>>live from Las Vegas. It's the Cube covering Splunk dot com. 19. Brought to you by spunk. >>Okay, welcome back. Everyone secures live coverage in Las Vegas response dot com. I'm John Ferrier, host of the Cube. We're here for three days is a spunk. Spunk dot com 10 anniversary of their end user conference way Got some great guests here. They talk about diversity, inclusion breaking the barrier. Women in tech We got some great guests. Jane Heights, I add Si io National government service is Thanks for joining us. Appreciate it. Carol Jones, CEO Sandy and National Labs from Albuquerque Think coming on to CEOs of excited Suzanne McGovern. Diversity and inclusion talent leader for Splunk Thanks for guys joining us. Really appreciate it. I want to get into a panel you guys discuss because this is the area of really important to the workforce. Global workforce is made up of men and women, but most of the software text built by mostly men. But we get that second. I want to get in, find out what you guys are doing in your rolls because you guys, the journey is breaking through the barrier. Start with you. What's your role. What do you do? Their CEO. >>So I am CEO for National Government Service Is we do Medicare claims processing for the federal government. We also have a number of I t contracts with CMS. And, um, I organ. I have an organization of 331 people. Very different organization, Data center, infrastructure security gambit of I t, if you will. A great group of people divers were in Baltimore. Where? In Indianapolis. We're out of the kingdom office. How >>long have you been in 19 >>My career. So yes. Yeah. The waves. Yes. I have seen the waves have Daryl >>Jones and I'm c i o same National Laboratories. It's a federally funded research and development center. So we do research and development from on behalf of the U. S. Government. I have about 500 employees and 400 contractors. So we provide the I T for Sadia, all gametes of it, including some classified environments. >>A lot of security, your role. What's wrong? >>I'm the chief diversity officer. It's Plus I get the pleasure to do that every day. A swell, a cz. It's everyone's job. Not just magically explode. But I'm very honored to do that. How to look after talent. >>I want to compliment you guys on your new branding. Thank not only is a cool and really picking orange, but also that position is very broad and everything is trade message. But the big posters have diversity. Not a bunch of men on the posters. So congratulations, it's anger. Representative is really important. Worth mentioning. Okay, let's start with the journey. The topic you guys just talked about on a panel here in Las Vegas is female leaders smashing the glass ceiling. So when you smash his last ceiling, did you get caught? Was her bleeding? What happened? Take us for your journey. What was big? Take away. What's the learnings? Share your stories. >>Well, a lot of it, as I shared today with Panel, is really learning and be having that Lerner mindset and learning from something that you do, which is part of your life. And I use the example of I'm married to an Indian Muslim, went to India, spent some time with his family, and they told me Let's be ready at 6 30 and I said, Okay, I'm ready. I'm ready. Dressed in 6 30 nobody else was ready. And everyone in the room said, Well, we're gonna have Chai first we're gonna have some tea And I was like, Well, you said 6 30 and I'm ready And, um, everyone said, Well, you know, we need to relax. We need to connect. We need to have some time So I took that back and said, You know what? We all need to make time for tea Way. All need to connect with our people and the individuals that work with us, And I've kind of taken that on through the last 20 years of being married, Tim. But connecting with individuals and your teams and your partner's is what's important and as what Lead Meeks. I've built those allies and that great group of people that >>being people centric, relationship driven, not so much chasing promotions or those kinds. >>That's what's worked for me. Yes, >>Carol, it's been your journey. Stories >>start a little bit of beginnings. I've been in Tech over 30 years. I got a bachelor's and marketing, and then I was looking to get my master's. So I got, um, I s degree, but I didn't know even to go into that field. So my professor said you needed to go into my s, so don't know that's too hard. You can't do that. You know, you could do it. So it's always been challenging myself and continuing learning. I worked at IBM then I was there in the time when they did great layoffs. So no, e he was 93 right to left. Only wonder he's gonna be left by the end of the year. >>You know, for the younger audience out there M I s stands from management information systems. Before that, there was data processing division which actually relevant today. Quite a journey. What a great spirit. What's the one thing that you could share? Folks, this is a lot of young women coming into the workforce, and a lot of people are looking at inspirational figures like yourselves that have been there and done that. There's a lot of mentoring going on is a lot of navigation for young women and understand minorities. And they just you guys, there's no real playbook. You guys have experiences. What's your advice, folks out watching >>my number one advice. And I gave this to people who are wanting to go into leadership. Trust yourself. Trust to you. Are you all got to this place because of the successful person you are and just continue to trust yourself to take advantage of those opportunities. Take a risk. I took a risk when my total focus was in Medicare. I was asked to do another job and I took another, you know, position. And it wasn't in Medicare. So you have to take those opportunities and risk and just trust that you're gonna get yourself. >>Carol. You're >>similar. It's to continue to grow and to be resilient, there'll be times in your career like a layoff where you don't know what you're gonna do. You bounce back and make it into uneven. Better job on. Take risks. I took a risk. I went into cybersecurity. Spent 10 years there, continuing learning and the Brazilian >>learnings key, right? I mean, one of the things about security mentioned 10 years. So much has changed, hasn't it? >>Well, it's bad. Guys still outnumber the good guys. That has changed faster. Exactly. Technologies change. >>Just talk about the diversity inclusion efforts. You guys have a Splunk Splunk cultures very open transparent on the technology solutions very enabling you actually enabling a lot of change on the solution side. Now we're seeing tech for good kind of stories because Texas Tech Tech for business. But also you're seeing speed and times value time to mission value, a new term way kicked around this morning. It's time to mission value. >>Yes. So I'm glad you mentioned data, right? We're data company, and we're very proud that we actually whole star diversity inclusion numbers, right? So way moved the needle 1.8% on gender last year, year on year pride, but not satisfied. We understand that there's much more to diversity inclusion than just gender, But our strategy is threefold for diversity. Inclusion. So it's work force, workplace marketplace farces around just where talk is improving our representation so that these women are no longer the only. These are in the minority that were much more represented, and we're lucky we have three women and our board. We have four women in our C suite, so we're making good good progress. But there's a lot more to do, and as I say, it's not just about gender. We want to do way, nor the innovation is fueled by diversity. So we want to try. You know, folks of different races, different ethnicity, military veterans, people with disability. We need everyone. It's belongs to be, since >>you guys are all three leaders in the industry, Thanks for coming on. Appreciate that. I want to ask you guys because culture seems to be a common thread. I mean, I do so money talks and interviews with leaders for all types, from digital transformation to Dev ops, the security and they always talk speeds in fees. But all the change comes from culture people on what I'm seeing is a pattern of success. Diversity inclusion works well if it's in the culture of the company, so one filter for anyone a woman or anyone is this is a company culturally aligned with it. So that's the question is what do you do when you have a culture that's aligned with it? And what do you do? There's a culture that's not allow, so you want to get out. But how do you unwind and how do you navigate and how do you see the size of signals? Because the date is there >>a way to certainly really harness and failed a culture of inclusion. And that's through employee resource groups in particular. So it's plunks. More than 50% of our spelunkers are actually members. Followers are allies on employee resource. So gives community. It gives that sense of inclusion so that everyone could bring their whole Selves to work. So, to your point, it really does build a different culture, different level of connection. And it's super different. >>Any thoughts on culture and signals look for good, bad, ugly, I mean, because you see a good ways taken right. Why not >>take a chance, right? Right. No, I think, you know, like you look at it and you decide, like some young women we were talking to, You know, Is this the right company for you? And if not, can you find an ally? You know, it's a feeling that the culture isn't there and helped educate him on help to get him to be Jack of what does he and his leaders, I think we have to always ask ourselves, Are we being inclusive for everyone >>and mine? I would spend it a little bit. Is that diversity and thoughts And how? When I joined this organization. Culture is a big factor that needs to change and some of the things that I'm working on, but to bring people to the table and hear those different thoughts and listen to them because they all do think differently. No matter color, race, gender, that sort of thing. So diversity and thought is really something that I try to focus in on >>carry. Palin was just on the Cuban CMO of Splunk and top of the logo's on the branding and, she said, was a great team effort. Love