Welcome back to SuperCloud 3. I'm John Furrier, host of theCUBE. This session is security plus AI, the perspectives of the CISO, the opportunities and challenges. And we're here with distinguished CUBE contributor and just announced from Lacework, their new field CISO, Merritt Baer. Merritt, great to see you. Congratulations on the new job at Lacework. Great to see you.
Thank you so much, John. I'm happy to be here. Yeah, I'm very excited. And obviously this is a near and dear topic. So happy to do the conversation.
Well, congratulations on the big news that launched this week that you moved from AWS office of the CISO to Field CISO at Lacework, a fast growing company we cover in detail. Jay was just on, the CEO was just on the keynote on SuperCloud on day one. Great company, we've been following them for years. A lot of action. So before we get into some of the SuperCloud 3 security and AI conversation and perspective of the CISO, tell us about your job as Field CISO. What are you going to be doing at Lacework?
Yeah, I am going to be talking regularly with customer CISOs and CXOs executives about their approach to moving to cloud, about their security posture, about how we can help solution for them. It is not a sales role. I get to be the security practitioner geek that I am, but talking to folks who are working on these problems and helping them to understand how to best approach the life cycle of security. And also being a person in the industry who helps to inform thoughtful approaches to security at scale and being able to do that in a way that is enabling the business. And that's always been a big bone of my hair. We always joke about my T-shirts. I'm wearing a Lacework one today that says run EC2. And the point is like to go out and do stuff, right? The point is not that security should hamstring you, but that it should actually be woven into what you do and allow you to do more and have the confidence to do it securely.
That's awesome.
I like how you call that. That's not so much a sales role other than getting down and dirty with the tech and also the changing tech. And you know, the CISO has got to deal with relationships with the board, the C-suite, partnerships with industry, other companies, the platforms they're running on, the tools they want to do, the supply chain security, all that stuff is on the mind. But at the end of the day, there's new tech coming, new technologies. There's different ways to approach threat detection, scales there. These are real technical challenges. When you're out there talking to the CISO, what's their perspective? What's the psychology right now in the mind of the CISO? Are they more political, more technical? So you're going to take more of a technical approach. What's on the mind of the CISO?
You know, honestly, the tech matters a lot. And folks that I talk to sometimes feel overwhelmed and sort of lonely having to confront some of these issues. And you know, they may or may not have huge amounts of support from the rest of the business. And so it's sort of like they need to garner the resources they need and then also go out and do it. And I think one of the reasons that I came to Lacework is that I think what I was hearing at AWS is that folks want something that just works. And Lacework felt like magic. And so the ability to take what are these kind of broad issues, so like, I want visibility. Well, great, now that you're in cloud, everything's an API call, let's say. And if you weren't in one environment, then you're going to have even other challenges with your visibility, right? But then what? How do you take action on things? How do you know that your muscle groups are getting better? And so that's just one example.
But essentially, I think the goal for CISOs is to prioritize the issues they have, be able to make meaningful change and be able to enable the business, like keep the lights on, but be able to make security part of what they're delivering. These days, it is part of your bottom line. Like, it's got to be what you are delivering to your customers, too, regardless of the industry that you're in. And so having tooling and capabilities that allow you to build better, build and do security at scale, that's actually the enabler that we've been excited about, but it needs to be done, the CISOs are thinking, how do I do this in a controlled and responsible and secure manner?
Yeah, there's always the question of the single security control point or multiple layers, what's, you know, is that you do it together? That kind of thing. And I think one of the things that we've observed on theCUBE, talking to folks and watching some talks that you've given actually in the past and others, is there's a big push with digital transformation, which is, you know, we're transforming our business and now with AI, almost half the code in GitHub is presented by machines. So you're seeing an acceleration of the digitization of business. At the same time, the security architecture has to evolve with some of the infrastructure changes, hybrid edges emerging, multiple clouds. So baking in security into operations sounds like a cool thing to say, but like it's hard. So can you share your perspective of from a CISO perspective, how do you bake security into the operations as the plane is traveling at 35,000 feet? Because you've got cloud, okay, get that on-premises, hybrid and edge and then multiple clouds.
