>> Announcer: Live from Las Vegas. It's the Cube. Covering Knowledge 16. Brought to you by ServiceNow. Here's your host, Dave Vellante. >> Welcome back to Knowledge 16 everybody. This is Dave Vellante. It's our pleasure to have Dr. Robert Gates here, American statesman, scholar, author, and the 22nd U.S. Secretary of Defense, Dr. Gates thanks very much for coming on the Cube. >> My pleasure. >> So we just came over. We had a nice walk over from the CIO event here at Knowledge, you were speaking on leadership. Your book, A Passion for Leadership, which I can not get on Amazon so I have to carry it around with me. It's nice, it comes in handy when we're on the Cube. First question. Are leaders born or are they made? >> I think that they are not necessarily born, but there are certain aspects of leaders, of leadership that I think cannot be taught. If your empathy with other people, character and honor. Courage. Sincerity. A liking for people. A vision. I think these are things that are very personal, you're not necessarily born with them, they develop during the course of your life. But I also believe that they can't be taught in a university. >> Now we were talking on the way over, I mentioned that there's no co-author on this book, you told me you write all the books yourself, do all the research yourself. And you said one of the things you're proud of, I'll let you explain it, there's been no factual, claims of factual error and you do all your own research, is that right? >> Well it's one of the benefits of the IT revolution is access to a lot of databases and things that even a non-technical person like me can use. >> So how much time does it take you to write a book like Passion for Leadership or...? >> I would say that that book probably took about 18 months. Two years. The previous book, Duty, the memoir of my time as Secretary of Defense under Presidents Bush and Obama took longer, but it's got a lot more factual information and a lot more synthesis of information. And this really was more all out of my head in terms of my experiences over 50 years in public service. >> So you've served eight presidents, six of whom had a great sense of humor. Why is it important for leaders to have a sense of humor? >> Well I think a sense of humor reflects balance. It reflects a perspective on the world that is healthy. And people who don't have, well to be specific, as I often joke, I mean the two presidents that as far as I was concerned had no discernible sense of humor were Richard Nixon and Jimmy Carter and I leave people to draw their own conclusions in terms of the outcome for those presidents. >> Now in thinking about some of the concepts that you put forth in your work on leadership, one of the things that struck me is when you came in as the head of the CIA, that was obviously a tumultuous time, the Soviet Union was splitting apart. You're an expert in that field. You had to have intense focus, and the same thing when President W. Bush asked you to come back as Secretary of Defense. The focus was on Iraq so you had intense focus on the Soviet Union in the first example, and Iraq in the second yet you had so many other tasks that you had to do. Help us understand how you balance that need for focus which many of us in the start-up community have to have with all the other tasks that you have to do, how'd you adjudicate? >> Well I said as I write in the book, you have to, sometimes you're faced with a situation where you need to make immediate changes and take immediate steps to deal with a crisis situation that's in front of you. But sometimes, simultaneously, you have to be making decisions about the long-term future. So for example, when I became CIA director in 1991, we were literally five weeks from the collapse of the Soviet Union. So it was not only how do I provide intelligence support for the president in terms of what's going to happen when the Soviet Union collapses, what happens to 40,000 nuclear weapons, will there be famine, will there be riots, et cetera, et cetera. But also the longer term task was how do I reorient the entire American intelligence community away from this singular focus on the Soviet Union that we'd had for 45 years to deal with a world where there many more and different kinds of challenges. So I was dealing with both a short-term crisis and the longer term issue. When I became Secretary of Defense, we were, for all practical purposes, losing two wars. In Iraq and Afghanistan. So my focus entirely as Secretary of Defense was on how do we turn those wars around. The president had made what I thought was a very courageous decision to surge troops into Iraq, so how do I get them there. The decision is one thing. Getting 30,000 troops there with their equipment and getting them into the fight and providing them the support was quite another. And then we also had the war in Afghanistan, so there was a singular focus there and as I write in the book, it was only when President Obama asked me stay on that I then broadened the aperture dramatically in terms of how do we change the way the Department of Defense gets managed and how we manage big weapon systems. How do we ring overhead out of our costs and take the longer term view of repositioning the defense department. >> So when you think back to 1991, you had to make a lot of predictions, you and your colleagues. About what would happen with the Soviet Union. And while I'm sure there was a lot of data, we talk a lot on the Cube about big data and big data analytics. How has data changed the decision making process in government at that level? Or has it? >> I think when it comes to intelligence, data provides you more information about capability. But big data and technology still cannot help you when it comes to intentions. I always liked to say that in the intelligence world, all the information we want to know can be divided into two categories. Secrets and mysteries. And unfortunately the mysteries are the big things. Will the Soviets invade Czechoslovakia? Will they invade