Welcome back to Falcon 22. We're here at the Aria Hotel in Las Vegas. We're in Las Vegas a lot, Dave Nicholson, Dave Vellante. Falcon 22, wall-to-wall coverage you're watching theCUBE. Anthony Cunha is here. He's the Chief Information Security Officer at Mercury Financial. He's joined by his deputy CISO, Alex Orango. Welcome, gentlemen. Good to see you. Good to be here. Thank you for the opportunity to speak. Yeah, so this is a great event. It was our first time being at the CrowdStrike customer event. We do a lot of security shows, but this is really intimate. You got a high-flying company. Tell us first about Mercury Financial. What are you guys all about? Oh, that's a fantastic question. Let's leeway into that. So Mercury Financial is a credit card company that serves people who are near prime. So, be it some kind of hardship in their life, they had something impacted be a financial impact, maybe a medical impact in emergency, something a death in the family, where somehow their credit was impacted. We give them the opportunity through our motto, better credit, better life to build up that credit score, to add livelihood to their ability to be financially stable. I mean, I think this is huge because so many people, it's like, okay, one strike and you're out. That's just not right. You got to give people another chance. And so there's so much talent out there. I think about some of the mistakes I made, Dave, when I was a younger man. No comment. All right, so I heard a stat today that I thought was great. Did you guys see the keynote? Yeah, of course. The keynote, they did the thing at Black Hat, where they said, what's XDR? And I thought, my favorite, I'm not going to ask you what XDR is. But my favorite answer was a holistic approach to endpoint security. And I think, as a CISO, you have to take a holistic approach to a security program. Maybe talk a little bit about how you do that. 
Wow, a holistic approach, I would say it, I'll give you an opportunity to speak as well, but a holistic approach is people, processes, and technology. So a holistic approach would be, it isn't one box that you check, it's not a technology that is a silver bullet that fixes anything, those technologies, those services are implemented by people. So good training, our human firewall, the forefront of implementing those technologies to build those processes and incorporate people and a level of sincerity and integrity that we build. So I feel like a holistic approach is both cyber culture to build the cyber resilience program that we so dearly need. I could spend all day talking about security organization, SecOps, DevSecOps, DataSecOps, sorry, but Alex, what is your role as the deputy CISO? How do you complement what Anthony does? I got to bring it all together, right? So technically, what are we putting in place? What are the requirements that these stakeholders have, their needs, their wants? We all have something that we need in one our environment as an employee, as a customer, as a stakeholder. How do we get that to market? How can we get it there quickly? And it's really about finding the partners that can get us there, right? That can leverage us, that can force multiply us. Give my people more time to get the work done. The good work. Right. The hard work, of course. So paint a picture. We hear a lot about all the different, the bevy of tools, how complicated CISOs tell us all the time that we just don't have enough talent. We're looking for partners to help us complement. Paint a picture of your environment and how you guys use CrowdStrike. Oh, that's a good one. Do you want to take this one? Great one, right? I mean, we leverage CrowdStrike in everywhere we can. We're a Falcon Complete customer. So they are an extension of our team. They're an extension of our SOC, right? We leverage them for many things. 
We leverage them to understand the risk in our environment. Where we're at in zero trust. How we can really bring a lot of the new processes that the business wants to market, right? How can we get there as fast as possible? Can we make it secure, right? I'm a Mercury card customer also. So I have a vested interest in that. And I like to drive that. So it comes down to, can you align your holistic approach, your organizational goals, and bring that to a really good security product that is world-class? And I can add a little bit to that as well. So I look at it as a triangle. So we leverage Falcon Complete as that first level tier one triage. People who do and understand the product extremely well. We leverage them quite a bit. We also have a VSOC service that we have as I consider tier two, or the middle of the triangle by VerSprite, fantastic boutique security company that just has been working with us year over year. Innovation, strategic initiatives, always there to play. And then Alex Orango and the threat management team is our top tier. That's tier three, that's the top of the pyramid. By the time it bubbles up to Alex, that's when the real work happens. Everyone's triaging, collecting data, putting together pieces. And then Alex and his teammates and people that he's trained, fantastic. Comes and puts it all together and paints a picture so we can then take that information and describe it in layman's terms, simple terms to the business to make them understand the level of risk, what we have to do to get to and through that attack or the indication of compromise, et cetera, so that we can remediate it, rectify it. It's building that security culture foundation, right? It's getting everyone to buy into that. It's a holistic approach and it's really the best way to do it, right? You get bought in from the stakeholders and understand what they need to do, what the goals of the business are, and it really works really well. 
