a visualization in human component. >> You've got it. >> Now, what's the human touchpoint? Is it a dashboard? Is it notifications? Personalization? How is the benefit rendered for the customer? >> So we give security teams and CSOs a dashboard that maps their organization's strengths and weaknesses. But for every employee, we give personalized, tailored feedback. Right now it shows up in an email that they get on an ongoing basis. We also have one that we tailor for executives, so the executive gets one for their department and we create an executive leaderboard that compares their performance to fellow peers and I'll tell you, execs love to win, so we've seen immense change from that move alone. >> Well, impressive pedigree on your entrepreneurial background, I see Salesforce has really kind of, I consider real first generation cloud before cloud actually happened, and there's a lot of learn, it was always an Apple case, now it's AWS, but it's it's own cloud as we all know, what are the learnings that you saw from Salesforce that you said hey, I'm going to connect those dots to the new opportunity? What's the real key there? >> So, I had two major aha's that I've been sharing with my work since. One, it's not what people know, but it's what they do that matters, and if you can sit with a moment and think about that, you realize it's not more training, because people might actually know the information, but they just choose not to do it. How many people smoke, and they still know it kills them? They think that it doesn't apply to them, same thing with security. I know what I need to do, I'm just not incentivized to do it, so there's a huge motivation factor that needs to be addressed. That's one thing that I don't see a lot of other players on the market doing and one thing we just really wanted to do as well. >> So it sounds like you guys are providing a vision around using sheet learning and AI and data synthesis wrangling and all that good stuff, to be an assistant, a personal assistant to security folks, because it sounds like you're trying to make their life easier, make better decisions. Sounds like you guys are trying to distract away all these signals, >> You're right. >> See what to pay attention to. >> And make it more relevant, yeah. Well think about what Fitbit did for your own personal fitness. It curates a personal relationship based on a whole bunch of data. How you're doing, goals you've set, and all of a sudden, a couple of miles walk leads to an immense lifestyle change. Same thing with security, yeah. >> That's interesting, I love the Fitbit analogy because if you think about the digital ecosystem of an enterprise, it used to be siloed, IT driven, now with digital, everything's connected so technically, you're instrumenting a lot of things for everything. >> Yeah. >> So the question's not so much instrumentation, it's what's happening when and contextually why. >> That's it, why, that's exactly it. Yeah, you totally got it. >> Okay. I got it. >> Yeah, I can see the light bulb. >> Okay, aha, ding ding. All right, so back to the customer pain point. You mentioned some data points around KPI's that they might or things that they might want to call you so it's incidents, what kind of incidents? When do I know I need to get you involved? Will you repeat those again? >> There's two places where it's a great time to involve. Now, because of the human element is, or think about this as an investment. If you do non-investor security culture, one way or another, you have security culture. It's either hurting you or it's helping you and by hurting you, people are choosing to forego investing security processes or secure cultures and you are just increasing your security debt. By stepping in to address that now, you are actually paying it forward. The second best time, is after you realize you should have done that. Post-breaches or post incidents, is a really great time to come in and look at your culture because people are willing to suspend their beliefs of what good behavior looks like, what's acceptable and when you look at an organization and their culture, it is most valuable after a time of crisis, public or otherwise, and that is a really great time to consider it. >> I think that human error is a huge thing, whether it's as trivial as leaving an S3 bucket open or whatever, I think it's going to get more acute with service meshes and cloud-native microservices. It's going to get much more dynamic and sometimes services can be stood up and torn down without any human knowledge, so there's a lot of blind spots potentially. This brings up the question of how does the collaboration piece, because one of the things about the security industry is, it's a community. Sharing data's important, having access to data, how do you think about that as the founder of a start-up that has a 20 mile steer to the future around data access, data diversity, blind spots, how do you look at that and how do you advise your clients to think about that? >> I've always been really pro data sharing. I think it's one of the things that has held us back as an industry, we're very siloed in this space, especially as it relates to human behavior. I have no idea, as a regular CISO of a company, if I am doing enough to protect my employees, is my phishing click (mumbles), are my malware download rates above normal, below or should I invest more, am I doing enough? How do I do compared to my peers and without sharing industry stats, we have no idea if we're investing enough or quite honestly, not enough in this space. And the second thing is, what are approaches that are most effective? So let's say I have a malware infection problem, which approach, is it this training? Is it a communication? Is it positive reinforcement, is it punishment? What is the most effective to leverage this type of output? What's the input output relation? And we're real excited to have shared data with Horizon Data Breach Report for the first time this year, to start giving back to the communities, specifically to help answer some of these questions. >> Well, I think you're onto something with this behavioral science intersection with human behavior and executive around security practices. I think it's going to be an awesome, thanks for sharing the insights, Miss Masha on theCUBE here. A quick plug for your company, (mumbles) you're funded, Series A funding, take us through the stats, you're hiring what kind of positions, give a plug to the company. >> So, Elevate Security, we're three years old. We have raised ten million to date. We're based in both Berkeley and Montreal and we're hiring sales reps on the west coast, a security product manager and any engineering talent really focused on building an awesome data warehouse infrastructure. So, please check out our website, www.elevatesecurity.com/careers for jobs. >> Two hot engineering markets, Berkeley I see poaching out of Cal, and also Montreal, >> Montreal, McGill and Monterey. >> You got that whole top belt of computer science up in Canada. >> Yeah. >> Well, congratulations. Thanks for coming on theCUBE, sharing your story. >> Thank you. >> Security kind of giving the next generation all kinds of new opportunities to make security better. Some CUBE coverage here in San Francisco, at the Moscone Center. I'm John Furrier, we'll be right back after this break. (upbeat music)

