 Live from Barcelona, Spain, it's theCUBE! Covering Cisco Live Europe. Brought to you by Cisco and its ecosystem partners. Hello everyone, welcome back to theCUBE's live coverage here in Barcelona, Spain. For Cisco Live Europe 2019, we're in day three, three days of coverage. I'm John Furrier with Dave Vellante. Our next two guests, we're going to talk about privacy, data, Michelle Denton, VP and Chief Privacy Officer at Cisco, Robert Waitman, who is the Director of Security and Trust. Welcome back. And everything we talked about kind of is happening on steroids here this year. Welcome back. Thank you, glad to be here. Thanks for having us. Security, privacy, all go hand in hand. A lot going on, you're seeing more breaches, you're seeing more privacy challenges, certainly GDPRs going to the next level. People are quote, complying. Here's a gig of data, go figure it out. So there's a lot happening. Give us the update. Well, as we suggested last year, it was privacy Palooza all year long, running up to the enforcement deadline of May 25, 2018. There were sort of two kinds of companies. There's one that ran up to that deadline and said, woohoo, we're ready to drive this baby forward. And then there's a whole another set of people who are still sort of, oh my gosh. And then there's a third category of people who still don't understand. I had someone come up to me several weeks ago and said, what do I do? When is this GDPR going to be a law? I thought, oh honey, you need a hug. Two years ago. And some companies in the US at least were turning off their websites. Some media companies were in the news were actually shutting down their site and not making it available because they weren't ready. So a lot of people were caught off guard, some were prepared, but still, you said people would be compliant, kind of. And they did that, but still more work to do. Lots more work to do. And as we said, when the law was first promulgated two and a half years ago, GDPR and the deadline, A, it's just one region, but as you'll hear, as we talk about our study, it's impacting the globe. But it's also not the end of anything. It's the beginning of the information economy at long last. So I think we all have a lot to do, even if you feel rather confident of your base level compliance, now it's time to step up your game and keep on top of it. Before we get into some of the details of the new findings you guys have, I want you to take a minute to explain how your role is now centered in the middle of Cisco, because if you look at the keynotes, data is in the center of a lot of things in this intent-based network on one side and you've got cloud and edge on the other. Data is the new ingredient that's feeding applications and certainly collective intelligence for security. So the role of data is critical. This is a big part of the Cisco tech plan, nevermind policy and or privacy and these other things. You're in the middle of it. Explain your role within Cisco and how that shape- Well, and it's such a good question and actually if you watch our story through theCUBE, we announced actually on Data Privacy Day several years ago that data is the new currency and this is exactly what we're talking about. The only way that you can operationalize your data currency is to really think about it throughout the platform. You're not just pleasing a regulator, you're not just pleasing your shareholders, you're not just pleasing your employee base. So as such, the way we organize our group is my role sits under the COO's office, our chief operations office, under the office of John Stuart, who is our chief trust officer. So security, trust, advanced research, all live together in operations. We have sister organizations in places like public policy, legal, marketing, the sales groups, the people who are actually operationalizing come together for a group. My role really is to provide two types of strategy. One, rolling out privacy engineering and getting across inside and outside of the company as quickly as possible. It's something new. As soon as we have set processes, I put them into my sister organization and they send them out as routine and hopefully automated things. The other side is the work Robert and I do together is looking at data valuation models, working about the economics of data, where does it drive up revenue and business and speed, time to closure and how do we use data to not just be compliant in the privacy risk, but really control our overall risk and the quality of our information overall. Mathful. That's interesting. And Robert, that leads me to a question. We've seen these unfunded mandates before. We saw it with the Y2K, the Enron Backlash, certainly in the United States, the federal rules of civil procedure. And the folks in the corner office would say, oh, here we go again. Is there any way to get more value beyond just reducing risk and complying? And have you seen companies be able to take data and value and apply it based on the compliance and governance and privacy policies? Yeah, that's a great question. It's sort of the thought that we had and the hypothesis was that this was going to be more valuable than just for the compliance reasons. And one of the big findings of the study that we just released this week was that in fact, those investments, we're saying that good privacy is very good for business. It was painful. Some firms stuck their head in the sand and said, I don't want to even do this, but still going through the GDPR preparation process or for any of the privacy regulations has taken people to get their data house in order. And it's important to communicate. We wanted to find out what benefits were coming from those organizations that had made those investments. And that's really what came out in our study this week for International Data Privacy Day. We got into that quite a bit. What is this study? Can you give us some details on it? So it's the Data Privacy Benchmark Study we published this week for International Data Privacy Day. It's sort of an opportunity to focus on data privacy issues, both for consumers and for businesses, sort of the one day a year, kind of like Mother's Day. You should always think of your mom, but Mother's Day is a good day. So you should always think of privacy when you're making decisions about your data, but it's a chance to raise awareness. So we published our study this year and it was based on over 3,200 responses from companies around the world, from 18 countries, all sorts of sizes of companies. And the big findings were in fact around that. So privacy has become a serious and a boardroom level issue that the awareness has really skyrocketed for companies who are saying, before I do business with you, I want to know how you're using my data. And so what