>>Brought to you by Amazon Web Services and its ecosystem partners.
(smooth music)
>>Okay, welcome back everyone. This is theCUBE’s live coverage in Boston, Massachusetts. I’m John Furrier with Dave Vellante at AWS, Amazon Web Services’ inaugural conference called re:Inforce. This is the first conference that Amazon Web Services is putting on around security, and we’ve got a great guest, we’ve got CISO, Brian Lozata, CISO for Dataminr, also on the advisory board for Twistlock, which was recently purchased by, well, intent to purchase by Palo Alto Networks, really cracked the code on DevSecOps, scaling up. Great to have you on, thanks for coming on.
>>No, thanks for the opportunity.
>>Love getting down and dirty and talking to CISOs, because you know, besides the, you know, which regime controls security, which is always evolving, a lot of the state-of-the-art activity going on in the security sector. Clearly the path of catching up to the DevOps Agility has been the big focus.
>>It absolutely has. As innovation has been, you know, really pushed forward with cloud I think security’s had to catch up and really start pushing towards innovation, looking at ways that we could be disruptive in the space with solving these problems that, look, CISOs, we’ve been facing this for 20 years and we’re putting old technology at the same problem trying to fix it. Now that there’s new services, you know, new emerging technology with cloud, we should be taking advantage of that and innovating ourselves in the security–
>>Brian, what’s the most important story that should be told, or is being told, or isn’t being told that needs to be told and covered by the media when it comes to the security industry, what’s your view on this?
>>The lack of talent, I mean, we’re starving for talent. Cyber security’s the only field in the world with negative unemployment. We just don’t have the actual bodies to actually fill the gaps that we have, and in that lack of talent CISOs are starving. We’re looking for the right things that, or tools to actually patch these holes and we just don’t have it. Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their programs.
>>It’s a multidimensional challenge. I want to just get your thoughts on it. I mean, what pops into my head when you say that, I think “Oh, entrepreneurial.” I’m an entrepreneur, it’s like, “Oh, I can start a company.” So, one, build something.
>>Yeah.
>>Build a tool, or work for a company, be talent within an enterprise, and then three, you know, be part of that, you know, game changing ecosystem community and do something.
>>Yeah, how about all three, right? You could do all three, right? Like, I think security can’t be thought of as that arm to go check things anymore. I think security needs to be thought of that arm that pushes innovation forward and helps the business, you know, move forward. We need to be business enablers, and the only way we’re going to do it is by building something, like by shortening up the time to actually get code out there or get products out there.
>>So, I want to dig into some of the Dataminr stuff we were just chatting before we came on camera, but I do want to dig into Twistlock because I think, you know, you’ve been an advisor, you’ve seen that journey from day one, from seed financing to now where they’re, you know, exiting to a large company. The success has been, very short period of time, only a couple years, five years or so, magic happens, it’s a good thing. What happened, what’s the story there? (chuckles) I mean, what’s–
>>They found.
>>Why so successful?
>>Well, they found the gap. They found the gap that everybody’s facing is the lack of talent to actually solve all of these issues with automation, and they helped fill that gap and fill it pretty quickly, right? So, I think it went from selling to taking orders very quickly because they actually helped solve a lot of, give visibility and put more security into actual the, you know, cloud-based platforms, and it helps companies modernize their tech stack quickly, right? That’s what we’re all about is pushing things out quickly, and to do it with security in mind.
>>If you look at a typical budget pie in IT it’s usually about two-thirds people. You know, one-third, you know, hardware, software services. Is it the same in your world, or is it different?
>>Depends on the industry and it depends on the company. Some companies don’t put security as that much of a focus, so sometimes you are trying to get those dollars to actually fund your program, others it just depends on the risk, right, how the company’s–
>>Well, if it’s financial services they’ll throw it in, no problem.
