 Good morning, everyone, we are live. It's theCUBE live at Google Cloud Next on the show floor. This is day one of the conference. There is about 20,000 people here. Lisa Martin and Rob Stretcher. Rob was just saying that not only was the keynote packed standing your moldy, but the overflow rooms were. There was a smattering of announcements, which you may have heard Rob, John, and Dustin breakdown on the keynote analysis. Lots going on, lots of folks here, lots of us, great to be here. We're going to have a great conversation next about cybersecurity, some of the things going on with SEC, multi-cloud edge, you name it. Sean Joyce joins us. Global Cybersecurity and Privacy Leader, US Cyber Risk and Regulatory Leader at PWC. Sean, great to have you, thank you for joining us. Thanks Lisa, great to be here. Hi Rob, good to see you. So much action, the SEC just announced an updated cyber risk management strategy, governance and incident disclosure rules. Just in what, a little over a month ago? Little over a month ago. What are you seeing in terms of clients response, what are some of the biggest challenges that they're going to have to comply with once this becomes established in just December? It is, so a couple of things. I would say one big surprise, when we talk to the chief information security officers out there, they're like, we've got it. Like we're used to this stuff, however, when we talk to the chief legal officer, when we talk to the CFO, when we talk to the chief audit executive, they're the ones that say, hey, talk to me about this process. Talk to me about this thing called materiality. So when you look at the SEC rule, I would break it down into cyber risk management and really how are you going to document sort of how you're overseeing cyber material risk, then cyber governance, both at the board level and at the management level, and then about the incident reporting and materiality. And I think there's a lot of discussion about this term, materiality. And really that is defined by the SEC is, hey, what would the average investor want to know? Is that info I would want to know when I'm considering whether I'm going to buy or sell that stock, or does it change the total mix of information available? So I think a lot of companies are looking at that materiality and there's like quantitative, like to you and I, that's easy, right? Like, oh, operations were stopped for a week. It cost us $5 million. That's easy, that's material, right? A ransomware event where you have to pay that, that's material, you know, sensitive information material. But what about your brand? Like when does that become material? So I think there's a little bit of discussion going on at those levels and then really refining the process of like how will we set up this process to make that determination? So it's not as big a change though as I think some people think where the SAC came out with interpretive guidance in 2011. They came out with further guidance in 2018. So I think this is really solidifying a recognition that we're living in a digital world. Yeah, absolutely. You mentioned brand and that's one of the things you also mentioned ransomware. Nobody wants to be the next headline, but obviously it's a massive risk for organizations across every industry is that brand reputation and ransomware is spiking so much right now that it's not a matter of when is it going to happen? If it's going to happen to us, it's when. What's the severity going to be? How do you help advise? You mentioned some of the different levels of thought with the chief financial officer or some of the other roles in the organization. How do you kind of help bridge the cultural gap there so they understand materiality, how it applies to them and how they can really construct processes that will allow them to play by the rules. So I'll give you a little bit of personal opinion here. Listen, I think we're living in an age where nothing's a secret, okay? And listen, I am a proponent of transparency. If you saw what Mandion did when they were breached, right? Like Kevin came out and basically said, hey, listen, and this is what we're doing to address it and you customer matter to us, right? And that's where I think like, I would say, let's not get caught up so much in terms is let's be good corporate citizens, right? And let's do what's right for our customers. So like, yes, it's not if, but when, but like, okay, how are we being resilient? Like how is we as a company going to say like, hey, listen, what's our first call to our customers? Right, how are we handling this? And you know, I will digress for a second about like, we've got to change the way we think, for instance, in crisis management. So when something big happens, I have companies say like, oh, the old way was the CEO just handled it. The new way is we have this cross functional, cross disciplinary, how about this? How about social media influencers? How about leveraging your company have a social media presence where you're actually picking a couple of employees and you're going to make them social media people for the