that because she's just really cool about that. And she said we had a lot of diversity and thought, which is a code word for debate. So when you have diversity, I want to get your thoughts on this because this is interesting. We live in a time where speed is a competitive advantage speed, creativity, productivity, relevance, scale. These air kind of the key kind of modern efforts. Diversity could slow things down, too, so but the benefit of diversity is more thought, more access to data. So the question is, what do you guys think about how companies or individuals could not lose the speed keep the game going on the speed and scale and get the benefits of the diversity because you don't want things to grind down. Toe halts way Slugs in the speed game get data more diverse. Data comes in. That's a technical issue. But with diversity, you >>want a challenge that, to be honest, because we're a data company in the details. Irrefutable. Right? So gender diverse Teams up inform homogeneous teams by about 15% if you take that to race and ethnicity was up to 33%. Companies like ourselves, of course, their numbers see an uptick in share price. It's a business imperative, right? We get that. It's the right thing to do. But this notion that it slows things down, you find a way right. You're really high performance. You find a way best time. So it doesn't always come fast, right? Sometimes it's about patients and leadership. So I'm on the side of data and the data is there. If you tickle, di bear seems just perform better, >>so if it is slowing down, your position would be that it's not working >>well. Yes, I know. I think you got to find a way to work together, you know? And that's a beautiful thing about places like spun were hyper cool, right? It's crazy. Tons of work to do different things were just talking about this in the break way have this unwritten rule that we don't hire. I'll see jerks for >>gender neutral data, saris, origin, gender neutral data. >>Yeah, absolutely no hiring folks are really gonna, you know, have a different cultural impact there. No cultural adds the organization way. Need everyone on bats. Beautiful thing. And that's what makes it special. >>I think you know, is you start to work and be more inclusive. You start to build trust. So it goes back to what Jane was talking about relationships. And so you gotta have that foundation and you can move fast and still be reversed. I >>think that's a very key point. Trust is critical because people are taking chances whether they're male or female. If the team works there like you see a Splunk, it shouldn't be an issue becomes an issue when it's issue. All right, so big Walk away and learnings over the years in your journey. What was some moments of greatness? Moments of struggle where you brought your whole self to bear around resolving in persevering what were some challenges in growth moments that really made a difference in your life breaking through that ceiling. >>Wow. Well, um, I'm a breast cancer survivor, and I, uh, used my job and my strength to pull me through that. And I was working during the time, and I had a great leader who took it upon herself to make sure that I could work if I wanted. Thio are not. And it really opened that up for me to be able to say, I can still bring my whole self, whatever that is today that I'm doing. And I look back at that time and that was a strength from inside that gave me that trust myself. You're going to get through it. And that was a challenging personal time, But yet had so many learnings in it, from a career perspective to >>story thanks for sharing Caroline stories and struggles and successes that made him big impact of you. Your >>life. It was my first level one manager job. I got into cybersecurity and I didn't know what I was doing. I came back. My boss of Carol. I don't know what you did this year, and so I really had to learn to communicate. But prior to that, you know that I would never have been on TV. Never would have done public speaking like we did today. So I had to hire a coach and learn hadn't forward on communications. Thanks for sharing stories, I think a >>pivotal moment for me. I was in management, consultants say, for the first half of my career, Dad's first child and I was on the highway with a local Klein seven in the morning. Closet Night started on a Sunday midday, so I didn't see her a week the first night. I know many women who do it just wasn't my personal choice. So I decided to take a roll internal and not find Jason and was told that my career would be over, that I would be on a track, that I wouldn't get partner anymore. And it really wasn't the case. I find my passions in the people agenda did leadership development. I didn't teach our role. I got into diversity, including which I absolutely love. So I think some of those pivotal moments you talked about resilient earlier in the panel is just to dig, dying to know what's important to you personally and for the family and really follow your to north and you know, it works out in the end, >>you guys air inspiration. Thank you for sharing that, I guess on a personal question for me, as a male, there's a lot of men who want to do good. They want to be inclusive as well. Some don't know what to do. Don't even are free to ask for directions, right? So what would you advise men? How could they help in today's culture to move the needle forward, to support beach there from trust and all these critical things that make a difference what you say to that? >>So the research says that women don't suffer from a lack of mentorship. The sucker suffer from a lack of advocacy. So I would say if you want to do something super easy and impactful, go advocate for women, go advocate for women. You know who is amazing I there and go help her forward >>in Korea. And you can do that. Whatever gender you are, you can advocate for others. Yeah, also echo the advocacy. I would agree. >>Trust relationships, yes, across the board >>way, said Thio. Some of the women and our allies today WAAS bring your whole self. And I would just encourage men to do that, to bring your whole self to work, because that's what speeds up the data exchange. That's what it speeds up. Results >>take a chance, >>Take a chance, bring your whole self >>get trust going right. He opened a communicated and look at the date on the photo booth. Datable driver. Thank you guys so much for sharing your stories in The Cube, you think. Uses the stories on the Cube segments. Cube coverage here in Las Vegas for the 10th stop. Compass Accused seventh year John Ferrier with Q. Thanks for watching.

>> Live from San Francisco, it's theCUBE, covering Google Cloud Next 2018. Brought to you by Google Cloud and it's ecosystem partners. >> Hello everyone, welcome back to theCUBE's exclusive coverage of Google Cloud here at Moscone South, in San Francisco. I'm John Furrier with Dave Vellante, covering all the stop stories here, and day one of three days of coverage with siliconeangle.com, thecube.net for all the great content. Our next guest is Suzanne Frey, director of security, trust, and compliance and privacy at Google Cloud, welcome to theCUBE, thanks for coming in today. >> Thank you so much, it's a pleasure to be here today. >> Don't you love the cube that Google built out here, fits the theme, it's beautiful. >> It is mighty fly, it is awesome. It's so exciting. >> That's great. Great to see Google kind of go the next level. The energy, the people in the company I've talked to, we've been following Diane's career since VMware. I knew she was an investor in Cloud, theCUBE actually started at the Cloud Air office when they got their first round of funding, so really a savvy industry executive. Now two years in the gestation period you can kind of see it. The best of Google being exposed to the world is really kind of a great strategy, we've been commenting on that, but one of things Google has, and has had for a long time is, they've had that really open culture of openness, open source, but trust; "Do no evil's" the slogan and they have all this expertise. >> Yep. >> Is your job to harness that. Take a minute, what is your job? Are you brokering all this greatness? Are you shepherding it? Are you influencing product? What's your role? >> My role, specifically, is to ensure that we make Google Cloud the most trusted place for user data. Now, trust is a multi-faceted thing. I often say that trust starts with making sure that what you expect is what you experience. That's the foundation of it and so my job is first to start there and make sure that everything that we do is in line with the customer's expectations and it's in line with what they experience once they're in the Cloud and that's everything from making sure that we're compliant, that we handle their data responsibly in line with all the rules and regulations around the world which vary greatly. You know all the way through to making sure that we're building exceptional, simple, smart, and secure products every single day across our stack. So that's my job and it's to galvanize that, not just in product and not just in expectations, but also in the people we hire and the culture we engender. >> You know it's interesting, we live in an interesting time right now, and as they say, if you look at the global landscape; from politics, play, to technology, a transformation is happening where security trust, the data, you got GDPR happening in Europe, you got fake news on Facebook, you got users not trusting where's my data, so you have this cultural dynamic, kind of independent of the mission of the big companies where there's an opportunity to use AI for good. There's an opportunity to have a compliance model that's going to maintain that. How does that affect you guys? I'm sure it does in some way, but this is on the minds of people. Surely no one want to be hacked, they want their data to be secure. I want to control my data. I want my data to be leverageable. I want to get utility out of the system, Because it's something bigger with Google Cloud, it's not part of a system. How are you guys talk about that internally? What are some of the conversations that you guys have around this cultural shift? >> It's day one of any new product of feature we develop, those