>> live from New York. It's the Q covering AWS Global Summit 2019 brought to you by Amazon Web service, is >> welcome back here in New York City on stew Minimum. My co host is Corey Quinn. In the keynote this morning, Warner Vogel's made some new announcements what they're doing and also brought out a couple of customers who are local and really thrilled and excited to have on the program the C i O and E V P from Finn Ra here in New York City. Steve Randall, thanks so much for joining us. You're welcome. Thank you. All right, so, you know, quite impressive. You know when when I say one of those misunderstood words out there to talk about scale and you talk about speed and you know, you were you know, I'm taking so many notes in your keynote this 1 500,000 compute note. Seven terabytes worth of new data daily with half a trillion validation checks per day, some pretty impressive scale, and therefore, you know, it's I t is not the organ that kind of sits in the basement, and the business doesn't think about it business and I t need to be in lobster. So, you know, I think most people are familiar with in Rome. But maybe give us the kind of bumper sticker as Thio What dinner is today and you know, the >> the organization. Yeah, I started it Fender and 2013. I thought I was gonna come into a typical regulator, which is, as you alluded to technologies, kind of in the basement. Not very important, not strategic. And I realized very quickly two things. Number one, The team was absolutely talented. A lot of the people that we've got on her team came from start ups and other technology companies. Atypical financial service is and the second thing is we had a major big data challenge on our hands. And so the decision to go to the cloud S I started in March 2013. By July of that year, I was already having dialogue with our board of directors about having to go to the cloud in orderto handle the data. >> Yeah, so you know, big data was supposed to be that bit flip that turned that. Oh, my God. I have so much data to Oh, yea, I can monetize and do things with their data. So give us a little bit of that, That data journey And what? That that you talk about the flywheel? The fact that you've got inside Finneran. >> Yeah. So we knew that we needed the way were running at that time on data warehouse appliances from E, M. C. And IBM. And which a data warehouse appliance. You go back 10 15 years. That was where big data was running. But those machines are vertically scalable, and when you hit the top of the scale, then you've got to buy another bigger one, which might not be available. So public cloud computing is all about horizontal scale at commodity prices to things that those those data data warehouse appliance didn't have. They were vertical and proprietary, inexpensive. And so the key thing was to come up to select the cloud vendor between Google, IBM, You know, the usual suspects and architect our applications properly so that we wouldn't be overly vendor dependent on the cloud provider and locked in if you will, and that we could have flexibility to use commodity software. So we standardized in conjunction with our move to the public cloud on open source software, which we continue today. So no proprietary software for the most part running in the cloud. And we were just very smart about architect ing our systems at that point in time to make sure that those opportunities prevailed. And the other thing I would say, this kind of the secret of our success Is it because we were such early adopters we were in the financial service industry and a regulator toe boots that we had engineering access to the cloud providers and the big, big date open source software vendors. So we actually had the engineers from eight of us and other firms coming in to help us learn how to do it, to do it right. And that's been part of our culture ever since. >> One thing that was, I guess a very welcome surprise is normally these keynotes tend to fall into almost reductive tropes where first, we're gonna have some Twitter for pet style start up talking about all the higher level stuff they're doing, and then we're gonna have a large, more serious company. Come in and talk about how we moved of'em from our data center into the cloud gay Everyone clap instead, there was it was very clear. You're using higher level, much higher level service is on top of the cloud provider. It's not just running the M somewhere else in the same way you would on premise. Was that a transitional step that you went through or did you effectively when you went all in, start leveraging those higher service is >> okay. It's a great question. And ah, differentiator for us versus a lot. A lot of the large organizations with a legacy footprint that would not be practical to rewrite. We had outsourced I t entirely in the nineties E T s and it was brought back in source in in house early in this decade. And so we had kind of a fresh, fresh environment. Fresh people, no legacy, really other than the data warehouse appliances. So we had a spring a springboard to rewrite our abs in an agile way to be fully cloud enabled. So we work with eight of us. We work with Cloudera. We work with port works with all the key vendors at that time and space to figure out how to write Ah wraps so they could take most advantage of what the cloud was offering at that time. And that continues to prevail today. >> That that's a great point because, you know so often it's that journey to cloud. But it's that application modernization, that journey. Right. So bring us in little inside there is. You know how it is. You know, what expertise did Finn Ra have there? I mean, you don't want to be building applications. It is the open stuff source. The things wasn't mature enough. How much did they have toe help work, you know, Would you call it? You know, collaboration? >> Yeah. The first year was hard because I would have, you know, every high performance database vendor, and I see a number of them here today. I'm sure they're paddling their AWS version now, but they had a a private, proprietary database version. They're saying if you want to handle the volumes that you're seeing and predicting you really need a proprietary, they wouldn't call it proprietary. But it was essentially ah, very unique solution point solution that would cause vendor dependency. And so and then and then my architects internally, we're saying, No way, Wanna go open source because that's where the innovation and evolution is gonna be fastest. And we're not gonna have vendor Lock in that decision that