Live from Las Vegas, it's theCUBE, covering Fortinet Accelerate 18, brought to you by Fortinet.

Hi, welcome back to Fortinet Accelerate 2018. I'm Lisa Martin with theCUBE, excited to be back here for our second year. I'm joined by my esteemed co-host Peter Burris, and Peter and I are excited to be joined by the Chief Information Security Officer of Fortinet, Phil Quade. Phil, welcome back to theCUBE.

Thanks for having me today.

Great to have you here. So you had this interesting keynote this morning, talking about cybersecurity fundamentals in the age of digital transformation. So we'll kind of peel apart that, but something that I'm really curious about is as a CISO, you are probably looked at as a trusted advisor to your peers at Fortinet customers, at prospective customers. Tell us about, as we are in this evolution of security that Ken Xie talked about, what are some of the things that you're hearing? What are they looking to you to help them understand and help from a strategic perspective to enable in their environments?

I often hear people say, I recognize that my security's inadequate. What can I do about it? Or I think my security's good enough, but I'm not evolving commensurately with the risk. And they say, well, what do I do about that? So how do I get to a better spot? And I typically talk with them about modernizing their strategy and then based on their modernized strategy, that leads to specific technical solutions. And I'll have to talk to you more about what some of those might say.

Yeah, on the strategy side, I find that very interesting. Peter and I were talking with Ken Xie earlier and with the 20 to 30 different security solutions that an organization has in place today that are disparate, not connected, where does the strategy discussion start?

Well, it starts to me with, I say, the adversary's coming at you at speed and scale. So how do you address the problems of speed and scale? It's through automation and integration.
And fortunately that plays, I believe in that strategy, but it plays directly into Fortinet's strengths, right? We have speed baked into our solution set, where you have speed at the edge for our custom ASICs. And we're fundamentally an integrated company where our products are designed to work together as a team because what you want to do strategy-wise is you want to, I think, you want to defend at your place of strength and at a time and place of strength as opposed to your adversary's point, where he's probing at your weak point. So this integration thing's not only strategic, but it's essential to address the problems of speed and scale.

So Phil, technology's being applied to a lot of IT and other business disciplines. So for example, we're now seeing machine learning and related types of technologies actually being applied to improve programmer productivity through what we call augmented programming. And that may open the aperture on the number of people that actually can participate in the process of creating digital value. But it still requires a developer mindset. You still have to approach a problem from a developer perspective. What is the security mindset? That as security technology becomes more automated, that more people can participate, more people can be cognizant of the challenges. What is that constant security mindset that has to be sustained in an enterprise to continue to drive better and superior security?

Got it. I think that some companies get too hyped about artificial intelligence and I think it's important to remember that in order to, you need to go from, use computer science to get to science fiction. So a very disciplined way, you need to say, well, in order to achieve high degrees of automation or perhaps machine learning or artificial intelligence, what are the building blocks of that? Well, the building blocks are speed because if you have a decision that's too late, who cares?
Integration, if you have a decision that can't be communicated effectively, who cares? And then of course access to all the right types of data. In order to get smart to do machine learning, you need access to lots of different data sources and so you need to have lots of disparate sensors sending in data for you to analyze. Back in my old job, we used to do some centralized processing, say back in the data center, we would pre-compute a result. We'd push that pre-computed result back to the edge and then you would do the last bit of analysis right at the point of need. And I think again, the Fortinet architecture supports that in that we have a back end called FortiGuard Labs, if you know what that is, which does deep analysis and research, pushes every result forward and we use speed at the edge inside customer premises to sort of compute, I'm mixing metaphors, but do the last mile of computing. So I think it's back to your question, like what's the mentality? It's about leveraging technology to our advantage rather than people being the slaves of machines. We need to have machines serving more man and we need computer science to do that rather than like I say, creating busy work for humans.

You talked about speed and scale a minute ago and as we look at, I'm curious to your perspective as a CISO, how do you get that balance between enabling digital business transformation which is essential for growth, profitability, competition, and managing or really balancing that with security risk management. So if a business can't evolve digitally at speed and scale and apply security protocols at every point they need to, is digital transformation meaningless? How do we get that?

It's a great question because you don't want to feel like it's going to be a haves and have nots. The good news is that, for example, for those who seek to move to the cloud for whatever reason, convenience or agility or business efficiencies, you don't have to go all cloud or no cloud, right?
And the security solutions of Fortinet allow you to do each. You can have some cloud, some non-cloud and get them both to work together simultaneously under what we call a single pane of glass. So as a user, you don't care if your firewall is a physical appliance or a virtual one. You want to establish a security policy and have that pushed out no matter what your firewall looks like. So to answer your question, I think that hybrid solutions are the way to go and we need to let people know that it's not an all or nothing solution.

That visibility that you kind of mentioned seems to have been kind of a bane of security folks' existence before. How do we get that broad visibility?