conversations occur. It's part of our process in developing any new product or feature. We have a team, in fact a large portion of my organization is entirely dedicated to reviewing and scrutinizing every single feature, every single new product we bring to bear. Even if a customer wants to build, or I should say, even if an internal developer wants to build a new model, our team is responsible for reviewing that and making sure it's in line with the commitments we have to both legal commitments as well as our customers. So it's part of, and it continues all the way through to the point where I hit the launch button and say, "This is okay to go." >> (laughs) Nice. >> So the way you measure trust is that the expectations match the experience. Now when I look at your scope, we run our business on your scope. G-mail, Inbox, I personally love Inbox, I'm like an Inbox ambassador. >> Fantastic. >> And so thank you for developing that product. Google Drive, Docs, Sheets, you count it, I mean we run our business on your products. And so I wonder sometimes are we doing it right? Some of the challenges we have I think are onboarding and off-boarding folks. When somebody leaves the company or comes on the company you want to give them access to certain sheets or certain documents and then you sort of forget to take them off. How do you handle that? What's best practice there? Are you develop tooling around that? Maybe you could take about that a little bit. >> So we do it in many, many ways. And there certainly are best practices, they are documented out there through a number of tools and papers that we produce. We also have partners that work with our customers that engender those practices, but also then we bake the technology in so that you don't have to think about these things. And a good example would be; we released Team Drives last year. Team Drives is a great example of how you manage documentation for the inbound and outbound employees. It used to be that somebody'd actually have to think, "oh wait, Joe's no longer on this, We need to move him off," And all of that. But with the Team Drive that's handled automatically. Groups is another way. Google Groups is a great way to manage access to information and the like. And then we have tools like IRM, that allow you to sort of manage copying and forwarding information. And there's some more announcements that are coming tomorrow that'll let you also handle some of these things, but I can't talk about them quite yet. So stay tuned. >> You didn't want to release it too early. >> Can you talk about how you go to market with those cause every now and then I'll get a phone call or an e-mail from somebody at Google trying to either introduce me to something, maybe sell something, but it's kind of intermittent. What's the go-to market to inform people? We're obviously a small company. We heard today, "we want to help small, large, start-ups, big companies, governments." How do you guys go to market? >> We do it in lots of different ways. We certainly leverage our communication channels online heavily and we've been ramping up, I mean our investment in marketing and Cloud and getting all of these things, I mean you can see I right here at Next. This is a huge example of how we're trying to get the word out. We're at large across all of our verticals, across all of our customer sets, because I think that is information management and so that you understand, "hey I have these great tools to bear." That's super important for us to get right and we're continuing to evolve it. >> One of the things I always admire about Google from day one, the mission has always been speed. Load the pages faster, find what you're looking for, organize the information. With security and trust now, we were talking before we came on camera, I see Cloud as an opportunity, AI's an opportunity, as Diane Green said, security is the number one worry. Dave's asked this question every year, going back to since 2012, is security a do-over with the Cloud? You guys have such great experience with Sass and Cloud; is it an opportunity for customers going Cloud-native to do security over. Your thoughts? >> Well I think about this, so ill answer this in two ways, for us at Google it's not a do-over, it's been part of our DNA from day one because we were born in the Cloud. From the moment we started to think about how we design a data center to how we design a server to how we retire discs, this was mentioned in the keynote, that's been part of our DNA from day one. So for us we don't believe it's a do-over, we actually believe we're ahead of Darwin in terms of security, well ahead of it. And we'll put our words behind it, that we do believe, bar none, that we are the most secure cloud out there. Certainly customers using G-Suite, Chromebooks, Security Keys, we mentioned that at the keynote this morning as well- zero account hijackings. No one else can make that claim and we're proud to do it. For customers, however, I think many customers are realizing Patch Tuesdays and heterogeneous operating systems and tons of different platforms with customers that are storing information on their hard drives or their thumb drives- its a nightmare for many customers who have been operating on premise for many years and I think they're waking up to realize, "wait a minute, you're going to take care of all of that. You're going to take care of it. One operating system. All managed from the Cloud. One place. My documents are going to sit there. Oh my gosh, I can sleep again if I move to the Cloud." and that's really part of the overall narrative here. >> Just to follow up on that, so that was Chromebook, G Suite, and Two-factor authentication right? >> Yes. >> You called it Titan Security, is that right? >> Yes, Titan Security Keys, correct. >> And the Two-factor authentication comes from what, is it a dongle or- >> It's actually hardware based so if you think about- two-factor's not a new term, two-factor's been around for a long time. A lot of people would have these tokens that would generate a numeric key and you'd look at that and you'd plug it in. Well that's phishable actually, that key gets transmitted when you actually authenticate and that can be picked up. >> Exposed, yeah. >> Exposed. With hardware, its all base of the hardware, there's no key that's exchanged. It's all authenticated to your device and that makes it un-phishable. >> You don't think about it. >> Yeah, exactly. >> So lets talk about compliance for a second. That's part of your job. Honestly we see this year was kind of a- the earthquake, the tectonic plates of GDPR. >> Yes. (laughs) >> Certainly Google's experience, a little fine in the EU of some other areas of your business. Obviously data is a regional thing, obviously in Germany we know what's going on there, so as a customer goes global, you could be in the US, there's now policies that need to be implemented. Is that where softwares going to help? How are you guys talking to your customers and what's the solution that you guys see for compliance and making it seamless because it's a real hassle. >> Yep. >> Some sites and some companies aren't deploying their solution. Their website has been stripped down because they couldn't comply with the GDPR regulation which gives the users the ability to essentially tell you to forget me and all kinds of other things, I don't want to get into it, but the point is, that it puts the pressure on companies, like literally overnight, where it was policy. People in the database world know that data sprawls is a huge problem- people don't even know where the data is. What data base is that on. This is a huge issue. How do you guys talk about that? >> Well first I'll say that compliance is always a shared responsibility between ourselves and our customers. However, those customers who have worked with us, and have been going Cloud-native with us have found that the journey to be much much less friction-full, I will say, or I'd say its more friction-less. Because we are the team that's had to really implement the technical controls around the GDPR. And I want to emphasize, GDPR is incredibly important legislation. We believe it's very important. Two years ago we launched an initiative to be sure we were compliant on time. We're proud to say that we were among the first to announce that compliance in the Cloud. And we're really happy. Our customers have been happy. And our relationships- we take on a large responsibility for maintaining relationships with the legislators and the regulators around the world Many companies can't scale to do that and by going with Google you know you've got a tight and good relationship, a company that is focused on maintaining good relationships world-wide on that front and it's been important. >> So two years before GDPR went into effect, that's much better, most companies were two months before the fines went into effect. (laughs) >> It was roughly about two years, it wasn't quite exactly two years between the time it was announced, but it was close to that. >> But it's not just the technology problem too, which makes it so hard, it's a lot of people and a lot of process. >> Absolutely, yes. >> Shared responsibility as you said just now. >> Yes, and the fact that the data's all in one place of the Cloud, again, makes a huge huge difference with your posture, and your compliance posture for GDPR. >> Susanne, you've been at Google for over a decade, what's motivating you these days, obviously the Cloud market's pretty hot, so that's kind of a nice wave to be on. What's the culture like at Google now? What's the DNA? What's the in- cause Google Cloud's got to spring to their step, we can obviously feel it. We can see the results. But it's just the beginning of this new wave. >> Yep, yep. >> What's exciting you and what's the DNA of Google culture? Google Cloud culture? >> Well Sundar echoed this this morning and I was so happy to hear it. I'm at Google because of the mission. I'm here to manage the world's information, make it universally accessible and useful and secure. (laughs) I will add the "and secure" to my mission. I came because that was so exciting to me. As a kid I never got Encyclopedia's because my father was like, "there going to be out of