You journey together and build a program together. Dave, I think that cultural aspect is critical because as I've said many times, bad user behavior trumps good security every time. Yeah, absolutely. Every time. Nicely break it through. I like that. So I know we're early in the week still, but we did have the keynote. Is there anything that you're hearing in terms of vision that piques your interest specifically? And then also sort of the follow-up question is, are you guys kind of like lifeguards who can't ever relax at the beach? That's why I have a deputy CISO, we know we can take time off. We have to share this. Of course we do. Let's definitely, what would you say would be the most innovative thing that we're looking for? Yeah, what's the next big thing as far as you're concerned? Next biggest thing is definitely building the relationships we have. As we bring in new technologies, we go even more cloud-native. How do we leverage that expertise of the partners that we're bringing on board, like Zscaler, CrowdStrike, VerSprite, how do we make them a part of the team and make them perform? Bring that world-class quality talent across the spectrum, from DevOps to that security analyst who's picking up the phone and saying, I'm not really sure what's going on, but there's a culture that's built there where everybody comes to the table to feed. We all eat together. The ecosystem. Yes. That is the tooling that we leverage day in and day out. That's how we sleep at night. We don't have to pick our partners. You know, we talked about the ecosystem up front, and you look around, you can see the ecosystem and it's growing, and I predict it's going to grow a lot more. That's the other, and it has to, right? I mean, exactly what you're saying is that no one company can do it alone. And we heard, you know, we heard it is confusing. You hear CrowdStrike's doing identity, but then they partner with Okta, right? And they're here on the floor. So that's what you guys need. 
Talk a little bit more about the importance of ecosystem and partnerships from your perspective. Ooh, I got a good one for this. So I use the metaphor of having a restaurant. So we run a restaurant really well. We know what we want in the menu. We have a chef, we know what we want to put together, but we need excellent ingredients. You make muffins well. Bring your muffin into the restaurant. That brings and builds that rapport that I want the menu to be rich and empower people to come in and say, you know, I've never had scallops or octopus before. I hear you guys make it better than anyone else. Well, our ingredients are fantastic. Therefore, no matter what we do and we present it, it's perfect. It's palatable. Yeah, that's great. You're not making ice cream. I can, if we ever want to show it. We're just converging our bakery, you know. We're just working the bakery part out, yeah. Okay, I want to ask you about cloud because in 2010, 2011, when you talked to a financial services firm, cloud, no. That's an evil word. Now everybody's cloud first. George Kurtz talks about how, I mean essentially, CrowdStrike is dogmatic. We are cloud native. We have a cloud native architecture. I know Gartner has this term CNAP or cloud native application platform. So what does the cloud mean to you guys? How does it fit in? What does cloud native architecture do for you? It lets us converge everything we've been talking about. That's a really big struggle that all security teams are having today. How do I converge threat intelligence? How do I converge the environment that I'm in? How do I converge the threat intel that's coming in, right? All this, you're getting, security teams are constantly on a swivel, right? They're looking left, they're looking right. They're trying to identify what to do first and you bring in the right partners and you build the right program. You cement that culture internally and it really provides dividends. You know what I think as well, Dave? 
Is in the past, everyone was more data center based. The cloud was like a thing. We forklift, we'd move over. We were born in the cloud. So cloud native application protection is something that we need and will drive innovation. We'll align with our strategic initiatives. We need people to think like the cloud is what's happening. Super cloud, some of the things that we spoke about. Yeah, so I was at, when we were at re:Inforce, I had this new mental model emerge and sort of hit me in the face and you tell me, I love to talk to practitioners to say, yeah, that makes sense or no, that's crap. So it seems like the cloud has become the first line of defense for CISOs. Now, you're cloud first or cloud native, so okay. But then now you've got the shared responsibility model. And I don't know if you use multiple clouds. Do you use multiple clouds? Cannot say. Cannot say, okay. Let's assume for a second, some of your colleagues, CISO colleagues, use multiple clouds. Now they've got multiple shared responsibility models. Now you've got also the application development team. They're being asked to be the pivot point to actually execute. They've got to secure the platform. They've got to secure the containers, the runtime. Workloads, yes. And then you've got audit behind you is kind of the last line of defense. So things are shifting. Describe sort of the organizational dynamic that you see not necessarily specific to Mercury Financial, that would be cool, but generally in the industry. Oh, I would say, I could say this, that having multi-tenancy cloud or the super cloud model, where we could abstract our services, our protection, the different levels of security tooling, being able to abstract and speak a common language, where you could run in Azure, GCP or AWS and still have a common language that you can interpret and leverage between all the tooling would be something I would love to see. That's super cloud. Yeah. That is a cloud interpreter, essentially. 
