Live from Las Vegas, it's theCUBE, covering Fortinet Accelerate 18, brought to you by Fortinet. Welcome back to theCUBE's continuing coverage of Fortinet Accelerate 2018. I'm Lisa Martin with my co-host Peter Burris, and we are now joined by the CISO of Ingram Micro, Kevin Keely. Welcome to theCUBE. Thank you both very much, it's nice to be here. I love your title, The Prince of Security Weirdness, your other title. Tell us about where you got that and why you like it. I was at a customer engagement years ago when I was working for AT&T in, of all places, Moline, Illinois, and I was working with a lady whose business card actually said Protocol Princess. And the customers, based on what we are actually there to do, the customer decided that if she was the Protocol Princess, then I had to be the Prince of Security Weirdness, because the problem ended up being a combination of something very odd that was happening with their security appliances, plus the network itself. And so, of course, she spread that when we got back to the office and it just kind of stuck from there on. So, I kind of like it. If the company found something weird that was going on with security, they'd just go, send him, he'll sort it out. And I did. So, you've seen probably a really interesting evolution of security. Oh yeah. You've been the CISO for almost a couple years in Ingram Micro? Yeah, almost two years, yep. Longest tenured one in a while, I think, so. And you have an interesting kind of strategic perspective. Tell us a little bit about that and what makes that unique. Sure, so, from a CISO perspective, it used to be the CISO as the C-no, you know, the place where business goes to die. My feeling is, if I'm not adding lift to the business, then I'm adding drag. And if you're adding drag, then you're not being a responsible custodian of the company's money or its direction. 
So, my feeling is, and my strategic objective is, always partner with business to help them achieve what they need to achieve, but to do it safely in a way that doesn't add risk to the company. So, I like to say you look through your lens at something, it looks ridiculous. Somebody's doing something truly stupid, but if you pivot your perspective and you look at what they're doing it for, they have a perfectly reasonable and rational expectation of their results and what they're trying to achieve. What you need to do is adjust your thinking to understand what you currently don't understand in order to pivot them to get to a safe perspective from them to the business. So, one of the key differences between business and digital business is the role the data plays, but we can also take a security perspective. Business was about securing and limiting access. Digital business is about sharing and making possible access. So, is that kind of where you mean when you say that you're not the C-no, you're not the C-yes necessarily, but you're really focused on how to appropriately share? Completely agree, yeah. My approach is always, let's consult with each other, tell me what you're trying to achieve. Let's not look at what's caused me to be in your business today, let's look at what you're trying to achieve, what's your end goal? Right now, let's work together to achieve that in a way that adds limited, because you can't ever have a solution that exposes stuff without adding any risk, but there's always an acceptable risk appetite that you have to maintain in order to business, right? With risk comes opportunity and reward, right? So, you can never eliminate all risk. So, my approach is understand what they're trying to do, work out how much risk there is in any different way of doing it, and then choose the way that offers you the most risk reduction for the least capital expenditure and operational expenditure and gets them to market the quickest. 
At that point now, I know I've done my responsible part of keeping risk under control. I maintain a risk register tells me, as a whole, the company has accepted this much risk. If we do this extra thing, this might put you over what you, the board of directors and the management have accepted before. Let's see what we can do to rein that little back in here. I have a solution here that's nearly what you want, will that do? Another mantra I cite is, don't let perfect be the enemy of good enough. Too many of my peers in the CISO realm keep chasing perfection. They see NIST 800 as an achievable goal. They see total PCI compliance as an achievable goal. My feeling is, as soon as you get to the point where you are PCI compliant and you still have things to do, then you need to start concentrating on other more risky things that are going on in your business. You can never achieve NIST 800 unless you have a government's funding. I don't know too many CISOs who have a government's funding, right? So my feeling is never let good enough fail to be good enough. Achieve good enough, then go and solve other riskier things, then come back maybe in a couple of years when it's time to refresh that solution and see if now that's not good enough anymore, maybe you need to do something different. But in all cases, I'm partnering with business to make sure that whatever I'm doing is adding lift for them, not drag. So Ingram Micro, we just had Eric Coulon a little bit ago. So Ingram's been a partner with Fortinet for 10 years or so. But you, on your side in your CISO role, are a customer of Fortinet. So in the last couple of years when you came on board, some of the things and hearing that you're talking about sounds like potentially a cultural shift. Talk to us about maybe some of the weirdness that you found in from a security perspective and how Fortinet is helping you guys on the Ingram achieve security transformation so that you can evolve. 
