From theCUBE studios in Palo Alto and Boston, it's theCUBE covering IBM Think, brought to you by IBM.

Welcome back to our coverage of IBM Think 2020, the digital version of IBM Think. My name is Dave Vellante and you're watching theCUBE. Hilary Hunter is here. She's the vice president and CTO of IBM Cloud and also an IBM Fellow. Hilary, thanks for coming on. Good to see you.

Thanks so much for having me today.

All right, let's get really, let's get into it. We want to focus on security and compliance. It's a key, obviously a key aspect and consideration for customers. But I have to start by asking you, there's this sort of age-old conflict between being secure and then having the flexibility and agility and speed that business people need. How does IBM Cloud sort of square that circle?

Yeah, you know, it's really interesting because cloud itself is designed to deliver agility and speed. And that's everything from release cadence to being able to consume things as APIs. And so when we say cloud and security, it's about the things that we implement as a cloud provider and the services that we stand up. And all of that is API driven. All of that is intended to enable data protection through APIs, intended to enable security monitoring through APIs and dashboards and other things like that. And so actually when delivered as cloud services, the security functions can actually even go more quickly and can facilitate that speed and agility in and of themselves. So it's really interesting that the means of delivering cloud capabilities actually can facilitate that agility in the security area.

Yeah, I mean, I think especially in these times with COVID-19, a lot of clients that we're talking to were saying, hey, we're really going harder for the cloud. And the downturns have been actually pretty good for the cloud. I presume you're sort of seeing the same thing. But if you think about the cost of a breach, it's millions of millions of dollars on average.
You think about the time it takes for an organization to identify when there's been an infiltration. I know small companies like ours, we feel good that we can tap into cloud infrastructure. But what are your thoughts on sort of that whole notion of cloud as essentially maybe even having better security in a way, however you define better?

Yeah, you know, I actually agree with those statements. And I think it's played out in many of our client engagements because when you are talking about cloud and you're talking about security, we have the opportunity to present to you a proactive approach, right? Where we're saying leverage this type of technology in order to do your key management or your data encryption. It is stood up by us already fully as a service. You consume it, API driven. And so we are able to say that this will enable you to have end-to-end data encryption or encryption according to some standard or key management where the keys remain in your hands or use these things that are security services so that there doesn't have to be as detailed of a conversation as you often have to have when you're solutioning your own IT. You can say, okay, what's the objective we're trying to get to? What is the net security and compliance posture? And we as a cloud provider can be proactive in telling you, hey, therefore then use this combination of services and use them in this following way. And that will enable you to reach those outcomes. And so moving past, you know, it being fully self-service where you have to configure hundreds and hundreds of things yourselves to it being more prescriptive and proactive and goal oriented and outcome oriented is an opportunity that we have in cloud where we're standing up capabilities. And so we really try to talk to clients about, okay, what's the, what are you trying to accomplish? Are you concerned about control over your IT? Are you concerned about meeting particular documentation on particular regulatory compliance?
What's the point? And then how does that relate into a conversation about data, compute, networking, et cetera? And then what does that map to in terms of how you should then use certain cloud capabilities?

I want to follow up on that, Hilary, because I want to see if I can discern maybe there's some difference in the way IBM approaches this. I've often said in theCUBE that bad user behavior trumps good security every time. And of course, you've got multiple layers. You've got IBM securing, you know, its infrastructure and its cloud. You've got IT and whatever role they're playing and you've got the end user. Now, if somebody phishes the end user and end user admin, okay, there's things you can do, fine. But there's also the IT kind of in the middle. You mentioned managed services. Is IBM's approach, you know, somewhat different, but no cloud suppliers. Maybe you could elaborate on that.

Yeah, so, you know, we really look to protect the services that we're standing up, whether it's infrastructure services where it's, you know, networking, whether or not it's container service or, you know, other services that we're providing. We're looking to protect those, you know, down to the core of what that service is and how it works and how it provides security. And then the technologies that that service integrates into, right? So services seamlessly integrating into bring your own key and our FIPS 140-2 Level 4 backed keep your own key, et cetera. So we take other things for our clients. And then in doing so, we enable end to end the client to understand both what the status of the service itself is as well as, you know, how they use it in order to take into account other security considerations. And I think it is a fundamentally different approach than one takes for, you know, your own IT where you're responsible end to end for everything. In this case, you know, we secure what we're doing.
And then we enable through things like our Security Advisor to do configurations and such that govern the developer behavior and ensure that overall together between us and the client, the posture, even of what the developers and such is understood and can be monitored and ensured that it is secure and compliant.

Okay, so I just want to take an example of that. So you are responsible for, let's say, securing the object store as an example. But yet at the same time, the client's IT organization can affect policies that map to the edicts of their organization. So they've got that flexibility, but it's a sort of a partnership approach. Is that, am I understanding that correctly?

