 From the CUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world, this is a CUBE conversation. Hello everyone, welcome to the CUBE conversation here in the Palo Alto studio. I'm John Furrier, host of the CUBE. We are here with the quarantine crew of the CUBE, having the conversations that matter the most now and sharing that with you. You've got a great guest here, Phil Quaid, who's the chief information security officer of Fortinet. Also the author of a book, Digital Bing Bang, which I just found out he wrote, talking about the different cybersecurity and the physical worlds coming together. And we're living that now with COVID-19 crisis, we're all sheltering in place. Phil, thank you for joining me on this CUBE conversation. Hey, it's my pleasure. Thanks for having me today. So I want to get in this quickly, that I think the main top thing is that we're all sheltering in place, anxiety's high, but people are now becoming mainstream aware of what we all in the industry have been known for a long time. Role of data, cybersecurity, access to remote tools. And we're seeing the work at home, the remote situation really putting a lot of pressure on as I've been reporting what I call at scale problems and one of them is security, right? One of them is bandwidth. We're starting to see, you know, the throttling of the packets. People are now living with the reality of like, wow, this is really a different environment, but it's been kind of a disruption and has created crimes of opportunity for bad guys. So this has been a real thing. Everyone's aware of it across the world. This is something that's now aware on everyone's mind. What's your take on this? Because you guys are fighting the battle and providing solutions and been doing it for a long time around security. This highlights a lot of the things in the surface area called the world. What's your take on this? Yeah, for a while, pre-COVID-19, Courtney has been advocating for architectures and strategies that allow you to defend anywhere from the edge through the core all the way up to the cloud doing so with, you know, high speed and integration. And so all of a sudden what we're seeing, not just in the US, but the world as well, is that that edge is being extended in places that we just hadn't thought about before, or excuse me, that people just hadn't planned for before. So so many people are telecommunicating these days. So we need to make sure we are able to move that edge securely out to people's homes and more remote locations and do so providing the right type of security and privacy for those communications that are coming out of those telecommunications. I noticed you have a flag in the background and for the folks that might not know, you spent a lot of time at the NSA, government agency doing a lot of cutting-edge work, I mean, going back to, you know, really, post-911 to now you're in the private sector with Fortinet, so you don't really speak for the agency, but you did live through a time of major transformation around homeland security, looking at data, again, different physical thing, you know, terrorist attacks, but it did bring rise to large-scale data, it did bring to those things, so I wanted to kind of point out, so the flag there, nice touch there, but now that you're in the private sector, it's another transformation, it's not a transition. We're seeing a transformation and people want to do it fast and they don't want to have disruption. This is a big problem, what's your reaction to that? Yeah, I think what you're pointing out that sometimes there's catalysts that cause major changes in the way you do things, and I think we're in one of those right now, we're already in the midst of an evolutionary trend towards more distributed workforces, and as I mentioned earlier, doing so with the right type of security and privacy, but I would think what I think the global pandemic is showing is that we're all going to be accelerating that thing, it's going to be a lot less evolutionary and a little bit more faster. That's what happens when you have major world events like this, be it 911 or other unfortunate tragedies, it causes people to think outside the box or accelerate what they are already doing. I think we're in that world today. It pulls forward a lot of things that are usually on the planning side and it makes them reality. I want to get your thoughts because not only are CEOs and their employees all thinking about the new work environment, but the chief information security officers, people in your role, have to be more aware of more things happening. What's on the minds of CISOs around the world these days, obviously the pandemic's there. What are you seeing? What are some of the conversations? What are some of the thought processes? What specifically is going on in the mind of the chief information security officer? Yeah, I think there's probably two different things. There's the emotional side and there's the analytic side. On the emotional side, you might say that some ceasers are saying, finally, I get to show how cybersecurity can be an enabler of business, right? I can allow you to maintain business continuity by allowing your workers to work from home and trying to sustain business and allow you to keep paying their salaries. Very, very important to society. It's a very important time to step up as a CISO and do what's helpful to sustain mission. And on the practical side, you say, oh my goodness, my job's gotten a whole lot harder because I can rely less and less on some of the physical controls that use some of the physical benefits you get from people coming inside the headquarter facility through locked doors and there's personal cognizance and personal identification, authentication. You need to move those same security strategies and policies and you need to move it out to this broad edge that's gotten a lot bigger and a lot more distributed. So I want to ask you around some of the things that are on cybersecurity that have been elevated