>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media. >>Welcome back everybody. Jeffrey here with the cube. We're at RSA 2020, downtown San Francisco and Moscone center, 40,000 professionals in the security industries, the biggest security event in the world. I'm pretty sure, certainly the biggest one in the U S we're excited to have somebody who's been running around taking care of these problems and talking to customers for a very long time. It's got a great longterm perspective. We're happy to have him. Jonathan, new wind, the VP global field say-so team for fortunate. Jonathan, great to see you. So you said you've been coming to this show for a long, long time. Love to get kind of your impressions that the human element is the theme. Yeah, well, sheer, you know, I, I think, uh, it's changing. It's uh, the attendance is broken out by very senior people who've been here for, you know, multiple events and then a whole new slew of people are coming into the industry, right. >>And there's a lot of excitement. It's, um, there's a little bit less of a buzz. It just seems it's a little bit less people here this year because of the virus scare. Um, but overall I think that the themes are pretty consistent, which is kind of tragic that the themes are consistent year after year because this suggests that not a lot has changed despite the $130 billion and it works with purity span. You know, absolutely complexity. Uh, everyone is telling me about how to solve complexity, how to do more with less, uh, how to do more with less and fewer people and how to get their arms around this vast volume of data that's being generated. And there's a lot of talk about automation and AI, uh, but much more practical, less buzzwords and more practical solutions. And yet still tons of new vendors, right? Tons of new opportunities. >>You know, I don't know what the final count is on the vendor side, but it's a really large number and you go off into the corners to the EDBD little, little, a little mini boost is still a time of innovation. So I think that people trying to move the ball. So I think when the first show first started, there were less than a less than 500 vendors, I think in the industry back in 2007 I think today we're North of of 5,000 and it's probably 8,000 or about 5,000 vendors in the immediate vicinity here. But just go around the corner and there are dozens of others having their own events and the neighboring hotels and restaurants. It's astounding the number of different point products are still coming into the industry and, and, and that really suggests that we haven't gotten our arms around integrating all of this technology. >>And it's just another level of complexity. So what do you tell your friends on the buy side, right? Who know you and say, say Jonathan, I'm going, I'm going to RSA. How in the heck am I supposed to navigate not only the show specifically, but kind of this vendor landscape and then make sense of it all? I'm telling him to look for vendors that are partners that have a longterm perspective and that do the integration for you. You know, one of the things coming from an operational background, as I talked to other CSOs, like our job is to operate technology. It really isn't about integrating technology. It really isn't about OAA and product. I want to focus my budget and my resources on operating technologies and manage risk. So I look for partners and mentors like, like Fordanet that has a fabric with 258 plus different products and vendors that are already integrated out of the box. >>I'm looking for someone that solves complexity rather than a specific problem or specific threat vector. And I'm really looking for some of that helps me understand and manage risk because that's the object of the exercise in cybersecurity today. It's not about compliance, it's about compliance, it's about security, it's about resilience, but a reasonable level of care in managing risk. Right. And yeah, it's, it's a great topic cause I was thinking that kind of in terms of insurance. Yeah. In terms of, you know, how much do you spend and you can't insure everything to 100% right. So it's going to be some number less than that. Everybody else needs a piece of the pie. But how do you make those kinds of trade offs, investment versus risk? Because you can't absolutely protect everything. It makes no sense. So I think that value of it comes back to the CSO and his or her team. >>It's a very human decision. Uh, there is no prescriptive definition of what reasonable care is. You know, outside of one statement by Kamala Harrison, she was the state's attorney in California here, which is the CIS 20 is the minimum level of reasonable care. And so now we have to understand how do we define what is reasonable, what is the risk appetite or tolerance for a company? And once you identify those things, what are the controls and mitigation measures that you're gonna have in place to mitigate those risks? And then what's left is residual risk. And that's a hard decision. How much will you absorb? How much will you transfer, uh, and how much will you just tolerate? Um, but it's really no longer just about compliance, uh, and it's no longer just about having a security or continuity or resilience about all of those things. At a reasonable level. >>Right. It's interesting as pulling up Winnie Naylor from, from Cisco gave one of the early ketos and she talked about, you know, really this security profession, embracing those pesky people that keep clicking on