we saw this year is that seven out of eight companies are actually seeing some sales delay from their customers asking those kinds of questions. But those that have made the investment, getting ready for GDPR or being more mature on privacy, are seeing shorter delays. If you haven't gotten ready, you're seeing 60% longer delays. And even more interestingly for us too, is when you have data breaches and a lot of companies have them as we've talked about, those breaches are not nearly as impactful. The organizations that aren't ready for GDPR are seeing three times as many records impacted by the breach. They're seeing system downtime that's 50% longer. And so the cost of the whole thing is much more. So kind of the question of, is this still something good to do? Not only because you have to do it, we want to avoid 4% penalties from GDPR and everything else. But it's something that's so important for my business that drives value. So the upshot there is that you do the compliance, okay, check the box, we don't want to get fined. So you're taking your medicine basically. It turns into an upside with the data you're seeing from your report. Sales, benefit, and then just preparedness and readiness for breaches. Right, I mean, it's a nice way to think about, that's exactly right. Don, you've got it right. You've got your data house in order. I mean, there's a logic to this so that if you figured out where your data is, how to protect it, who has access to it, you're able to deal with these questions. When customers ask you questions about that, you're ready to answer it. And when something bad goes wrong, let's say there is a breach, you've already done the right things to control your data. You've gotten rid of the data that you don't need anymore. I mean, 50% of your data isn't used for anything. And of course, we suggest that people get rid of that. That makes it less available if a breach occurs. So I got to ask you a question on the data valuation because a lot of the data geeks and data nerds like myself saw this coming. We saw data mostly on the tech side. If you invested in data, it was going to feed applications. And I think I wrote a blog post in 2007. Data is going to be part of the development kits or development environment. You're seeing that now here. Data is now part of application development. It's part of network intelligence for security. Okay, so yes, check that's happening. At the CFO level, can you value the data so it's a balance sheet item? Can you say we're investing in this? So you start to see movement, you almost project maybe in a few years or now, how do you guys see the valuation? Is it going to be another kind of financial metric? Well, John, it's a great point seeing where we're developing around this. So I think we're still in somewhat early days of that issue. I think the organizations that are thinking about data as an asset and monetizing its value are certainly ahead of this. We're trying to do that ourselves. We've probed on that a little bit in the survey just to get a sense of where organizations are. And only about a third of organizations are doing those data mature things. Do they have a complete data map of where their stuff is? Do they have a chief data officer? Are they starting to monetize in appropriate ways their data? So there's a long way to go before organizations are really getting the value out of that data. But the signals are showing that there's value in the data. Obviously the numbers sales. There's some upsides of compliance, not just doing it to check the box. There's actually business benefits. So how are you guys thinking about this? Because you guys are early adopters or leaders in this. How are you thinking about the data measurement of it? Do you share your insights on that? Yeah, so data on the balance sheet, Grace Hopper 1965, right? Data will one day only be on the corporate balance sheet because it's in most cases more valuable than the hardware that processes. This is the woman who's making software and hardware work for us in 1965. Here we are in 2019. It's coming on the balance sheet. She was right then, I believe in it now. What we're doing is even starting, this is a study of correlation rather than causation. So now we have at least the artifacts to say to our legal teams, go back and look at when you have one of our new improved streamlined privacy sheets and you're telling in a more transparent fashion in a deal. Mark the time that you're getting the question. Mark the time that you're finishing. Let's really be much more stiletto like measuring time to close and efficiency. Then we're adding that capability across our businesses. Well one use case we heard on theCUBE this week was around privacy and security in the network versus on top of the network. And one point that was referenced was when a salesperson leaves, they take the contracts with them. So that's an asset and people get sued over it. So again, this is a business policy thing. So business policy sounds like. Well in a lot of the solutions that exist in the marketplace or have existed. I've sat on three encrypted email companies before encrypted email was something the market desired. I've sat on two advisory boards of a hope that you could sell your own data to the marketers. Every time someone gets an impression you get a micro center, a Bitcoin. We haven't really got that because we're looking on the periphery. What we're really trying to do is let's look at what the actual business flow and processes are in general and say things like, can we put a metric on having less records, higher impact and higher quality? The old data quality in the CDO is rising up again. Get that higher quality. Now correlate it with speed to innovation, speed to close, launch times. The things that make your business run anyway, now correlate it and eventually find causal connections to data. That's how we're going to get that data on the balance sheet. That's a great point. Is the data quality issue used to be a kind of a back office records management function and now it's coming to the fore. And I'll just make an observation. If you look at what were before Facebook fake news, what were the top five companies in the United States in terms of market value? Amazon, Google, Facebook was up there. It's at Microsoft, Apple. They're all data companies. And so the market has valued them beyond the banks, beyond the oil companies. So you're starting to see clear evidence and quantifiable evidence that there's value there. I want to ask you about, we have Guillermo Diaz coming up shortly, Michelle. And I want to ask you your thoughts on the technical function, you mentioned it's a board level issue now, privacy. How should the CIO be communicating to the board about privacy? What should