Yeah, absolutely. And the question is then that IT organization that's taken policies, we then enable our clients to use tools, everything from things that can be integrated into the DevSecOps pipeline of Red Hat, you know, and initiatives that are going on with CNCF and NIST and other places like that. So how can they translate their risk and security postures into concrete tools that we deliver, right? Everything from DevSecOps on OpenShift to then tools and dashboards that we have like Security Advisor so that they can then most effectively implement the entirety of what constitutes security on a public cloud environment with confidence.

Yeah, so security and compliance slash privacy are sort of two sides of the same coin. So I want to understand how IBM Cloud is approaching compliance, obviously GDPR kicked in, you know, whatever, May of, I guess, 2018 in terms of the fines, the California Consumer Privacy Act. Everybody sort of has their own little GDPR now, in states and regions and countries, et cetera. How is IBM supporting clients in regards to compliance and such initiatives?

Yeah, you know, and this is an area where, you know, again, we are working to make it as easy as possible for clients to not only see our status on certain compliance areas, which is visible through our website on compliance, but also to achieve compliances where there is some joint or shared responsibility. So for example, in Europe with the European Banking Authority, we have kind of an industry unique position in enabling clients to achieve what is needed. And so we provide proactive, you know, guidance on European Banking Authority or PCI DSS or other things like that. So we're really trying to take a very proactive approach to providing the guidance that clients need and meeting them in that journey. Overall, we in addition have a specific program for financial services where we announced our partnership back in November with the Bank of America for financial services for a very significant control set in compliance that is not just a combination of a bunch of little existing things, but really is a tailored control set for the financial services industry that acknowledges the fact that, you know, getting compliance in that space can be particularly challenging. So we are taking a very proactive approach to helping our clients across different sectors, deal with those changing, you know, postures and internally as a cloud organization, we are advised also by IBM Promontory, which it has extensive background over 70 jurisdictions globally changes in all these postures and in compliance and rules and such like that, that they consistently and continuously monitor and help us design the right cloud moving forward because compliance, as you said, is very much a dynamic and changing landscape.

You know, when you talk to chief information security officers and ask them, you know, what their biggest challenge is, they'll tell you lack of skills. And so they're looking to automation to really help close that gap. And clearly cloud is sort of all about automation.
So I wonder if you could just talk a little bit about what you're seeing with regard to automation generally, but specifically how it's helping people, you know, close that skills gap.

Yeah, you know, the topic of automation is so interesting when it intersects security because I really view this transition to cloud and the use of cloud native and the use of containers and such actually is an opportunity again, yet again to improve security and compliance posture because cloud and the DevOps and CI/CD pipelines and all of that of a cloud native build and a containerized build give you certain opportunity both to prevent a bunch of behaviors as well as to collect certain information that may become useful later on. I think actually cloud modernization because of the automation it brings is a really, really topic for both CSOs and risk officers right now because it can not just improve the agility that you started with as a motivation to go to cloud but it can also improve visibility into what's going on with all your workloads, you know, to know that a developer used a particular library and then you see oops, maybe there's a concern about that library and you instantly know where across the entirety of your IT that that's been deployed. That's a tremendous amount of knowledge and you can take either immediate action on that or you can do automation, push out changes and things like that. We use internally as a cloud provider the best of SRE and automation practices to keep our estate patched and other things like that and that can also then translate into people's own workloads which I think is a really exciting opportunity of cloud.

You know, we're out of time but I want to close in asking you sort of what we should look forward to. We had a great conversation earlier with Jamie Thomas about quantum and she talked about idea. You get that on the IBM Cloud. What should we look forward to sort of in the coming months and even years at IBM Cloud?

Yeah, you know, we're really excited about that agility that cloud itself for us as a company provides, right? Like you said with quantum, it is the place that we can bring out the latest and greatest things for our clients to use and experiment with and adopt their algorithms and such too. So you're going to continue to see us taking a very aggressive posture in turning the latest in open source and technologies into cloud delivered fully managed services. And so, you know, everything from what we've done already with Istio as a service and Knative as a service and quantum as a service, et cetera, you'll continue to see us take that approach that we want to be a fresh and vital environment for developers to consume the latest and greatest that's out there but yet as an enterprise-focused company and a company very much focused on security and compliance, you'll continue to see us back those things with our own efforts to secure and then enable security on our environment.

Well, Hilary, thanks so much for coming on theCUBE. It's always great to have experts like yourself share with our community, appreciate it.

Great, thank you so much for having me.

And so we're seeing cloud acceleration as a result of COVID-19 but it's always been a real wave for the last 10 years. We're just seeing it accelerate even faster. This is Dave Vellante for theCUBE. You're watching theCUBE's continuous coverage of IBM Think Digital Think 2020. Keep it right there, we'll be right back right after this short break.