>>Oh, they’ll throw, you know, financial services will totally, totally do it, but if it’s an industry or a company that hasn’t had security in there and you’re evangelizing security, hey, the first six, eight months you’re going to be struggling for that budget. You’re going to have to, you know, have that articulation that you, you know, speak on technical risk into business risk so you can fund your program, right? That’s why the most important talent or skill that a security professional needs is communication skills. If you can’t articulate technical risk into a business risk to fund your program, it’s, you know, it’s very hard for you to actually be successful in security.
>>So, you speak wallet and geek, is that what…
>>You have to. (chuckles) I think, yeah, (laughs) I think wallet and geek is definitely, it’s a required skill in this space, probably more and more than others, right? The other thing is security, you can actually see how it equates to dollars, too, right?
>>So, to whom are you speaking wallet, line of business, CEO, C-suite, CFO?
>>I think it’s definitely going to be up to C-suite. I think in more mature organizations you’re going to get to the product line. You’re going to get, you know, security into that product aspect, so as products are starting to be developed, those product managers and that product line can start funding their own security within that product development, right, and you need to have that communication style so that you can push that initiative through that product line. So, maturity-wise you’ll get there, but I think initially it has to start at that C-suite at the board level.
>>And how does that conversation start and what’s the flow like, what’s the key message that you’re getting across?
>>You have to talk about risk to that product line. Where’s the risk that you can articulate to them and say if this product is impacted in this way, this is the damage to the brand, you know, financial, or financial damage. Once they see that and they can absolutely put dollars next to it, it’ll absolutely help them fund that program when it comes to security.
>>And you spend time quantifying that?
>>You have to.
>>Is that right?
>>Yeah, you absolutely have to. Everything nowadays needs to be quantified so you can put the appropriate amount of resources towards it, both in human capital and financial, right?
>>How do you make that argument credible? Is it based on experience, you pull in different data sources from lines of business?
>>It’s different data sources. You’ve definitely got to leverage your experience, but it’s looking at data lifecycle, where that data’s being stored, processed, transmitted, the risk to losing it, and then quantify that type of data. There’s different levels of sensitivity to data, right? Certain data, like you take a hit on your website, just the brochure site versus transactional data, different risk levels, different, you know, different impact to the brand, to the company.
>>So, you’re taking a portfolio view–
>>Absolutely.
>>Weighing different values.
>>Totally, you have to.
>>And helping people understand where to put their bill.
>>Yep.
>>So, the CISO, the CIO, they care about production, what’s in production, also on the DevOps ethos you’ve got Agility, you’ve got hackathons, so you have the kind of the cultural shift, so how do they mitigate the risk, from your standpoint how do you view this, and what do other CISOs think, because you want to foster that creativity to get that incubating going for new ideas, hackathons for instance, great tactic in the DevOps community. We’re seeing that now happen in security–
>>Totally.
>>Where the people who are close to the action are getting involved in a very DevOps way, but they’re kind of not getting sanctioned clearance from the boss, but that’s the production side, so again, Ops, different. How is that migration or transition between I’ve got a hackathon, this feature that if we roll this out this could really help us with our visibility into threats or better quality alerts. I’m just making that up, but you see where innovation’s going to come from, at the same time dealing with all the other pillars of the compliance, and audit, and security, and blah, blah, blah, all that stuff that’s in production. How do CISOs deal with this?
>>So, it’s taking a view, look, a risk-based approach to that entire lifecycle and seeing where is the biggest risk, and then to fix that risk where the gap is and to get into that innovation piece. At my previous company we developed what’s called security as code. We had a big gap that we were finding a lot of issues out there with our environment that we were finding three and four days after they were actually rolled out, so we were able to take advantage of AWS services so that we could actually get visibility live, and then we did it, we actually remediated the issues with Lambda functions, right? That was innovation, we were able to do it. Now, convincing DevOps to put it into production, that took some time as well, but it was that partnership and showing them we’re not going to be bothering you.
>>Ballpark timeframe–
>>Yep.
