 Live from Boston, Massachusetts, it's theCUBE. Covering AWS Reinforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Okay, welcome back everyone. It's theCUBE's live coverage of Boston, Massachusetts for Amazon Web Services, AWS Reinforce. They're first in all the world conference around security, cloud security. I'm John Furrier with my co-host Dave Vellante. If you're talking about security, you cannot talk about cybersecurity, how it impacts government, society and commercial. We've got two great guests here from Telos, a leader in cyber out of DC, A.J. Turcotte, business development and Tom Ryder, VP of commercial sales at Telos. Great to see you guys, welcome to theCUBE. Thank you, John. Tripp forgot to be here. I've been intrigued by Telos over the years. One great company you guys so congratulations, John Wood is phenomenal CEO. He's been hanging around for a long, long time. He's seen many cyber waves in security. You guys have a lot of experience. Now we're talking about modernization of government. Two a week and a half ago, we were at AWS Public Sector Summit, which is the show in DC with Theresa Carlson's team. That's all about modernizing government, public sector, procurement, modernization, technology, cloud. Here, the security conference feels the same kind of vibe for security. Not so much modernization, but kind of level up, get faster, get better and get stronger and everything's great. Now let's go do it. So similar kind of experience, you guys are in the middle of both those worlds. Yes. What's your impression? What are these coming together? Are they two separate? What's your impression of the show? It's security is job zero. People have been saying that for a long time. The rubber's meeting the road now. You can see this wouldn't have been this big years ago. So we're happy to be here and be part of this. Our company's been focused on cybersecurity since the word go. And we're definitely seeing you can't do modernization without baking security in. Everybody gets it, it's not a bolt-on anymore. What are you saying? Absolutely, and it goes from the software development and lifecycle all the way up the stack. Little anecdote, John has been around for a long time. He's actually, and he'll hate me for saying this, but he's the longest standing CEO of a company in Virginia right now, 25 years. We've been around for a long time. We understand cybersecurity and we've seen it morph as the various platforms have evolved. But definitely a great show. A lot of vendors, some new, some old. We meet some friends that were with one that are now with another and asking them why they changed. And they say, well, the old school and the new school, different methodologies, different ways to approach it. But the problem fundamentally stays the same. I mean, he uses the term old guard, new guard. That's Jassy and Teresa's word. But it really is about the transmission of that all companies are becoming security companies. They say they're about media, all companies are becoming media companies. You inherently have this horizontal impact of security. It used to be, these firms do security and you hire them, they come in, they do the job. But now to where you got to bake it in, you're starting to see the brands, Microsoft, all these companies that were once software companies in general purpose areas, really getting deeper into security. And then companies themselves, like Capital One, Liberty Mutual, they're building out. And potentially not turning from a cost center to a revenue center. So the model's upside down right now in a good way. What's that doing to the industry? Is it one you believe that's happening and two, what do you see happening? The challenge in front of us right now is security has to keep up the pace and the scale of the cloud and the modern world. I know that we've had to change our tunes in our product suite to be able to test and demonstrate compliance at pace and at scale. Otherwise, you're just slowing down development. I mean, the real beauty of the cloud is the speed at which you can fail, recover, get the feedback loop, move forward and security's now at that space. And I think you'll see around here the companies that are offering that, not just a new coat of paint on the traditional offering are going to excel in the space. Well, this is why I like what you guys do because you talk to practitioners, they say their number one challenge is how to keep up with that pace. I mean, you could talk to one person at Amazon and no one person knows all the services, right? You think, oh, Amazon doesn't have that. Oh, yes, they do have that. So having a partner like you guys to help navigate that pace of change is critical. So how have you made that a tailwind for you guys and what are customers telling you that they need help with? What are end of it, the piece of the elephant that we touch is the customers are allowed to use the cloud, they're encouraged to use the cloud, they're going to school to get trained and certified, but you can't go at this pace unless you are authorized. You need permission, nobody's allowed to put in the plug without the permission and that's where our end of it is and we've had to really retool to go at this cloud pace. I've been at Telos for over 19 years and it's exciting now and when we had the opportunity to go into the commercial side of things, I really leapt at that because we're now building, as I said, tooling out to keep at this pace of how do I test, don't be a detractor, don't