that took about a year to solidify. But once we went that way, we never looked back. So from that standpoint, that was a good bad, and it made sense. The other element of your question is, how How much of this did we do on our own, rely on vendors again? The kind of dirty little secret of our beginnings here is that we ll average the engineer, you know, So typically a firm would get the sales staff, right. We got the engineers we insisted on in orderto have them teach our engineers how to do these re architectures to do it right. Um and we use that because we're in the financial service industry as a regulator, right? So they viewed us as a reference herbal account that would be very valuable in their portfolio. So in many regards, that was way scratch each other's back. But ultimately, the point isn't that their engineers trained our engineers who trained other engineers. And so when I when I did the, uh um keynote at the reinvented 2016 sixteen one of my pillars of our success was way didn't rely overly on vendors. In the end, we trained 2016 1 5 to 600 of our own staff on how to do cloud architectures correctly. >> I think at this point it's very clear that you're something of an extreme outlier in that you integrate by the nature of what you do with very large financial institutions. And these historically have not been firms that have embraced the cloud with speed and enthusiasm that Fenner has. Have you found yourself as you're going in this all in on the cloud approach that you're having trouble getting some of those other larger financial firms to meet you there, or is that not really been a concern based upon fenders position with an ecosystem? >> Um, I would say that five years ago, very rare, I would say, You know, we've had a I made a conscious effort to be very loud in the process of conferences about our journey because it has helped us track talent. People are coming to work for us as a senior financial service. The regulator that wouldn't have considered it five years ago, and they're doing it because they want to be part of this experience that we're having, but it's a byproduct of being loud, and the press means that a lot of firms are saying, Well, look what Fender is doing in the cloud Let's go talk to them So we've had probably at this 50.200 firms that have come defender toe learn from our experience. We've got this two hour presentation that kind of goes through all the aspects of how to do it right, what, what to avoid, etcetera, etcetera. And, um, you know, I would say now the company's air coming into us almost universally believe it's the right direction. They're having trouble, whether it's political issues, technology dat, you name it for making the mo mentum that we've made. But unlike 45 years ago, all of them recognize that it's it's the direction to go. That's almost undisputed at this point. And you're opening comment. Yeah, we're very much an outlier. We've moved 97 plus percent of our APS 99 plus percent of our data. We are I mean, the only thing that hasn't really been moved to the cloud at this point our conscious decisions, because those applications that are gonna die on the vine in the data center or they don't make sense to move to the cloud for whatever reason. >> Okay, You've got almost all your data in the cloud and you're using open source technology. Is Cory said if I was listening to a traditional financial service company, you know, they're telling me all the reasons that for governance and compliance that they're not going to do it. So you know, why do you feel safe putting your your data in the cloud? >> Uh, well, we've looked at it. So, um, I spent my first year of Finn run 2013 early, 2014 but mostly 2013. Convincing our board of directors that moving our most critical applications to the public cloud was going to be no worse from the information security standpoint than what we're doing in our private data centers. That presentation ultimately made it to other regulators, major firms on the street industry, lobbyist groups like sifma nephi. AP got a lot of air time, and it basically made the point using logic and reasoning, that going to the cloud and doing it right not doing it wrong, but doing it right is at least is secure from a physical logical standpoint is what we were previously doing. And then we went down that route. I got the board approval in 2015. We started looking at it and realizing, Wait a minute, what we're doing here encrypting everything, using micro segmentation, we would never. And I aren't doing this in our private data center. It's more secure. And at that point in time, a lot of the analysts in our industry, like Gardner Forrester, started coming out with papers that basically said, Hey, wait a minute, this perception the cloud is not as safe is on Prem. That's wrong. And now we look at it like I can't imagine doing what we're doing now in a private data center. There's no scale. It's not a secure, etcetera, etcetera. >> And to some extent, when you're dealing with banks and start a perspective now and they say, Oh, we don't necessarily trust the cloud. Well, that's interesting. Your regulator does. In other cases, some tax authorities do. You provided tremendous value just by being as public as you have been that really starts taking the wind out of the sails of the old fear uncertainty and doubt. Arguments around cloud. >> Yeah, I mean, doubts around. It's not secure. I don't have control over it. If you do it right, those are those are manageable risks, I would argue. In some cases, you've got more risk not doing it. But I will caution everything needs to be on the condition that you've got to do it right. Sloppy migration in the cloud could make you less secure. So there there are principles that need to be followed as part of >> this. So Steve doing it right. You haven't been sitting still. One of the things that really caught my attention in the keynote was you said the last four years you've done three re architectures and what I want. Understand? You said each time you got a better price performance, you know, you do think so. How do you make sure you do it right? Yet have flexibility both in an architect standpoint, and, you know, don't you have to do a three year reserves intense for some of these? How do you make sure you have the flexibility to be able to take advantage of you? Said the innovation in automation. >> Yeah. Keep moving forward with. That's Ah, that's a deep technical question. So I'm gonna answer it simply and say that we've architected the software and hardware stack