Phil Quade, Fortinet | Fortinet Accelerate 2018
(computerized music)
>> Announcer: Live from Las Vegas, it's theCUBE. Covering Fortinet Accelerate 18. Brought to you by Fortinet.
(computerized music)
>> Hi, welcome back to Fortinet Accelerate 2018. I'm Lisa Martin with theCUBE. Excited to be back here for our second year. I'm joined by my esteemed cohost Peter Burris. Peter and I are excited to be joined by the chief information security officer of Fortinet, Phil Quade. Phil, welcome back to theCUBE.
>> Thanks for having me today.
>> Great to have you here. So you had this interesting keynote this morning talking about cyber security fundamentals in the age of digital transformation. So we'll kind of peel apart that. But, something that I'm really curious about is, as a CISO, you are probably looked at as a trusted advisor to your peers, at Fortinet customers, at prospective customers. Tell us about, as we're in this evolution of security that Kenzie talked about, what are some of the things that you're hearing? What are they looking to you to help them understand and help from strategic perspective to enable in their environments?
>> I often hear people say, "I recognize that my security's inadequate, what can I do about it?" Or, "I think my security's good enough, but I'm not evolving commensurably with the risk." And they say, "What do I do about that? How do I get to a better spot?" And I typically talk about them modernizing their strategy, and then based on their modernized strategy, that leads to specific technical solutions. And I'll have to talk to you more about what some of those might be.
>> Yeah, on the strategy side of things, I find that very interesting. Peter and I were talking with Kenzie earlier, and with the 20 to 30 different security solutions that an organization has in place today that are disparate, not connected, where does the strategy discussion start?
>> Well it starts to me with, I say, the adversary's coming at you at speed and scale, so how do you address the problems of speed and scale? It's through automation and integration. And fortunately, I believe in that strategy, but it plays directly into Fortinet's strengths, right? We have speed baked into our solution set. We have speed at the edge for our custom ASICs. And we fundamentally are an integrated company where our products are designed to work together as a team because what you want to do strategy wise, is you want to, I think, you want to defend at your place of strength. And at a time and place of strength as opposed if your adversaries, where he's probing at your weak point. So, that's this integration thing's not only strategic, but it's essential to address the problems with speed and scale.
>> So, Phil, technology's being applied to a lot of IT and other business disciplines. So, for example, when I was seeing machine learning, and related types of technologies actually being applied to improve programmer productivity through what we call augmented programming. And that may open the aperture on the number of people that actually can participate in the process of creating digital value. But it still requires a developer mindset. You still have to approach your problem from a developer perspective. What is the security mindset? That as security technology becomes more automated, that more people can participate, more people can be cognizant of the challenges. What is that constant security mindset that has to be sustained in an enterprise to continue to drive better and superior security.
>> Got it. I think that some companies get too hyped about artificial intelligence, and I think it's important to remember that you need to use computer science to get to science fiction.
So, a very disciplined way you need to say, well in order to achieve high degrees of automation, or perhaps machine learning, or artificial intelligence, what are the building blocks of that? Well, the building blocks are speed, because if you have a decision that's too late, who cares. Integration. If you have a decision that can't be communicated effectively, who cares. And then, of course, access to all the right types of data. In order to get smart to do machine learning, you need access to lots of different data sources, so you need to have lots of disparate centers sending in data for you to analyze. Back in my old job, we used to do some centralized processing, say back in the data center. We would precompute a result, we'd push that precomputed result back to the edge, and then you would do that last bit of analysis right at the point of need. And I think, again, the Fortinet architecture supports that in that we have a back end called FortiGuard Labs, if you know what that is. It does deep analysis and research, pushes their results forward, then we use speed at the edge inside customer premises to sort of compute, I'm mixing metaphors, but do the last mile of computing. So I think it's, back to your question, what's the mentality? It's about leveraging technology to our advantage, rather than people being the slaves of machines, we need to have machines serving more man. And we need computer science to do that, rather than, like I say, creating busy work for humans.
>> Peter: Got it.
>> You talked about speed and scale a minute ago. And as we look at, I'm curious of your perspective as the CISO, how do you get that balance between enabling digital business transformation, which is essential for growth, profitability, competition, and managing, or really balancing that with security risk management. So, if a business can't evolve digitally at speed and scale, and apply security protocols at every point they need to, is digital transformation meaningless?
How do they get that--
>> Great question. Cause you don't want to feel like it's going to be a haves and have nots. The good news is that, for example, for those who seek to move to the cloud for whatever reason, convenience or agility or business efficiencies, you don't have to go all cloud or no cloud, right. And the security solutions of Fortinet allows you to do each. You can have some cloud, some non-cloud, and get them both to work together simultaneously under what we call a single pane of glass. So, as a user, you don't care if your firewall is a physical appliance or a virtual one, you want to establish a security policy and have that pushed out no matter what your firewall looks like. So to answer your question, I think that hybrid solutions are the way to go, and we need to let people know that it's not an all or nothing solution.