>> Narrator: From Berlin, Germany, it's theCUBE. Covering Data Works Summit, Europe 2018. Brought to you by, Horton Works. >> Well hello, welcome to theCUBE. I am James Kobielus. I'm the lead analyst within the Wikbon Team at Silicon Angled Media, focused on big data analytics. And big data analytics is what Data Works Summit is all about. We are at Data Works Summit 2018 in Berlin, Germany. We are on day two, and I have, as my special guest here, Pankaj Sodhi, who is the big data practice lead with Accenture. He's based in London, and he's here to discuss really what he's seeing in terms of what his clients are doing with Big DSO. Hello, welcome Pankaj, how's it going? >> Thank you Jim, very pleased to be there. >> Great, great, so what are you seeing in terms of customers adoption of the dupe and so forth, big data platforms, for what kind of use cases are you seeing? GDPR is coming down very quickly, and we saw this poll this morning that John Chrysler, of Horton Works, did from the stage, and it's a little bit worrisome if you're an enterprise data administrator. Really, in enterprise period, because it sounds like not everybody in this audience, in fact a sizeable portion, is not entirely ready to comply with GDRP on day one, which is May 25th. What are you seeing, in terms of customer readiness, for this new regulation? >> So Jim, I'll answer the question in two ways. One was, just in terms of, you know, the adoption of Hadoop, and then, you know, get into GDPR. So in regards to Hadoop adoption, I think I would place clients in three different categories. The first ones are the ones that have been quite successful in terms of adoption of Hadoop. And what they've done there is taken a very use case driven approach to actually build up the capabilities to deploy these use cases. And they've taken an additive approach. Deployed hybrid architectures, and then taken the time. >> Jim: Hybrid public, private cloud? >> Cloud as well, but often sort of, on premise. Hybrid being, for example, with an EDW and product type AA. In that scenario, they've taken the time to actually work out some of the technical complexities and nuances of deploying these pipelines in production. Consequently, what they're in a good position to do now, is to leverage the best of Cloud computing, open so its technology, while it's looking at making the best getting the investment protection that they have from the premise deployments as well. So they're in a fairly good position. Another set of customers have done successful pilots looking at either optimization use cases. >> Jim: How so, Hadoob? >> Yes, leveraging Hadoob. Either again from a cost optimization play or potentially a Bon Sand escape abilities. And there in the process of going to production, and starting to work out, from a footprint perspective, what elements of the future pipelines are going to be on prim, potentially with Hadoop, or on cloud with Hadoop. >> When you say the pipeline in this context, what are you referring to? When I think of pipeline, in fact in our coverage of pipeline, it refers to an end to end life cycle for development and deployment and management of big data. >> Pankaj: Absolutely >> And analytics, so that's what you're saying. >> So all the way from ingestion to curation to consuming the data, through multiple different access spots, so that's the full pipeline. And I think what the organizations that have been successful have done is not just looked at the technology aspect, which is just Hadoop in this case, but looked at a mix of architecture, delivery approaches, governance, and skills. So I'd like to bring this to life by looking at advanced analytics as a use case. So rather than take the approach of lets ingest all data in a data lake, it's been driven by a use case mapped to a set of valuable data sets that can be ingested. But what's interesting then is the delivery approach has been to bring together diverse skill sets. For example, date engineers, data scientists, data ops and visualization folks, and then use them to actually challenge architecture and delivery approach. I think this is where, the key ingredient for success, which is, for me, the modern sort of Hadoob's pipeline, need to be iteratively built and deployed, rather than linear and monolithic. So this notion of, I have raw data, let me come up a minimally curated data set. And then look at how I can do future engineering and build an analytical model. If that works, and I need to enhance, get additional data attributes, I then enhance the pipeline. So this is already starting to challenge organizations architecture approaches, and how you also deploy into production. And I think that's been one of the key differences between organizations that have embarked on the journey, ingested the data, but not had a path to production. So I think that's one aspect. >> How are the data stewards of the world, or are they challenging the architecture, now that GDPR is coming down fast and furious, we're seeing, for example Horton Works architecture for data studio, are you seeing did the data govern as the data stewards of the world coming, sitting around the virtual table, challenging this architecture further to evolve? >> I think. >> To enable privacy by default and so forth? >> I think again, you know the organizations that have been successful have already been looking at privacy by design before GDPR came along. Now one of the reasons a lot of the data link implementation haven't been as successful, is the business haven't had the ability to actually curate the data sets, work out what the definitions are, what the curation levels are. So therefore, what we see with