Live from Las Vegas, Nevada, extracting the signal from the noise. It's theCUBE covering Informatica World 2015. Brought to you by Informatica World. Now, here's John Furrier and Jeff Frick.

Okay, welcome back everyone. You're watching live here in Las Vegas, theCUBE, SiliconANGLE's flagship program. We go out to the events and extract the signal from the noise. I'm John Furrier, my co-host, Jeff Frick. We're here live at Informatica World 2015. And our next guest is Bill Burns, VP and CISO for Informatica. Welcome to theCUBE.

Thank you for having me.

Chief security officer, information security, IT. It's the hottest area right now. You're on the planning committee for RSA. Couple of weeks ago, the event was huge. Top concerns. I mean, that's no brainer. I mean, the headline today is no security breaches. Today, or-

Security is sexy.

Yeah, security is sexy. Give us the update. What's going on in the security space? Informatica's obviously tied into it's data. It's a big part of that. What are some of the top concerns right now for security industry and management in the CISO role?

I think there's a number of things going on. So obviously, the amount of information is growing. The ability to secure it is trying to keep up with the growth, trying to keep up with the business. That's hard. And it's also hard because you have scaling problems with employment. So it's negative unemployment in the security industry. So you have to figure out new ways to both build products and secure products, both for customers and enterprises. So that's a big issue. The other big issue is we're seeing mobility take off. So last year, I was doing some research for an investment cap or venture capital company and CISOs that I polled were all concerned about the cloud and mobility and personal use and sort of work-life integration. And you have, I think Gartner was saying in 2017, half of the enterprise traffic will go from a mobile phone to a SaaS application.
Won't even go through enterprise security controls. So all the stuff you used to buy, like your firewalls and antivirus on your endpoints, those are sort of irrelevant. So how do you, as a security practitioner, how do you manage the risk of security breaches, of privacy breaches, of this enterprise data? When the endpoint, the phone isn't your phone, it's a consumer device, the network is a carrier like AT&T or Verizon and the application is someone like Box or Workday. So IT traditionally had control of those components, doesn't have control anymore. So how does the CISO manage risk or even think that they're managing risk effectively? So there's a lot of growth, a lot of change.

And data's the heart of it. So I got to ask you on the piece of the security, how is security getting a do-over? We were talking before we kicked off the segment around the computer industry. I just saw a new story, Windows is not going to be built anymore, Microsoft's not going to build Windows anymore, that's an operating system. We've got the Apple, doesn't have as many viruses because it's got some BSD in there. So are we rethinking security? And as new products are being built, we are in a good opportunity to kind of do a do-over. So what's your take on the security do-over model and how data and architecture will fit into it?

Yep, so I think there's a few things. One is, like we were talking about before, the internet of things, the way that we used to sell products, produce products, build products and then try to secure it later on and sort of do a bolt-on. That model doesn't work anymore, especially when you have something like a Fitbit which has almost no interface to it and you're shipping it to millions of customers who are going to slap it on and go running. They're not going to have time to be interacting with patch levels and updates. Like that model doesn't work, doesn't scale from what we did before with personal computers. You're embedding them in cars.
We talked about self-driving cars earlier. So these are systems and operating systems and use cases that are atypical from what we were doing before. Managing security at scale is something that you do very differently than when you're doing it sort of as an art. Now you need to automate things. You can't just bolt security on to your systems when you're trying to build a secure cloud infrastructure, for instance. It's not a serialized workflow where you do some work, you go home, hopefully you hand it off to the next guy and then in a day or two or some time later he does his security thing. You've got to bake security into the infrastructure. You've got to make it part of the process. They talk about continuous integration, continuous deployment, agile security or security DevOps. These are all ways of saying, look, security is just part of the game now. It's not something off on the side that specialists would come in and then do security and disappear. It's got to be part of the whole ecosystem of protecting the data or protecting the car or the device.

It's got the same characteristics of the buzzwords we hear in data, real time. If it's baked in, it has to be always on, right?

Right, yep.

And it has to be compatible with how people consume the technology. APIs in the cloud, notifications coming in.

That's right, continuous monitoring, continuous patching. These are things, I remember when Windows was first doing or Microsoft was first doing patches on a monthly basis people were like, oh my gosh. Every month we have to do patching. I would presume that we should be doing patching continuously. You look at some browsers and they're constantly updating. You have to make it convenient but you just have to accept that security is just part of the discussion now.

And yet on the other hand, people's expectations of the behavior of the application is what needs to be less intrusive, less in their way, just works. I just turn it on and go.

That's right, yep.
And then you've got that, like you said, the agile methodology, DevOps, so the software is getting updated all the time. So new potential holes potentially being exposed very, very regularly. So a much more challenging environment.