such. There's not a lot of co dependency between them, and that's natural. I t. One on one principle, but it's easier to do in the cloud, particularly within AWS, who kind of covers the whole stacks. You're not going to different vendors that aren't integrated. That helps a lot. But you also have architect it, right? And then once you do that and then you automate your software development life cycle process, it makes switching out anyone component of that stack pretty easy to do and highly automated, in some cases completely automated. And so when new service is our new versions of products, new classes of machines become available. We just slip him in, and the term I use this morning mark to market with Moore's Law. That's what we aspire to do to have the highest levels of price performance achievable at the time that it's made available. That wasn't possible previously because you would go by ah hardware kit and then you'd appreciate it for five years on your books at the end of those five years, it would get kind of have scale and reliability problems. And then you go spend tens of millions of dollars on a new kit and the whole cycle would start over again. That's not the case here. >> Machine learning something you've been dipping into. Tell us the impact, what that has and what you see. Going forward. >> It's early, but we're big believers in machine learning. And there's a lot of applications for at Venera in our various investigatory and regulatory functions. Um, again, it's early, but I'm a big believer that the that the computer stored scale, commodity costs in the public cloud could be tapped into and lever it to make Aye aye and machine learning. Achieve what everybody has been talking about it, hoping to achieve the last several decades. We're using it specifically right now in our surveillance is for market manipulation and fraud. So fraudsters coming in and manipulating prices in the stock market to take advantage of trading early days but very promising in terms of what it's delivered so far. >> Steve want to give you the final word. You know, your thank you. First of all for being vocal on this. It sounds like there's a lot of ways for people to understand and see. You know what Fenner has done and really be a you know, an early indicator. So, you know, give us a little bit. Look forward, you know what more? Where's Finn Ra going next on their journey. And what do you want to see more from, You know, Amazon and the ecosystem around them to make your life in life, your peers better. >> Yes. So some of the kind of challenges that Amazon is working with us and partnering Assan is getting Ah Maur, automated into regional fell over our our industries a little bit queasy about having everything run with a relatively tight proximity in the East Coast region. And while we replicate our data to the to the other East region, we think AIM or co production environment, like we have across the availability zones within the East, would be looked upon with Maur advocacy of that architecture. From a regulatory standpoint, that would be one another. One would be, um, one of the big objections to moving to a public cloud vendor like Amazon is the vendor dependency and so making sure that we're not overly technically dependent on them is something that I think is a shared responsibility. The view that you could go and run a single application across multiple cloud vendors. I don't think anybody has been able to successfully do that because of the differences between providers. You could run one application in one vendor and another application in another vendor. That's fine, but that doesn't really achieve the vendor dependency question and then going forward for Finn or I mean, riel beauty is if you architected your applications right without really doing any work at all, you're going to continuously get the benefits of price performance as they go forward. You're not kind of locked into a status quo, So even without doing much of any new work on our applications, we're gonna continue to get the benefits. That's probably outside of the elastic, massive scale that we take advantage of. That's probably the biggest benefit of this whole journey. >> Well, Steve Randall really appreciate >> it. >> Thank you so much for sharing the journey of All right for Cory cleanups to minimum back with lots more here from eight Summit in New York City. Thanks for watching the cue

>> Narrator: Live from New York, it's theCube! Covering AWS Global Summit 2019, brought to you by Amazon Web Services. >> Welcome back, we're here at the Javits Center in New York City for AWS Summit, I'm Stu Miniman, my cohost is Corey Quinn and happy to welcome to the program Scott Mullins, who's the head of Worldwide Financial Services Business Development with Amazon Web Services based here in The Big Apple, thanks so much for joining us. >> Thanks for having me, Stu, thanks for having me, Corey. >> All right so we had obviously financial services big location here in New York City. We just had FINRA on our program, had a great conversation about how they're using AWS for their environments, but give us a thumbnail if you will about your business, your customers and what you're seeing there. >> Sure, we're working with financial institutions all the way from the newest FinTech startups, all the way to organizations like FINRA, the largest exchanges and brokers dealers like Nasdaq, as well as insurers and the largest banks. And I've been here for five years and in that time period I actually went from being a customer speaking at the AWS Summit here in the Javits Center on stage like Steve Randich was today to watching more and more financial institutions coming forward, talking about their use in the cloud. >> Yeah before we get into technology, one of the biggest trends of moving to cloud is I'm moving from CapEx more to OpEx and oh my gosh there's uncertainty because I'm not locking in some massive contract that I'm paying up front or depreciating over five years but I've got flexibility and things are going to change. I'm curious what you're seeing as the financial pieces of how people both acquire and keep on the books what they're doing. >> Yeah it can be a little bit different, right, then what most people are used to. They're used to kind of that muscle memory and that rhythm of how you procured technology in the past and there can be a stage of adjustment, but cost isn't really the thing that people I think look to the most when it comes to cloud today, it's all about agility and FINRA is a great example. Steve