Sure, so that's a, I mean, Fortinet's been a great partner for me. They have a truly wonderful suite of products. I mean, everything from the edge protection for the dissolving perimeter, all the way out to small and SOHO type firewalls. And then we have wireless access points that are strong and well fortified with the ability to separate between multiple networks, all the way down to FortiDB, which I use to protect our databases. So in terms of our database monitoring for our critical databases, as a suite of things that I can manage with one console, it helps me minimize the number of operational staff and the operational training they have to do. And then from my perspective as a customer, Fortinet's always there for me. I know that I could just call them and within five minutes, somebody's calling me back and I get the right resources right on the phone. That kind of partnership, you can't put a price on that. You know, everybody's at some point in their lives bought a product that's failed and then you can't get any customer support on it and eventually you have to toss it out. Fortinet's always there for me. They're always checking to make sure that we're doing the right thing. And to give you an example of how Fortinet is part of our company fabric, and I use the word in both its terms. We chose Fortinet gear to protect our CEO's house. All right, our CEO of course has a lot of, you know, he's a high net worth individual, has a lot of high value assets that he takes home to work from home. You know, he's clearly a target. So for protecting his home and infrastructure there, we deployed Fortinet gear. That's a very interesting use case. Yeah, and all my staff, including myself, we have Fortinet gear at home as well. So this is the stuff that we trust to protect ourselves when we're in our most vulnerable environment. A lot of people don't think about that. You take these well secured devices and you take them outside the company perimeter. 
Now they're on their own. You know, if you can take them to a safe environment though it makes them a lot safer. From an engagement perspective as the buyer of things for a company like Ingram, one of the first partnerships I made when I joined the company was with Eric because I want to make sure that I'm supporting our sales side as well. So if anybody comes to me and says, hey, I have the perfect solution for you, the very first question I ask them is, are you a reseller with us? And if the answer's no, it's like, call this guy. This Eric Colchap, he'll be able to have a very interesting conversation with you. So Fortinet being such a long-term partner of Ingram, it's an easy purchasing decision for me. Number one on the technology side, number one on the partner side, nobody got, you know what that old story is, nobody got fired for buying IBM. At Ingram, nobody got fired for buying more Fortinet gear and it helps that it's the best on the books for me anyway for the stuff that I use it for. I'm very excited about the new fabric. Tell us about that from a visibility perspective, internally, complexity, mitigation standpoint, TCO. How was that going to help you at Ingram? So you just said the word, visibility. One of the first things I did when I got to Ingram was I realized that I couldn't see all the way to the edges and to the bottom of my network, right? So I've started to increase the visibility with a combination of the Fortinet product suite. I think I'll be able to get the edge-to-edge top-to-bottom visibility and I'm really excited about the web-based CASB solution. Because what I really don't want to do, and one of the talks this morning at the keynote was talking about is the vendor, just the vendor pile of different things that have to be managed, all the different people we have to get training from, or the currency that you have to maintain. 
If I can manage it all through one console, and I only have to train my staff in one suite of products, that makes the overall work that they do that much simpler to execute. And I love the concept of being able to make those contextual rules. If this device is in this class, then don't let it go over to this data that's in this class. That's so simple to describe, and I love the fact that you can then orchestrate that deployment. So as we go to a virtualized environment and we roll into cloud and so on, being able to push a policy like that and being able to push that context, it's going to be so exciting for me. One of the challenges of integration is that you get dependencies. Yes. So as a CISO, and you start looking at a fabric, and as you said, it's a very rich fabric, and it does a lot of work. How do you ensure that you don't find, because if there's a vulnerability inside the fabric, then the whole fabric gets affected? So what is that trade off between integration and dependency for you? That's a great question. Back in 1998, 1999, I was at AT&T during what became known as the Great Frame Relay Outage that AT&T had. Many people will remember that. Not to laugh at you. Do you remember it though? I do remember it. And the cause of that was, the company was entirely Cisco on the backbone, and I was one of the engineers that was there trying to fix it all. And Cisco had a self-deploying patch protocol where you drop a patch onto a device and it would automatically push the patch to all its neighboring devices and so on. Well, you drop the patch on this device, it would push the patch to all its neighbors and then it would crash and reboot. But it had already had time to push the patch towards neighbors. So one by one, every single router and switch in the entire network received a patch and then crashed and rebooted. And that became a three-week problem known as the Great Frame Relay Outage of 1998. 