to the top of the list, obviously with the disruption of working at home. It's not like an earthquake or tornado or hurricane or flood. You know, there's backup and recovery for that. You've all kind of disaster recovery. This has been an unmitigated disaster in the sense of it's been an unforecast. And I was talking to an IT guy, he was saying, well, we provisioned our VLANs to be, our VPNs to be 30% and now they need 100%. So that disruption has caused an under forecast. So in cyber, as you guys are always planning and protecting, has there been some things that have emerged that are now top of mind that are 100% mind share base or new solutions or new challenges? Well, I think what we were referring to earlier is that, yep, any good CSO or company executive is going to prepare for unexpected things to a certain degree. You need to, whether it be spare capacity or the ability to recover from something, an act of God, as you mentioned, maybe a flood or a tornado or hurricane, stuff like that. What's different now is that we have a disruption which doesn't have an end date, meaning there's a new temporal component that's been introduced that most companies just can't plan for, right? Even the best of companies that, let's say, run very large data centers, they have backup plans where they have spare fuel to run backup generators to provide electricity to their data centers, but the amount of fuel they have might only be limited to 30 days or so stored on site. Well, you might think, well, that's pretty, that's a lot of forethinking by storing that much fuel on site for to allow you to sort of work your way through a hurricane or other natural disaster. What we have now is a worldwide crisis that doesn't have a 30-day window on it, right? We don't know if it's going to be 30 days or 120 days or even worse than that. So what's different now is that it's not just a matter of surging and doing something with band-aids and twine for an extra 30 days. What we need to do as a community is prepare solutions that can be enduring solutions. I have some things that if we have some time, I like to provide a little color what those types of solutions are, but that would be my main message that this isn't just a surge for 30 days, this is a surge for being agile with a no end in sight. Take a minute to explain some of those solutions. What are you seeing? What are specific examples and solutions that you can go deeper on there? Yeah, so I talked earlier about the edge, meaning the place where users interact with machines and company data, that edge is no longer at the desktop down the hallway, it could be 10 miles or 50 miles away to where depending on where I'm telecommuting from. So that means we need to push the data confidentiality things out between the headquarters and the edge. You do that with things like secure tunnels called VPNs. You also need to make sure that the user identification authentication is very, very secure, very authentic and with high integrity. So you do that with multi-factor authentication. And there's other things like that that are very, very practical that you do to support this new architecture. And the good news is that they're available today. And the good news at least with some companies, they're already had one foot in that world. But as I mentioned earlier, not all companies have yet embraced the idea of where you're going to have a large percentage of your workforce doing telecommuting. So they're not quite, so they're reacting quickly to make sure this edge is better protected by identification and authentication and VPNs. I want to get to some of those edge issues that now translate to kind of physical digital virtualization of life. But first I want to ask you around operational technology and IT, OT, IT. These are kind of examples where you're seeing at scale problem with the pandemic being highlighted. So cloud providers, et cetera, are all kind of impacted and bringing solutions to the table. You guys at Fortinet are doing large scale security. Is there anything around the automation side of it that you've seen emerge? Because all the people that are taking care of being a supplier in this new normal or this crisis, certainly not normal, has leveraged automation and data. So this has been a fundamental value proposition that highlights what used to be called the DevOps movement in the cloud world. But automation has become hugely available and a benefit to this. Can you share your insights into how automation is changing with cyber? I think he queued up a nice question for me. It allowed me to talk about not only automation, but convergence. So let's hit automation first, right? We all, even in pre-crisis, we need to be better at leveraging automation to do things that machines do best to allow people to do higher order things, whether it's unique analysis or something else. With a more distributed workforce and perhaps fewer resources, automation is more important ever to automatically detect bad things that are about to happen and automatically mitigating them before they get too bad. In the cybersecurity world, you use things like agile segmentation and you use techniques called SOAR. It's a type of security orchestration. And you want to leverage those things very, very highly in order to leverage automation to have machines serve humans rather than humans serve machines. But you also brought up one of my favorite topics, which is OT, operational technology. So OT as you know, are the things that are used to control for the past almost 100 years now, things in the physical world, like electric generators and pipes and valves and things like that, often used in our critical infrastructures. In my company, Fortnet, we provide solutions that secure both the IT world, the traditional cyber domain, but also the OT systems of the world today where safety and reliability are about most important. And so what we're seeing with the COVID-19 crisis is that supply chains, transportation, research, things