has talked about over and over again over the last several years how they were able to gain such business agility and actually to do more, the fact that they're now processing 155 billion market events every night and able to run all their surveillance routines. That's really indicative of the value that people are looking for. Being able to actually get products to market faster and reducing development cycles from 18 months to three months, like Allianz, one of our customers over in Europe has been able to do. Being able to go faster I think actually trumps cost from the standpoint of what that biggest value driver that we're seeing our customers going after in financial services. >> We're starting to see such a tremendous difference as far as the people speaking at these keynotes. Once upon a time you had Netflix and folks like that on stage telling a story about how they're using cloud to achieve all these amazing things, but when you take a step back and start blinking a little bit, they fundamentally stream movies and yes, produce some awesome original content. With banks and other financial institutions if the ATM starts spitting out the wrong number, that's a different point on the spectrum of are people going to riot in the street. I'm not saying it's further along, people really like their content but it's still a different use case with a different risk profile. Getting serious companies that have world shaking impact to trust public cloud took time and we're seeing it with places like FINRA, Capital One has been very active as far as evangelizing their use of cloud. It's just been transformative. What does that look like, from being a part of that? >> Well you know it's interesting, so you know you just said it, financial services is the business of risk management. And so to get more and when you see more and more of these financial institutions coming forward and talking about their use of cloud, what that really equates to is comfort, they've got that muscle memory now, they've probably been working with us in some way, shape or form for some great period of time and so if you look at last year, you had Dean Del Vecchio from Guardian Life Insurance come out on stage at Reinvent and say to the crowd "Hey we're a 158 year old insurance company but we've now closed our data center and we're fully on AWS and we've completed the transformation of our organization". The year before you saw Goldman Sachs walk out and say "Yeah we've been working with AWS for about four years now and we're actually using them for some very interesting use cases within Goldman Sachs". And so typically what you've seen is that over the course of about a two year to sometimes a four year time period, you've got institutions that are working deeply with us, but they're not talking about it. They're gaining that muscle memory, they're putting those first use cases to begin to scale that work up and then when they're ready man, they're ready to talk about it and they're excited to talk about it. What's interesting though is today we're having this same summit that we're having here in Cape Town in Africa and we had a customer, Old Mutual, who's one of the biggest insurers there, they just started working with us in earnest back in May and they were on stage today, so you're seeing that actually beginning to happen a lot quicker, where people are building that muscle memory faster and they're much more eager to talk about it. You're going to see that trend I think continue in financial services over the next few years so I'm very excited for future summits as well as Reinvent because the stories that we're going to see are going to come faster. You're going to see more use cases that go a lot deeper in the industry and you're going to see it covering a lot more of the industry. >> It's very much not, IT is no longer what people think of in terms of Tech companies in San Francisco building products. It's banks, it's health care and these companies are transitioning to become technology companies but when your entire, as you mentioned, the entire industry becomes about risk management, it's challenging sometimes to articulate things when you're not both on the same page. I was working with a financial partner years ago at a company I worked for and okay they're a financial institution, they're ready to sign off on this but before that they'd like to tour US East one first and validate that things are as we say they are. The answer is yeah me too, sadly, you folks have never bothered to invite me to tour an active AZ, maybe next year. It's challenging to I guess meet people where they are and speak the right language, the right peace for a long time. >> And that's why you see us have a financial services team in the first place, right? Because your financial services or health care or any of the other industries, they're very unique and they have a very specific language and so we've been very focused on making sure that we speak that language that we have an understanding of what that industry entails and what's important to that industry because as you know Amazon's a very customer obsessed organization and we want to work backwards from our customers and so it's been very important for us to actually speak that language and be able to translate that to our service teams to say hey this is important to financial services and this is why, here's the context for that. I think as we've continued to see more and more financial institutions take on that technology company mindset, I'm a technology company that happens to run a bank or happens to run an exchange company or happens to run an insurance business, it's actually been easier to talk to them about the services that we offer because now they have that mindset, they're moving more towards DevOps and moving more towards agile. And so it's been really easy to actually communicate hey, here are the appropriate changes you have to make, here's how you evolve governance, here's how you address security and compliance and the different levels of resiliency that actually improve from the standpoint of using these services. >> All right so Scott, back before I did this, I worked for some large technology suppliers and there were some groups on Wall Street that have huge IT budgets and IT staffs and actually were very cutting edge in what they were building, in what they were doing and very proud of their IT knowledge, and they were like, they have some of the smartest people in the industry and they spend a ton of money because they need an edge. Talking