 Hey guys and girls, good afternoon. Welcome back to theCUBE's day one coverage of Google Cloud Next live at Moscone South in sunny, I think, San Francisco. Lisa Martin here with Dustin Kirkland, our CUBE analyst. We're going to have a great conversation next with Deloitte and CME Group. We've got Pradeep Sandhu, Cloud Security Leader at Detroit. Great to have you. Deloitte, excuse me, not Detroit, Deloitte. Dan Manley is here, the CISO at CME Group. Guys, great to have you on theCUBE. Thank you for joining us. Thank you for having us. Yeah, thanks for having us. We're here with about 20,000 other people, so it's pretty loud in here. You probably can hear that in the background. Lots of folks here, lots of interest, lots of news. Dan, start us off, talk to us a little bit about CME Group. What do you guys do? Give us all that backstory. So CME Group is the largest futures and options exchange in the world. And so we're located out of Chicago, but we serve customers around the globe. You have been on, so CME's been on a Google Cloud adoption journey for, what about a, I see in my notes, more than a year now, Deloitte's been helping from a Cloud Security Enablement perspective. Give us a snapshot of that journey and then we'll get you to weigh in from a security lens. So CME Group announced our partnership with Google in November of 2021. And as a highly regulated, critical infrastructure provider in financial services, we knew that we had to have a secure infrastructure. We did not have that as optional. And so we've been working very hard to move forward down that path. We knew we needed a partner to assist us with that effort. And we chose Deloitte. And so Prateep and I have been working very closely over that time period. Prateep, talk a little bit about Cloud Security Enablement. You know, we can't have a conversation about Cloud without talking about security. It's a hot topic, as is Gen AI. But what does Cloud Security Enablement from Deloitte look like? Yeah, I think it's a loaded question. When I would try to, you know, like split it into some of those small phases. Like when we started off this journey, our focus was on enabling the foundational elements to start with. And then we started on building upon it. So as we went through that process, it's more than 18 months than we have been working together to strengthen the Cloud Security for CME. And overall, if you ask me to summarize it, you know, again, starts with the foundational element and then you jump into continuous improvements and building the automation into the mix. So close collaboration, I would say from the day one, Google, Deloitte and CME joined hands, we teamed together. And that was the first starting point, you know, when we started off with this journey overall. Yeah, I've spent the last four or five years in the financial services industry. And boy, that's an industry that is in need of some modernization and migration to Cloud. I don't know, either you can kind of just talk about that journey and how, you know, Google Cloud, Deloitte and CME have come together for that, you know, modernization. Maybe Dan, feel free to chime in. For the last five years and for the next 10 years, probably, you know, we are seeing there's a huge amount of migration and modernization in the Cloud is happening. And that is driving focus on Cloud security because ultimately you want to make sure that your workloads are secure in the Cloud. And security is no more just one word. It's a combination of multiple domains, right? Now you're talking about data protection, security logging, network security and so forth. So it is crucial for any enterprise to identify and address those risks up front, you know, before you start with that journey. And then feel free to opine on it. I think the other aspect is the speed with which we were expected to deliver today. The ability for competitors to jump into a particular market is obviously an area that all organizations are concerned with. So the Cloud really enables that. But as we move fast, we need to make sure that we continue to be secure and defensible. And so our ability to understand how we're going to roll out new technologies of the Cloud, migrate our legacy apps into that new environment, but still maintain that vigilance against the threat actors coming against us is something that's very important. Dan, share a little bit about some of the risk challenges that you face. And then when we think about the cybersecurity landscape, it's changing so rapidly. The perimeter is now so amorphous and porous. What were some of those key risks that you faced that you came to Deloitte and Google to help eliminate? So as I touched on agility, the speed to be able to be responsive and make that change was very important for us to exact the value out of that migration of the Cloud. The second item was to understand how that new technology coming into our environment, our infrastructure, what were the vulnerabilities that might exist? How would that help us to mitigate vulnerabilities? And the third item is to understand how does that change our security ecosystem? The tools we use to really detect and monitor threat actors attempting to do us harm to be able to make sure we can understand that. And the reality is it's a hybrid environment while you're making that change to the Cloud. So it's important to make sure that those two elements work together as one cohesive view. Would you say, Dan, that you're taking both a defensive security posture as well as offensively and trying to get out ahead of attacks as well? I think that's a little bit of the debate you see in sports which is, is it better to have a good defense or a good offense? The reality is we have to have a balance as we look at things to make sure we understand what our perimeter is and how secure it is, especially acknowledging how it is somewhat amorphous as things are moving. But also we're part of a broader financial services infrastructure and ecosystem that includes connectivity with government agencies, other large financial service clients. So we have to make sure that we're bringing security to them as well to make sure it all works together as one. Pretty talk a little bit about Deloitte's approach to help CME really tackle these risks and challenges head on so that you can start dialing the risk down. What was that approach like? Absolutely. And like I said earlier, it's a complex undertaking to secure the broader landscape which is evolving every day. So our approach was taking those baby steps starting with defining