>> That visibility that you kind of mentioned seems to have been kind of a bane of security folks' existence before. How do we get that broad visibility?
>> Yeah, I think right, it's visibility and complexity I'd say are the bane of cyber security, right? Visibility, what you can't see, you can't defend against, and complexity is the enemy of security, right? So we need to address the problems. You asked me what CISOs say. We have to reduce complexity, and we have to improve visibility. And again, I think Fortinet's well postured to offer those types of solutions.
>> So as you increase, we talk about the edge, you mentioned the edge. As more processing power goes to the edge, and more data's being collected, and more data's being acted upon at the edge, often independent of any essential resource, the threat of exposure goes up. Cause you're putting more processing power, or more data out there. How is securing the edge going to be different than securing other resources within the enterprise?
>> Well encryptions will remain a part, right. Encryption to create confidentiality between the two computing entities is always a part.
And then of course encryption can be used to authenticate local processes at the edge. So even though encryption might not be perceived as the silver bullet that it used to be, in the age of pending quantum computing, I can talk more about that in a second. In fact encryption is a fantastic tool for creating trust among entities and within an entity. So I think the applications of smart, strong encryption among and within the entities can create that web of trust we're talking to. If I could just briefly go back to quantum computing, right. So most commercial entities today, or most think tanks think that a quantum computer, a usable one, will be invented within 15ish or so years or so. Fortinet is actually already implementing quantum resistant cryptography in our products.
>> Peter: Quantum what?
>> It's called quantum resistant cryptography. And a quantum computer--
>> I understand.
>> Will be able to break asymmetric encryption, so we're making sure we're implementing the algorithms today to future-proof our products against a future quantum computer.
>> That's a major statement. Cause as you said, we're probably not looking at a more broad base utilization of quantum computing for many many many many years. And we'll know when they're being used by bad guys. We'll know who has one. How fast is that going to become a real issue. I mean as people think about it.
>> The problem is that private sector doesn't know what the bad guy countries, when they will indeed have a computer, so Fortinet is being forward leaning, making sure we're starting to get familiar with the technology now. And also encryption's the type of thing that sometimes it requires special hardware requirements, special power--
>> Peter: Quantum computing does.
>> No. Any encryption technology. The more computation you have to do, sometimes it might require more memory, or a faster processor. Well that takes months, if not years, if you're putting that into a custom chip.
So we're planning and doing these things now, so we can make sure that we're ready, and aren't surprised by the actual compute power that's required of quantum resistant cryptography, or, and of course, aren't surprised when an adversary does in fact have one.
>> Peter: Interesting.
>> Good stuff.
>> One of the things that you're doing later today is a panel, right? Between IT and OT folks. And I wanted to explore with you some of the evolution in the risks on the operational technology side. Tell us a little bit about what that panel today is going to discuss and maybe an example of, Triton for example, and how these types of attacks are now very prevalent from a physical standpoint.
>> Favorite topic of mine. Thanks for bringing it up. So one of the first things I'll do is I'll make the distinction between OT, operational technology, and IOT. So what I'll say is operational technology's designed primarily to work to protect the safety and reliability of physical processes and things. Things that move electricity, move oil and gas inside industrial automation plants. So operational technology. And then I'll talk a little bit more about IOT, the internet of things, which are primarily, and I'm cartooning a little bit, more about enabling consumer friendly things to happen. To increase the friendliness, the convenience, of our everyday lives. And so, once I make that distinction, I'll talk about the security solutions that are different between those. So, the OT community has done just fine for years, thank you very much, without the IT folks coming in saying I'll save your day. But that's because they've had the luxury of relying on the air gap. But unfortunately-- Meaning to attack an OT system you had to physically touch it. But unfortunately the air gap is dead or dying in the OT space as well. So we need to bring in new strategies and technologies to help secure OT.
The IT side, that's a different story, because IOT is fundamentally lightweight, inexpensive devices without security built in. So we're not as a community going to automatically be able to secure IOT. What we're going to need to do is implement a strategy we call earned trust. So a two part strategy. Number one, rather than pretend we're going to be able to secure the IOT devices at the device level, that are currently unsecurable, we're going to move security to a different part of the architecture. Cause remember I talked about that's what you can do with security fabric, if you do defense as a team, you want to defend at the time and place you're choosing. So with IOT, we'll move the defense to a different part of the architecture. And what we'll implement is a strategy we call earned trust. We'll assign a level of trust to the IOT appliances, and then evaluate how they actually behave. And if they do in fact behave over time according to their advertised type of trust, we'll allow more, or in some cases, less access. So that's our IOT solution. And both of them are really important to the community, but they're very different IOT and OT. But unfortunately they share two letters and people are mixing them up too much.
>> But at the same time, as you said, the air gap's going away, but also we're seeing an increasing number of the protocols and the technologies and other types of things start to populate into the OT world. So is there going to be a-- There's likely to be some type of convergence, some type of flattening of some of those devices, but it would be nice to see some of those as you said, hardened, disciplined, deep understanding of what it means to do OT security also start to influence the way IT thinks about security as well.