purpose of when something happens, you have avenues to get out information. So think of some of the banks and what happened recently. And there was rumors about one person put out this message that possibly caused the run on the bank. Like how are we acting at machine speed to sort of address that? Yeah, I think that's really interesting. And I think it's not just the SEC doing this, right? Again, PWC being a worldwide company, I know a little bit and had to deal with Dora in the EU as well. And which is more prescriptive in how they're really looking at resiliency, cyber resiliency. And I think what's interesting in a multi-cloud world, it's very prescriptive to geography as well. Do you see that coming to the US as well? It seems like we're just so far behind on some of the data privacy stuff that GDPR has been around. We got CCPA, VC, DPA, or whatever the one is in Virginia that the acronyms kill me, but. No, no, no. I think that's a good point. And I would say I am not as hopeful as I would like to be just because when you look at our incident reporting laws, right? It's 50 of them for each state, right? CISA has just recently had it only on critical infrastructure companies. So I am not, I think the EU is a leader. I think the UK is doing some great things. You know, when you're talking about the Digital Operational Resilience Act as Dora, right? Not the explorer. No, no, no, that's right, that's right. But just applying to FS companies, right? Like, how do we actually, we're all living in this ecosystem, right? And as Lisa said, 20,000 people here at Google Next Event, right? And we're talking about, like, it's a shift to the cloud, right? And so what are we doing responsibly here? And I worry, Rob, just what you're saying, I worry that we're not moving fast enough. What are some, as we see cloud adoption on the rise, customers going cloud native, customers living in multi-cloud by, for many reasons, what are some of the big challenges from a security perspective that you're seeing where cloud adoption is happening at such fast speed? Yeah. So I think it's a little bit of lack of understanding and I think we're going through a journey on cloud adoption. So I'll date myself. I used to be a programmer on mainframes, right? But like we're going through the cycle. The mainframe is now the cloud, right? Think of the technology and it just goes in this cycle and moves to the edge, which we're doing now. But it's really about when you look at what I see companies struggling with, it's really about misconfiguration. Like, hey, I have a container out there. Did I make sure, right? Like when I talked to Google, it's security by default, it's not that I got to turn these things on, they're already on, right? And it's just, when you look at some of the past breaches, it's about, hey, no one actually, there was one container that basically anyone that knew the URL could go into it and grab the info, right? It's not doing the right authentication, right? So it's a challenge though, because when you look at the cloud environment, it's a partnership. So no more are you legacy on cram owning your stuff, you've got to share that. So I just think it's getting ahold and I think it's looking at, hopefully we're moving past the stage of lift and shift in modernization and actually leveraging the compute power in the analytics that I think the cloud environment really brings you. We kind of talk about gen AI, it's a hot topic, it's a hot topic across the globe, right? You can't have any conversation at a tech conference without talking about it. Do you have a chance to see the keynote this morning? I did not. Okay, well it was all about gen AI and what's going on there. I'd love to get your perspectives on, how are you helping, how is PWC helping customers really approach it as a journey, unlock the values from a secure perspective? They talk a lot about security from a gen AI perspective in the keynote this morning. So you might have heard we're doing a billion dollar investment in AI, so not just gen AI in AI. I would say I have had dozens of calls with companies about this gen AI. This is what I'm finding. Everyone's running full speed on their business, kind of how does it apply to the business? What are the use cases? How can I get cost efficiencies? How can I change the way I'm doing business? And then what I'm getting is this call a week later from the chief compliance officer, the chief risk officer and say, how do we do this responsibly? You know what, they're running, those software guys are running like a hundred miles an hour down here and the responsible AI portion is not running with them. So I kind of go to my old DevSecOps, like let's kind of bring responsible AI into the development of this. So at PWC, like we're doing a couple of things, right? So we actually have templates, we're helping companies, we're part of a NIST working group. If you know NIST came out with their AI risk framework, we're bringing it down really, right? Building the risk taxonomy, right? When you look at model risk, when you look at infrastructure risk, user risk, data