So at that point, our then CISO, Edward Amoroso, he decided that we wanted vendor diversity in our network. And at AT&T at the time, then we went to Cisco on the edge, Juniper in the core. And the reason was we wanted the network to be able to stay up and routing even if we had a problem on the edge. And of course, the great patch push protocol was disabled. From my perspective, I think there's a fine line to be managed here. Southwest Airlines has made a very concrete and a very risky, but certainly it's worked out for them right now, decision. All their aircraft are Boeing 737s. So they only have to train their maintenance staff to maintain one airplane. All their pilots can fly all their airplanes. And there's a pilot for them, yes. Right? All of them are 737s. But if the FAA grounds 737s, all of Southwest is out of business for the duration of the flying ban, right? So Southwest has decided they don't need vendor diversity across their fleet. I know they bought a legion and that's got a number of Boeing aircraft. However, from the perspective of their original business plan, all 737s, because they now have very, very well-defined TCO. From my perspective, I think there's a line to be drawn here. But Fortinet has me covered. They have their APIs. They work with the other vendors. So if I have a SIEM or a log manager or something like Splunk deployed, they already have that partnership in place. It means they can manage the data within the device as though it's my own data. As though it's within the Fortinet fabric. And that then keeps me happy. Because then I get the benefits of the additional features perhaps that I would get from a Splunk rather than a Fortinet tool. But I also get the vendor diversity that's there. See, Splunk for me is not just a security tool. It's a BI tool. And there are many other groups that are leveraging the capabilities that it has. So for me, if I went to something like the Fortinet SIEM, that would be a very selfish solution. 
It would be just a security thing. That's not really partnering with business. My investment in Splunk, I've got six other groups within the company leveraging it and I just invited the seventh one in today. Now those people are all using Splunk for their own things. I'm footing the bill for them so they get all of this BI for free. That's been a real big win for me because I'm now known as the guy that's providing stuff that the company can actually use. That's a very powerful position to be in as the CSO. 'Cause when I come asking for something that normally they would have said no to, all I have to do is remind them, hey, you know you're using my Splunk solution. Well, now would you mind helping me out? I need you to do this thing with your laptops and your organization. And they're much more receptive because they know of me as a partner. So would you say one of the things we were talking about a number of times today, Peter, with guests is getting, how does a CSO get this? Well, maybe it's enable the balance at the speed at which a business needs to transform digitally to be profitable and grow and compete and manage that with risk. Where do you think that you are on getting that balance? It sounds like there's a lot of collaboration in what you've been able to achieve. So there's a couple of rules that I go with. The first is I go and meet the business leaders and introduce myself. And I say, I know you may have heard this before, but this time I mean it, I'm here to help. Tell me what your pain points are, how can I help you, right? And that's a very powerful question. I always try to end every meeting with, how can I help you, right? If you end the meeting with that question, that last memory they have of you will be, you were offering to help last time I saw you and willing to give you another audience. And then it's by action. Like my Splunk investment, I invested in it and now other people are using it. 
I'm showing by my actions that I'm actually not just all talk, right? And other people have noticed they would come to one of my predecessors and say, hey, I want to do X and they would be told straight out no. My answer is always, okay, how are you planning to do it? Something brought you here today, let's talk about it. And then when they show me how they're planning to do it, it's like, you know what? I see opportunity here. You guys could do it in three fewer steps and that's significantly less risk if you just let me help you in this area and then we do it this way and we use this tool that I've already bought and you don't have to pay for. Now all of a sudden they got a yes. It's already through, it's through architecture review. They've got a solution in place, but I get the logs and I get to put my own encryption solution in or whatever else it is and I get to absorb the risk for the company. And again, it's all by actions too. If you make sure that you never say the word no. So people say no because, try to change it to yes and. And by pivoting the conversation that way, all of a sudden people are arguing with you. They're trying to sell you something and when somebody's trying to sell you something and you're buying it, now you've got the upper hand, right? So now I'm the buyer, right? It's like, yeah, sure, let's buy it, but let's do it like this. So I have another question for you. Something related to one of the conversations we've had many times today. I'm going to paint a scenario for you. A CEO is sitting in front of a group of investors. Sure. And talking about strategic flexibility and the things that their assets allows her to do. Right. My balance sheet will allow us to do this. My sales force will allow us to do this. When are we going to see the first CEO say, my security, my digital security will allow us to do this? Things that our competitors can't do. That's an excellent question. I hope it's soon. 