like that, a lot of things that depend on OT solutions for safety and reliability are much more forefront of mind. So from a cybersecurity strategy perspective, what you want to do of course is make sure your solutions in the IT space are well integrated with your solutions in the OT space. So an adversary or a mistake cause a work into the crack and cause a disruption. That convergence is interesting. You know, we were talking before you came on camera around the fact that all these events are being canceled, but that really highlights the fact that the physical spaces are no longer available, the so-called OT operational technologies of events, the plumbing, the face-to-face conversations, but everyone's trying to move the digital or virtualize that. It's not as easy as just saying, we did it here, we do it there. There is a convergence and some sort of translation as new roles, as new responsibilities, new kinds of behaviors and decision-making that goes on in the physical and digital worlds that have to then come together and get reimagined. So what's your take on all this because this is not so much about events, but although that's kind of prime time problem, zooming in is not the answer, it's a streaming video. How do you replicate the value of physical into the business value in digital? It's not a one-to-one. So it's quite possible that we might look back on this event, the COVID-19 experience, we might look back at it in five or 10 years and say, that was simply a foreshadowing of the importance of making sure that our physical environment is appropriately secured and private. And what I mean is that with the rapid introduction of internet or things technologies into the physical world, we're going to have a whole lot of dependencies on the thing, inconveniences, dependencies, inconveniences on things that instrument our physical space, our door locks, our automobiles paths, our temperatures, color, height, lots of things that instrument the physical space. And so there's going to be a whole lot of data that's generated in that cyber, in that physical domain, increasingly in the future and we're going to become dependent upon it. Well, what happens if for what a reason in the future, that's massively disrupted? So all of a sudden we have a massive disruption in the physical space, just like we're experiencing now with COVID-19. So again, that's why it makes sense now to start your planning now with making sure that your safety and reliability controls in the physical domain are up to the same level of security and privacy as the things in your IT domain. And it highlights what's where the value is too and it's the transformation. I was just reading an article around spatial economics around distance, not being together. That's interesting on those points. You wrote a book about this. I want to get your thoughts because the cyber internet or digital or virtualization of physical to digital, whether it's events or actual equipment, is causing people to rethink architectures. You mentioned a few of them. What's the state-of-the-art thinking around someone who has the plan for this? Again, it's complex. It's not just creating a gateway or a physical abstraction layer of software between two worlds. There's almost a blending or a convergence here. What's your thoughts on what's the state-of-the-art thinking on this area? Yeah, my book that I and a number of very esteemed colleagues contributed to. What we said is that it's time to start treating cybersecurity like a science. Let's not pretend it's a dark art that we had to relearn every couple years. And what we said in the digital Big Bang is that humankind started flourishing once we admitted our ignorance and ultimately our ignorance in the physical world and discovered or invented, if you're right word, the disciplines of physics and chemistry. And once we recognized that our physical world was driven by those scientific disciplines, we started flourishing, right? The scientific age led to lots of things, whether it'd be transportation, health care or lots of other things improved for quality of life. Well, if you fast forward 14 billion years back to that cosmic Big Bang, which was driven by physics, 50 years ago or so, we had a digital Big Bang where there was a massive explosion of bits with the invention of the internet. And what we argued in the book is that let's start treating cybersecurity like a science. What are the scientific principles that we ought to write down and follow ruthlessly so we can thrive in the digital Big Bang, in the digital age? And one more point, if you don't mind, what we noted is that the internet was invented to do two things. One, connect more people or machines than ever imagined. And two, do so at speeds that were never imagined. So the internet is optimized around speed and connectivity. So if that's the case and maybe a fundamental premise of cybersecurity science is make sure that your cybersecurity solutions are optimized around those same two things that the cyber domains are optimized around, speed and integration. And from there, you can build on more and more complex scientific principles if you focus on those fundamental things of speed and integration. Yeah, that's awesome, great insight there, awesome. I want to just throw in while you had the internet history lesson down there. Also, what was interesting was a very decentralization concept. How does that factor in your opinion to some of the security paradigms? Does that help or hurt? Or does it create opportunities for more secure? Or does it give the actors an advantage? Yeah, I love your questions. It's a very informed question and it gives me a good segue to answer in the way you know it should be answered. By definition, the distributing nature of the internet means it's an inherently survivable system, which is a wonderful thing to have for a critical infrastructure like that. If one piece goes down, the whole thing doesn't go down. It's kind of like the power