about transactions on stock markets, if I can translate milliseconds into millions of dollars if I can act faster. So you know, those companies, how are they moving along to do the I need to build it myself and differentiate myself because of my IT versus hey I can now have access to all the services out there because you're offering them with new ones every day, but geez how do I differentiate myself if everybody can use some of these same tools. >> So that's my background as well and so you go back that and milliseconds matter, milliseconds are money, right? When it comes to trading and actually building really bespoke applications on bespoke infrastructure. So I think what we're seeing from a transitional perspective is that you still have that mindset where hey we're really good at technology, we're really good at building applications. But now it's a new toolkit, you have access to a completely new toolkit. It's almost like The Matrix, you know that scene where Neo steps into that white room and hey says "I need this" and then the shelves just show up, that's kind how it is in the cloud, you actually have the ability to leverage the latest and greatest technologies at your fingertips when you want to build and I think that's something that's been a really compelling thing for financial institutions where you don't have to wait to get infrastructure provisioned for you. Before I worked for AWS, I worked for large financial institutions as well and when we had major projects that we had to do that sometimes had a regulatory implication, we were told by our infrastructure team hey that's going to be six months before we can actually get your dev environment built so you can actually begin to develop what you need. And actually we had to respond within about thirty days and so you had a mismatch there. With the cloud you can provision infrastructure easily and you have an access to an array of services that you can use to build immediately. And that means value, that means time to market, that means time to answering questions from customers, that means really a much faster time to answering questions from regulatory agencies and so we're seeing the adoption and the embrace of those services be very large and very significant. >> It's important to make sure that the guardrails are set appropriately, especially for a risk managed firm but once you get that in place correctly, it's an incredible boost of productivity and capability, as opposed to the old crappy way of doing governance of oh it used to take six weeks to get a server in so we're going to open a ticket now whenever you want to provision an instance and it only takes four, yay we're moving faster. It feels like there's very much a right way and a wrong way to start embracing cloud technology. >> Yeah and you know human nature is to take the run book you have today and try to apply it to tomorrow and that doesn't always work because you can use that run book and you'll get down to line four and suddenly line four doesn't exist anymore because of what's happened from a technological change perspective. Yeah I think that's why things like AWS control tower and security hub, which are those guardrails, those services that we announced recently that have gone GA. We announced them a couple of weeks ago at Reinforce in Boston. Those are really interesting to financial services customers because it really begins to help automate a lot of those compliance controls and provisioning those through control tower and then monitoring those through security hub and so you've seen us focus on how do we actually make that easier for customers to do. We know that risk management, we know that governance and controls is very important in financial services. We actually offer our customers a way to look from a country specific angle, add the different countries and the rule sets and the requirements that exist in those countries and how you map those to our controls and how you map those into your own controls and all the considerations that you have, we've got them on our public website. If you went to atlas.aws right now, that's our compliance center, you could actually pick the countries you're interested in and we'll have that mapping for you. So you'll see us continue to invest in things like that to make that much easier for customers to actually deploy quickly and to evolve those governance frameworks. >> And things like with Artifact, where it's just grab whatever compliance report you need, submit it and it's done without having to go through a laborious process. It's click button, receive compliance in some cases. >> If you're not familiar with it you can go into the AWS console and you've got Artifact right there and if you need a SOC report or you need some other type of artifact, you can just download it right there through the console, yeah it's very convenient. >> Yeah so Scott you know we talked about some of the GRC pieces in place, what are you seeing trends out there kind of globally, you know GDRP was something that was on everybody's mind over the last year or so. California has new regulations that are coming in place, so anything specific in your world or just the trends that you're seeing that might impact our environments-- >> I think that the biggest trends I would point to are data analytics, data analytics, data analytics, data analytics. And on top of that obviously machine learning. You know, data is the lifeblood of financial services, it's what makes everything go. And you can look at what's happening in this space where you've got companies like Bloomberg and Refinitiv who are making their data products available on AWS so you can get B-Pipe on AWS today, you can also get the elektron platform from Refintiv and then what people are trying to do in relation to hey I want to organize my data, I want to make it much easier to actually find value in data, both either from the standpoint of regulatory reporting, as you heard Steve talk about on stage today. FINRA is building a very large data repository that they have to from the standpoint of a regulatory perspective with CAT. Broker dealers have to actually feed the CAT and so they are also worried about here in the US, how do I actually organize my data, get all the elements I have to report to CAT together and actually do that in a very efficient way. So that's a big data analytic project. Things that are helping to make that much easier are leg formations, so we came up with leg formation last year and so you've got many financial institutions that are