risk, I mean, that's a big, all these data sets, right? And then don't forget, these LLMs are not a cognitive based, right? Algorithm, right? They're just taking this huge corpus of information, right? And it's code, right? People forget, it's just code. This isn't a thinking, this isn't, you know, 1984, this is just code. So like, how do you put that responsible AI wrapper around it? I think is incredibly important. I think a lot of people are going to run into that. At PWC, we've actually set up a governance structure where we have my AI, we're upskilling 65,000 people, training them on that, right? We have an internal, like many companies, about how do we bring efficiencies to what we do? And then we have our AI factory, which is all of our use cases. And instead of like the use cases, there's a risk lens to that. Are we going to like in the heavily regulated industries, like healthcare, financial services, right? Are you just going to use Gen AI and not look at sort of the output and how? So it's really, you know, it's about augmenting, I think humans right now, especially in the complex areas. In the simple areas, I think it's about just repeatable tasks that you can simply automate. Yeah, it'll be interesting because they also announced the general availability of Palm Med, which they trained with HCA, you know, one of the largest healthcare in the US. And I think that to your point on the regulated, it'll be interesting because they're all getting together next week. It sounds like in DC again, to have a little pow wow, except Amazon's surprisingly missing from that conversation. But other than that, you know, but I think it'll be very interesting to see what the outcome is of that. And Sundar announced some, you know, watermarking and some things and pushing forward into that. Do you see that really as some of the stuff that you're looking for? And I mean, not only on the NIST side and security and how you actually build the process. I think you're going to see some technologies that are not as big a buzz as they used to be like blockchain. When you're talking about watermarking where how do you prevent deep fakes? Like Lisa, how are they going to stop your voice which everyone's going to hear? And they're going to say like using it for fraudulent purposes, right? So how do you use blockchain where on this interview, you actually have, right, a hash that's saying, no, this is here. And if someone tries to use it, right, you're going to be able to detect that. So I think you're going to see like almost like some digital assets take place, which is kind of I think an interesting twist and something that, you know, we're looking at PWC. Like this is like, I think this gen AI specifically as a part of the AI family is huge because it's B2C, right? My wife is on there looking about what am I going to have for dinner this week, right? Like the consumer use is so different than like you and I maybe that are very familiar with software, right? And blockchain where you got to be a little bit more of a techie or a geek, right? And this is like, wow, anyone like, I was on bar this morning, chat GBT, like it's like phenomenal, but you know, you got to watch out for accuracy, hallucinations, those type of things. Definitely. Last question for you, Sean, give us a snapshot of some of the things that we can expect where cyber is concerned, where gen AI is concerned, PWC plus Google Cloud together. So we are actually, and part of my strategy as a business is listen, the hyperscale is have to be a partner, right? Google has been a great partner. We're really looking at two areas. So one is sort of how do you transform the sock, right? So the security operation center, right? Where all these alerts come in every day and you know, Google with me and Ian, I think brings a unique sort of right, the mix of the Intel with virus total and all of this malware out there, pushing that in. And then what we bring in the risk and reg space. So like, I think it's a perfect union. So when I look at Google security foundation, right? And all their tools and identity and privacy, right? We're the experts when it comes to risk and regulatory. I mean, that's what we do all day, every day. So really that partnership has been unique. You know, Phil Venable is over there. I work with a lot. A lot of those folks, they're great people. I think Google is really kind of shifting into hyper drive and like ready to really make some moves in the industry. So we're excited about some of the things we're doing with them. And I really, I look to the future. Well, we will keep our eyes on this space. Sean, thank you for joining Rob and me on the program, sharing what's new from a cyber risk perspective, but also an opportunity perspective for customers across industries through the lens of PwC. We really appreciate you taking the time to join us. Thank you both for having me. Our pleasure. For our guests and Rob Strache, I'm Lisa Martin. You're watching theCUBE live on the show floor, day one of our coverage of Google Cloud Next. Stick around, our next guest joins us in just a minute.