be a slower downer, and it's the way we got to be. Tell me to explain your product offerings for the commercial sector, what are you guys offering, what's the value proposition? Sure, our product suite is called XACTA, it's a mature product in the Fed space, it's been around for 19 years and it's in very wide use in the Fed space to operationalize their assessment and authorization, the NIST risk management framework. We're now seeing NIST cybersecurity standards are gaining a lot of traction in spaces outside the Fed. If you're a software company like we see around here, you want to do business in the Fed, you got to get a FedRAMP authorization, XACTA's tool to do that now. We're seeing state and local government embracing NIST cybersecurity standards. The defense industrial base has NIST 800-171, it's built into the defense acquisition regulations, you need to corporately meet these security controls, so it's not just for an agency on its own anymore, everyone's getting into the game. So those standards are moving to commercial, you guys are baked out, bulletproof, hardened product, you're bringing that into commercial. Yeah, and I would say, if you take spreadsheets off the table, XACTA is the number one NIST cybersecurity automation and management platform. Yeah, spreadsheets will always be number one, it's like other in the pie chart, other always has the most market share. So it used to be, and I'm wondering if it still is, that the public sector would look to the commercial for sort of best practice, they might be a little slower to adopt certain things, and there's certainly examples of that today. You see, Teresa at Public Sector announces something that maybe Amazon announced a year ago, and now it's available public sector. But the cloud feels a little bit different, you've had cloud-first mandates, you have things like Jedi, is that trend changing? You just sort of gave us an example, we're certifications bringing that up to commercial. Is there still a wide gap between commercial adoption and public sector adoption? Well, I think one thing that we see is a lot of commercial or government entities built data centers because they had to, right? Now you see entities that have big, robust, mature data center infrastructure, they like what they do in there, but not necessarily keeping up that data center. So they're looking, they're all going to the cloud in varying degrees of speed, but nobody wants to be in the data center business like they used to. Like Charles Phillips from Inforces, friends don't let friends build data centers. Right, right. Hey, just tell us some customer use cases and examples where you guys are helping them, what's their challenge? Give us some real world experiences. Sure, sure, so one of the industries that's highly regulated is financial industry. And we talk about healthcare with HIPAA and different regulations, but in financials they're really hit from regulatory bodies throughout the country and it can change from state to state and a lot of times it just piles on top. So one of the main issues that these companies face is audit fatigue, internal audit teams to make sure that they're compliant, external audit requests that come in and they're really looking for a way to reduce this audit fatigue. One of the ways of doing it is to operationalize as we do with our tool, the systems internally to make sure that you can be compliant and I'll throw out a phrase here. We believe strongly that you apply good cybersecurity hygiene, a byproduct of that will be compliance. So if the foundationally things are good and you've taken care of cybersecurity from the get go, you know, you might have to tweak a few things to demonstrate compliance, you will be able to comply to many different regulatory bodies. So being built in from the beginning. Being built in, right. So what, with this particular organization, they've been around for a hundred years, they're in the financial sector, they've got a lot of regulations and state to state, as I mentioned, that are different, they were really looking and they use all the tools. They've got them all, they have data centers, they have one of the largest networks outside of the defense in the country. So they're quite big and they were really feeling this audit fatigue. 800 auditors working day in and day out to get to meet these requirements that are thrown at them. We're able to help them take the process from months to weeks. So just there, there's an economy of time as well. So the resources can really go off and do what their mission is without having to, you know, daily deal with the grind of going through spreadsheets, for example, into different systems. Do you discern any patterns in terms of, can you get more specific on what they're doing with that freed up budget? Are there digital transformation? Are they developing apps? Are they retraining people? How are they dealing with that? Sure, in this particular case, a lot of training internally and it's like moving a cruise ship, you know? It doesn't turn on a dime. So you have direction on the top. They take, you know, the primary focus might change and they have study groups. Interesting about them is they don't make, they make group decisions. So they do, they're very big on data analytics. They're all actuaries, I guess, and they're used to that. They want to look at the value. And I think that's something that we see, that's a tendency we see throughout all the different industries we work with, the