date." (laughs) He know instantly. >> Data quality number one, he was smart. Data scientist- >> Yes he was, he was. And when Google started to evolve, I was so excited. I'm like, "oh my gosh, look at what's happening to information management in the world." And that's why I'm here and I'm surrounded by other fellow citizens who are so excited about that but also excited about the challenge of keeping information secure. So that's what excites me and to work around so many great data scientists and software engineers and site reliability engineers and customer engineers. Google is about engineering at it's core but we take such a human approach to working with our customers. Understanding how important their information, their productivity in the Cloud is, their security in the Cloud is, and that's what excites me every single day. >> Final question for you; talk about what you're working on. What's your guiding principles for your organization. Where are you guys hiring- obviously you mentioned earlier, which I loved, the expectation is the experience should match; that's a great quote, I think that's important but I would argue that, to add to that complexity, is that expectations that are coming are not yet known. You saying things like "block chain" for instance, that kind of hit a lot of exciting areas around security, decentralization, decentralized applications, token economics. So you're seeing the world starting to get a little bit different where those expectations are not yet seen. So you got to get out in front of that. How are you guys managing that? How are you hiring? What's the vision? >> Sure. So there's sort of three pillars that Prabhakar Raghavan talked about this morning; simple, smart, and secure. Those are kind of our guiding principles for everything we do and, for example, G Suite. How we're thinking about the future, well we're very very lucky that we are always getting low latency signals about what's happening in the world right now. We talk about spam and phishing protection and things like that and we get billions of signals every single day about malicious information or malware, ransomware, those sorts of things. So we have a very low latency view into what's happening at the next minute around the world in that respect. And that gives us a competitive edge in terms of really thinking about what's the next thing that's going to happen. We certainly know that machine learning, whether it's smart compose and smart reply, or it's actually based in security, an anomaly detection. What's an anomaly to one company, is not necessarily an anomaly to another, depends on what business you're in and the like. So investing in machine learning and understanding how to be that security guardian for our customers in an automated fashion, so the people don't have to worry about security, but we've taken care of it for them. That's the holy grail and that's what we're investing in right now. >> Suzanne thank you so much for coming on theCUBE, really appreciate it. We were just talking before we came on, Dave and I, before we went live that if security and some of these complexities can be just services under the wire, like electricity. All cue-ade before we even turn the lights on of computing. That's kind of the goal. (laughs) So we're super early. >> Yes, absolutely. >> That's great. Director of security, trust, compliance, and privacy at Google Cloud's theCUBE. Live coverage, stay with us. This is day one of three days of wall-to-wall coverage. I'm John Furrier, Dave Vellante, we'll be right back. >> Thank you. (techno music)

[Music] [Music] [Applause] [Music] me [Music] [Applause] [Music] [Music] so [Music] [Music] [Applause] [Music] so [Applause] [Music] [Applause] [Music] [Music] me [Applause] [Music] [Music] [Music] [Music] [Applause] [Music] [Music] [Applause] so [Music] [Music] [Music] [Music] so [Applause] [Music] so [Applause] [Music] [Applause] [Music] [Music] um [Applause] [Music] [Music] [Music] [Music] [Applause] [Music] so so [Applause] so [Music] so welcome to cyber security insights we're excited to talk to you today about some of the key developments in the cyber security area let me start off by saying you know security's always been a board room topic boards care about it but right now it's actually getting even more important given what's happening covered 19 given the risk the world faces the fact that 70 percent of the workforce is now really working from home at vmware we have all of our employees working for we made that a mandate not just required but we're taking a cautious approach as to how they come back that's the reality of many of our customers but the bad guys are not staying still 148 increase in ransomware during this time they're just looking for every way to take advantage of innocent people working at home and then we've seen 52 percent increase of all attacks in the march time frame targeting the financial sector so it's very important that you we have a different approach to security because our belief is the security industry has been broken uh you'll see on this chart 5000 odd vendors 15 or 20 different categories and it's often i described like going to a doctor to stay healthy and she tells you you've got to take 5 000 tablets and you fall off your chest and that's just not possible you know so how do you prevent staying having 5000 tablets taking 5000 tablets to stay healthy you eat your vegetables your fruit your proteins drink your water you make it part of your hygiene and that's what needs to happen in security we've got to move away from this bolted on approach siloed approach where you've got you know various differences feels like even 5000 tablets 5000 security tools are all kind of like healthcare deem themselves very important and also from security that's just focused on threats and the new approach needs to be one that's more built-in intrinsically part of the platform like making a part of your diet more unified as opposed to just siloed across all of the key pillars of security and a lot more context-centric rather than just threat centric to do this we've been looking at kind of the value proposition of vmware we're you know about a 10.8 billion dollar company and have played across these three or four layers off being a digital foundation for the world any cloud any app any device with intrinsic security you've seen this from us several uh over the last several years what we've sought to do is layer into that diagram five or six important control points in security that we think are going to be super important to make security intrinsic let's start off on the bottom right corner of this with network security we think a new approach for network security means that if you look at data center networking or firewalls or load balancing or sd-wan what is a 30 billion dollar opportunity a new approach you know could be one way you could have in one platform all of those capabilities in something that's more software-defined that's what we've been doing uh in with nsx a platform some customers call us sort of the tesla of networking because we're taking a somewhat you know traditional hardware-defined approach to networking and building a more software-defined networking stack for security much the same way a tesla is building a software-defined car if you go to the left-hand side you see kind of the endpoints but it's two different forms of endpoint an endpoint that's on the client side near the device a laptop tablet a phone or a endpoint that's closer to the server a workload or a container and in both areas we believe we have an opposition proposition to really be the best uh security solution for endpoint and workload security identity we think there's a tremendous opportunity to be the best solution that not just some ourselves but also partners with the best of breed players for example um octa or azure active directory in cloud security we're going to do a lot ourselves for example cloud security posture management but we're also going to partner with the likes of well web gateways and and proxies like z scale or netscope and then analytics is the big kahuna because the more data that you have the more equipped you are to prevent breaches and what we believe here is this notion of what the analysts are now calling xdr collecting telemetry from all of these control points which we have exposure to network endpoint workload identity cloud and having one big data lake where you reason over this with a variety of behavioral and ai algorithms and then provide the best way by which you can protect customers from possible future security events this is something we well best because we actually collecting the most telemetry of anybody from disparate different sources and you're gonna only see this increase so vmware's proposition uh as you look at this we today have a billion dollar security business i know you're gonna listen to that and say wow where did that come from some customers call us one of the best kept uh security secrets in the industry uh a significant about that comes from network security a growing part of it now comes from endpoint security we think the opportunity is to take that billion dollar business it's about 20 000 odd customers and double or triple that by really focusing in these five or six control points you're going to see us build the best products in each of these categories but one that's intrinsic and also works between them in ways that are incredible let me give you a couple examples with carbon black we're going to make it agentless on the server side with vsphere nobody else can do that we're going to do that and you're going to see that very soon with carbon black we're going to make it unified with workspace 1 on the console so you have a unified approach there on both the console and the agent something that you also start seeing from us very soon these are things that nobody else in users can do network security you're going to see from one platform data center networking load balancing firewalls and sd-wan beautiful security-centric networking story so this is the approach for folks and now i think as we listen to several of the thought leaders and analysts you're going to hear them get into this story in more detail thank you