that conversation be like? Oh my gosh. So we now report quarterly to the board. So we're getting a lot of practice. We'll put it that way. I think we're on the same journey as the security teams used to. You used to walk into the board and go, here's what ransomware is. And all of these former CFOs and sales guys would look at you and go, ah, okay, onto the financials. Because there wasn't anything for them to do strategically. Today's board metrics are a little soft. It's more activity driven. Have you done your PIAs? Have you passed some sort of a third party audit? Are you getting rejected for third party value chain in your partner communities? That's the have not and da-da-da. To me, I don't want my board telling us how to do operations. That's how we do. To really give the board a more strategic view, what we're trying to do is study things like time to close and then showing trending impacts. The one conversation with John Chambers that's always stuck in my head is, he doesn't want to know what today's snapshot is because today's already over. Give me something over time, Michelle, that will trend. And so even though it sounds like, you know, who cares if your sales force is a little annoyed that it takes longer to get this deal through legal? Well, it turns out when you multiply that in a multi-billion dollar environment, you're talking about hundreds of millions of dollars, probably a weak loss to inefficiency. So if we believe in efficiency in the tangible supply chain, that's some more strategic view I want to take. And then you add on things like, here is a risk portfolio, potential fair risk reporting type of thing if we want to do a new business. Do we light up a business in the Ukraine right now versus Barcelona? That is a strategic conversation that's board level. We've forgotten that by giving them activity. Interesting what you say about Chambers. John, you just interviewed John Chambers and he was the first person in the mid-90s to talk about a virtual close, if you remember that. So obviously what you're talking about is way beyond that. Yeah, and you're exactly right. And let's go back to those financial roots. So one of the things we talk about in privacy engineering is getting people's heads, the concept that the data changes. So the day before your earnings, that data will send Chuck Robbins to jail if someone is leaking it and causing people to invest accordingly. The day after, it's news. We want everyone to have it. Look at how you have to process and handle an operationalize in 24 hours. Figuring out those data stories helps it turn it on its head and make it more valuable. You know, you mentioned John Chambers. One of the things that I noticed was he really represented Silicon Valley well in Washington, DC. And there's been a real void there since he retired. You guys still have a bread presence there and are doing stuff there. And you see Amazon with Theresa Carlson doing some great work there. And you still got Oracle and IBM in there and doing their thing. How is your presence and leadership translating into DC now? Can you give us an update of what's happening at? So I don't know if you caught a little tweet from a little guy named Chuck Robbins this week. But Chuck is actually actively engaged in the debate for US federal legislation for privacy. The last thing we want is only the lobbyists, as you say, and I love my lobbyists wherever you are. We need them to help give information. But the strategic advisor is to what a federal bill looks like for an economy as large and complex and dependent on international structure. We have to have the network in there. And so one of the things that we are doing in privacy is really looking at what does a solid bill look like so at long last we can get a solid piece of federal legislation. And Chuck is talking about it at Davos, as was everyone else, which was amazing. And now you're going to hear his voice very loudly ringing through the halls in DC. He's upping his game in leadership in DC. Have you seen the size of Chuck Robbins? Game up, privacy on. It's a great opportunity because we need leadership in technology in DC. To affect public policy, no doubt. We need to do that. And globally, too. It's not just DC, but DC in America, but also globally. Yeah, we need to serve our customers. That's when they win. We got to get wrapped up here, but I want to get you guys a chance to talk about what you guys announced here to show. What's going on? Get the plug in for what's going on. Cisco Trust, what's happening? Do you want to plug first? Well, I think a few things we can add. So in addition to releasing our benchmark study this week and talking about that with customers and with the public, we've also announced a new version of our privacy data sheet. So this was a big tool to enable sales people and customers to see exactly how data is being used in all of our products. And so the new innovation this week is we've released these very nice color-created like subway maps. They make it easy for you to navigate around. They just make it easy for people to see exactly how data flows. So again, something up on our site at trust.cisco.com where people can go and get that information and sort of make it easy. We're pushing towards simplicity and transparency in everything that we do from a privacy standpoint. And this is really that trajectory of making it as easy as possible for anyone to see exactly how things go. And I think that's the trajectory on, that's where the legislation, both where GDPR is heading and the federal legislation as well to try to make this as easy as reading the nutrition label on the food item to say, you know, what's actually here? Do I want to buy it? Do I want to eat it? And we want to make that really that easy. That trust transparency gives accountability too, comes into play too, because if you have those things, you know who's accountable. It's terrifying. I challenge all of my competitors, go to trust.cisco.com, not just my customers, love you to be there too. Go and look at our data subway maps. You have to be radically transparent to say, here's what you get customer, here's what I get Cisco, here's where my third parties. It's not as detailed as a long report, but you can get the trajectory and have a real conversation. I hope everybody gets on board with this kind of simplification. Trust.cisco.com. We're going to keep track of it. Great work you guys are doing. I think you guys are leading the industry. Congratulations. Thank you. This is not going to end. This conversation continues. We'll continue globally. Thanks for coming on, Michelle. Appreciate it. Robert, thanks for coming on. Cube coverage here, day three. In Barcelona, we'll be right back with more coverage after this short break.