Afghanistan? Is China prepared to go to war over the South China Sea? And there is no data that can help you answer those questions. You can, the data can help you identify the capabilities they can bring to the problem. Or to the issue. But in essence, when it comes to figuring out what other leaders will do, sometimes figuring out what our own leaders will do, there is no data that can help you solve that problem. >> I want to change the subject, ask you about term limits. And specifically my question is, do you think corporations should have term limits on their executives? >> I think these kinds of broad rules are a mistake. I think that there may be certain companies where that has value, but on the other hand, you've got leaders, and I write about 'em in the book, who've been leading institutions, whether it's a university or a company for 20 years. And they are still the most restless, the most innovative, the most entrepreneurial people in the company. Even at 75 or 80 years old. So to have some kind of a general rule that says everybody has to leave, I think is a serious mistake. I first joined corporate boards when I was 50 years old. After I retired as CIA director. I thought age limits on boards then were crazy. And I was the youngest person on virtually every board I was on. But I would see somebody forced to rotate off at 70, who at 70 was making a bigger contribution than a lot of members of the board at 50 or 55. So I think these general rules are a mistake. I think it has to be very company-specific and personality-specific. >> Well in the technology industry obviously you have some big names like Dell still around and the other Gates who did quite a good job and so forth. What about at lower levels within the organization. Still senior but what's your philosophy in terms of mixing things up, putting executives in different roles? Giving them a flavor for whatever, running finance or information technology or logistics, et cetera? >> Well let me frame it a different way. I would tell rising military officers that they were not, as Secretary of Defense in my view, they were not competitive for senior command if artillery was all they'd every done. Or if flying helicopters was all they had done. Or supervising people who flew helicopters. I wanted people who had a breadth of experience, who knew different aspects of the defense establishment. So they had a broader perspective of the various challenges that we faced. So I think for someone who is going to aspire to the most senior positions, having some exposure to the other parts of the organization is valuable. By the same token, it seems to me, it doesn't make any sense to take somebody who is a CFO and who has a particular skill and then put them in charge of the production line or something, I don't know, I've never run a private company but it seems to me you have to be pretty careful about that. Of taking somebody who is in a technical specialty and then trying to get them to do something else. But once you rise to a certain level in an organization, if you want to have the big job, it seems to me you have to have a variety of experiences that give you a broader perspective. >> I feel I want to talk a little bit about cybersecurity, you mentioned in the CIO event that you were just at the threat of cyber, I feel like in our industry it's trivial compared to some of the cyber threats that you've had to deal with. But nonetheless, there seems to be the recognition within the executive community that it's not about just keeping people out anymore, it's about recognizing that you have been hacked, you will continue to be hacked, it's about the response. What should be on board of directors' check list, if you will, with regard to cybersecurity? >> Well I think cyber and the risks associated with cyber and IT need to be a regular part of every board's agenda. I think that there is value in having it an integral part of risk management. And so whether you focus specific attention, in the audit committee for example, and then have briefings for the broader board. Probably is up to each company but, there's no question in my mind that when it comes to risk, for most companies today, cyber is right up there with natural disasters and business continuity and so on and needs to be a responsibility in terms of oversight for a board. >> With regard to the board's use it on, do you feel like there's an honest and frank conversation about cyber and has that changed? >> Well I do, I do, I think it's very different, I mean I think people really take it seriously. >> Yeah sometimes I get concerned that this fail equals fire mentality has led a lot of organizations to sandbag the risks, is that a fair criticism? >> Oh, what do you mean by that? >> By essentially say, I've got it covered. The risk of us getting hacked is low, we have it under control. Verus an open and frank conversation of no, we're getting infiltrated, we have to think about the response versus we can't keep the bad guys out, we can try, but... >> Anytime anybody in an organization tells me he's got everything under control, I am automatically skeptical. >> Okay fair enough. I got to ask you, I know we're tight on time, you've been gracious with your time, but I have to ask you about the current tone of the campaigns. Your reaction to that. It's kind of comedic. There's not a lot of comedy. Comedy in the narrative. What's your take as now an independent observer? >> Well I don't think it's funny at all, I think it's very serious, I worry about the fact that there's no real discussion of specific, of the many challenges that we face expect in the broadest possible terms. Foreign policies being discussed in almost primitive terms. And not very intelligently in my view. So in terms of the challenges that the country faces, which are quite extraordinary, it seems to me, the campaigns at this point, across the board politically, seem to me to be pretty superficial. >> So I want to end with coming back to the Passion for Leadership. You know I