very much let's continue in this show cyber security insights and now we'd like to explore the unified approach of security and i.t how do you unify them as a foundation for success our special guest today is chris sherman who's senior analyst at forrester and a pretty renowned security uh researcher and thought leader himself chris welcome to the show great to be here with you sanjay you know i'm sitting here in my living room in cleveland ohio as we uh ride down the curve right fighting off a cabin fever and staying healthy hope you're doing the same chris i'm doing well but listen i look at your beautiful looking um you know i can't confess that my background is my natural i've got a virtual background is that actually your living room or is that a virtual background it is this is my living room we built the house last year and it's also my little private iot lab because you know i'm a huge nerd and i love my devices we've been you know kind of a big fan of a lot of the forester research zero trust security you mentioned your research and iot uh i.t security and i'd like to explore this a little further with you chris i'm a big fan of your research read a lot of your stuff uh but let's kind of focus in you know clearly in this time having security strategy and i.t strategy be together in this current climate many organizations have had to pivot uh due to covert 19. you know one example is employees having to work at home which raises a whole host of cyber security issues and you know having reviewed the research results it makes them i think even more relevant the need for security and i.t to join forces i believe right now to defeating the cyber criminals during the pandemic um so that we don't have this risk and quite frankly you know we've been finding the risk is even higher because the bad guys aren't sleeping uh even if there's a crisis going on so maybe you can tell us a little bit more about this research and your findings absolutely yeah so you know i think the genesis of this research really started with a conversation i had with some of your team members back in november uh we talked about you know the high level of friction between these two teams right between i.t and security and frankly the lack of support that a lot of the existing tools in the market really have for you know integrating the two and when you look across the industry there really aren't a whole lot of resources for buyers or you know technology strategists that you know want to understand these dynamics and you know this is really what led to vmware commissioning forester to uh you know this past february to survey over 1400 security and it ops decision makers across the globe we really wanted to probe those dynamics right you know what's holding companies back from eliminating this friction right this really was actually the largest sample size of any commissioned study that i've been a part of here at forester and it really led to some excellent results and and data as you know from the uh published research i'm looking forward to to reading them and knowing more about it and you know i think if you think about the research and uh you know there's a shift in security driving alignment and collaboration security and it's you know kind of the top initiative we see in the next 12 months uh maybe even tell us about why the relationship between these security and id teams um you know are important whys have been strained across both you know all three of people process and technology yeah i mean so i team security really are two sides of the same coin right but unfortunately their teams have struggled to work well together for many years according to our survey date it's gotten to the point where 83 of both team staff report a negative relationship between the two it's very unfortunate but there are many reasons for this you know many reasons for this friction especially with the vp director and manager roles between the security and the ite teams you know at a high level most of this is driven by the fact that security and i.t have differing priorities right our data backs us up you know you have i.t on one side that's focused on technology efficiency and uptime and from our conversations with it staff it's clear you know they view security as philosophically opposite you know to this right often as roadblocks to accomplishing their goals and then on the other side security's top priority is as you'd expect responding to security events and incidents and preventing compromises and this difference in priorities is the source of a lot of friction also both security and i.t staff are really unhappy with the technology that the tools specifically that they're using or the security tools the c cios and csos you know that we talked to all had the same complaint they have too many disjointed tools in fact the average across our study was 27 security products on average in each organization and even the most established security solutions like take firewalls for example you know it caused some serious angst right we found that only 52 percent of respondents felt that their firewalls were satisfactory in terms of the performance and the security uh efficacy i think you know listen a couple of points i'll point point out from what you talked about that resonate deeply with us one is when you talked about uh i don't know it was 25 or 27 odd tools i'd be surprised the number of csos i talked to who say it's in the dozens one i think i always sort of keep a record for the number of tools i've heard one tell me it was like 100 different security tools i asked you know him was there a hundred different consoles so it's just the number of tools and consoles uh the other one that you resonated with me was even in one of the more mature areas like firewalls you would have thought oh people are really happy there we find the same level of dissatisfaction with people saying listen traditional hardware-based approaches appliance-based approaches lots of policy way way too complicated um now let's talk a little bit about staffing i think it's it's you know listen at the end of the day security is a team sport it does depend on products and processes and technology but there's also people and you know we security teams are understaffed they're increasingly dealing with a complex portfolio of these non-integrated products how uh is this impacting teams and what can companies you do as you advise them to reduce complexity from the plethora of different products that are often point products today well you're right right finding and training the right item security staff is really critical to the success of the respective teams unfortunately this continues to be a major pain point right across the whole industry in fact 64 of the security teams that we surveyed and 53 of the it teams reported they're understaffed but yeah i mean amid this global pandemic when most organizations are focused on surviving and you know maybe keeping the lights on or i guess in this case maybe the vpn's running right and getting by with limited resources and protecting an increasingly remote workforce it's much more difficult to collaborate and work together across teams but our data showed that one of the major results of this you know the formation of communication silos you know teams aren't communicating enough right they're they're communicating within their or organization designed for their particular use case right with very little integration and collaboration across those silos and you know this is where tools could help right most of the time though they the tools actually just reflect or amplify those silos by reinforcing the division right between the two teams ultimately organizations may be looking for technologies that can support the needs of both it and security right this will help alleviate any tension that might arise over things like competition over limited resources right ideally once the teams come together and agree on goals as well as objectives and and measures of success for that matter right they can address their technology stack inherent complexity wisely said listen the security attacks are becoming more sophisticated uh organizations are considering now i think the approach as you've described is a unified strategy to address these critical issues uh can you tell us more about how you've seen these unified approaches to security strategy being effective well so i mean it seems like we've been talking about unifying the tools and strategies by you know i.t ops and security for years right but it's only been recently that we've seen the two sides really demonstrate any appetite to actually do so unfortunately most of the tools again right on the market are focused on one or the other and integrations are only starting to really accelerate to the point where our true unified vision is even possible this not only aligns teams under common goals right having a common tool set but it also aligns workflows between those two teams and helps foster collaboration uh listen uh you mentioned a couple of these these examples are really good for people to kind of grop you know in this have you uh outside of these exams or any other sort of tangible results uh that you think companies can expect uh as they bring together their security and id strategies and make them more unified what are the results from your research you think customers can expect to gain yeah there are several other you know clear benefits right that we identified in this research right the benefits to unifying the tech stacks between it ops and security our research showed that companies with a unified strategy reported fewer security incidents fewer data breaches which makes sense right given how critical endpoint configuration and overall i.t hygiene is to the security posture of an organization also you know building security capabilities directly into the it infrastructure helps to motivate non-security staff to take some ownership right over basic security fundamentals and this all helps speed right this this increases the speed to you know both detect new threats and uh respond once they're you know identified you know time to containment right this was also validated by our survey data a common strategy