links because really they're the people that can, that have the data around the specific, um, applications and specific assets that the company has to kinda have that informed decision as to what is it worth to protect and do we need to protect it? Do we need to protect them more? Can we let this thing go a little bit? Yeah. I think the human element is the hardest part, you know, in mind at this conference and its theme, that human element. The hardest part about this job is that it's not just mechanical issues on routing issues and networking issues, but it's about dealing with all types of humans, innocent humans that do strange and bad things unknowingly. >>And then malicious people who do very bad things that by design. And so the research suggests that no matter what we do in security awareness training, some 4% of our employee base will continually fail security awareness tests. Well, we fished actively. And so one of the things that we need to do is use automation and intelligence so that you could comb through all of that data and make a better informed decision about what risks you're going to mitigate, right? And for this 4% that are habitually abusing the system and can't be retrained while you can isolate them, right, and make sure that they're, they're separated and they're not able to, uh, to do things that may harm the organization. Right. The other human element is the people on the security teams, right. And it's a tough resource. There aren't enough of them. And, and, and historically, they'd been the ones that, that integration point between all these different systems and it's a highly stressful job. >>You know, there was a Forbes article that said 17% of all CSOs are functional alcoholics. I mean, I mean, and they met as a 17 for 17%. One of every six CSOs medicates himself or herself with alcohol. And medicate is a very specific term of art. It doesn't mean recreational drinking means you are a functional alcoholic and that tells you about the level of stress and complexity. You know, in this job, our research suggests that the average CSO lifespan is somewhere on the low end of about 12 months on the high end, somewhere about 24. You know, in their role or in their profession, their role and their current job, their current gig, they're not lasting more than than two years. Uh, the sheer complexity and stress of the job and you know, and, and those, of course, 24 months, three of those months are just orientation cause that gives you an idea. >>It's a level of stress and complexity that the average CSO is going to face here. Right. So really begs for a lot more automation, a lot more automation on the defense side. It does, it, it makes for a lot more automation. And how do you help those teams cope with a massive levels of complexity and data that's coming out of these digitized and digitally transformed enterprises, right? And when you think about each person's going to generate three to five terabytes of data per person per day, uh, and that computing is going to change in the next three to five years. Right now 85% of computing and data generated comes from traditional it functions as you move into 5g and edge based computing, the vast majority of data generating computing will be done on the edge. So the level of complexity, the number of technologies and devices that we're going to have to monitor is only going to expand, right? >>Right, right. And the speed of those transactions and the speed of the potential harm. So marry that against the research data says that 99% of the attacks could have been mitigated through simple intermediate controls and that the patches, the signatures were readily available. And so the thing to contemplate as we go into this heightened level of complexity and expansion of our computing environment is we're missing the basics today, right? Right. If 99% of the successful attacks are based upon exploits that are known that the signatures are available in the patches available for then a year, what are we going to do when everything else becomes even more complex, more sophisticated. Yeah. That's funny. That was part of, of of raw heats keynote, uh, to kick off the whole thing is he said, you know, we as security professionals like to focus on the complex, we like to focus on the, the ornate and the, and the super sophisticated attacks on the reality is the vast majority and we're just coming right in the normal side door that they've been coming in all along. >>And one thing I decided during my time at the Verizon data breach investigations report was a 77% of all the breaches were not identified by the security team. They were identified by law enforcement. And so 77, 77% of the case. So let's, so let's say you've got a CIS admin that that goes out and accesses financial information before the earnings call and does insider trading. And it's the sec that calls the FBI. And then it's the FBI that calls you and said, by the way, your CIS admin is going to be charged with insider trading. And that's how they know that there's been a compromise out. And in many cases, what does that tell you? Despite $130 billion of network security spend this year alone, that's seven out of 10 data breaches will be identified by law enforcement and not the security team. Yeah. So that tells you that not the security law enforcement team, either it's the FBI or the sec hires the cl service and it just says that security is so complex that until we find ways like the FORNAS security fabric to automate and