grid, the US electrical power grid. There's too many people who say the grid will go down. Well, that's just not a practical thing. It's not a reality thing. The grid's broken up into three major grids and there's fabulous strategies and implementations of diversification to allow the grid to fail safely. So it's not catastrophic. The internet's the same thing. So like I was saying before, we ought to base cybersecurity around a similar principle that a catastrophic failure in one part of your cyber security architecture shouldn't result in cascading across your whole architecture. So again, we need to borrow some lessons from history. And I think you bring up a good one that the internet was built on survivability. So our cybersecurity strategies need to be the same. One of the ways you do that, so that's all great theory. But one of the ways you do that, of course, is by making your cybersecurity solutions so that they're very well integrated. They connect with each other so that speaking in cartoon language, one unit can say, I'm about to fail, help me out. And another part of your architecture can pick up a slack and give you some more robust security. And that's what a connected, integrated cybersecurity architecture can do for you. Yeah, it's really fascinating insight and I think resiliency and scale are two things I think are going to be a big wave. It's going to be added into the transformations that are going on now. It's very interesting. Phil, great conversation. I could do a whole hour with you. We do officially a virtual panel, virtualize our own event here. Keynote speech, thanks so much for your insight. One of the things I want to get your thoughts on is something that I've been really thinking a lot lately and gathering perspectives. And that is on biosecurity. And I say biosecurity, I'm only referring to COVID-19 as a virus, as biology involved, started in a lab or some people debate all that, whether it's true or not. But that's what people work on in the biology world, but it spreads virally, like malware and has a similar metaphor to cybersecurity. So we're seeing conversations starting to happen in Washington, DC and Silicon Valley and some of my circles around if biology is a weapon or it's a tool, like open source software could be a tool for spreading cybersecurity trojans or other things and techniques like malware, spearfishing, all these things are techniques that could be deployed metaphorically to viral distribution of biohazard or bio warfare, if you will. Will it look the same? And how do you defend against the next COVID-19? This is what average Americans are seeing the impact of the economy with the shelter in place, is that what if it happens again? And how do we prevent it? And so a lot of people are thinking about this. What is your thoughts? Because it kind of feels the same way as cybersecurity. You got to see it early. You got to know what's going on. You got to identify it. You got to respond to it. Time to closure, contain. Similar concepts, what's your thoughts on biosecurity? With all due respect to the bio community, let me make a quick analogy to the cybersecurity strategy, right? Cybersecurity strategy starts with, well, at least start as an attacker. So parts of my previous career and authorized to have the opportunity to help develop tools that are very, very precisely targeted against foreign adversaries. And that's a harder job than you think. And I think the same is true of anyone of a natural born or a custom buyer virus that not just any virus has the capability to do a lot of harm to a lot of people. So it doesn't mean that you can sit back and say, since it's hard, it will never happen. You need to take proactive measures to look for evidence of a compromise, whether it's a cyber virus or otherwise, you have to actively look for that. You have to harden yourself to make sure you're not susceptible to it. And once you detect one, you need to make sure you have the ability to do segmentation or quarantine very rapidly, very, very effectively, right? So in the cybersecurity community, of course, the fundamental strategy is about segmentation. You keep different types of things separate that don't need to interact. And then if you do have a compromise, not everything's compromised. And then lastly, if you want to gradually bring things back up to a recover, you can do so with small chunks. I think it's a great analogy. Segmentation is a good analogy to I think what the nation is trying to do right now by quarantining and gradually reopening up things in segments. And as you mentioned earlier, some of the other techniques are very, very similar. You want to have good visibility of where you're at risk. And then you can automatically do in detect and then implement some mitigations based on that good visibility. So I agree with you that it turns out that the cybersecurity strategies might have a whole lot in common with bio hazard strategy. It's interesting site reliability engineers, which is the term that Google coined when they built out their large scale cloud has become a practice. That kind of mindset combined with some of the things that you're saying the cybersecurity mindset seemed to fit this at scale problem space. And I might be an alarmist, but I personally believe that we've been having a digital war for many, many years now. And I think that troops aren't landing, but it's certainly digital troops. And I think that we as a country and global state and global society have to start thinking about these kinds of things where a virus could impact the United States, shut down the economy, devastating impact. So I think wars can be digital. And so I might be an alarmist and they can spear at us, but I think that, you know, thinking about it and actually talking about it might be a good thing. So appreciate your insights there, Phil, appreciate that. One of the point that might be interesting, a few years back, I was doing some research with a national lab and we're looking