I think we use different words, but yes. A PaaS layer, super PaaS layer, sorry to take it too far. I want to be able to abstract and speak a language that would work at any of the different. What does that do for you as a technology practitioner? I imagine if you had to speak three different languages with three different people, get lost in translation. If we could speak a common language across all the different platforms and all the different footprints, it would be easier to define our security posture. Where are we? Are we secure? You might say security groups in AWS might mean something else, but it's still a level of protection that surrounds the endpoint, right? Something that would abstract that level would be very fun, very good for me. It's pretty easy to understand your use case for this when you're talking about, here we are, Mercury Financial. You have the most sensitive financial information about people, right? A data breach where all of the information about your customers getting out there on the dark web, right? Heart attack time. Instantly. What are some things that people might not think about though that are going on in your world? What would surprise someone who maybe isn't a security specialist in terms of the things that you're dealing with as far as threats are concerned? I'm going to leave that on you. I have some examples of things that you could, you know, obviously. I'm just going to point to the number one and two most common ways that applications and businesses are getting owned right now. And that's misconfigurations on your web app or a vulnerable application or phishing. And those are both very important things, right? A lot of development teams, they want to get things to market as soon as possible and maybe security's on the back foot. It's about building that culture. And, you know, being cloud native helps. 
You have a, you can provide different tool sets to your organization that helps you understand that posture and makes you help those business decisions. Are we in a good posture to go forward right now? That's a big question that I think most security organizations need to ask themselves and they need to hold other stakeholders accountable. So phishing and the concept of social engineering still alive and well. Oh goodness. Everything starts with people. The human firewall has to be front of mind. Security can't be an afterthought or a bolt on. That's something that you think about. Well, I guess if I have to meet our compliance, it doesn't work with us. It goes back to the culture that you guys were talking about before. Yeah, cyber resiliency starts with cyber culture. Kevin Mandia said it today. I never underestimate the adversary. The adversary is highly capable, motivated, big ROI, and it just keeps getting bigger. The more technology gets embedded into our lives, the more lucrative hacking becomes. And more attack vectors. We have more areas that we could be potentially penetrated. We're gonna have a lot of time. Those threat actors have a lot of time, yeah. Right, and to your point, you're constantly on the swivel, right? You don't have time. Right, right. So do your responsibilities touch on things like fraud detection as well? Is that a silly question? I'm thinking there isn't segregation between what we would think of as IT and the credit card transaction that fires up a red flag. Those are integrated? It's definitely important in any business, right? Is to, like I mentioned, I use this word a lot, converge, right? It's converging that intel, that fraud intelligence, and making it into a process where we're reducing the risk and the losses that the business is incurring. It's so important, right, that we build that culture within the fraud teams, the operational teams, the really anybody who has a really large stake in whatever the business product is. 
And being cloud native, bringing in the right partners, building that security culture. I mean, that's the biggest one. Last and definitely not least, is the cultures where you need to be? Absolutely. You know, you guys, I'm sure, work with a lot of different vendors, a lot of tools, and sometimes the tools are point tools, they're best of breed. CrowdStrike says it wants to be a generational company. Oh yeah. It says this notion of an unstoppable breach is a myth. You guys can't live that way. You have to assume you're going to breach. But can CrowdStrike be a generational company? I think they've proven themselves. They've been around over a decade now. It's 11 years. They just had their birthday yesterday, right? Our anniversary, the company started. Yeah, 11 years, yeah. Absolutely. I also agree to add a little bit part from the fraud part. I think CrowdStrike will be an integral piece of the overall solution that we have. It hits so many different aspects and looks at so many different potential attack vectors that keep using that word. But I think integrating fraud in other parts and other functions of the business will start to see that they can leverage CrowdStrike, that there's tooling within CrowdStrike innovatively, like ahead of the game. And I always liked that about CrowdStrike, being way ahead of the game and thinking in front of our adversaries. I think other departments have been like, what tools do you have? How can we use them? This is fantastic. This makes us feel better. We don't have to worry about that. We can focus in on what we're good at and build that best of breed solution. So fraud can focus on fraud and you can leverage the tooling and the infrastructure that we provide them together holistically to build a security program that's beyond reproach. Guys, we've got to go. Great perspectives. I always love having the practitioners on. I really appreciate your time. Thank you. Absolutely, always a pleasure. Thank you so much for your time. 
Anthony and Alex, Dave and Dave will be right back right after this short break. Thank you for watching theCUBE from Falcon 2022 from the Aria, Las Vegas.