>>Around the globe presenting accelerating automation with Deb brought to you by Cisco >>We're back. This is Dave Vellante and TKK Anini is here. He's a distinguished engineer at Cisco TK, my friend. Good to see you again. >>How are you? >>Good. I mean, you and I were in Barcelona in January and, you know, we knew we saw this thing coming, but we didn't see it coming this way. Did we? >>No, that no one did, but yeah, it, uh, that was right before everything happened. >>Well, it's weird. Right? I mean, we were, you know, we, we, it was in the back of our minds in January, we sort of had Barcelona's hasn't really been hit yet. It looked like it was really isolated in China, but, uh, but wow, what a change and I guess, I guess I'd say I'd start with the, we're seeing really a secular change in, in your space and security identity, access management, cloud security, endpoint security. I mean, all of a sudden these things have exploded as the work from home pivot has occurred. Uh, and, and it feels like these changes are permanent or semi-permanent what are you seeing out there? >>Yeah, I don't, I don't think anybody thinks the world's going to go back the way it was. Um, to some degree it's, it's changed forever. Um, you know, I, I, I do a lot of my work remotely. Um, and, and so, you know, being a remote worker, isn't such a big deal for me, but for some, it was a huge impact. And like I said, you know, um, remote work, remote education, you know, everybody's on the opposite side of a computer. And so the digital infrastructure has just become a lot more important to protect. And the integrity of it essentially is almost our own integrity these days. >>Yeah. And when you see that, you know, that work from home pivot, I mean, you know, our estimates are, are along with our partner DTR about 16% of the workforce was at home working from home prior to COVID and now it's, you know, North of 70% plus, and that's going to come down maybe a little bit over the next, next six months. We'll see what happens with the fall surge, but what people essentially accept, expect that to, you know, at least double that 16%, you know, going forward indefinitely. So what does that, what kind of pressure does that put on the security infrastructure and how, how organizations are approaching security? >>Yeah, I just think, uh, from a mindset standpoint, you know, what was optional, uh, maybe, um, last year, uh, is no longer optional and I don't think it's going to go back. Um, I think, I think a lot of people, uh, have changed the way, you know, they live and the way they work. Um, and they're doing it in ways, hopefully that, you know, in some cases, uh, yield more productivity, um, again, um, you know, usually with technology that's severely effective, it doesn't pick sides. So the security slant to it is it frankly works just as well for the bad guys. And so that's, that's the balance we need to keep, which is we need to be extra diligent, uh, on how we go about securing infrastructure, uh, how we go about securing even our social channels, because remember all our social channels now are digital. So that's, that's become the new norm. >>No, you've helped me understand over the years. I remember a line you shared with me in the cube one time is that the adversary is highly capable, is sort of the phrase that you used. And, and essentially the way you describe it, as you know, your job as a security practitioner is to decrease their, the bad guy's return on investment, you know, increase their costs, increase the numerator. But as, as work shifts from home, I'm in my house, you know, my wifi in my, you know, router with my dog's name is the password. You know, it's much, much harder for me to, to increase that denominator at home. So can you help? >>Yeah. I mean, it's, it is, it is truly, um, when you think, when you get into the mind of the adversary and, and, uh, you know, the cyber crime out there, they're honestly just like any other business they're trying to, you know, operate with high margin. And so if you can get there, if you can get in there and erode their margin, they'll frankly go find something else to do. Um, and, and again, you know, you know, the shift we experience day to day is it's not just our kids are online in school and, uh, our work is online, but all the groceries we order, um, you know, this Thanksgiving and holiday season, uh, a lot more online shopping is going to take place. So, you know, everything's gone digital. And so the question is, you know, how, how do we up our game there so that, um, we can go about our business, uh, effectively and make it very expensive for the adversary to operate, uh, and take care of their business. Cause it's nasty stuff. >>I want to ask you about automation, you know, generally, and then specifically how it applies to security. So we, I mean, we certainly saw the ascendancy of the hyperscalers and of course they really attacked the it labor problem. We learned a lot from that and an it organizations have applied much of that thinking. And the it's critical at scale. I mean, you just can't scale humans at the pace, the technology scales today, how does that apply to security and specifically, how is automation affecting a security? >>Yeah, it's, it's, it's the topic these days. Um, you know, businesses, I think, realize that they can't continue to grow at human scale. And so the reason why automation and things like AI and machine learning have a lot of value is because everyone's trying to