business glossaries, and sort of data architectures, from a GDPR perspective, we see this as an opportunity rather than a threat. So to actually make the data usable in the data lakes, we often talk to clients about this concept of the data marketplace. So in the data marketplace, what you need to have, is well curated data sets. The proper definition such will, for business glossary or a data catalog, underpin by the right user access model, and available for example through a search or API's. So, GDPR actually is. >> There's not a public market place, this is an architectural concept. >> Yes. >> It could be inside, completely inside, the private data center, but it's reusable data, it's both through API, and standard glossaries and meta data and so forth, is that correct? >> Correct, so data marketplace is reusable, both internally, for example, to unlock access to data scientists who might want to use the data set and then put that into a data lab. It can also be extended, from an APR perspective, for a third party data market place for exchanging data with consumers or third parties as organizations look at data monetization as well. And therefore, I think the role of data stewards is changing around a bit. Rather than looking at it from a compliance perspective, it's about how can we make data usable to the analysts and the data scientists. So actually focusing on getting the right definitions upfront, and as we curate and publish data, and as we enrich it, what's the next definition that comes of that? And actually have that available before we publish the data. >> That's a fascinating concept. So, the notion of a data steward or a data curator. It's sort of sounds like you're blending them. Where the data curator, their job, part of it, very much of it, involves identifying the relevance of data and the potential reusability and attractiveness of that data for various downstream uses and possibly being a player in the ongoing identification of the monetize-ability of data elements, both internally and externally in the (mumbles). Am I describing correctly? >> Pankaj: I think you are, yes. >> Jim: Okay. >> I think it's an interesting implication for the CDO function, because, rather than see the function being looked at as a policy. >> Jim: The chief data officer. >> Yes, chief data officer functions. So rather than imposition of policies and standards, it's about actually trying to unlock business values. So rather than look at it from a compliance perspective, which is very important, but actually flip it around and look at it from a business value perspective. >> Jim: Hmm. >> So for example, if you're able to tag and classify data, and then apply the right kind of protection against it, it actually helps the data scientists to use that data for their models. While that's actually following GDPR guidelines. So it's a win-win from that perspective. >> So, in many ways, the core requirement for GDPR compliance, which is to discover an inventory and essentially tag all of your data, on a fine grade level, can be the greatest thing that ever happened to data monetization. In other words, it's the foundation of data reuse and monetization, unlocking the true value to your business of the data. So it needn't be an overhead burden, it can be the foundation for a new business model. >> Absolutely, Because I think if you talk about organizations becoming data driven, you have to look at what does the data asset actually mean. >> Jim: Yes. >> So to me, that's a curated data set with the right level of description, again underpinned by the right authority of privacy and ability to use the data. So I think GDPR is going to be a very good enabler, so again the small minority of organizations that have been successful have done this. They've had business laws freeze data catalogs, but now with GDPR, that's almost I think going to force the issue. Which I think is a very positive outcome. >> Now Pankaj, do you see any of your customers taking this concept of curation and so forth, the next step in terms of there's data assets but then there's data derived assets, like machine learning models and so forth. Data scientists build and train and deploy these models and algorithms, that's the core of their job. >> Man: Mhmm. >> And model governance is a hot hot topic we see all over. You've got to have tight controls, not just on the data, but on the models, 'cause they're core business IP. Do you see this architecture evolving among your customer so that they'll also increasingly be required to want to essentially catalog the models and identify curate them for re-usability. Possibly monetization opportunities. Is that something that any of your customers are doing or exploring? >> Some of our customers are looking at that as well. So again, initially, exactly it's an extension of the marketplace. So while one aspect of the marketplace is data sets, you can then combine to run the models, The other aspect is models that you can also search for and prescribe data. >> Jim: Yeah, like pre-trained models. >> Correct. >> Can be golden if they're pre trained and the core domain for which they're trained doesn't change all that often, they can have a great after market value conceivably if you want to resell that. >> Absolutely, and I think this is also a key enabler for the way data scientists and data engineers expect to operate. So this notion of IDs of collaborative notebooks and so forth, and being able to soft of share the outputs of models. And to be able to share that with other folks in the team who can then maybe tweak it for a different algorithm, is a huge, I think, productivity enabler, and we've seen. >> Jim: Yes. >> Quite a few of our technology partners working towards enabling these data scientists to move very quickly from a model they may have initially developed on a laptop, to actually then deploying the (mumbles). How can you do that very quickly, and reduce the time from an ideal hypothesis to production. >> (mumbles) Modularization of machine learning and deep learning, I'm seeing a lot of that among data scientists in the business world. Well thank you, Pankaj, we're out of time right now. This has been very engaging and fascinating discussion. And we thank you very much for coming on theCUBE. This has been Pankaj Sodhi of Accenture. We're here at Data Works Summit 2018 in Berlin, Germany. Its been a great show, and we have more expert guests that we'll be interviewing later in the day. Thank you very much, Pankaj. >> Thank you very much, Jim.