really can empower both to you know mitigate risk ensure continuous compliance and improve you know their threat response uh workflows you know between the two teams really companies need to find tools that meet the needs of both teams and at the end of the day as you pointed out security is a team sport right we all benefit from working together to protect the business and its employees right from malicious actors especially in these difficult times that's great chris thank you for uh your research um um so i just encourage all of you are listening um if you want to um you know get chris's research um you know go to this url on the screen here and you'll be able to download it uh we're excited about it i mean listen you know personally when i watch it teams and security teams sometimes sort of spar each other um you know i i i think that increasingly whether the security team reports under the cio sometimes that's the case sometimes security teams report into the chief legal officer or they report maybe into the cfo wherever reporting structures are only you have to build a team sport because there's aspect of this that's policy aspects of this that are technology there are aspects of this that are people uh thank you for this research chris as always i'm a fan of uh the stuff as are all of we and what you're right so it's always good to be able to see more this is also much of the other extended uh forest to work like zero trust that have become kind of the things that i've seen now becoming more pervasive in the industry so thank you all for listening to this uh and we hope we'll continue to serve you in the course of this program cyber security insights with more insights like this it's my pleasure right now to also continue this uh cyber security insights series now with a wonderful interview um with the head of security and infrastructure at circle k suzanne hall um i've had a chance to briefly meet her prior to this and she's got an incredible vision of how infrastructure security comes together uh in the context of retail so i'm looking forward to the discussion suzanne thank you for joining us today thanks sanjay glad to be here great hey listen maybe i'll start with um you know circle okay some folks may know you in the locality in the areas where they shop or whatever have you but many folks around the country may not and we're assuming there'll be a very large audience watching this tell us a little bit about the company what you guys do uh what's your vision and how are you serving uh customers and consumers oh terrific oh well yeah so circle k uh many people do not realize it's actually a canadian-owned company we are a global uh convenience and fuel service organization uh with with offices all across north america uh large part of northern europe um and with franchises in a large part of asia as well we're the second largest convenience store company in the world and the 11th largest retailer we yeah we acquired circle k the brand um back in the early 2000's and uh our goals right now over the next five years are to try and double in size um which is a pretty aggressive goal goal considering uh our organization which really is taking a you know 60 billion dollar organization and trying to double that in the next five years so wish us luck let's focus now a little bit more on the infrastructure and security part of it um it's interesting that you own both as you think about those areas um you know how are they linked together and what have you been doing to tie uh infrastructure topics and security topics which are often you know you have a ciso and then a cto owns infrastructure in your case you own both and i think it's a classic way in which you know we're trying to kind of get traditional it teams the security work world to go you're living it then you're breathing and you're implementing your team uh how is it working out and how are you making it work yeah oh sorry it was actually a key part of me being attracted to the to this world i've been here about 18 months um i really feel for certain organizations culturally if you can make it work where security operations can function together um it really empowers your security team to move things quickly and it also gives me the opportunity to take ultimately super scarce resources from the security side and build uh more security acumen within my network teams and my hosting teams and my infra um so that i get actually really smart technologists that also get security collaborating with really great security folks that also get technology there's a lot of synergies that i that i get from that from combining these two organizations and where circle k was before i got here you know we we um did need to rapidly mature a lot of our security program um because it had just um grown uh i think the organization grew beyond the competencies of the security team before i got here and so by having both sides of that house i was really able to move things quickly um kind of i don't have to i don't have to uh negotiate between the network team and the hosting team the security team because they all report up to me and i get i get to pick who wins all the time so it works really well i'd love to talk to you but just cover it it's on on everybody's mind it's changed transformed how we all work you and i are doing this interview work from home uh if we were doing it in different concerts i have to come to you or come to us we have done this in the studio together or in an event um and certainly it's you know kind of changing the ways in which we work and family life and so on and so forth but how is it changing your business how is it changing your i.t organization uh and how have you had to adapt to um you know this time that we're sheltering place work at home yeah well it's really it's changed everything for us as i'm sure for for most of your of your clients as well um you know obviously serp okay being convenience we are uh on the front lines we are open across the globe we may have some small stores that may get closed for periodic periods of time or maybe some shortened hours but we've got convenience workers and gas station workers working around the globe through coven so we've had to change how the stores look and feel um we've had to rapidly deploy things like curbside delivery to really adjust to uh customers um wants and expectations and then we've had to take the entire back office and put people working at home which was not our culture um before this all happened and we had to do that almost like in watching a wave go across the globe as it started uh offices started closing in northern europe first uh and then and then all the way through to ireland and then and then obviously the east coast and canada and all the way through to the west coast so um we actually had a very short period of time to create a remote working uh operation um luckily enough um we had some really talented folks we put a couple different solutions in place and uh within two weeks or so we were able to get everybody working remotely that could work remotely and then that really empowered us to support all those operations folks that needed to get things like plexiglass into the stores hand sanitizers into the stores masks uh um into the stores uh to serve our customers and to serve our staff i'd like to move on um then to the um the kind of the context of this infrastructure and i.t workers and security work i.t teams and security teams working better together one of the things we find often and we did some research with forester that where companies performed well and had great you know security prevention practices breaches places where i t and security work well together and traditionally often csos uh may be separate from the infrastructure team sometimes csos don't even report into ci support elsewhere and that can be uh not intensely so sometimes intentionally but often just a silo or a warring mentality you're good evidence now where you're bringing these together let's talk a little away from technology for a second and the people process collaboration how have you been able to bring these cultures together so that they work together for the common good of either cost saving protection whatever have you yeah you know um and so i've had the benefit of being a cso and a cio and a couple different organizations and also i was in i was in consulting for many years i worked for a big four uh from a letter of cyber practice with one of the big four firms and i'll tell you cyber programs uh move fast forward best when there's a couple of key elements in place and the first one is you have to have shared goals anytime that the cyber team is trying to implement something um in that the network team isn't on board with or the network team picked a tool they don't want to implement the tool that the cyber team is as um and has selected i mean that's that's always a recipe for failure so somehow you have to really work on aligned goals and i do that even though i own the infrastructure teams and the security teams um nobody's successful if we're not all successful together and really focusing on what does success look like for for each one of the each one of our areas and look sometimes you know we do have to take some uh educated risks in the environment you know for responding to things quickly but we also don't take we don't um let those risks sort of linger and and never get remediated right so we really work together to make sure that any new risks that we're taking on we have a focus on how we're going to mitigate that and we hold ourselves accountable and um and the network team is equally accountable for responding to security events as a security team is the key element i also say to my security teams is when you're working with production operations teams and and folks you've got to have skin in the game you've got to recognize that they're trying to keep systems up and running 24 7 you know for the operations of the organization right so we can take credit cards and cash in the stores and make the sales and deliver the goods and services when we need to if the security team isn't seen as fully on board with that mission and that um that responsibility then there's there's a non-equity sort