expand, uh, and operate at machine scale. Now, I mean that for, for businesses, I mean that for, you know, education and everything else now, so are the adversaries, right? So it's expensive for them to operate at Cuban scale and they are going to machine scale, going to machine scale, uh, a necessity is that you're going to have to harness some level of automation, have the machines, uh, work on your behalf, have the machines carry your intent. Um, and when you do that, um, you can do it safely or you could do it dangerously. And that that's really kind of your choice. Um, you know, just because you can automate something doesn't mean you should, um, you, you wanna make sure that frankly, the adversary can't get in there and use that automation on their behalf. So it's, it's a tricky thing because, you know, if when you take the phrase, you know, uh, how do we, how do we automate security? Well, you actually have to take care of, of securing the automation first. >>Yeah. We talked about this in Barcelona, where you were explaining that, you know, the, the bad guys, the adversaries are essentially, you know, weaponizing using your own tooling, which makes them appear safe because it's, they're hiding in plain sight, right? >>Yeah. Well, there's, they're clever, uh, giving them that, um, you know, there's this phrase that they, they always talk about called living off the land. Um, there's no sense in them coming into your network and bringing their tools and, uh, and being detective, you know, if they can use the tools that's already there, then they have, uh, a higher degree of, of evading, uh, your protection. If they can pose as Alice or Bob, who's already been credentialed and move around your network, then they're moving around the network as Alice or Bob. They're not marked as the adversary. So again, you know, having the detection methods available to find their behavioral anomalies and things like that become a paramount, but it also you having the automation to contain them, to eradicate them, to, you know, minimize their effectiveness, um, without it, I mean, ideally without human interaction, cause you, you just, can you move faster, you move quicker. Um, and I see that with an asterisk because, um, if done wrong, frankly, um, you're just making their job more effective. >>I wonder if we could talk about the market a little bit, uh, it's I'm in the security space, cybersecurity 80 plus billion, which by the way, is just a little infant testable component of our GDP. So we're not spending nearly enough to protect that, that massive, uh, GDP, but guys, I wonder if you could bring up the chart because when you talk to CSOs and you ask them, what's your, what's your biggest challenge? They'll say lack of talent. And, and so what this chart shows is from ETR, our, our, our survey partner and on the vertical axis is net score. And that's an indication of spending momentum on the horizontal axis is market share, which is a measure of presence, a pervasiveness, if you will, inside the data sets. And so there's a couple of key points here. I wanted to put forth to our audience and then get your reactions. >>So you can see Cisco, I highlighted in red Cisco's business and security is very, very strong. We see it every quarter. It's a growth area that Chuck Robbins talks about on the, on the conference call. And so you can see on the horizontal axis, you've got a big presence in the data set. I mean, Microsoft is out there, but they're everywhere, but you're right there, uh, in that, in that dataset. And then you've got for such a large presence, you've got a lot of momentum in the marketplace, so that's very impressive. But the other point here is you've got this huge buffet of options. There's just a zillion vendors here. And that just adds to the complexity. This is of course only a subset of what's in the security space. You know, the people who answered for the survey. So my question is how can Cisco help simplify this picture? Is it automation? Is it, you know, you guys have done some really interesting tuck in acquisitions and you're bringing that integration together. Can you talk about that a little bit? >>Yeah. I mean, that's an impressive chart. I mean, when you look to the left there it's, um, I had a customer tell me once that, you know, I, I came to this trade show looking for transportation and these people are trying to sell me car parts. Um, that's the frustration customers have, you know, and I think what Cisco has done really well is to really focus on outcomes. Um, what is the customer outcome? Cause ultimately that's, that is what the customer wants. You know, there might be a few steps to get to that outcome, but the closest you can closer, you can get to delivering outcomes for the customer, the better you are. And I think, I think security in general has just year over year been just written with, um, you need to be an expert. Um, you need to buy all these parts and put it together yourself. And I think, I think those days are behind us, but particularly as, as security becomes more pervasive and we're, you know, we're selling to the business, we're not selling to the, you know, t-shirt wearing hacker anymore. >>Yeah. So, well, well, how does cloud fit in here? Because I think there's a lot of misconceptions about cloud people that God put my data in the cloud I'm safe, but you know, of course we know it's a shared responsibility model. So I'm interested in your, your thoughts on that. Is it really, is it a sense of