>>Ballpark a timeframe to invention, innovation to selling it through to production, ballpark?
>>Maybe a month.
>>What’s the difference between infrastructure as code and security as code?
>>So, infrastructure as code is you’re putting out the environment, you’re creating that VPC, you’re setting up the routes. Security as code, what we’re calling security as code is that it finds an issue with that environment and it automatically fixes it with a Lambda function or something like that, right? So, it could find the vulnerability, it knows what the fix is, and it automatically goes and fixes it. That’s the benefit of cloud, immutable technology. You can fix things pretty quickly.
>>Yeah.
>>Well, let’s, now that we have that ability, let’s innovate on security so that we do do those fixes instead of waiting days for it to come back.
>>And the secret sauce for that comes from what?
>>Developing–
>>Homegrown math, doing.
>>Homegrown, homegrown.
>>No problem.
>>You have, like the, I think cloud has allowed emerging technology and security to get back into being innovative and not just coming in to protect or to have visibility. Like security engineers are now saying, “Now we can create,” right? AWS has that, the logo, what is their motto, “Build on,” right, well that should apply to security practitioners as well. We should be building just as quickly as developers.
>>And by the way, the old model was hire a firm to come in, buy a product.
>>Totally, yes.
>>Now you’re saying is let’s code up some security.
>>Let’s do it ourselves.
>>Because the practitioners are close to the action–
>>Absolutely.
>>They have the innovative device, doesn’t take a lot of time to whip something up, find the discovery…
>>And do it. And the other thing is we spent years buying tools, buying tools, buying tools. Tools were built to solve one use case. Who knows better their environment than CISOs that are working in it, right? So, let’s build tools that our customers–
>>It’s like a tool shed, open up the doors, like “I bought that 10 years ago. We’re still amortizing that.” It’s like there’s too many tools.
>>Too many tools, so let’s build what’s appropriate for the environment based on our knowledge, right, of working in it.
>>Describe a great day for a security practitioner.
>>(chuckles) A great day is that I don’t get called at two in the morning, right? I think every day is a great day in security, and I’m going to tell you why, because it’s growing so quickly I think organizations are starting to realize the value of security, that security is a value prop to a customer or to a client. They like to see security being baked into the products, so I think it is good for security to see it grow. I love to see that AWS has now invested in re:Inforce. I think it was about time. I had been going to re:Invent for, I don’t know, maybe four or five years now, and I saw that grow and it was absolutely time for this, so–
>>It’s interesting–
>>It’s good.
>>You hear the chatter, you hear the chatter also around security not, not just being not being a call center and being strategic, which clearly it is, because one breach and you go out of business, that’s a business model problem. But as a revenue generator, seeing a trend now–
>>Totally.
>>Of people who are building in-house because they have their own problems are taking the Amazon playbook. Do it for yourself first and then expose that out as a service–
>>Totally.
>>With Marketplace. Dave McCann’s kicking butt over there. He’s got services, so the idea is that if people have a good foundation you’re just buying services.
>>Totally.
>>Not tools.
>>Yep, and investing in and buying services, not tools, and then pushing those, your resources and your talent to actually be creative and innovative, and be just as hungry when they see new services come out. I love when developers come up to us and say, “There’s this new service that’s going to launch tomorrow, AWS is.” Can I mess around with it? Can I throw, like I like to see that because then we can get insight into it and say yes, right? Fear is a greater threat to progress than hardship. I don’t want my developers to have fear. I want them to feel, “Security team’s got my back.” The platform has the–
>>Yeah.
>>ability to visualize it, so let’s move forward with that.
>>So, let’s talk about fear, uncertainty, and doubt, AKA known as FUD.
>>FUD, yeah.
>>All right. So, it used to be that the suppliers would put FUD onto the customer saying, “No, don’t buy that other product.” You could, you know, use that fear. It’s now flipping around with CISOs, you know, the way we’re hearing that one of the mandates is to get the supplier account from hundreds to single or double digits, and so the fear is being pushed back out, saying if you don’t have this kind of stack integration, this kind of API support, you’re not going to be a vendor.