demonstration of value. So it might be neat, it might be fun, it might be more secure, less secure, do we accept the risk? What value does that bring to the organization? And what they've done through training, through trying to change the old guard, you know, it's also reorganizing their systems internally and how they do things, not just tools. So you guys got to love the fact that Amazon decided to have a security-focused show. I mean, every show Amazon does is security-focused, but dedicated. The crowd here, you were mentioning that, you know, a lot of partners here, a lot of vendors, but actually, it's a very attendee-heavy event. This is not like a huge, you know, Comdex show floor. A lot of practitioners, sec ops guys, you know, developers, what are your thoughts on why Amazon did this in your reaction to the pandemic? Amazon has, you know, like we said, security is job zero for everyone at Amazon. They put their money where their mouth is. This was not an experiment, this was an eventuality. And you know, there's zero doubt they're going to continue to do this year on year on. It's going to get bigger. Houston next year. Houston. Kind of an interesting choice, Houston. Yeah. Be hot and stay in the air conditioning. I wish you'd stay in Boston. Yeah, I like Boston. I like Boston too. But the show is to your point, some dev ops and sec ops. So it's, again, there's, there's biz dev folks here. You've got geeks here. Not a lot of CEOs of big companies, because it's not a glam conference. There's no big fanfare announcements. The announcements are pretty meaty, VPC traffic, a mirroring, huge announcement, security hub general availability, not a surprise, but just a smaller announcement. A lot of CISOs, obviously. A lot of CISOs. I'd say CISO in that. This is a CISO's cloud security show. A lot of things get invested in. Seems to be heavy activity. So going into this, when it was announced, you know, AJ and I had our hands up right away, saying, let's do this. And then we get here like, okay, is this going to be a direct hit for us? And I wouldn't say that everyone we talk to is a direct hit, but everyone that comes by the booth has some understanding of what we do. And there's been no wasted time. We're having a lot of good conversations. They're right where you guys are. They know what you do, value to them. Right. All right, so here's a question for you in the show. Given that you guys had this perspective for so many years at Telos and Cyber, shipping a great product, now commercials changing, cloud scale, cloud security, what do you think the most important stories are that should be told that the media should be telling or maybe they are telling me to be amplified or isn't being told and should be told. What are the top stories coming out of this event and this industry right now that should be told? I think that the two trends I'm seeing is that, like we said before, building and maintaining data centers is not cool anymore. And you see the trends of all these entities getting out from under that and they might be making a big commitment to the cloud or phasing out their data centers over time, that is happening. And I want to read more about it because that helps us target who's going to be most receptive to our message. And then the other thing is just, like we said before, the security at scale and at pace. I know we've had to retool for it. The other companies here that are built for that are going to succeed. Yeah, I think there's an appetite for it. A.J., anything to add on that? No, very good point. At scale and to be able to pivot quickly. And as Tom mentioned before, to be able to fail, retool, start again. But to have, it's really essential to have security baked in. That confidentiality, integrity, availability of data, you know that the basis. You guys have partnered well with Amazon, public sector, now in commercial. And not a lot of change is still Amazon as Amazon. Question for you is, what do you guys think about what the opportunity is to differentiate? As you guys have your solution, speed and scale, totally agree? Size, speed, scale? You guys take the benefits of that by partnering with Amazon. But as it gets bigger and bigger, you guys still have to differentiate, help customers. Yeah. How, what is the formula for success? You don't just do thing, do a relationship thing. We're done, now collect the business. They move it so fast, if you don't iterate on top of it, your diet seems to be the playbook. What do you guys think the value for ecosystem partners, the formula to be successful? What is that formula for it with an AWS cloud scale? Well, you know, everyone would love to just hitch your partner wagon to something that's rising and not have to do a lot of work. But that's not the way we roll. I think we get in a great partnership with Amazon because we have a lot of similarities, especially the customer obsession. You know, we want the customer to be successful and we ride along on that train. That's how we're successful. Great. Well guys, congratulations. Great to see you here. Likewise. It'll be a good journey. Cube's kicking off their security coverage at this event. Obviously cloud security changing the game. Yep. It's got to level up with DevOps, agility. You guys have been doing it. Thanks for sharing the insights. Appreciate it. Thank you, thanks for having us. Cube coverage continues here in Boston for AWS Reinforce. I'm John Furrier with Dave Vellante. Stay tuned for more coverage after this short break.