Yeah, I mean, I think, so first of all, when it comes to things like generative AI, although it's become a really buzzy word in the last year or so, you know, we have been using ML, we technologists and security folks have been using ML for at least 30 years, maybe longer depending on how you define it. So on some level, I think we should continue to let computers do what computers do well. And that doesn't mean that it's going to take away from the raw importance of human innovation and creativity and thoughtfulness. So I think questions around AI are important and exciting and that we should be taking advantage of technologies where they make sense, but it's certainly not a sort of, okay, we've arrived, there's no need for human thoughtfulness in this area. We definitely are working on that and with that. And one of the ways, as you alluded to, that folks are taking advantage of it is having generative AI do code reviews and other things. We've seen the outputs that you get when you try to have them write code and it's not that great, but I don't think there's any reason why you can't take the tool and use it for whatever it works for. In terms of, as you were describing, sort of doing this at scale and being able to get to that woven in standpoint, I think part of the key is that digital transformation. So while lots of organizations do and will have on-prem assets for the foreseeable future, moving what you can to cloud will really allow you to take advantage of that scale, the ability to have those flexible environments to scale up and down. And by that token, to use infrastructure as code. So things like Terraform, CloudFormation, et cetera, to be templatizing your environments. And you've got your security team with arms around these so that you're generating templatized environments for your R&D teams that look different than your HR teams. And you're really constraining as you push to production.
A lot of this, again, can be validated by computers and ensuring that you're doing least privilege or in the case of Lacework, helping with configuration anomalies and misconfigurations. As you know, this is one of the huge pain points for folks. And so it's something that, like you said, it's not just like a push a button and you're done, but it is a huge advancement over the kinds of physical jobs that it was like some person's job to go run around and make sure all your VMs are plugged in. And you don't have to think of security in those same manual terms today. And in fact, you shouldn't, you should take advantage of that ephemerality and the ability to do that kind of modular environment. Identities should be vended, and that will decrease your sort of special snowflakes, which are always sources of possible negative security impacts.
Well, I want to get in some of the challenges organizations have with multi-cloud and super cloud as it emerged. There was certainly data is a big part of it, but I do want to ask you about culture. Well, you brought up some of those things you mentioned. The security culture of the old VM ways. Now you got cloud native moving forward is not just AWS, you got Azure, you got multiple clouds. They have their own security cultures as well and code and stacks. What's the culture like that you're seeing that's working for CISOs and security practitioners? Is there a trend that's happening? Is there a certain playbook that's sustainable that you see people adopting from a culture standpoint?
So I get it's actually one of the primary questions that I get from CISOs is like, or other executives, how do I build a culture of security? And the answer is by doing it, your culture will reflect what your actual priorities are. And I'm not saying that to be flippant. I mean, so nothing goes out without AppSec reviews and you can add an architectural security review onto that, especially if you're building on cloud.
And you can make sure that like I said that you're using paved roads for your developers so that their AppSec reviews go faster and they have a security engineer trained person on the team and like you can do this in very mechanical or mechanistic ways that ensure that you're actually living up to these kinds of ideals. It's not, this is not a lip service. We say we want a culture. You have to do it. And it takes work and you build up those muscle groups and the tech matters, but ultimately it's more the commitment. And part of that is your executive sponsorship or whatever the right word is for the importance of security and the fact that it's going to be part of what you deliver and not a cost center. I always get weary of that misnomer because I just think we have to think of security as part of your core business delivery. And once you do that, hopefully the business is able to support you, but my personal prescription would be that the CISO should report to the CEO, for example, so that they cannot be benched when it gets inconvenient to prioritize security, that they should have a seat at the table, that your processes are informed by security, that you're then able to translate that down to your customers. Like I said, it can be a really compelling part of both what you translate up to the board and down to your end users as what they get when they do business with you.
It's interesting. It's an IQ test when you look at the CISO relationship because when you call it a cost center, essentially that's so dumb because it is the only thing that matters because if the company goes out of business with a breach, there is no cost center profit center. They are the business because digital transformation assumes security's everywhere and that's why this whole security everywhere message. We heard that at re:Inforce too about scale. I talked with Meagan Eisenberg from Lacework at there about this too.