of relationship going on between the two different teams so you really need to bring them all together and make sure that everybody um understands supports each other's wins and goals it's awesome that you've been a cio and a ciso and you've seen all of these in various different companies i'm sure maybe in smaller bigger wherever have you so you're able to really relate to that uh i find the csos i talk to uh most of my relationships in the years past have been with cfos and cios uh i set myself a personal goal this year as we started getting more into security as i've been shaping that strategy of the company to meet a thousand cesars i was 15 years ago at symantec and most of the csos i know are retired and moved on so uh it's a good new way of my understanding and i find as i talk to them so refreshing the ones who are strategic like yourself uh have had tremendous experience in id or are also owned them and are able to paint a vision that's very collaborative as to as opposed to ones who don't then are also able to strategically bring teams together so it's really good to to see that i'd like to kind of just work a little bit more into security because i mean your strategy plays into the reason we're quite carbon black um and you i have some obviously you know knowledge and investment vmware but i'm listening as i was listening to prior to getting on to this you know program together you're probably doing more with carbon black which is awesome i mean it'll probably strengthen our relationship with vmware too and of course but we can talk a little bit about that what's been your history carbon black why you picked them and where do you see that going on the endpoint security um and then i'll talk a little bit about how we're trying to try that into infrastructure too yeah so um so my relationship with carbon black goes back to uh almost right after i first arrived at circle k um obviously i know uh from having come from consulting a number of different uh tools and products out there um although carbon black always had a really good reputation and strength and um i went to carbon black pretty early on and said you know here's my here's my situation i've got a little bit of carbon black and a little bit of other things in different places i really want to standardize on a single tool i really want to get to a better visibility of my overall network and of my of my risks and ultimately i want to have a single pane of glass but um that you know i've got folks working from an eyes on 24 7. um you know carbon black hands a table really quickly and had a great vision uh for how they could get us uh standardized across some different versions that we had um and when i said okay i want to do this in six weeks or fewer um they didn't say we can't make that happen um i think a lot of people on my team wish that they'd said that we can't make that happen but um but now we were able to really rather quickly um deploy and and get up to speed across all of our stores across all of our networks all of our you know we're a very distributed organization i've got offices all across north america and europe um and uh and we were able to in six weeks get get standardized and get things up and running and i had gained great visibility uh in that and i'm a big believer when looking at all sorts of tools whether they're input tools or security tools that you know you can tell whether or not you've picked the right solution if it's fit for purpose relatively quickly if it feels like it's too hard to implement if it just feels like it's you're not getting the value out of out of something in a relatively quick period of time you really do need to look at whether or not the tool you're looking at is fit for purpose in your environment and i would say the carbon black team and the carbon black tool that made it really easy for us and um you know it's giving us great visibility we have been able to uh detect and respond to a number of different instances you know retail is a very uh high threat high target industry these days um so it's been it's been super helpful in us defending um circle k in our environment and with 130 000 employees i suspect your number of endpoints are in the tens of thousands on the client side and probably just as many in terms of server-side endpoints right so your your kind of surface area of potential endpoints is pretty large oh indeed and you know but you know you have over 15 000 stores every store has multiple point of sale systems and at multiple uh computers laptops tablets devices um and that's and that's even before i go out into the uh what we call the forecourt which is where the gas dispensers and pumps are so yeah it's very complex well listen we look forward to that journey together part of what she has talked about here is a key part to our vision uh folks listening to this is to basically bring together security to make it key parts of the infrastructure both in the endpoint the network and the cloud thank you for your partnership i look forward to getting to know you and your team better um thank you also for all you're doing to serve the community during these tough times especially those workers at circle key that are the front line in the stores we appreciate you tremendously and we look forward to continuing this dialogue thank you very much thank you thank you everybody for watching this cyber security insight segments titled security as a team sport we talked about the shift in security and how security is moving to a shared responsibility model in this team sport in this segment we also discussed the benefits of a consolidated security and an i.t strategy that allows for fewer breaches and a faster response to security incidents as key benefits that have implemented a common strategy for those who have done this i encourage all of you to watch this part two of cyber security insights the securities of dual mission and we will have two security leaders discussing how security helps not only protect but help drives the business forward thank you all for watching this segment [Music] you

(clicking) >> Hey welcome back everybody. Jeff Freck here with theCUBE. We're in Palo Alto, California at the Chertoff Event. It's called Security in the Boardroom and it's really about elevating the security conversation beyond the IT folks and the security folks out in the application space and out on the edge and really, what's the conversation going on at the boardroom, 'cause it's an important conversation. And one you want to have before your name shows up in the Wall Street journal on a Monday morning for not all the right reasons. So we're excited to have a real practitioner, Rich Baich. He's a chief information security officer for Wells Fargo. Welcome Rich. And in the company of Jason Cook who's the managing director with the Chertoff group. Great to see you Jason. So we talked a little bit off camera Rich. You've been in a lot of different seats in this game from consulting to now you're at Wells Fargo, and a few more that you ripped on this, but I can't remember them all. From your perspective, integrating this multi-dimensional approach. How do you see this conversation changing at the boardroom? >> Well I think most importantly, the board is a topic of discussion, one of the top discussions over the last couple of years. There's been a lot of guidance recently that's been put out to board directors through the National Association for Corporate Directors, as well as various consulting firms providing guidance. Board members need to be able to take this complex topic and simplify it down so that they can do their jobs. It's expected of them, and sometimes that can be a language barrier. So I think what I see happening is boards are beginning to hire individuals with some cybersecurity expertise. My example at Wells Fargo, we hired a retired general Suzanne Vautrino to come in as one of our cybersecurity, obviously experts in the board. And it's great having her in that board seat because often times, she can help me translate some of the issues and gain a different perspective from the board. >> So that's a pretty interesting statement. So they're actually putting security expertise in a formal board seat. >> Yes. >> That's a pretty significant investment in the space. >> But if you think about this. I mean why? >> Right. >> Right. >> Well most institutions today when you break them down are really technology companies that's just a business platform rolls on. So security is becoming part of not only the institution today but the institution of the future as organizations move towards digitalization. So having that ability to have someone who understands risk management side of cybersecurity as well as the practitioner side will only make, I think a boardroom that much stronger. So what's your experience in terms of trying to communicate the issues to a board? Just down and dirty. Where do you find the balance as to what they can absorb? What can they not absorb? How do you outlay the risks if you will and how they should think about driving investment in these areas? >> Well great points, the first and most important thing with boards is gaining trust. Did you have the expertise and you had the information. By no means could I bring all my data to a board meeting because it's just not digestible. So there's a little bit of an art of taking that down and building the trust and focusing on certain areas. But a point you made I think it's really important is one you have to help them understand what are the top risks and why. But when you're talking to a board, you have to be able to say, and this is what we're doing to address them and here is the time frame and here is the risk associated with this. Because in their minds, they're thinking what can I do to help you? And then secondly, Stu point was the decisioning regarding prioritization. in this particular space, there's always going to be risks but it's really the art of deciding which ones are more important. I'll talk to the board and I'll highlight things like probability of occurrence. So the higher the probability of occurrence of something happening really drives our prioritization. >> Then Jason from your perspective. You're coming in from outside the board