have to say the brilliant part of this book, don't hate me for this, but you basically laid out a lot of common sense ideas but the brilliance of the book was the way in which you weaved it together and gave examples. If I may, it was listen, respect, reward people, delegate, empower, have fun. Care from your heart. Check your ego at the door. Hire smart people, honesty, integrity. These are very common sense things, but you brought them all together in a way that had meaning, I felt like some of the classics, Dale Carnegie's How to Win Friends and Influence People, I feel like there's a lot of timeless things in here. Was that your objective or did you just write from your heart? >> Well both. It seems to me that as I looked back and realized that I had let these three very large institutions, the American intelligence community, the fifth largest university in the country, and the Department of Defense, that I actually had been able to change a lot. And in environments where people said that was impossible. And so it seemed to me worth sharing here's how I got it done. It can be done, I guess one of the most important messages I wanted to convey was that institutions can be reformed. They can be transformed. And made more efficient and more cost-effective and more user-friendly. And better serve both customers and citizens. At a time when most people just throw up their hands and say this is all impossible. The theme of the book is it's not impossible, it can be done, it has been done, it can be done in the future. >> Dr. Gates, thanks so much for coming on the Cube, taking your time and really appreciate you at this event and really welcome the feedback. >> Thank you very much. Really appreciate it. >> Alright, keep it right there everybody, we'll be back with our wrap right after this. Thanks for watching. >> Service management is helping GE connect...

[Music] okay we're back my name is dave vellante and this is thecube's coverage of aws storage day you know coming off of reinforce i wrote that the cloud was a new layer of defense in fact the first line of defense in a cyber security strategy that brings new thinking and models for protecting data data protection specifically traditionally thought of as backup and recovery it's become a critical adjacency to security and a component of a comprehensive cyber security strategy we're here in our studios outside of boston with two cube alums and we're going to discuss this and other topics wayne dusso is the vice president for aws storage edge and data services and nancy wong as general manager of aws backup and data protection services guys welcome great to see you again thanks for coming on of course always a pleasure dave good to see you dave all right so wayne let's talk about how organizations should be thinking about this term data protection it's an expanding definition isn't it it is an expanded definition dave last year we talked about uh data and the importance of data to companies every company um is becoming a data company uh you know the amount of data they generate uh the amount of data they can use to uh create models to do predictive analytics and frankly uh to find ways of innovating uh is is growing uh rapidly and you know there's this tension between access to all that data right getting the value out of that data and how do you secure that data and so this is something we think about with customers all the time so data durability data protection data resiliency and you know trust in their data if you think about running your organization on your data trust in your data is so important so you know you got to trust where you're putting your data you know people who are putting their data on a platform need to trust that platform will in fact ensure its durability security resiliency and you know we see ourselves uh aws as a partner uh in securing their data making their data they're built durable making their data resilient all right so some of that responsibility is on us some of that is on amazon responsibility around data protection data resiliency and you know um we think about forever you know the notion of um you know compromise of your infrastructure but more and more people think about the compromise of their data as data becomes more valuable in fact data is a company's most valuable asset we've talked about this before only second to their people you know the people who are the most valuable asset but right next to that is their data so really important stuff so nancy you talk to a lot of customers but by the way it always comes back to the data we've been saying this for years haven't we so you've got this expanding definition of data protection you know governance is in there you think about access etc when you talk to customers what are you hearing from them how are they thinking about data protection yeah so a lot of the customers that wayne and i have spoken to often come to us seeking thought leadership about you know how do i solve this data challenge how do i solve this data sprawl challenge but also more importantly tying it back to data protection and data resiliency is how do i make sure that data is secure that it's protected against let's say ransomware events right and continuously protected so there's a lot of mental frameworks that come to mind and a very popular one that comes up in quite a few conversations is in this cyber security framework right and from a data protection perspective it's just as important to protect and recover your data as it is to be able to detect different events or be able to respond to those events right so recently i was just having a conversation with a regulatory body of financial institutions in europe where we're designing a architecture that could help them make their data immutable but also continuously protected so taking a step back that's really where i see aws's role in that we provide a wide breadth of primitives to help customers build secure platforms and scaffolding so that they can focus on building the data protection the