 Well, hello everybody. John Wall is here on theCUBE. He's continuing our segments here on the AWS Global Startup Showcase. We are at day three of ReInvent and Erking Jing is joining us now. He is the CEO and co-founder of Jupyter One. First off, before we get going, talking about security and big world for you guys, I know, what's your take on the show? What's been going on out here at ReInvent? Yeah, yeah, ReInvent has been one of my favorite shows. There's a lot of people here. There's a lot of topics, of course. It's not just cyber security. A lot of cloud infrastructure and just technology in general. So you get a lot, you know, if you go walk the floor, you see a lot of vendors, you look at, go into the sessions, you actually can learn a lot. But you're the hot topic, right? Everybody's focused on cyber big time and with good reason, right? Because as we know, the bad actors are getting even smarter and even faster and even more nimble. So just paint the landscape for me here in general right now as you see security, cloud security in particular, and kind of where we are in that battle. Well, we are clearly not winning. So I think that in yourself is a bit of an interesting problem, right? So as a, it's not just cloud security. If you think about cyber security in general as an industry, it has not been around for that long, right? But if you just look at the history of it, we haven't done that well. So pick another industry, say medicine, which has been around forever. And if you look at the history of medicine, well, I would argue it's done tremendously well because people live longer, when you get sick, you get access to healthcare. And- We have cures, we have solutions. Exactly, you have solutions. And you can see the trend, even though there are problems in healthcare, of course, right? But the trend is good. It's going well, but not in cyber security. More breaches, more attacks, more attackers. We don't know what the hell we're doing with that many solutions. And, you know, that's been one of my struggles as a former CISO and security practitioner for many years. You know, why is it that we're not getting better? All right, so I'm going to ask you the question. Yeah. Okay, why aren't we getting better? You know, how come we can't stay ahead of the curve on this thing? That for some reason it's like whack-a-mole times 100. Every time we think we solve one problem, we have a hundred more that show up over here. Exactly. And we have to address that and our attention keeps flooding around. Yeah, I think you said it, right? So because we're taking this whack-a-mole approach and we're looking for the painkiller of the day and, you know, we're looking for the band-aids, right? So, and then we ended up, well, I think to be fair, to be fair to the industry, the industry moves so quickly. Technology in general moves so quickly and security has been playing catch-up over time. We're still playing catch-up. So when you're playing catch-up, you can almost only look at, you know, what's the painkiller of, what's the band-aid of the day so I can stop the bleeding, right? But I do think that we're to a point where we have enough painkillers and band-aids and we need to start looking at how can we do better fundamentally with the basics and do the basics well? Because a lot of times, it's the basics that get you into trouble. So fundamentally, the foundation, if I hear you right, what you're saying is, you know, quick changing industry, right? Things are moving rapidly, but we're not blocking and tackling. We're not doing the X's and O's and so forget changing and we got to get back to the basics and do those things right. Exactly. You can only use- That seems so simple. It seems so simple, but it's so hard, right? So you can think about, you know, even in case of building a startup, building a company and in order, at one point, right? So we're blocking, blocking, tackling and then when we grow to a certain size, we have to scale, right? We have to figure out how to scale the business. This is the same problem that happens in security as in the industry. We've been blocking and tackling for so long, you know, where the industry is so young, but we're to a point that we got to figure out how to scale this. Scale this in a fundamentally different way. And I'll give you some example, right? So when we say the basics, now it's easy to think that, say, users should have MFA enabled is one of the basics, right? Or another basics would be, you have endpoint protection on your devices. Maybe it's cross-strike or consent to the one or carbon block or whatever. But the question being, how do you know it is working 100% of the time? How do you know that? How do you know that 100% of the users, right? You find out too late. Exactly, that's right. And how do you know that you have 100% coverage on your endpoints? The solutions are not going to tell you because they don't know what they don't know, right? If it's not enabled, if it's not, you know, what's the negative that you are not seeing? So that's one of the things that, you know, that's in the basic state that you're not covering. So the fundamentals, it really goes to these five questions that I think that nobody has a really good answer for until now. So the five questions goes, what do I have? Is it important? What's important? Out of all of the things I have, you have a lot, right? You could have millions of things. What are important? Now for those that are important, does it have a problem? And if it has a problem, who can fix it? Because the reality is, in most cases, security teams are not the ones fixing the problems. They're the ones identifying. They're very good at recognizing, but not so good at coming up with the facts. Exactly. Identifying the owner who can fix it, right? Could it be business owner, could be engineers? So the asset ownership identification, right? So these four questions. And then over time, you know, whether it's over a week or a month or a quarter or a year, am I getting better? And then you just keep asking these questions in different areas, in different domains, with a different lens, right? So maybe that's endpoints, maybe that's cloud, maybe that's, you know, users, maybe that's product and applications, right? But it really boils down to these five questions. That's the foundation for any good security program. If you can do that well, I think we cover a lot of bases and we're going to be in much better shape than we have been. All right, so where do you come in then, Jupiter One, in terms of what you're providing? Because obviously you've identified this kind of pyramid, this hierarchy of addressing needs, and I assume obviously knowing you as I do and knowing the company as I do, you've got solutions. That's exactly right. And we precisely answer those five questions for any organization from a asset perspective. Right, because all of the answers to all of these five questions are based in assets. It starts with knowing what I have, right? So the overall challenge of cybersecurity being broken, I believe, is