looking at how do you make building a data leg that much easier and then how do you layer analytics on top of that, whether it's using Amazon elastic map reduce or EMR to actually run regulatory reporting jobs or how do I begin to leverage machine learning to actually make my data analytics from a standpoint of trade surveillance or fraud detection that much more enriched and actually looking for those anomalies rather than just looking for a whole bunch of false positives. So data analytics I think is what I would point to as the biggest trend and how to actually make data more useful and how to get to data insights faster. >> On the one end it seems like there's absolutely a lot of potential in this, on the other it feels in many cases with large scale data analytics, it's we have all these tools for machine learning and the rest that we can wind up passing out to you but you need to figure out what to do with them, how to make it work and it's unclear outside of a few specific use cases and I think you've alluded to a couple of those how to take in a typical business that maybe doesn't have an enormous pile of data and start applying machine learning to it in a way that makes intelligent sense. That feels right now like a storytelling failure to some extent industry wide. We're starting to see some stories emerge but it still feels a little "Gold Rush"-y to some extent. >> Yeah I would say, and my advice would be don't try to boil the ocean or don't try to boil the data leg, meaning you want to do machine learning, you've got a great amount of earnestness about that but picture use case, really hone in on what you're trying to accomplish and work backwards from that. And we offer tooling that can be really helpful in that, you know with stage maker you can train your models and you can actually make data science available to a much broader array of people than just your data scientists. And so where we see people focusing first, is where it matters to their business. So if you've got a regulatory obligation to do surveillance or fraud detection, those are great use cases to start with. How do I enhance my existing surveillance or fraud detection, so that I'm not just wading again through a sea of false positives. How do I actually reduce that workload for a human analyst using machine learning. That's a one step up and then you can go from there, you can actually continue to work deeper into the use cases and say okay how do I treat those parameters, how do I actually look for different things that I'm used to with the rules based systems. You can also look at offering more value to customers so with next best offer with Amazon Personalize, we now have encapsulated the service that we use on the amazon.com retail site as a service that we offer to customers so you don't have to build all that tooling yourself, you can actually just consume Personalize as a service to help with those personalized recommendations for customers. >> Scott, really appreciate all the updates on your customers in the financial services industry, thanks so much for joining us. >> Happy to be here guys, thanks for having me. >> All right for Corey Quinn, I'm Stu Miniman, back with more here at AWS Summit in New York City 2019, thanks as always for watching theCube.

>> Live from Orlando, Florida, it's theCUBE, covering .conf 18. Brought to you by Splunk. >> We're back in Orlando, everybody, at Splunk .conf18, #splunkconf18. I'm Dave Vellante with my co-host Stu Miniman. You're watch theCUBE, the leader in live tech coverage. We like to go out to the events. We want to extract the signal from the noise. We've been documenting the ascendancy of Splunk for the last seven years, how Splunk really starts in IT operations and security, and now we hear today Splunk has aspirations to go into the line of business, but speaking of security, Gary Mikula is here. He's a senior director of cyber and information security at FINRA, and he's joined by Siddharta "Sid" Dadana, who's the director of information security engineering at FINRA. Gentlemen, welcome back to theCUBE, Gary, and Sid, first-timer, welcome on theCUBE. So, I want to start with FINRA. Why don't you explain, I mean, I think many people know what FINRA is, but explain what you guys do and, sort of, the importance of your mission. >> Sure, it's our main aspiration is to protect investors, and we do that in two ways. We actually monitor the brokers and dealers that do trades for people, but more importantly, and what precipitated our move to the Cloud was the enormous amount of data that we have to pull in daily. Every transaction on almost every US stock market has to be surveilled to ensure that people are acting properly, and we do that at the petabyte scale, and doing that with your own hardware became untenable, and so the ability to have elastic processing in the Cloud became very attractive. >> How much data are we talking about here? Is there any way you can, sort of, quantify that for us, or give us a mental picture? >> Yeah, so the example I use is, if you took every transaction that Visa has on a normal day, every Facebook like, every Facebook update, and if you took every Twitter tweet, you added them altogether, you multiplied it by 20, you would still not reach our peak on our peak day. >> (laughs) Hence, Splunk. And we'll talk about that but, Sid, what's your role, you got to architect all this stuff, the data pipeline, what do you... >> So, my role is basically to work with the webs teams, application teams to basically integrate security in the processes, how they roll out applications, how they look at data, how they use the same data that security uses for them to be able to leverage it for the webs and all the performances. >> So, your mission is to make sure security's not an afterthought, it's not a bolt-on, it's a fundamental part of the development process, so it's not thrown over the fence, "Hey, secure this application." It's built in, is that right? >> Yes. >> Okay. Gary, I wonder if you could talk about how security has changed over the last several years. You hear a lot that, well, all the spending historically has been on keeping the bad guys out the perimeter. As the perimeter disappears, things change, and the emphasis changes. Certainly, data is a bigger factor, analytics have come into play. From your perspective, what is the big change or the big changes in security? >> So, it's an interesting question. So I've been through several paradigm changes, and I don't think anyone has been as big as the move the Cloud, and... The