data governance controls and guardrails on top of that platform and that's always been aws philosophy make sure that developers have access to those primitives and apis so that they can move fast and essentially build their own if that that's in fact what they want to do and as you're saying when data protection is now this adjacency to cyber security but there's disaster recoveries in there business continuance cyber resilience etc so so maybe you could pick up on that and sort of extend how you see aws helping customers build out those resilient services yeah so you know two uh core pillars to a data protection strategy is around their data durability which is really an infrastructural element you know it's it's it's by and large the responsibility of the provided that infrastructure to make sure that data is durable because if it's not durable and everything else doesn't matter um and the second pillar is really about data resiliency so in terms of security controls and governance like these are really important but these are a shared responsibility like the customers working with us with the services that we provide are there to architect the design it's really human factors and design factors that get them resiliency nancy anything you would add to what wayne just said yeah absolutely so customers tell us that they want always on data resiliency and data durability right so oftentimes in those conversations three common themes come up which is they want a centralized solution they want to be able to transcribe their intent into what they end up doing with their data and number three they want something that's policy driven because once you centralize your policies it's much better and easier to establish control and governance at an organizational level so keeping that in mind with policy as our interface there's two managed aws solutions that i recommend you all check out in terms of data resiliency and data durability those are aws backup which is our centralized solution for managing protection recovery and also provides an audit audit capability of how you protect your data across 15 different aws services as well as on-premises vmware and for customers whose mission-critical data is contained entirely on disk we also offer aws elastic disaster recovery services especially for customers who want to fail over their workloads from on-premises to the cloud so you can essentially centralize as a quick follow-up centralize the policy and as you said the intent but you can support a federated data model because you're building out this massive you know global system but you can take that policy and essentially bring it anywhere on the aws cloud is that right exactly and actually one powerful integration i want to touch upon is that aws backup is natively integrated with aws organizations which is our de facto multi-account federated organization model for how aws services work with customers both in the cloud on the edge at the edge and on premises so that's really important because as we talk about all the time on the cube this notion of a decentralized data architecture data mesh but the problem is how do you ensure governance in a federated model so we're clearly moving in that direction when i want to ask you about cyber as a board level discussion years ago i interviewed dr robert gates you know former defense secretary and he sat on a number of boards and i asked him you know how important and prominent is security at the board level is it really a board level discussion he said absolutely every time we meet we talk about cyber security but not every company at the time this was kind of early last decade was doing that that's changed um now ransomware is front and center hear about it all the time what's aws what's your thinking on cyber as a board level discussion and specifically what are you guys doing around ransomware yeah so you know malware in general ransomware being a particular type of malware um it's a hot topic and it continues to be a hot topic and whether at the board level the c-suite level um i had a chance to listen to uh dr gates a couple months ago and uh it was super motivational um but we think about ransomware in the same way that our customers do right because all of us are subject to an incident nobody is uh uh immune to a ransomware incident so we think very much the same way and as nancy said along the lines of the nist framework we really think about you know how do customers identify their critical access how do they plan for protecting those assets right how do they make sure that they are in fact protected and if they do detect a ransomware event and ransomware events come from a lot of different places like there's not one signature there's not one thumb print if you would for ransomware so it's it's there's really a lot of vigilance uh that needs to be put in place but a lot of planning that needs to be put in place and once that's detected and a we have to recover you know we know that we have to take an action and recover having that plan in place making sure that your assets are fully protected and can be restored as you know ransomware is a insidious uh type of malware you know it sits in your system for a long time it figures out what's going on including your backup policies your protection policies and figures out how to get around those with some of the things that nancy talked about in terms of air gapping your capabilities being able to if you would scan your secondary your backup storage for malware knowing that it's a good copy and then being able to restore from that known good copy in the event of an incident is critical so we think about this for ourselves in the same way that we think about these for our customers you've got to have a great plan you've got to have great protection and you've got to be ready to restore in the case of an incident and we want to make sure we provide all the capabilities to do that yeah so i'm glad you mentioned air gapping so at the recent reinforce i think it was kurt