Yeah, as I tell my staff and the people I advise, it's an arms race. And this is not a new paradigm but security is an arms race and the window of opportunity is getting shorter and shorter. It's happening faster and faster. So reaching to people and saying like, look, you're going to have to take some responsibility for the security of your car or your mobile phone. So successful security programs are learning to educate folks not just from an employee perspective but from a, you're an online citizen 24/7. The things I can teach you from a security perspective while you're employed with my company, those to be effective, those will be lessons that you can take home and have conversations with your family and say, look, here's security, here's password security, here's social media security, here's updates and patches. So that's just part of the conversation.

Talk about Secure@Source and that product, what's going on with practices and how that's being rolled out.

Yep, I think one of the big challenges we started off the segment with, what are some of the big challenges with companies? Part of the biggest problem is just visibility. Where are my critical assets? So you always want to figure out where are your assets in your company? But now they're moving so fast. They're moving around, the lines of business have control of the sensitive data. So where is that data? What type of data is it? What are the regulations that constrain that data or that give you different controls that you have to put in place? So Secure@Source is a way to sort of scan the data that you already know is in these databases and say, what are the regulations around this? What type of data is it? Is it what you expected?
In some cases, you know it should have, let's say PCI data, but it doesn't have HIPAA data in there as well. So Secure@Source is a way to sort of scan the databases that you know about, hopefully find some ones that you don't know about and confirm what was the posture. And not from a batch mode, not something that you run once a quarter, but you do it continuously, back on that theme of continuous monitoring, continuous integration. What is the security posture at any moment in your company with your sensitive data, which is really the heart of what a security team is protecting is the most sensitive information in the company.

So talk about the product management piece of it, Informatica side, and also talk about what's going on with customer accounts. So can you give us a bridge between the capabilities and how customers are put into use, so it's an audit or something like that. And then what happens next? What do they reinvest? Is it like, they go, oh my God, I'm screwed or hey, I got to take action? I mean, it's got to be some, it's data, so it's get some base data. What's the iteration on the customer side?

Yeah, I think one of the interesting things is it's got a really rich UI. So it's not just a report with some data, but it actually lets you drill into it and sort of ask questions and figure out, pivot through the graphs. What does this mean to you? Ultimately, there's a human element of providing content to the data, but it's going to tell you, here's what you told me to alert you on. Here's the systems and changes in the system. And now what are you going to, how are you going to make sense of this? The roadmap is going to be talking about protection control.

That's key, that's a good point, because if you don't have a good UI, then no one wants another dashboard that's hard to use. It's really critical that you have that ease of use.

Exactly. Yep, so it's a very pretty dashboard, but it's actually actionable.
You can go in there and ask interesting questions. You get value pretty quickly. Within a couple hours of my team deploying it, and I strived to be customer zero. I wanted to be the first one to kick the tire. So when we brought it in, I think we have roughly 150 data sources right now that we're scanning, and we're just getting started. It's a relatively new product out about a month, but within a couple hours we were able to confirm, these data sources should have this type of data. Is that what we're seeing? Yes it is, okay great. How about this other data source? Well, we were expecting more data. Why aren't we seeing more? Or we didn't realize it was going to have this flavor of data. So let's go talk to that administrator and say, we know what you were supposed to be doing, but here's what you're doing differently that surprised us. Now, it was nothing catastrophic, but it was a way to start having a conversation, and I knew that it was going to be continuously updating. So it wasn't a hide from the security team until the next quarterly audit, but now I can have a conversation with these guys and say, hey, I know it's another change. What's going on? So it's an early product, early customer feedback. It's starting to come in, but from my perspective, it's been really interesting, and now I'm thinking of other use cases for it. Like what other environments in my ecosystem can I apply this system to go out and sort of double check what is the security posture for the sensitive data?

So what does the age of engagement mean to you as a CISO when it comes to engagement data? Because we were having this philosophy earlier. I mean, to me, is that I'm engaging on Twitter, I'm engaging with retail data, I'm engaging with threat data, breach data, or potential pattern data coming in off probes and devices, systems.

This is another area that's sort of a renaissance for the security industry.
Traditionally, companies were siloed, they were very secretive, they might get some information from a third party or from a government agency, but it was all these silos of information we didn't share very well. Now people are actually engaging in either building private communities, which we've had for a while, but larger private communities and sponsored by other products, and we're sharing information more readily. So now there's open source intelligence frameworks that allow security professionals to be more engaged with each other. I'm not a unique snowflake in terms of the attack surface. There are peers of mine who are seeing similar attacks, or maybe they're seeing the first attack. I would love to know about that, and I would love to share those insights with my peers so that we can become more secure together.

That was a big theme by the way at RSA, which was do you share the data and that culture, it's always been the culture of sharing and security, but at a whole other level, corporate to corporate, government to corporates, a lot of that stuff going on.