Cloud offers so much opportunity from a cost perspective, from a processing perspective, but it also brings with it certain security concerns. And we're able to use tools like Splunk to be able to do surveillance on our AWS environments in order to give us the confidence to be able to use those services up there. And so, we now are actually looking at how we're going to secure individual AWS services before we use them, rather than looking to bring stovepipe solutions in, we're looking to leverage our AWS relationship to be able to leverage what they've built out of the box. >> Yeah, people oftentimes, Stu, talk about Cloud security like it's some binary thing. "Oh, I don't want to go the Cloud, because Cloud is dangerous" or "Cloud security is better". It's not that simple, is it? I mean, maybe the infrastructure. In fact, we heard the CIA, Stu and I were in D.C. in December, we heard the CIO of the CIA say, "The Cloud, its worse day is better than my client's server from a security perspective." But he's really talking about the infrastructure. There's so much more to security, right? >> Absolutely, and, so I agree that the Cloud gives the opportunity to be better than you are on PRAM. I think the way FINRA's rolled out, we've shown that we are more secure in the Cloud than we have been on traditional data centers, and it's because of our ability to actually monitor our whole AWS environment. Everything is API-based. We know exactly what everybody's doing. There's no shadow IT anymore, and those are all big positives. >> Yeah, I'm wondering how you've, what KPIs you look at when you look at your Splunk environment. What we hear from Splunk, you know, it's scalability, cost, performance, and then that management, the monitoring of the environment. How are they doing? How does that make your job easier? >> So, I think we still look at the same KPIs that Splunk advertises all the time, but some of the reasons, from our perspective, we kind of look at it in terms of, how much value can we give it to not just one part of the company, but how can we make it much more enhanceable part for everyone in the organization. So, the more we do that, I think that makes it a much better ROI for any organization to use a product like this one. >> You guys talk about the "shift left" movement. What is "shift left" and what is the relevance to security? >> Yeah so, "shift left" is a concept where, instead of looking at security as a bolt-on, or an add-on, or a separate entity, we're looking to leverage what are traditional DevOp tools, what are traditional SDLC pipeline roles, and we're looking at how we integrate security into that, and we use Splunk to be able to integrate collection of data into our CDCI pipelines, and it's all hands-off. So, somebody hits a button to deploy a new VPC and AWS, automatically things are monitored and into our enterprise search, I'm sorry, enterprise security SIM, and automatically being monitored. There's no hands-on that needs to be done. >> So, on a scale of one to five, thinking of a maturity model in terms of, in a DevOps context, five being, you know, the gold standard and one being you're just getting started. Where would you put FINRA on that spectrum, I mean, just subjectively? >> So, I'll never say that we're a five because I think there's always, >> You're never done. >> You're never done and there's always room for improvement, but I think we're at least a strong four. We've embraced those concepts, and we've put them into action. >> And so, I thought so, and I want to ask you from a skill standpoint how you got there. So, you've been around a long time. You had a Dev team and an Ops team before the term DevOps even came around, right? And we talk about this a lot, Stu. What did you do with the Ops guys and the Dev guys? Is it OpsDev or DevOps? Did you retrain them? Did you fire them all and hire new people? How did you go through that transition? >> Yep, that's a fair thing. I went to my CISO John Brady a couple of years ago and I told him that we were going to need to get these new skill sets in, and that I thought I had the right person in Sid to be able to head that up, and we brought in some new talent, but we also retrained the existing talent because these were really bright people, and they still had the security skills. And what Sid's been able to do is to embrace that and create a working relationship with the traditional DevOps teams so that we can integrate into their tools. >> So, it does include a little bit work even on our end to do where you kind of learn how the DevOps forces work, so you've got to do it on your own to first figure out things and then you can actually relate to the problems which they will go through and then you work through problems with them, rather than you designing up a solution and then just say, "Hey, go and implement it out." So, I think that kind of relationship has helped us and in the long run, we hope to do a bit better work. >> Yes, Sid, can you bring us in a little bit, when you look at your Splunk deployment, FINRA'S got a lot of applications, how do you get all those various applications in there? You know, Splunk talks about, you can get access to your data your way, do you find that to be the reality? >> Yes, to a certain extent, so... Let's take a step back here. So our design is much more hybrid-oriented. So, we use Splunk Cloud, but that's primarily for our indexers whereas we host our own sort of class receptor. All the data basically goes in from servers from AWS components, from on-prem, basically it flows into our Splunk Cloud indexers, and we use a role-based access management to actually give everyone access to whatever data they need to be looking at. >> Alright. The number of enhancements from 702, updates, the Cloud, Gar-Gar, is there anything that's jumped out that's going to architecturally help your team? >> So, I think one of the interesting things is the new data pipeline, and to be able to actually mangle that data before I get it into my Splunk indexers is going to be really really life-changing for us. One of the hard parts is that developers write code and they don't necessarily create logs that are event-driven. They don't have date-time stamps, they do dumps. So, I'm going to be able to actually massage that before it hits the indexers, and it's going to speed up our ability to be able to provide quick searches because the indexers won't be working on mangling that data. >> And how big of a deal is it for you? They announced yesterday the ability to scale storage and