kufeld was speaking about ransomware and he didn't specifically mention air gapping i had to leave so i might i might have missed it because i'm doing the cube but that's a that's a key aspect i'm sure there were things in the on the deep dives that addressed air gapping but nancy look aws has the skills it has the resources you know necessary to apply all these best practices and you know share those as customers but but what specific investments is aws making to make the cso's life easier maybe you could talk about that sure so following on to your point about the reinforced keynote dave right cj moses talked about how the events of a ransomware for example incident or event can take place right on stage where you go from detect to respond and to recover and specifically on the recover piece he mentioned aws backup the managed service that protects across 15 different aws services as well as on-premises vmware as automated recovery and that's in part why we've decided to continue that investment and deliver aws backup audit manager which helps customers actually prove their posture against how their protection policies are actually mapping back to their organizational controls based on for example how they tag their data for mission criticality or how sensitive that data is right and so turning to best practices especially for ransomware events since this is very top of mind for a lot of customers these days is i will always try to encourage customers to go through game day simulations for example identifying which are those most critical applications in their environment that they need up and running for their business to function properly for example and actually going through the recovery plan and making sure that their staff is well trained or that they're able to go through for example a security orchestration automation recovery solution to make sure that all of their mission critical applications are back up and running in case of a ransomware event yeah so i love the game date thing i mean we know well just in the history of it you couldn't even test things like disaster recovery be right because it was too dangerous with the cloud you can test these things safely and actually plan out develop a blueprint test your blueprint i love the the game day analogy yeah and actually one thing i love to add is you know we talked about air gapping i just want to kind of tie up that statement is you know one thing that's really interesting about the way that the aws cloud is architected is the identity access and management platform actually allows us to create identity constructs that air gap your data perimeter so that way when attackers for example are able to gain a foothold in your environment you're still able to air gap your most mission critical and also crown jewels from being infiltrated that's key yeah we've learned you know when paying the ransom is not a good strategy right because most of the time many times you don't even get your data back okay so we we're kind of data geeks here we love data um and we're passionate about it on the cube aws and you guys specifically are passionate about it so what excites you wayne you start and then nancy you bring us home what excites you about data and data protection and why you know we are data nerds uh so at the end of the day um you know there's there's expressions we use all the time but data is such a rich asset for all of us some of the greatest innovations that come out of aws comes out of our analysis of our own data like we collect a lot of data on our operations and some of our most critical features for our customers come out of our analysis that data so we are data nerds and we understand how businesses uh view their data because we view our data the same way so you know dave security really started in the data center it started with the enterprises and if we think about security often we talk about securing compute and securing network and you know if you if you secured your compute you secured your data generally but we've separated data from compute so that people can get the value from their data no matter how they want to use it and in doing that we have to make sure that their data is durable and it's resilient to any sort of incident event so this is really really important to us and what do i get excited about um you know again thinking back to this framework i know that we as thought leaders alongside our customers who also thought leaders in their space can provide them with the capabilities they need to protect their data to secure their data to make sure it's compliant and always always always durable you know it's funny you'd say it's not funny it's serious actually steven schmidt uh at reinforce he's the the chief security officer at amazon used to be the c c iso of aws he said that amazon sees quadrillions of data points a month that's 15 zeros okay so that's a lot of data nancy bring us home what's what excites you about data and data protection yeah so specifically and this is actually drawing from conversations that i had with multiple isv partners at aws reinforce is the ability to derive value from secondary data right because traditionally organizations have really seen that as a cost center right you're producing secondary data because most likely you're creating backups of your mission critical workloads but what if you're able to run analytics and insights and derive insights from that secondary data right then you're actually able to let aws do the undifferentiated heavy lifting of analyzing that secondary data as state so that way you as customers or isv partners can build value on the security layers above and that is how we see turning cost into value i love it you're taking the original premise of the cloud taking away the undifferentiated heavy lifting for you know deploying compute storage and networking now bringing up to the data level the analytics level so it continues the cloud continues to expand thank you for watching thecube's coverage of aws storage day 2022