And it's messy, so it's really messy data right now. It's unstructured, there's a lot of context missing. You have to have a lot of intelligence, a lot of context from a practitioner standpoint to take this data ingested and say, okay, what does this mean to me? What are the bits and pieces? It's messy, there are some early initiatives like STIX and TAXII that try to structure that data, but we're just getting started. So it's a very messy process. It's actually an exciting opportunity.

Don't you think, I mean, if you can create some sort of way to have it discoverable, like a search engine kind of way, that would be very interesting. Or even push alerts out.

Yes, that's another thing is, it's one thing to get an alert and have it sent to a system that you review once in a while, but then how do you actually take action on that?
So rather than getting an alert that I know I'm going to follow the next five steps, why don't you automate that response? Why don't you take the most likely or maybe the safest approach at quarantining or segmenting a system that may be in danger or operating in an unsafe way? Why don't you automate some of those response characteristics? That's one of the early areas of security innovation that I see. I actually helped build a system of just, which was just open sourced last week in a private company. You're starting to see a new small ecosystem of companies that are building out this automated response or automated resiliency system. So again, taking the data and building expert systems to go take action. What is the most likely thing that needs to get done to protect the company from this type of attack?

But it's interesting because then you get the lawyers, I'm sure, that get involved. And there's always this thing that goes around that people don't know they've been breached for an average of 200 and some odd days or whatever that number is. So just the fact that I'm sharing with you that I've been breached, let me share with you the information to give you some security. Then I'm basically admitting that I've been breached and does that open up a whole nother can of worms? So the legal aspects and the significant business impact, legal impact of these breaches is huge.

Exactly, yep. And I know some people want to take it a step further and sort of automate not just response, but hack back. If they can attribute this attack to a country or a particular organization, like why can't I go attack them? Another can of worms from a legal perspective, but at the very least, we're all not that unique. Why don't we find a way to safely share that information? So that share that intelligence so we can be more informed of it.

Everyone that I know in security has some sort of gaming background, that hack back, Counter-Strike, Call of Duty.
I mean, it's like, it goes back to the old spam days. So I got to, on that note, I want to ask you a personal question and we get a lot of younger folks watch as well, some senior people in the industry. Security is a real hot area to go after from a discipline standpoint. I see a lot of kids who aren't necessarily computer science, love gaming or get hooked on computer science through their millennial touch points, phone gaming. What advice would you give young people about, if they have an interest in say, some of the root technology and or security, what should they do? Is there things that you'd recommend? What kinds of courses should they read? Go take, books should they read? Games they should play. What advice would you share? Someone out there in their teens or even in college?

Yep, that's great. So my team actually hired our first security intern for the first time at Informatica, which is fantastic. So this is a person in college. He's about two or three years through his career and we're really looking forward to giving him practical experience to sort of hone the skills that he's grown over time. From someone who's not yet in college and maybe not yet in high school, I would say you wanna foster that curiosity, that that person is very creative, he's trying to figure out not just how something works, but why does it work that way? And what happens if I do it just a little bit differently? Can I make it, can I fuzz the system? Those are the traits that I look for when I'm interviewing someone, when I'm looking to hire someone, is that curiosity, that passion of, it's a game. What can I do to make this thing work differently or work better? Not necessarily maliciously, but just from a traditional hacking perspective.

Also outside the box thinker probably, connecting the dots kind of thing, see patterns.

And I think one of the trends that I'm a strong advocate for is programming skills.
So get the math background, get the computer science degrees, get the programming skills that will help you not just figure out how to make something work, but work in an automated fashion. Security didn't scale before.

Like after a tooling standpoint, using that coding as to prep tooling into a wrangling data.

Yeah, I think the security products in the future will have APIs. In fact, the ones that I select in my current role, they must have APIs. If I can't interoperate two things together, I don't want to hire one person to run a console and click on buttons. I want him to orchestrate our response or our intelligence platform. So, programming skills are extremely important.

So have that young person. First language, Python, would it be like something different? What kind of language is it?

I think cool kids are doing Python right now. I used to be in Perl. And I don't think it really matters. If you have a good programming background, you can adapt. You can figure out, and you'll be curious, and so you'll want to learn Go, and you'll want to learn all the new languages.

Yeah, a little hip stuff.

Exactly. So if you learn some base structured programming, understand how to deal with data structures and whatnot, you're going to be good.

All right, Bill, great conversation.

Yeah, thanks so much.

Kind of went off on the reservation a little bit there, but it's good content. You need more people, right? It's a good job opportunity for people looking for careers. I see people and I encourage people who don't know they're actually getting addicted to the science side of it, or actually should be like, just jump in, you're okay. You don't have to have the degree or you don't have to have some sort of course in school to go there. So I think that's one of the things I like about security is that people who actually have an affinity towards it.

Yeah, and the more diverse in your background, I think the better.

Yeah, Bill Burns, VP and CISO, Informatica.
This is theCUBE sharing the data with you. We'll be right back after this short break.