complacency? A lot of the cloud vendors, by the way, say, Oh, the state of security is great in the cloud. Whereas many of us out there saying, wow, it's, it's not so great. Uh, so what, what are your thoughts on that, that whole narrative and what Cisco's play in cloud? >>I think cloud, um, when you look at the services that are delivered via the cloud, you see that exact pattern, which is you see customers paying for the outcome or as close to the outcome as possible. Um, you know, no data center required, no distract required, you just get storage, you know, it's, it's, it's all of those things that are again, closer to the outcome. I think the thing that interests me about cloud two is it's really been, it's really punctuated the way we go about building systems. Um, again at machine scale. So, you know, before, when I write code and I think about, Oh, what computers are gonna run on or, you know, what servers are going to is you're going to run on those. Those thoughts never crossed my mind anymore. You know, I'm modeling the intent of what the service should do and the machines then figure it out. So, you know, for instance, on Tuesday, if the entire internet shows up, uh, the, the system works without fail. And if on Wednesday, if only North America shows up, you know, so, but, but, but there's no way you could staff that, right. There's just no human scale approach that gets you there. And that's, that's the beauty of all of this cloud stuff is, um, it really is, uh, the next level of how we do computer science. >>So you're talking about infrastructure as code and that applies to security as code. That's what, you know, dev net is really all about. I've said many times, I think Cisco of the, the large established enterprise companies is one of the few, if not the only, that really has figured out, you know, that developer angle, because it's practical, you're not trying to force your way into developers, but, you know, I wonder if you could, you could talk a little bit about that trend and where you see it going. >>Yeah, no, that is, that is truly the trend. Every time I walk into dev net, um, the big halls at Cisco live, it is Cisco as code. Um, everything about Cisco is being presented through an API. It is automation ready. And, and frankly, that is, um, that is the, the love language of cloud. Um, it's, it's machines, it's the machines talking to machines in very effective ways. So, uh, you know, it is the, the, uh, I think, I think necessary, maybe not sufficient but necessary for, um, you know, doing all the machine scale stuff. What what's also necessary, uh, is to, um, to secure if infrastructure is code therefore, um, what, what secure, uh, what security methodologies do we have today that we use to secure code? While we, we have automated testing, we have threat modeling, right? Those things actually have to be now applied to infrastructure. So then when I, when I talk about how do you do, uh, automation securely, you do it the same way you secure your code, you test it, you, you threaten model, you, you, you say, you know, can my adversary, uh, exhibit something here that drives the automation in a way that I didn't intend it to go. Um, so all of those practices apply. It's just, everything is code these days. >>I've often said that security and privacy are sort of two sides of the same coin. And I want to ask you a question and it's really, you know, to me, it's not necessarily Cisco and company like companies like Cisco's responsibility, but I wonder if there's a way in which you can help. And of course, there's this Netflix documentary circling around the social dilemma. I don't know if you have a chance to see it, but basically dramatizes the way in which companies are appropriating our data to sell us ads and, you know, creating our own little set of facts, et cetera. And that comes down to sort of how we think about privacy and admin. It's good from the standpoint of awareness, you know, you may or may not care if you're a social media user. I love tick-tock, I don't care, but, but, but they, they sort of laid out. This is pretty scary scenario with a lot of the inventors of those technologies. You have any thoughts on that and you'll consist go play a role there in terms of protecting our privacy. I mean, beyond GDPR and California, consumer privacy act, um, what do you think? >>Yeah. Um, uh, I'll give you my, you know, my humble opinion is you, you fix social problems with social tools, you fixed technology problems with technology tools. Um, I think there is a social problem, um, uh, that needs to be rectified the, you know, um, we, we, weren't built as human beings to live and interact with an environment that agrees with us all the time. It's just pretty wrong. So yeah, that, that, that, um, that series that really kind of wake up a lot of people it is, is, you know, it's probably every day I hear somebody asked me if I saw it. Um, but I do think it also, you know, with that level of awareness, I think we, we overcome it or we compensate by what number one, just being aware that it's happening. Um, number two, you know, how you go about solving it, I think maybe come down to an individual or even a community's, um, solution and what might be right for one community might be, you know, not the same for the other. So you have to be respectful in that manner. >>Yeah. So it's, it's, it's almost, I think if I could, you know, play back, what I heard is, is yeah. Technology, you know, maybe got us into this problem, but