fundamentally that people do not understand and cannot properly deal with the complexity that we have within our own environments. So again, like using medicine as an example, right? So in order to come up with the right medicine for either it's a vaccine for COVID-19 or whether it's a treatment for cancer or whatever that case may be, you have to start with the foundations of understanding both the pathogen and to the human body, like DNA sequencing, right? Without those, you cannot effectively produce the right medicine in modern medicine, right? So that is the same thing that's happening in cybersecurity. You know, we spend a lot of times putting band-aids and patches, right? And then we spend a lot of time doing attacker research from the outside. But we don't fundamentally understand in a complete way what's the complexity within our own environment in terms of digital assets. And that's almost like the DNA of your own work. It's that kind of mind blowing in a way that, again, hearing you, what you're talking about is saying that the first step is to identify what you have. That's right. So it seems just so basic that I should know what I, what's under my hood. I should know what is valuable and what is not. I should prioritize what I really need to protect and what maybe can go on the second shelf. It has been a tough problem since the beginning of IT, not just the beginning of cybersecurity, right? So in the history of IT, we have this thing called CMDB, Configuration Management Database. It is supposed to capture the configurations of IT assets. Now, over time that has become a lot more complex and there's a lot more than just IT asset that we have to understand from a security and a tax surface perspective, right? So we have to understand IT environments. We have to understand cloud environments and applications and users and access and data and SaaS and all of those things. Then we have to take a different approach of sort of a modern CMDB, right? So what is the way that we can understand all of those complexity within all of those assets but not just independently within those silos but rather in a connected way so we can not only understand the attack surface but also understand the attack path that connect the dots from one thing to another, right? Because everything in your organization is actually connected. If there's any one thing that sits on an island, right? So if you say you have a server or a device or a user that is on an island that is not connected to the rest of the organization then why have it? And it doesn't matter. So it's the understanding of that connected tissue, this entire map or this DNA sequencing equivalent of a digital organization is what Jupyter One provides, right? So that visibility of the fundamental, very granular level of assets and resources to answer those five questions. And how does that, how do I get better at that then? I mean, I have you to help me but internally within our organization. I mean, I don't want to be rude but I mean, do I have the skill for that? Do I have the internal horsepower for that or is there some need to close that gap and how do I do it? You know, I'll tell you two things, right? So one, you mentioned the worst skills, right? So let me start there. So because this one is very interesting, we also have a huge skills shortage in cybersecurity. We have all heard that for years and for a long time but if you dig deeper into it, why is that? Why is that? And you know, we have a lot of talented people, right? So why do we still have a skills shortage? Now what's interesting is if you think about what we're asking security people to do is mind boggling. So if you get a security analyst to say, I want to understand how to protect something or how to deal with an incident and what you're asking the person to do is not only to understand the security concept and be a domain expert in security, you're also asking the person to understand at the same time AWS or other clouds or endpoints or code or applications so that you can properly do the analysis and the response. It's impossible. It's like you have to have a person who's an expert in everything. Know everything about everything. That's right, it's impossible. So that's one thing that we have to resolve is how do we use technology like Jupyter One to provide an abstraction so that there's automation in place to help the security teams be better at their jobs without having to be an expert in deep technology, right? Just at the abstract level of understanding because we can model the data and provide the analysis and visualization out of the box for them so they can focus on just the security practices. So that's one. And the second thing is we have to change the mindset. Like take vulnerability management as an example, right? So the mindset for vulnerability management has been how do I manage findings? Now we have to change it to the concept of more proactive and how to manage assets. So let's think about, you know, say log for J, right? That happened. And you know, when it happened everybody scrambles and say, hey, which devices or which, you know, systems have log for J and you know, does it matter? What's the impact? We can fix it, right? Going back to those questions that I mentioned before, right? And then they try to look for a solution at a time and say, where's that silver bullet that can give me the answers? Now, what we struggle with though is that, I want to maybe ask the question, where were you six months ago? Where were you six months ago where you could have done the due diligence and put something in place that help you understand all of these assets and connections so you can go to one place and just ask for that question when something like that hit the fan. So if we do not fundamentally change the mindset you say, I have to look at things not from a reactive findings perspective, but really starting from an asset centric, you know, day one perspective to look at that and have this foundation, have this map built. We can't get there, right? So it's like, you know, if I need direction, I go to Google Maps, right? But the reason that it works is because somebody has done the work of creating the map. Right, right. If you don't have the map and it's just at, you know, when the time you say, I got to go somewhere and you expect the map to magically happen to show you the direction. Not going to happen. It's not going to work. Right, right. I imagine there are a lot of people out there right now are listening to us and thinking, oh boy, you know, and that's what Jupiter wants all about. They're going to answer your, oh boy. Thanks for the time. Of course. I appreciate the insights as well. It's nice to know that at least somebody is reminding us to keep the front door locked too. Not just the back door or the side doors, keep that front door and that garage locked up too. Definitely. All right, we'll continue our coverage here at AWS reInvent 22. This is part of the AWS Global Startup Showcase and you're watching theCUBE, the leader in high tech coverage.