 Live from Barcelona, Spain. It's theCUBE, covering Cisco Live Europe. Brought to you by Cisco and its ecosystem partners. Welcome back to Cisco Live in Barcelona. I'm Dave Vellante with my co-host Stu Miniman. You're watching theCUBE, the leader in live tech coverage. It's day one of a three-day segments that we're doing here at Cisco Live Barcelona. Brett Hartman is here as the CTO of Cisco's security group. And we thank a CUBE alum from way back. Way back, way back. Great to see you again, thanks for coming on. So we're here to talk about workload security. Yep. What's that? What is workload security? What is workload security? So it's really the whole idea of how people secure applications today, because applications aren't built the way they used to be. It's not the idea that you have an application that's just sitting running on a server anymore. Applications are actually built out of lots and lots of components. Those components may run in a typical data center. They may run in the cloud. It may be part of a SaaS solution. So you've got all these different components that need to be plugged together. So the question is, how do you possibly secure that when you have all these pieces, containers, and virtualized workloads all working together? That's the big question. Written oftentimes by different people. Different people, different services. Yeah, open source, right. So all that somehow has to come together and you have to figure out how to secure it. That's the question. And so what did you used to do with application security? You used to just kind of figure it out at the end and bolt it on? Pretty much. I mean, historically people would do their best to secure their application. It would be kind of monolithic, or three tier, the web tier, app tier, database, that sort of thing. And then you'd also depend a lot on the infrastructure. You'd depend on firewalls. You'd depend on things on the edge to protect the application. 
The problem is there's not so much of an edge anymore when in that world I described you can't really rely so much on that infrastructure anymore. That's the shift of the world we know of. So what's the prescription today? How do you solve that problem? You know, there's a lot of ad hoc work. And so this whole notion, a lot of people talk about DevSecOps these days or sometimes it's DevOpsSec or there's all these different versions of that. But the whole idea of the DevOps world, the way people build applications today and the security world, the security ops world either coming together or colliding or crashing. And so it's getting those things to work. So right now the way DevOps and SecOps works today is not particularly well. A lot of manual work, a lot of kind of ad hoc scripts. But I will say probably over the last year there's a lot more awareness that we need to figure this out to be able to merge these two things together. That's kind of the next stage. Bring us inside that a little bit because if you listen to the DevOps people, we got to do CICD, we need to move fast and there was the myth out there, oh well, am I faster or am I secure? And I was reading some research recently and they said actually that's a false trade-off. Actually you can move fast and be more secure but you raised a risk because you said if these are two-step things and they're not working in lockstep then it's not secure every step of the way in that part of your methodology then you're definitely going to break security. That's exactly right and there's a basic question of how much of a responsibility the developers have to provide security anyway. I mean historically we don't really necessarily trust developers to care that much about security. Now to your point, these days without, the way people develop software today they need to care more about it but typically it was the security operations folks that was their responsibility. 
Developers could do whatever they wanted and the security folks kept them safe. Well again, as you said you can't do that anymore so the developers have to pull security into their development processes. Yeah, when I go to some of the container shows or the serverless shows the people in the security space are chanting up on stage, security is everyone's responsibility. It hasn't traditionally been the case. It has not and so it's really what companies are working on now is how do the security operations people fit into that development process and what are the tools and again it's a long complicated set of infrastructure and other sorts of tools but that's sort of the point at Cisco we're really working on evolving the security products and technology so exactly it fits into that process, that's the goal. So I'm sure there's a maturity model or a spectrum when you go out and talk to customers. Maybe we could poke at that a little bit and sort of describe that. So you're really talking about a world where it's team sport, the regime is everybody's got to be involved but oftentimes they're working for different people. Some are working for the CIO, maybe some the CTO, some the CISO. Different companies, contractors, providers, all that. Yeah, right, partners. So what does that spectrum look like and how are you helping customers take that journey? Yeah, so not surprisingly, companies that are born in the cloud they're like this is old news or it's like this is how they deal with it every day. A lot of those companies have lower risk deployments anyway, the organizations that are really early days on this are the ones that have lots of existing investment and all that data center stuff and they're trying to figure out how this is going to work. You talk to a typical bank, for example, their core business processes of how they protect money, they're not going to move to the cloud, right? So how do they evolve? 