technology alone is not going to get us out of the problem. It's not like some magic AI bot is going to solve this. It's got to be, you know, society has to really, really take this on as your, your premise. >>When I, when I first started, um, playing online games, I'm going back to the text based adventure stuff, like muds and moves. I did a talk at, at MIT one time and, um, this old curmudgeon in the back of the room, um, we were talking about democracy and we were talking about, you know, the social processes that we had modeled in our game and this and that. And this guy just gave us the SmackDown. He basically walked up to the front of the room and said, you know, all you techies, you judge efficiency by how long it takes. He says, democracy is a completely the opposite, which is you need to sleep on it. In fact, you shouldn't be scared if somebody can decide in a minute, what is good for the community? It is two weeks later, they probably have a better idea of what's good for the community. So it almost has the opposite dynamic. And that was super interesting to me. >>That's really interesting, you know, you read the, like the, the Lincoln historians and he was criticized in the day for having taken so long, you know, to make certain decisions, but, you know, ultimately when he acted acted with, with confidence. Um, so to that point, but, um, so what, what else are you working on these days that, uh, that are, that is interesting that maybe you want to share with our audience? Anything that's really super exciting for you or you, >>Yeah. You know, generally speaking, I'm trying to try and make it a little harder for the bad guys to operate. I guess that's a general theme making it simpler for the common person to use, uh, tools. Um, again, you know, it, all of these security tools, no matter how fancy it is, it's not that we're losing the complexity, it's that we're moving the complexity away from the user so that they can thrive at human scale. And we can do things at machine scale and kind of working those two together is, is sort of the, the magic recipe is, is not easy, but, um, but it is, it is fun. So that's, that's what keeps me engaged. I'm definitely >>Seeing, I wonder if you see it as just sort of a, obviously a heightened organization awareness, but I'm also seeing shifts in the organizational structures. You know, the, you know, it used to be a sec ops team and an Island. Okay, it's your problem? You know, the, the, the CSO cannot report into the, to the CIO because that's like the Fox in the hen house, a lot of those structures are, are, are changing. It seems, and be becoming this responsibility is coming much more ubiquitous across the organization. What are you seeing there and what are you? >>Yeah, no, and it's so familiar to me because, you know, um, I started out as a musician. So, you know, bands bands are a great analogy. You know, you play bass, I big guitar. You know, somebody else plays drums, everybody knows their role and you create something that's larger than, you know, the sum of all parts. And so that, that analogy I think, is coming to, you know, we, we saw it sort of with dev ops where, you know, the developer, doesn't just throw their coat over the wall and it's somebody else's problem. They move together as a band. And, and that's what I think, um, organizations are seeing is that, you know, why, why stop there? Why not include marketing? Why not include sales? Why don't we move together as a business? Not just here's the product and here's the rest of the business. That's, that's, that's pretty awesome. Um, I think, uh, we see a lot of those patterns, uh, particularly for the highly high performance businesses. >>You know, in fact, it's interesting you for great analogy, by the way. And you actually see in that within Cisco, you're seeing sort of a, and I know sometimes you guys don't like to talk about the plumbing, but I think it matters. I mean, you've got a leadership structure now. I I've talked to many of them. They seem to really be more focused on how they're connect, connecting, you know, across organizations. And it's increasingly critical in this world of, you know, of silo busters, isn't it? >>Yeah, no, I mean, you almost, as, as you move further and further away, you know, you can see how ridiculous it was before it would be like acquiring a band and say, okay, all your guitar players go over here. All your bass Blair is over there. I'm like what happened to the band? So that's, that's what I'm talking about is, you know, moving all of those disciplines, moving together, um, and servicing the same backlog and, and, and achieving the same successes together is just so awesome. >>Well, I always, I always feel better after talking to you. You know, I remember I remember art. Coviello used to put out his, his letter every year and I was reading. I'd get depressed. We spend all this money now we're less secure. But when I talked to you TK, I feel like much more optimistic. So I really appreciate the time you spend on the cube. It's, it's awesome to have you as a guest. >>I love these, I love >>Things. Thanks for inviting me and I miss you. I, you know, hopefully, you know, next year we can get together at some of the Cisco shows or other shows, but be well and stay weird. Uh, like the sign says to get Kenny, thanks so much for coming to the queue. We, uh, we really appreciate it. And thank you for watching everybody. This is Dave Volante. We break back with our next guest, this short break.