trying to help out. How have you seen the security conversation and priority change over time, especially in the context of this other hot topic that everybody is jumping on, which is probably the agenda item, just before Rich comes in the room, which is digital transformation. We got to go, we got to go, we got to go. Everybody is evolving. We got to go, we're getting left behind, and then oh by the way. We're just going to come on afterwards and tell us what some of these risks are. >> Yeah and I think actually Rich started to touch on it. All organizations especially when you're looking at the Fortune 500 and around that shape and size are global. And they're all on a digital journey, whether they acknowledge they're actually a digital product company. All of them now, digitizing is happening. So as a result of that security is an absolute critical component of anything linked to that for all of the reasons that you can just read the headlines around. And actually at the boardroom level, it's more now, hopefully becoming a conversation that's about how do we as board members take responsibility and accountability for how to protect our organization. And it's framed now more and more so in a risk management conversation. Rather than just saying security 'cause security is like outside. But actually the reality is security and cyber activity because you're a digital organization. It's embedded into everything whether you realize it or not so the board needs to be education to what that means. How do you take risks in the context of digital activity and assign it to a risk management program approach rather than just saying it's the security guy that's got to come in and do that. And the security guy is most probably going to be the guy that absolutely has to understand that boardroom issue, and then execute upon it and bring options to the table every time in and around that space. But the main message I would say is take this from a risk management perspective and start using the language like that. And that's probability the other point that we were discussing just earlier in the security series today, that actually it's about risk management, and educating everyone very clearly as to what do we mean. What are we actually protecting. How are we protecting it and what are we doing as a set of board members, and as a leadership team to actually take forward enablement of the business. From a security perspective, understanding it but then also protecting the business. >> Right, so are you building models then for them to help them assign a value to that risk, so now they know how much that they have to invest. 'Cause the crazy thing about security, I'm sure you could always invest more right. You can always use a little bit more budget. There's a little bit more that you can do to make yourself a little bit more secure than you were without that investment. But nobody has infinite resources so as you said bad things can happen, it's really risk mitigation and knowing the profile and what to do about it. So how do help them model that? >> I can answer that and I know Rich can jump in, so what you're seeing is a brand new leader role emerging from the traditional IT security guy to now, the guy that isn't or person should I say more accurately that's engaged at the boardroom. That's there to talk about risks in the context of how the board sees it. And so what does that means? It means that absolutely, you need to know what you've got from a digital perspective. Everything from the traditional network to all of the IT assets and everything there. The key thing is you need to know what you've got, but you have then contextualize all of that against business risks. And pulling those two things together is the challenge that you see across the industry today 'cause there have been silos. And usually underneath that silos and many other silos so bringing that together is really important. And I think if you look at how we're going to see disrupt it is and how things are managed in the risk management perspective. Actually, that's what you're going to see come together. How do you bring those models together to give actionable intelligence that the board can react to or predict against, and that's not an easy thing to pull together. >> Yeah, and to take it more down to a tactical arena so you know at some point, like you said, you can't asking for more money. Because you're not practicing good business attributes because everybody can ask for more money. So I think as organizations mature their security programs, they're going to go to the board with issues like this. Endpoint security, there's so many different Endpoints security products out there that you could buy. But if you're practicing good risk management. You're starting off by saying what is the risk. Let's just talk about malware. So malware is the risk, well how much malware gets to your Endpoint. Unless just say in this particular instance, you're here. You go into a program where you're enhancing your tools, your techniques, you're shutting down USB ports. You're not allowing people to connect to the internet unless they go through the VPN. You're buying endpoint solutions to put on there. You're encrypting the endpoint, you're doing all these things and you suddenly see your monthly average of malware go from here to here. And then when you do that and you walk into a boardroom, and you can show them that and you say this is kind of our risk appetite. 'Cause we're never going to be able to reduce it but I could go spend some more money. I could go spend five million more dollars that I'm going to move it this much. I'd rather take that five million move it over to this risk which is right here to reduce it to that area. So I think that goes hand in hand with what Jason's saying but when you can get to that level to the board to help them understand their decision. They have a greater comfort level that the money is being spent and prioritization is occurring. >> Yeah, so if I may so that one of the things that you just touch on, I think is really useful for us kind of expand upon more. One of the advise points Chertoff Group had in our series session was around bringing cybersecurity experts to the boardroom. I know obviously, you're very active in the whole finance sector, providing advice and direction in that space. Can you tell us more about that? >> Sure so, what's particular in my world also as the chair or the financial services sector coordinating council. What we do is we work closely with the government, with policy and doctrine and then the FSI sector, financial services sector, analysis center is the group that really goes out, and kind of operationalize it through information sharing and that sort. But what we've seen is a desire to have, honestly more security professionals on boards. So CISOs potentially being asked to sit on public and private company boards to provide that expertise back to the company. So that the boardroom can help understand and transcend what is going on. Again from my standpoint, I feel very privileged to have one of them on my board today. And she's been just a wonderful addition, not only does she bring cyber expertise, but being a retired general brings a lot it to other additional. So I would predict, we'll see more and more CISOs being asked to sit on public and private boards. They bring that perspective as the business models move to digitalization. >> We can go on forever, forever and ever but we can't unfortunately, but I have one more question for you Rich. Is kind of this change in attitude amongst the CISO community and other people ideal security in terms sharing information. You mentioned on this group and you use to be, we didn't want to share if we got attacked for a lot of different reasons, but there's a real benefit to sharing information even across industries about the profile of some of these things that are happening. How are we seeing that kind of change and how much more valuable is it to have some other input from some other peers, than just kind of you with you're jewels that they're trying to protect. >> Sure so in general, from an industry standpoint, the financial services are much further ahead than a lot of the other industries 'cause we've been doing it along time. So sharing occurs officially through the FSI site but also you'll pick you phone up and call a friend right a way, and say hey, I've just seen some of you're IP space associated with so and so. So that informal sharing is there. It's a very tight community, in particularly from the financial services. You don't think of security as a differentiator necessarily because the reality of it is when an adversary chooses to point their direction at you. It's just a matter of time before they get around to your institution. So sharing occurs and secondly, the government been doing a great job of trying to break down those barriers. Work through all the issues that are related with sharing of classified, unclassified information. So there exists a model today, it seems to be working pretty well. Formal as well as informal and if you look at some of the past history. That sharing has really helped a lot of organizations. I see they only getting better and better as time goes by. >> And the point, I'd add to that is the financial services I said for example is one of the most mature out there. In fact, it is probably the most mature or global even out there. But that's taken time to establish the trust and the collaboration there. And the one recommendation that we would all give out to the industry as a whole is you need to be getting those types of things stood up. And you have to invest time into them to generate the collaboration and trust. You're not going to get it over night but you have to start somewhere in doing the same. Because really what good work is happening here, needs to be happening across the global industry as a whole. >> Right, alright Rich and Jason, we'll have to leave it there unfortunately. Really great insight and thanks for sharing your insight with us. >> Rich: And thank you. >> Alright, I'm Jeff Freck. You're watching theCUBE. We're at Security in the Boardroom at the Chertoff event, Palo Alto. Thanks for watching. (clicking)