And she was telling us about what you guys are working on but the comments we heard from that event were, weave security into the development cycles, shift left as they say, not bolted on after the fact. What does that mean when people say weave in security into the development cycles?
Yeah, and I think this is actually, you alluded to like the business risk of breach, for example, and that obviously is true. Like no one wants to be in the newspaper headlines tomorrow for that but there's also a much more just like ordinary or like, bread and butter story around that importance of security which is as you alluded to, like the ability to actually get your dev cycles shorter to have them running into fewer obstacles and doing that in an increasingly automated way. So it means that, the minute you spin up an environment in the cloud you have made some decisions. There are permissions in there. There's either an internet facing endpoint or there isn't. There's all these ways in which escalations might be able to be privileged or not like you are either encrypting or you're not and those are security decisions that you've now embedded in the ways that you're building. So I think in cloud it's very evident that you have to weave it in but I think even when you're working in multi-environment and on-prem, you know, the idea that you have these muscle groups that security is part of your lifeblood that you're regularly doing exercises. I mean, another thing is like if you define security by the CIA triad of confidentiality, integrity and availability, we security practitioners focus really heavily on the confidentiality and integrity side, you know, making sure things are locked down or encrypted or are validated as being true. But what about availability? Like it also has to work. So you have to build all this stuff and build it securely, but it also has to be something that, you know, stays highly available.
And I think that as part of your security mechanism does mean that the business is, you know, this is critical to how we define a successful business strategy is ensuring all of those elements including the fact that things keep working.
Merritt, great to have you on theCUBE. Certainly we appreciate you being a CUBE contributor part of our collective, but also the being the field CISO at Lacework, great company. Final question for you is what are the conversations you're going to have you expect to have this year as you go forward now that you're kind of outside the cloud AWS which is they're great with security. We've covered them great too but they're one cloud. You know, customers have multiple environments not just one public cloud. They have multiple public clouds. You sit now a partner with AWS with Lacework but you also have an independent perspective for the customer. They want to connect their environments, run their cloud operations with security. What are some of the conversations that you expect to have this year in the field?
Yeah, I think you're right on with that. I think, you know, we will have conversations with customers frankly, even when I was at AWS we had plenty of conversations with customers who were in multi-cloud or in multi-environment including OT and other considerations. I think we will do the same hard work that it is to take advantage of technologies that are available. One of the reasons folks come to Lacework is to help with multi-cloud management and multi-account management which is a deliberate best practice but it takes corralling and you want to have some posture management and other elements of your security strategy then need to take that into account. So I think it's going to be the kinds of conversations that folks are increasingly having which are around how do I do more automation so I can get more scale?
How do I contribute to the digital transformation that I know we need to do but that we may have some technical debt and other issues in implementing and how do I take advantage of emerging technologies? You know, how do I take advantage of the ways in which we are seeing increasing reliance on like you said, AI/ML on being able to scale up using modular environments using open source but having awareness of the security considerations around it. You know, there's going to be all of those good sort of constant conversations because security is something that doesn't just get done one day. We're never going to be like, all right, our work here is over. It is like a journey and it is also something you get better at over time and it changes over time. And so it's really kind of that commitment to doing the best we can with what we have and being bold enough to make the choices when we need to move. I think sometimes security folks are risk averse and think that not moving is a security strategy and I would encourage folks to reframe that because not moving means that you have also lost out on some possible gains. So I think, you know, we're going to see those threads continue and I hope to be a force for good in that momentum and bring back customer feedback to our roadmap too. You know, we are extremely empathetic and we build for the customers. So I look forward to being able to be a feedback loop both ways.
I hear a great voice and great to have you on expertise here on theCUBE, SuperCloud 3. Great to have you. We'll check in with you when our security conversations, when we do our top power panels, definitely want to hear more about what's going on and appreciate your time. Merritt, thanks for coming on theCUBE, SuperCloud 3, security plus AI.
That sounds great. Thank you, John. Appreciate it.
Okay. Merritt Baer, the field CISO at Lacework, formerly with AWS, CUBE contributor. We'll be back more with SuperCloud 3 after the short break.