compute separately in a more granular fashion, is that a big deal for you? >> So, I actually, I remember speaking to Doug Merritt probably three years ago. >> You started this! (laughing) >> And I said, "Doug", I said, "I really think that's the direction that you need to go. You're going to have to separate those two, eventually, because we're doing a petabyte scale, we realized very early that that'd need to be done. And so, it's really really refreshing to see, because it's going to be transformative to be able to do compute-on-demand after that. Because now we can start looking at API brokers, and we can start looking at containers, and all those other things can be integrated into Splunk. >> Love having customers on like you guys, so knowledgeable. I have to ask, switch gears a little bit, I want to ask you about your security regime. We had a customer on yesterday, and it was the CISO who reported to him. He was the EVP, and he reported to the CIO. A lot of organizations say, "You know what? We want the CISO to be separate from the CIO. Cause it's like the, you know, the fox in the henhouse kind of thing. And we want that a little bit of tension in there." How do you guys approach it? What's the regime you have for... >> That is a fair question, and I've heard that from many other CISOs that have that same sort of complaint. And I think it's really organization-based. And I think, do you have the checks and balances in place? First of all, our CIO, Steve Randich, is extremely, he cares a lot about security, and he is very good at getting funding for us for initiatives to help secure the environment. But more importantly, our board of directors bring up security at every board event. They care about it, they know about it, and that permeates through the organization. So there's a checks and balances to make sure that we have the right security in place. And it's a working relationship, not adversarial at all, so, having our CISO John Brady report to Steve Randich, the CIO, has not been a hindrance. >> And I think that's a change in the last several years, because that regime that I described, which was, there was sort of a wave there, where that became common, and I think you just hit on it. When security became a board-level issue, and for every Fortune 1000, Global 2000 company, it's a board-level issue. They talk about it every board meeting. When that occurred, I think there was an epiphany of, "We need the CIO to actually be on this." And you want the CIO to be responsible for that. And the change was, it used to be, "Hey, if I fail, I get fired." And I think boards now realize that "failure" in security doesn't mean you got breached. >> Sure. >> You know. Breaches are going to happen. It's how you respond to them and, you know, how you react to them that is becoming more important. So there's much more transparency around security in our view. I wonder if you agree with that. >> I think there's transparency. And the other thing is is that you have to put the decision-making where it makes the most sense. Most of the security breaches that we're talking about are highly technical in nature, where a CIO is better able to evaluate some of those decisions, not all companies have a CEO that came from a technology train in order to be able to make those decisions. So, I think it makes more sense to have the CISO report to somebody in the technology world. >> Great, thank you for that. Now, the other question I have for you is, in terms of FINRA's experience with Splunk, did it start with SecOps and security, or was it, sort of, IT operations, or...? >> It did, it started with security. We were disenfranchised with traditional SIMs that were out there, and we decided to go with Splunk, and we made the decision that security was going to own it, but we wanted it to be a corporate asset from day one. And we worked our tails off to integrate, through brown bags, through training. So we permeated through the organization. And, on any given week, we pull about 35-40% of all of technology is using Splunk at FINRA. >> So, I'm curious as to, we heard some announcements today, I don't know if you saw them, about, you know, Splunk Next, building on that, Splunk for the line of business, the business flow, they did a nice demo there. Do you see, because security sort of was the starting point, and your mission was always to permeate the organization, do you see that continuing to other parts of the organization more aggressively now given this sort of democratization of data for the business lines, and... Will you guys be a part of that, directly? >> We hope so. We hope we are part of that change, too. I mean, the more we can use the same data for even business users that will help them, that would relieve a lot of, and they made this point again and again in the keynote, too, that, the It Ops and SecOps are already burdened enough. So, how do we make life easy for business users who actually leverage the same data? So we hope to be able to put these tools up and see if it can make any difference to business users. >> So, you guys have put a lot of emphasis on integrating with Splunk and AWS Cloud. You have a presentation later on today at .conf18 around the AWS Firehose that you have with Splunk. What's that all about? What's the AWS Firehose? How are you integrating it? Why is it important? >> So, it is streaming and it allows me to get information from AWS that's typically in something called the CloudWatch Logs, that is really difficult to be able to talk to. And I want to get it into the Splunk so I can get more value from it. And what I'm able to do is put something called a subscription filter on it, and flow that data directly into Splunk. So, Splunk worked with AWS to create this integration between the two tools, and we think we've taken it to a high level. We use it for Lambda, to grab those logs, we use it for VPC Flow Logs, we're using it for SaaS Providers, provide APIs into their data, we use it for that, and finally, we're going to be doing database activity monitoring, all leveraging this same technology. >> Love it, I mean, you guys are on the forefront of Cloud and Splunk integration, Cloud adoption, DevOps, you guys have always been great about sharing your knowledge, you know, with others, and we really appreciate you guys coming on theCUBE. Thank you. >> Thanks for having us. >> You're welcome. Alright, keep it right there, everybody. Stu and I will be back. You're watching theCUBE from .conf18, Splunk's big user conference. We'll be right back. (electronic music)