I'd like to be right in the vanguard of that. Ingram Micro already uses us as an enabler. Or I'm sorry, what was that? Ingram Micro already uses me and my group as an enabler. This year we've been able to negotiate a reduction in our corporate insurance rates for cyber risk. Simply because I was able to show the value in what we've achieved over the last two years and show how materially we've affected the company's risk envelope and our acceptance of risk. So by doing that, I've already added value to the bottom line because insurance costs money and it's a dead sunk cost, right? So I've already reduced the cost of that. So now all of a sudden I'm enabling the business. And I'm also meaning that we can actually uplift our coverage too. So now we're reducing risk even more. We can displace more risk to the outside of the business. This conversation with Eric, I'm about to award an RFP. Before I award an RFP, I'll go and see to Eric if there's a strategic reason for me to award it to this vendor or this other vendor. Now, of course, when negotiating on the sales side and the buy side together, that's a very powerful story. So certainly at Ingram, I think I'm already partnering with the business in such a way that we can make that a compelling message. In terms of the overall industry, I really hope it'll be soon. I think the CISO and the CIO roles are merging together. I think as the CIO is rolling less hardware and is rolling more into virtual and policy and direction and technology choices, I think people are going to have to realize that security has to be built into that. Because if you try and bake it on later or bolt it on, it's never as effective. It's always more expensive. You look at something like the Fortinet fabric, you roll that as part of your orchestrated virtual environment. You've turned the whole attack chain on its head now. Now it's going to cost so much to try and compromise any part of that infrastructure. You're going to see it so quickly. 
You've turned it all around. Now it's way too expensive to try and attack companies with that kind of fabric. Now the boot is on the foot. Okay, so invent something that I can't see. You know, we've got contextual threat intelligence here that's able to spot patterns. We've got polyform on the outside here. Everything's working in concert. Okay? So you're not worried about being put out of a job anytime soon? I think sadly this job is around for a while. I used to joke that it was Bill Gates and his company that provided us with permanent job security. Now it's the cyber criminals. I tell you what though, today the simplest attacks are still the ones that work. It's phishing, phishing, phishing, phishing. People clicking on links. Human beings are always easier to hack than computers. So you've given us last question as we have a minute or so left. You've given us a great perspective of the impact that you've been able to make using Fortinet as on the customer side. You talked to a lot of partners in Ingram's ecosystem. How do you impart your wisdom and your expertise on the partners from that enablement so that they can go and talk to customers and really share best practices from the CISO suite? So again, I partner with Eric's Cyber Security Advisory Committee where he has a number of our key security partners who come along and for the two years running now I've participated, I've spoken, I spend two days with those folks. I'll answer any question they have. I'll spend the evenings with them. We'll have a beer together and I'll do a panel and I'll have discussions just like this with them and share with them some of the things that I've done with the company that have worked and some of the things that haven't worked out quite so well. No holds barred. I'm a big believer in herd immunity. You know, it's an old joke. You don't want to be the fastest antelope but you sure as hell don't want to be the slowest one either, right? 
So from my perspective, the more of us that share that kind of intel, the easier things will be as we go forward because together as a herd, we will be more immune. So from my perspective, even if it's a competitor's CISO, I'll still sit down, have a coffee with them and chat with them and it'll be very much open kimono because I feel like we can never share enough of this intelligence with each other. We're not seeking to gain a competitive advantage individually, we're seeking to make the field and the companies and if you like, the white hats less vulnerable and I think that's a compelling value message. And I noticed your clothes, I guess you're an All Blacks fan. Well, you know, being South African, I have to be a Springbok but you know, it was such a sad day when Jonah Lomu died. That was such a sad day. I got to meet him once and he was a mountain of a man but such a gentleman. Yeah, that was good. But yes, rugby is definitely my sport so thank you. Well Kevin, thank you so much for stopping by theCUBE and sharing your insights, what you've been able to achieve on the consumer side or consuming Fortinet's technology and what you're able to impart on your partners. We wish you great success in 2018 and we'll look forward to having you back on the show. That sounds great, thank you very much. Thanks for having me, it's been a great pleasure. Thanks. Excellent. And we want to thank you for watching theCUBE from Fortinet Accelerate 2018. I'm Lisa Martin with my co-host Peter Burris. After the short break, we will be right back.