>>Yeah.
>>This is shifting.
>>You agree?
>>1000% agree. I think we needed to, like we should not have taken our tempo for so many years from vendors. They were dictating our programs at that particular point. Now we can take control of our program, saying we don’t want to partner with you if you don’t integrate with the way we’ve built our program, that we know our environment, right? So, I think we’re taking a little bit more control of our destiny and our platforms versus just taking the tempo from vendors.
>>And the key here is having that platform built–
>>Absolutely.
>>To start thinking through the critical thinking around tech stack, purpose, and this is their shift, this is what, and some families aren’t there yet. They, because they have to build it up.
>>They have to build it up, and–
>>How long does it take to do that?
>>The most important thing to build that up, talent. Look, you’re only as good as the talent you have. If you don’t have the talent to build that platform up you’re going to be stuck in that vendor loop forever. I mean–
>>Had a CISO saying to me privately, “Love multi-cloud, love the vision, but honestly I’m not investing in Diamond multi-cloud until I get my team on one cloud, and I’ll use secondary clouds for, you know, either rollover, backup, or some other point feature, or inherited workload through an M&A or other project. No big deals, shadow IT, but in terms of my talent I don’t want to have three different teams. I want one team to build the stack and continue to think about automation, then we’ll get to multi-cloud when it’s ready.” Your thoughts to that.
>>I 1000% agree. I think that we need to get one cloud right first before we start thinking about putting our talent, our limited talent resources, again, everybody’s starving for talent, into investigating and remediating other cloud issues. I think you definitely have to get one thing right first before moving over. I do think, though, that the time’s going to come where there’s going to be a lot of companies doing, you know, production workloads in multiple clouds. I, you know, I’m actually eager to see that day, and see it publicly and see how it’s being managed, right?
>>Well, the one who cracks that nut is going to win a big lottery ticket.
>>Oh, totally, totally.
>>Metrics. I want to quickly defrost on metrics. Metrics is something that if you, if you, if you serve the metrics master too hard you could actually miss out on what your real purpose is. The joke I heard was that you could turn into Chernobyl, like that movie that’s on Netflix, or Prime, I forget which show. Oh, it’s on HBO actually, it’s an HBO series where they were pressing buttons. They had no idea what was going on with the reactor, it blew up, and the rest is history. That’s the metrics problem and challenge, isn’t it? What are your thoughts on metrics?
>>I agree, I’m not a fan of metrics. I don’t think security programs should be either built or measured against metrics. I don’t think metrics really provide too much detail behind any of that. Metrics are just there I think to provide a little bit of insight of where you could double-click and actually do a little bit more diligence, but they should not be measured, they should not be used to measure your program. I don’t run my program on metrics. It’s not like I’m escalating metrics, either, up to the board or anything like that. Providing relevant data and how that data impacts the business from a security perspective is how I like to escalate, not putting up, you know, charts or anything like that of what, you know, how many vulnerabilities were remediated. Guess what, you did your job. I don’t want to put a metric up there that actually says, you know, something like that. I want to show some real value with some real data.
>>So, what are you communicating to the board specifically?
>>How we’ve integrated information security, the security program, into the workflow without slowing down the business. I think that’s the key part, and how, security at the end of the day it’s a culture change, right, and you are changing behavior, right? So, how you’re able to do that without slowing down production, especially in technology companies, because you don’t want to slow down that development pipeline, that’s a key metric to put out there.
>>Mm-hm.
>>And we’ve been able to, you know, enable static and dynamic code analysis without slowing things down. Things are still getting to product at that time, or using container security for our infrastructure so that it takes that out of the developer’s mind when they’re actually building out a, you know, new environment, right?
>>Digital transformation equations, people, process, technology.
>>Totally.