to manage complexity in an integrated way, you know, that's the, that's the leading edge indicator that I look for is that at what point do security teams identify more data breaches then law enforcement and the victims and they're way behind at this point? >>I think so, unfortunately. Yes. That's crazy. So, um, but there's a lot more AI now that you guys can use to write on the good guys side. But how does that really square the circle when you're saying so many of it just comes through the simple approaches because of lack of visibility. Uh, SOC teams are overwhelmed by the volume of data. And so the way to address the volume and variety and velocity of data is to use artificial intelligence to use a machine to make human decisions and behavior at machine speed. And so when we launched our 40 AI product offering and the virtual security analysts, you know, the research that we did suggest that is he pivoted a five SOC analysts. And so that's one way of helping SOC teams that are overwhelmed by the volume of data that are understaffed, to use artificial intelligence to distill out from all of that, that data, that useful patterns, and to marry that with our Florida guard intelligence, say, okay, this is the techniques, tactics and procedures most likely associated with this threat vector right now, escalate that to a human to make a decision on whether you want to mitigate that. >>And once you decide to mitigate that, use the automated and integrated capabilities of the fabric to make an efficient and effective, uh, mitigation, uh, of that incident. Right? Yeah. Yeah. That's interesting. You bring up the sec case. We had a conversation earlier today where we were talking about deep fakes. Yeah. If somebody had the use case that, you know, what, if you just had a pretty straight forward, deep fake of some executive from some companies saying something to move the market and you drop that into the, uh, into the social stream three minutes before the close on a Friday, you get a play off the off the margin leverage. Nobody gets to really investigate the thing until the four minutes are over. Markets are closed, right? You get a significant financials damage in a situation like that, not even really directly impacting the company system. Right. >>So you're, you're hitting on the fact that we are more interconnected than ever and that the traditional compensating controls that we would have used to mitigate that type of risk is not, not as effective. And so, you know, that's going to be a challenge moving forward. Everything is going to be more interconnected, accelerated and decisions will be driven by data. So it's all of those things will drive complexity. So maybe next year when we talk again, we'll see it and see that. But I'm a little, one of the reasons I'm, you know, I have a credit freeze personally is that I'm aware of things like, like deep fakes, uh, impersonations moving my identities. So having a credit freeze allows, allows me to know that no one can leverage my credit even if they have my data. Right. Interesting. So thanks. Question. We sit down here a year from now, uh, without the benefit of 20, 20 hindsight. >>Yeah. You know, what do you think the themes are going to be? What, what do you see as kind of this kind of short term move in the market based on some of these factors that you've identified? I think, uh, more automation, more uh, artificial intelligence ways of automating the traditional process was insecurity. The secondarily, I think there's going to be the rising awareness of edge based computing and smart systems, autonomous level five vehicles that are networked and rather than a sensory based awareness, smart homes, smart industrial applications, uh, that computing will be done on the edge increasingly and those industrial applications, that 85% of the data computer will be done there. And that increasingly the cloud will become a repository for, for, uh, for storage and correlation. But the actual computing and actuation will be done on the edge. And so as 5g takes hold, you're going to see tremendous transformations in our society and our economy and how we conduct commerce, how we communicate. >>Uh, and that leads some more complexity. That's why, that's why I'm so focused on helping organizations getting security right now before that next onslaught of complexity hits us. It's coming. It is the five G IOT thing is, is just around the corner. The look at the telcos, there is a very specific reason why they're investing literally hundreds of billions of dollars into five G and the tremendous societal and economic changes that that will bring in infrastructure, communications and security will have to stay pace with that. One of the things that we're going to see moving forward is that the digital infrastructure is only successful only as successful as a security is. And I think we'll, we should see a breakdown in the traditional operational silos in network operations and security operations as Michelle Dennett. He said earlier on the air, if you cannot protect, you should not connect. But unfortunately people are still connecting before they're ready to. Absolutely. Well, hopefully there'll be a little bit more circumspect going forward. We'll try Jonathan, thanks for, uh, for taking a few minutes and sharing your perspective. Really appreciate it. Always a fun time. Alright, Jonathan, I'm Jeff. You're watching the cube where at RSA 2020 from downtown San Francisco. Thanks for watching. We'll see you next time.