Yeah, I think, right, it's visibility and complexity, I'd say, are the bane of cybersecurity, right? Visibility, what you can't see, you can't defend against. And complexity is the enemy of security, right? So we need to address the problems. You asked me what CISOs say, we have to reduce complexity and we have to improve visibility. And again, I think Fortinet's well-postured to offer those types of solutions.

So as you increase, we talk about the edge. You mentioned the edge. As more processing power goes to the edge and more data's being collected and more data's being acted upon at the edge, often independent of any central resource, the threat of exposure goes up because you're putting more processing power, more data out there. How is securing the edge going to be different than securing other resources within the enterprise?

Well, encryption will remain an important part, right? Encryption to create confidentiality between the two communicating entities is always a part. And then, of course, encryption can be used to authenticate local processes at the edge. So even though encryption might not be perceived as the silver bullet that it used to be in the age of pending quantum computing, I can talk more about that in a second.
In fact, encryption is a fantastic tool for creating trust among entities and within an entity. So I think the applications of smart, strong encryption among and within the entities can create that web of trust we're talking to. If I could just briefly go back to quantum computing, right? So most commercial entities, most think tanks think that a quantum computer, a usable one, will be invented within 15 or so years or so. Fortinet is actually already implementing quantum-resistant cryptography in our products.

Quantum what?

Called quantum-resistant cryptography.

Okay.

And a quantum computer.

I understand.

Will be able to break asymmetric encryption, but asymmetric encryption. So we're making sure we're implementing the algorithms today to future-proof our products against a future quantum computer.

That's a major statement, because as you said, we're probably not looking at a more broad-based utilization of quantum computing for many, many, many, many years. And we'll know when they're being used by bad guys, we'll know who has one. How fast is that going to become a real issue? I mean, as people think about it.

The problem is that the private sector doesn't know what the bad guy countries, when they will indeed have a computer. So Fortinet's being forward-leaning, making sure we're starting to get familiar with the technology now. And also encryption's the type of thing that sometimes it requires special hardware requirements, special power.

Quantum computing does?

No, any encryption technology. The more computation you have to do, sometimes it might require more memory or a faster processor. Well, that takes months, if not years, if you're putting that into a custom chip. So we're planning and doing these things now so we can make sure that we're ready and aren't surprised by the actual compute power that's required of quantum-resistant cryptography or, of course, aren't surprised when the adversary does in fact have one.

Yeah, good stuff.
One of the things that you're doing later today is a panel, right, between IT and OT folks. And I wanted to explore with you some of the evolution in the risks on the operational technology side. Tell us a little bit about what that panel today is going to discuss and maybe an example of Triton, for example, and how these types of attacks are now very prevalent from a physical standpoint.

Favorite topic of mine, thanks for bringing it up. So one of the first things I'll do is I'll make a distinction between OT, operational technology, and IoT. So what I'll say is operational technology is designed primarily to work to protect the safety and reliability of physical processes and things. Things that move electricity, move oil and gas inside industrial automation plants, so operational technology. And then I'll talk a little bit more about IoT, the Internet of Things, which are primarily, and I'm cartooning a little bit, more about enabling consumer-friendly things to happen, to increase the friendliness and convenience of our everyday lives. And so once I make that distinction, I'll talk about the security solutions that are different between those. So the OT community has done just fine for years, thank you very much, without the IT folks coming in and saying, I'll save your day. But that's because they've had the luxury of relying on the air gap. But unfortunately, in the operation, meaning to attack an OT system, you had to physically touch it. But unfortunately, the air gap is dead or dying in the OT space as well. So we need to bring in new strategies and technologies to help secure OT. The IoT side, that's a different story, because IoT is fundamentally lightweight, inexpensive devices without security built in. So we're not, as a community, going to automatically be able to secure IoT. What we're going to need to do is implement a strategy we call Earned Trust. So a two-part strategy.
Number one, rather than pretend we're going to be able to secure the IoT devices at the device level that are currently unsecurable, we're going to move security to a different part of the architecture. Because remember I talked about, that's what you can do with the security fabric. If you do defense as a team, you want to defend at the time and place you're choosing. So with IoT, we'll move the defense to a different part of the architecture. And what we'll implement is a strategy we call Earned Trust. We'll assign a level of trust to the IoT appliances and then evaluate how they actually behave. And if they do, in fact, behave over time, according to their advertised type of trust, we'll allow more or, in some cases, less access. So that's our IoT solution. And both of them are really important to the community, but they're very different, IoT and OT. But unfortunately they share two letters and people are mixing them up too much.

But at the same time, as you said, the air gap's going away, but also we're seeing an increasing number of the protocols and the technologies and other types of things start to populate into the OT world. There's likely to be some type of conversion, some type of flattening of some of those devices, but it would be nice to see some of those, as you said, hardened, disciplined, deep understanding of what it means to do OT security, also start to influence the way IoT thinks about security as well.