And by the way, they have to deal with compliance requirements and all this other stuff. They can't play too fast and loose. So that's an example of something that's early days but they are also working a lot in terms of evolving, moving to the cloud and having to be able to support that too. So when you engage with clients, I presume you try to assess kind of where they're at and then figure out where they want to go and then how to best get them there. So what is Cisco's role in helping them get there? And so first of all, of course, I represent the business group that builds the security products, right? So a lot of this and the reason why my group is so interested in this and our security group at Cisco is so interested is this really represents the future of security, this idea of having it much more embedded into the applications as opposed to purely being in the infrastructure. So what we're seeing for typical customers, like if I rolled a clock back a year ago and we talked about things like DevSecOps, they were like, yeah, kind of an interesting problem, the one we just talked about, but it's like not quite ready for it. Now this is, I think, every CISO, Chief Security Officer I talked to, very aware, have active engagements about how they're working with their DevOps groups and are actively seeking for tools and technology to support them. So to me, that's a good sign that the world is moving in this direction and as a security vendor, we need to evolve too. So that means things like evolving the way firewalls work, for example. It's not just about firewall sitting at the edge. It means distributing firewall functionality. It means moving functionality into the public cloud like AWS and Google and Azure. It means moving security up into the application itself. So it's a very different world than just a box sitting on the edge. That's the journey and we're on that journey too. 
And the industry is, I mean, it's not a solved problem for exactly how to do that. If we go back to the early days we were talking about, you know, when theCUBE started in 2010, security really wasn't a board level topic back then. True, true. It's at least not for every company. There's certainly some companies, but yeah, but now it's like you're right. Every company cares about it. Right, and it comes up at every quarterly meeting, you know, certainly every annual meeting. So what should, how should the technical C-suite, the CIO, CTO, if they're invited into the board meeting, how should they be communicating to the board about security? What should be the key messages? And to your point, I mean, typically these days for most major corporations in the world, the Chief Security Officer is often presenting at every board meeting because cyber risk is such a big, big part of that risk. And this is a challenge, right? Because to try to communicate all the tech required to manage that risk to a board, not so easy, right? It's like trying to count how many malware threats stopped. It's like, what do they do with that? If you talk to our Chief Security Officer, Steve Martino here at Cisco, I mean, he talks a lot about first of all, having visibility, you know, being able to show how much visibility, how much can we see, and then how much can we control and show that the organization is making more and more progress in terms of just seeing what's out there so you don't have rogue devices and then putting controls in place. So you need some pretty, you know, the big animal pictures, communication of being able to manage that. But you can never come in and say, yep, guaranteed, we're secure, you know, or give it a number, it kind of has no meaning. 
But strategy, visibility, response, you know, mechanisms, preparedness, what the response, you know, protocol is, that's the level of, it sounds like, showing, you know, maturity of the processes, really, and the ability to take that on as opposed to getting into the weeds of, you know, all the metrics that just don't. So, we've had multi-vendor for a long time and even in the network space, there's a lot of different pieces of the environment. How is multi-cloud different from a security standpoint? Yeah, so the issue there and kind of what I was hinting at when we talk about the way people build applications is that all those vendors, they all do security differently. Everyone does security differently. It's all good. I mean, and for example, Amazon, Google, Microsoft, they're all making massive investments to secure their own clouds, which is awesome, but they're all also different. And then you have the SaaS vendors. You talk to Salesforce, Dropbox and Box, they have different security mechanisms. And then of course you have different ones in the enterprise. So, from a chief security officer's standpoint, reporting to the board, they want one policy, you know, we want to protect sensitive corporate data. And then you have maybe 100 different security policies across all these, all this mess. That's why it's different. Trying to manage the complexity and get the policies to work and get enforced across all those platforms. You can't force it all to be the same. So a lot of what we're working on are really tools to do that. So you can, fitting back into that DevOps process, you can define high-level policies of how do you control that data and then map it to all those different platforms. That's the goal. That's how we get there and make progress. So you had a picture up in the keynotes today. It had users, devices, kind of on one side of the network and then applications and data on the other side of the network and then the network in the middle. 
And all those pieces fitting in. How does that affect how you think about security? We've talked a lot about application, securing the application. Are you thinking similarly about the data or the devices or even the users? Bad user behavior will trump great security every time. Where do those other pieces fit into the context? Well, of course, that's a big reason why we just acquired Duo Security. It's a very significant acquisition there, which is exactly around trust of human beings as well as the devices. A key component that Cisco didn't have before that and fits in exactly to that point, that was a key strategic piece of that, defining trust. And yeah, that fits in. Obviously we already do lots on the device side. We do things like the identity service engine to enforce access with the network. We have more and more on the application side. Not so much in the data side yet. But as we move up the stack into the application, it'll be around data too. But the network is a natural convergence point there and the whole idea of having security embedded right into that network is, of course, why I'm at Cisco. Security is a critical thing that needs to be embedded in everything that Cisco does. Well, you've got an advantage in that you can do the deep packet inspection while you're in the network. I mean, that's where... The visibility, I mean, security is really all about visibility. You don't have visibility, you have nothing. And Cisco has this incredible footprint, incredible telemetry across the world. I mean, all the statistics around Talos you've probably seen, it's huge. And that's a big advantage that we have to really provide security. Right, awesome. Well, Brett, thanks for coming back on theCUBE. It was great to see you again. My pleasure, glad to see you again. All right, keep it right there, everybody. Stu Miniman, Dave Vellante. You're watching theCUBE from Cisco Live Barcelona. Stay right there, we're right back.