>>Heard that over and over, and it’s cliché, but the people part, okay, you could get more people, totally agree, technology, plenty of tools and services, that’s a huge opportunity, but the process is where the focus has been, and I heard a quote earlier on theCUBE today. It says, “Process is a reflection of your culture.”
>>True.
>>And a lot of those cultures won’t yield the process control to either CISOs or teams. Your thoughts to that comment and where that kind of goes. That’s the key breakdown on digital transformation, isn’t it?
>>It is, it is. That is true, I think the one thing that CISOs need to remind themselves is when they introduce themselves to the organization they need to be a customer service organization. CISOs need to be available to the users and to the business, and offer their services as a partnership instead of as a mandate. I think that warms the waters a little bit for that behavioral change and that culture change so that process can change into the new, innovative way of actually pushing security as code and infrastructure as code as the new way of actually doing business.
>>And success has got, is contagious.
>>Totally.
>>Like at Twistlock. You’re advising that company. Boom.
>>Yeah. Absolutely is contagious, and showing those types of examples actually throughout the business actually help, you know what I’m saying? Breaking down those old silos of security is viewed is important, right, so.
>>You kind of implied before in the earlier days vendors sort of controlled the table. You were sort of beholden to their way of doing things. Steve Schmidt today made the statement that, you know, all the negative fear factor is not helping our industry. It really, the state of cloud security, anyway, is good, the union is strong. Do you agree with that and are there other things that vendors are doing that drive you crazy as a practitioner that they shouldn’t be doing?
>>So, two great questions. I think the first one, I think cloud security absolutely is, does exist, and it gives power back to the CISOs, so they can actually make more controlled decisions over their environment, you know, instead of being beholden to vendors. I think understanding the shared responsibility model between a company in the cloud is crucial for CISOs to make those decisions.
>>Mm-hm.
>>And I think for years that was misunderstood and that’s why it took time, probably, to migrate to the cloud or to be born in the cloud initially, but I think once that’s understood it empowers, you know, the CISOs and the technology organizations, I think that’s one. On your second question, I think everybody in the world has vendor fatigue. I think vendors, what drives me nuts about all of them is that they say they integrate with everything and that they’re going to give me more visibility than before. Great, man, like that’s what everybody’s been doing for the past 20 years. They’re giving me a lot of information. I want them to fix things, don’t give me alerts. Don’t give me alarms unless you’re going to say, “Here’s the alert, here’s the alarm, here’s the automated script that you can put into your environment to fix it.” Knowing that every CISO in the world is starving for talent, we don’t have the resource to double-click on that, due diligence, and write it, do it for me. I think vendors need to start innovating and stop doing the same thing that we’ve been doing for the past 20 years.
>>So, you’re seeing, inferring from that is a lot of incrementalism, kind of taking safe bets, and really you’re looking for a step function.
>>Totally, I want vendors to take a more aggressive approach in their innovation, I don’t want, so you’re giving me more alerts that I’ve seen in different shapes, in different sizes from different vendors. Tell me how you’re going to fix it, or fix it for me. That’s what I really want, we need to push, we need to exceed that more from vendors, and look, since we’re not getting it it’s making us, or I’m happy to do it actually, is to start innovation.
>>Do it.
>>And doing it ourselves, right?
>>Yeah.
>>So, it, I’m investing more in resources, in talent, doing it that way–
>>Yeah.
>>Instead of outsourcing and getting a vendor, so–
>>And that’s a trend that’s happening more and more.
>>Totally.
>>And that’s an indictment on the community itself and the vendors.
>>Yeah.
>>Brian–
>>We need to exceed more from the vendors.
>>Thanks so much for coming on. Great insights, profound commentary. Great to have CISOs on theCUBE, thanks for sharing. It’s theCUBE’s live coverage, Boston. I’m John Furrier with Dave Vellante. Day one of two days of CUBE coverage of the inaugural AWS re:Inforce conference, we’ll be right back.
(smooth music)
People want to work for a mission–