for novel cybersecurity analytics. And we hired some folks who worked in the biology, the biomedical community who were studying bio viruses at the time. And it was in recognition that there was a lot of commonality between those who are doing cybersecurity analytics and those who are doing bio biology or biomedical type analytics. And there was a lot of good cross-fertilization between our teams. And it kind of helps you bring up one more, there's one more point, which is what we need to do in cybersecurity in general is have more diversity of workforces, right? And I don't mean just the traditional but important diversities of sex or color, but diversity of experiences, right? Some of the best people I've worked with in the cyber analytics field weren't computer science trained people. And that's because they came in problems differently with a different background. So one of the things that's really important to our field at large, and of course the company, my company, Fortinet is to massively increase the amount of cybersecurity training that's available to people, not just the computer scientists, the world of the engineers, but people in other areas as well, the other degree to non-greed people. And with that higher level of cybersecurity training available to a more diverse community, not only can we solve the problem of numbers, we don't have enough cybersecurity people, but we can actually increase our ability to defend against these things by have more greater diversity of thought and experience. You know, that's such a great point. I think I just put an exclamation point on that. I get that question all the time on the skills gap is, should I study computer science? And I'm like, actually, if you can solve problems, that's a good thing. But really diversity is a wonderful thing in the age of unlimited compute power because traditionally diversity, whether it was protocol diversity or technical diversity or human makeup, tend to slow things down, but you get higher quality. So that's a generalization, but you get the point. Diversity does bring quality. And if you're doing a data science, you don't want to have a blind spot and not have enough data. So having a good diverse data set is a wonderful thing. You're going to a whole nother level saying bringing diversely skill sets to the table because the problems are diverse. Is that what you're getting at? It is. And in fact, it's one of our, I'll say our platforms that we're talking about during the COVID-19 crisis, which is perhaps we can all make ourselves a little bit better by taking some time out since we're not commuting, taking some time out and doing a little bit more online training where you can either improve your current set of cybersecurity skills and knowledge or be introduced to them for the first time. And so there's some wonderful Fortnite training available that can allow both the brand new folks to the field or the intermediate level folks of the field to become higher level experts. It's an opportunity for all of us to get better. Rather than spending that extra hour on the road every day, why don't we take at least 30 of those 60 minutes of former commute time and use it to do some online cybersecurity training? Phil, final question for your great insight, great conversation. As the world and your friends, my friends, people we don't know, other members of society as they start to realize that the virtualization of life is happening, this intersection, this convergence. What general advice would you have for someone just from a mental model or mindset standpoint to alleviate any anxiety or change that certainly will be happening? To how they can better themselves in their life? Is it thinking more about the experiences? Is it more learning? How would you give advice to folks out there who are going to come out of this post pandemic? Certainly it's going to be a different world. We're going to be heightened to digital and virtual. But as things become virtualized, how can someone take this and make a positive outcome out of all this? I think that the future remains bright. Earlier we talked about sci-fi, the integration of the cyber world and the physical world. That's going to provide great opportunities to make us more efficient, give us more free time, detect bad things from happening earlier and hopefully mitigating those bad things from happening earlier. So a lot of things that some people might use as scare tactics, right? Convergence and Skynet and robotics and things like that. I believe these are things that will make our lives better, not worse. Our responsibility though is talking about those things, making sure people understand that they're coming, why they're important, and make sure we're putting the right security and privacy into those things as these worlds, this physical world and the soccer worlds converge. I think the future is bright, but we still have some work to do in terms of making sure we're doing things at very high speeds, that there's no delay in the cyber security we put on top of these applications and make sure that we have very, very well integrated solutions that don't cause things to become more complex, but in fact make things easier to do. Certainly the winds of change and the big waves of the transformations happening, I guess I was just summarized by saying is to make it a headwind, I mean tailwind, not a headwind. Make it work for you. Swing with the tide, not against it. Bill, thank you so much for your insights. I really appreciate this cube conversation, remote interview, I'm John Furrier with theCUBE, talking about cyber security and the fundamentals of understanding what's going on in this new virtual world that we're living in, to being virtualized. As we get back to work and as things start to evolve further back to normal, the at scale problems and opportunities are there. And of course the cube's bringing it to you here remotely. From our studio, I'm John Furrier. Thanks for watching. Good job.