>> Love it. Great point. Not only can the OT folks perhaps borrow some strategies and technologies from the IT folks, but the opposite's true as well.
Because on the OT side, I know you're making this point, they've been securing their industrial internet of things for decades, and doing just fine. And so there's plenty that each community can learn from each other. You brought up a recent type of malware affecting OT systems, Triton or Trisis. And the memory brings me back to about nine years ago, you might be familiar there was just a catastrophic incident in Russia at their-- It was a failure of operational technology. Specifically it was the largest electricity generation, hydroelectric plant, ninth biggest in the whole world, they took it offline to do some maintenance, loaded some parameters that were out of range, caused vibration in the machinery, and next thing you know, a major cover flew off, a 900 ton motor came off its bearings, water flooded the engine compartment, and it caused a catastrophic explosion. With I think, I'll just say, well over 50 people dying and billions of dollars of economic loss. So, what I'm trying to say is not, you know, get excited over a catastrophe, but to say that the intersection between physical and cyber is happening. There's not just the stuff of spy novels anymore. Countries have demonstrated the will and the ability to attack physical infrastructures with cyber capabilities. But back to Triton and Trisis. This is just a couple months ago. That sort of rocked the operational community because it was a very sophisticated piece of malware. And not only could it affect what are called control systems, but the safety systems themselves. And that is considered the untouchable part of operational technologies. You never want to affect the safety system. So the time is here. The opportunity and need is here for us to do a better job as a community to protecting the OT systems.
>> So the speed, the scale, all the other things that you mentioned, suggests that we're moving beyond, and Kenzie has talked about this as well, the third generation of security.
That we're moving beyond just securing a perimeter and securing a piece of hardware. We're now thinking about a boundary that has to be porous, where sharing is fundamentally the good that is being provided. How is a CISO thinking differently about the arrangement of hardware, virtuals, services, virtual capabilities, and, in fact, intellectual property services, to help businesses sustain their profile?
>> I think you're spot on. The boundary as we know it is dead. You know, dying, if not dead. Right so, the new strategy is doing agile segmentation, both at the macro level and the micro level. And because you might want to form a coalition today that might break apart tomorrow, and that's why you need this agile segmentation. Back to your point about having some stuff in the cloud and some stuff perhaps in your own data center. Again, we don't want to make people choose between those two things. We need to create a virtual security perimeter around the data, whether part of it's existing in the data center or part of it exists in the cloud. And that again gets back to that strategy of agile segmentation at both macro and micro levels. And of course we need to do that with great simplicity so we don't overwhelm the managers of these systems with complexity that causes the human brain to fail on us. I'll often times say it's not the hardware or the software that fails us, it's the wetware. It's the brain that we have that we get overwhelmed by complexity and it causes us to do silly or sloppy things.
>> So let me build on that thought one second, and come back to the role that you play within Fortinet, but also the CISO is starting to evolve into.
As a guy who used to run not a big business, but a publicly traded company, I learned that when you wanted to go into a partnership with another firm, you got a whole bunch of lawyers involved, you spent a long time negotiating it, you set the parameters in place, and then you had a set of operating models with people that made sure that the partnership worked together. When we're talking about digital, we're talking about that partnership happening at much faster speeds, potentially much greater scale, and the issue of securing that partnership is not just making sure that the people are doing the right things, but the actual systems are doing the right things. Talk about the evolving role of the CISO as a manager of digital partnerships.
>> I think you're right, it used to be the case where if you're entering a partnership, your partner might say tell me a little bit more about how you secure your systems. And that company might say that's none of your business, thank you very much. But today, for the reasons you so well said, your risk is my risk. As soon as we start operating collaboratively, that risk becomes a shared situation. So, in fact, it becomes a responsibility of the CISOs to make sure the risks are appropriately understood and co-managed. Don't get me wrong, each company still needs to manage their own risk. But once you start richly collaborating, you have to make sure that your interfacing doesn't create new risks. So it used to be the day that only a couple of people in a company could say no. Of course the CEO, maybe the general counsel, maybe the CFO. But increasingly the CISO can say no too, because the exposure to a company is just too broad to take risks that you can't understand.
>> And it's not a financial problem. It's not a legal problem. It's an operational problem.
>> That's right. That's right. And so the good news that CISOs I think are stepping up to the plate for that. The CISOs of today are not the CISOs of five, seven years ago.
They're not insecure folks fighting for their posture C suite. They are valued members to the C suite.
>> I wish we had more time guys, cause I would love to dig into that shared responsibility conversation. We've got to wrap up. Phil, thank you so much for stopping by theCUBE again, and sharing your insights on the strategic side, not only the evolution of Fortinet and security, but also the evolution that you guys are leading in at 2018 with your partners. We wish you a great time at the event, and we think you're having us back.
>> Thanks for having me very much. I enjoyed talking to you both.
>> And for my cohost Peter Burris, I'm Lisa Martin. We are live on theCUBE at Fortinet Accelerate 2018. Stick around and we'll be right back.
(computerized music)