Love it, great point. Not only can the OT folks perhaps borrow some strategies and technologies from the IT folks, but the opposite's true as well. Because on the OT side, I know you're making this point, they've been securing their industrial internet of things for decades and doing just fine. And so there's plenty that each community can learn from each other.
You brought up a recent type of malware affecting OT systems, and it brings me back to about nine years ago, you might be familiar, there was just a catastrophic incident in Russia as a failure of operational technology. Specifically, it was the largest electricity generation hydroelectric plant, ninth biggest in the whole world. They took it offline to do some maintenance, loaded some parameters that were out of range, caused vibration in the machinery, and next thing you know, a major cover flew off, a 900 ton motor came off its bearings, water flooded the engine compartment and caused a catastrophic explosion. With, I think, I'll just say, well over 50 people dying and billions of dollars of economic loss. So what I'm trying to say is not, is not, you know, get excited over a catastrophe, but to say that the intersection between physical and cyber is happening. It's not just, you know, the stuff of spy novels anymore. Countries have demonstrated the will and the ability to attack physical infrastructures with cyber capabilities. Now back to Triton and Trisis, this is just a couple months ago, that sort of rocked the operational community because it was a very sophisticated piece of malware, and not only could it affect what are called control systems, but the safety systems themselves. And that is considered the untouchable part of operational technologies. You never want to affect the safety system. So the time is here, the opportunity and need is here for us to do a better job as a community protecting the OT systems.

So the speed, the scale, all the other things that you mentioned suggests that we're moving beyond, and Ken has talked about this as well, Ken Xie has talked about this as well, the third generation of security, that we're moving beyond just securing a perimeter and securing a piece of hardware. We're now thinking about a boundary that has to be porous, where sharing is fundamentally the good that's being provided.
How are, how is the CISO thinking differently about the arrangement of hardware, virtual services, virtual capabilities, and in fact, intellectual property services to help businesses sustain their profile?

I think you're spot on that the boundary as we knew it is dead, dying if not dead, right? So the new strategy is doing agile segmentation, both at the macro level and the micro level. And because you might want to form a coalition today that you might break apart tomorrow and that's why you need this agile segmentation. Back to your point about having some stuff in the cloud and stuff, stuff perhaps in your own data center. Again, we don't want to make people choose between those two things. We need to create a virtual security perimeter around the data whether part of it exists in the data center or part of it exists in the cloud. And that again gets back to that strategy of agile segmentation at both macro and micro levels. And of course we need to do that with great simplicity so we don't overwhelm the managers of these systems with complexity that it causes the human brain to fail on us. I'll oftentimes say it's not the hardware or the software that fails us, it's the wetware. It's the brain that we have that we get overwhelmed by complexity and it causes us to do silly or sloppy things.

So let me build on that thought one second and come back to the role that you play within Fortinet but also the CISO is starting to evolve into. As a guy who used to run, I'm not a big business but a publicly traded company, I learned that when you wanted to go into a partnership with another firm, you got a whole bunch of lawyers involved, you spent a long time negotiating it, you set the parameters in place and then you had a set of operating models with people that made sure that the partnership worked together.
When we're talking about digital, we're talking about that partnership happening at much faster speeds, potentially much greater scale and the issue of securing that partnership is not just making sure that the people are doing the right things but the actual systems are doing the right things. Talk about the evolving role of the CISO as a manager of digital partnerships.

I think you're right, it used to be the case where if you're entering a partnership, the other, your partner might say, tell me a little bit more about how you secure your systems and that company might say, that's none of your business, thank you very much. But today for the reason he so well said, your risk is my risk. As soon as we start operating collaboratively, that risk becomes a shared situation. So in fact, it becomes a responsibility of the CISOs to make sure that the risks are appropriately understood and co-managed. Don't get me wrong, each company still needs to manage their own risk but once you start richly collaborating, you have to make sure that your interfacing doesn't create new risks. So it used to be the day that only a couple of people in a company could say no. Of course the CEO, maybe the general counsel, maybe the CFO, but increasingly the CISO can say no too because the exposure to a company is just too broad to take risks that you can't understand.

And it's not a financial problem, it's not a legal problem, it's an operational problem.

That's right, that's right. So the good news is that CISOs, I think are stepping up to the plate for that. They're not, the CISOs of today aren't the CISOs of five, seven years ago. They're not insecure folks fighting for their posture in the C-suite, they're valued members of the C-suite.

I wish we had more time guys, because I would love to dig into that shared responsibility conversation. We've got to wrap up.
Phil, thank you so much for stopping by theCUBE again and sharing your insights on the strategic side, not only the evolution of Fortinet security, but also the evolution that you guys are leading in 2018 with your partners. We wish you a great time at the event and we thank you for having us back.

Thanks for having me very much. I enjoyed talking to us, okay?

And for my co-host, Peter Burris, I'm Lisa Martin. We are live on theCUBE at Fortinet Accelerate 2018. Stick around, we'll be right back.