the foundational capabilities and the plan around it. And those foundational capabilities like said, do you have a CSPM? Do you have CNAP? Do you have a SOAR capabilities established? And then also talking about what are the access controls and policies you want to make sure are going into the platform to start with and then you're building upon it. And I think Dan just mentioned it. It is a combination of prevention and detection which is super critical because you need to go hand in hand so that you have preventative capabilities going into the platform and you have detection capabilities going into the platform and both would provide you a good security posture which you need as you're taking on this journey. So our approach was defining that plan and then continuously identifying what next after the first step and second step and third step and building upon it. And being 18 months now, I would say we are charting towards what is the next thing we need to catch up and are we prepared for it? So those were the key areas of which any enterprise who's taking the journey needs to work upon. But what keeps you up at night security-wise, Dan? And how can Deloitte and Google Cloud help let you sleep a little bit better? So I think what Deloitte has really helped us with as we think about all those threats that are targeting us is how to understand the protections we put in place will help us identify when something happens. It's not really a case of if, it's really a factor of when. And so the ability to appropriately detect where those bad things are going to manifest themselves and make sure that we're getting that into our cyber defense center as we refer to it as a security operation center. That cyber defense center being able to identify things as early as possible is something that Deloitte's been able to help us do. A lot of announcements this morning in the keynote at Google, we knew we were going to hear a lot about GenAI, we can't go to any conference without talking about it these days. That's one of the hottest topics. But there was also a lot of talk about security. I'm just curious, Dan, if you were in that keynote, what were some of the things that you heard? And are you in a triangulate working with Deloitte and Google Cloud able to influence the direction their security posture is going in? I'm just curious. Yes, I would share with you, I was in the event, it was very exciting to see the announcements. CME Group, through our partnership with Google, it does have the ability to influence some of those things. We found the product management team at Google to be very receptive to feedback. And so as we've identified opportunities, features we would like to see, they've asked us to provide them information and insight to help them understand how they can add that to their roadmap. And so I think that's part of what has been great about the partnership with Google is to be able to have that face-to-face conversation and find that that's something they're very open to. Very symbiotic partnership, it sounds like to me. It certainly is. I'd say the three teams, Google, Deloitte and CME, we have a triumph for it, if you will, at CME as we've been going through the migration to understand who has the right skillsets, who has the artifacts that will serve as accelerators for us to be able to enable us to get to the cloud as fast as possible. Yep, that speed is key. I am curious too, Dan, and I want to get pretty pure thoughts too. The cybersecurity skills gap is real. It's significant, it's been around for quite a while. A lot of companies are trying really hard to help solve it. How does the work that CME is doing with Deloitte and Google, how is it helping you to address that? It's helping us in that there's quite a bit of education available to be able to help our security practitioners get certified. And then we look for the opportunity to be very much hands-on. Deloitte's contributed to that, bringing in the experience they have from other clients to help coach some of our staff up to an appropriate level, but then additionally, being able to get some sandboxes in the cloud where people can go in and practice safely, and then we can tear those environments down and let them do it all over again. Really, that iteration helps us to be able to grow and mature our skillsets as quick as possible. And Pradeep, just generally for other CISOs like Dan around the industry, what sort of messages or advice do you have for them around security, especially as it pertains to Google Cloud? Absolutely. So I think my advice, because we have been working on similar journeys with a couple of other enterprises, absolutely including CME Group, so three advice, and these three advice could be different for the three different groups. The first advice, in my opinion, is for security teams. Understand what is security of the cloud and security in the cloud, because those two are very different things, right? And it is very important or imperative for security teams to understand what they have in the cloud so that they can secure it. And it goes beyond, without saying, understand what you need to secure before you secure it. So that's the first advice to security teams. My second advice is to security leaders out there, like start this journey in a small step. This is not a sprint, it's a marathon. And you will take years to get to the perfection, right? That's the second advice. And so start with a small step, start with foundational capabilities and build upon it. And the third advice is to the transformational leader, and this is the big one, include security on day one if you are building your transformation plans because if they are not on the seat, every day, every hour would multiply by a couple of days and could derail the transformation journey. So include them on the day one and learn what is in the cloud and more importantly, start with a foundational step and build upon the continuous improvement. I think that's a great approach for so many things, kind of start small. At the same time, you talked about down the agility and the need to move fast. How do you manage both? Again, getting engaged as early as possible to help understand where blockers could develop or security services might not be available. And then once you have that transparency, you're able to allocate time, focus, attention to be able to make sure you clear those blockers as soon as possible. Part of that agile methodology to learn quickly and recognize it's not all rainbows and unicorns, you're going to encounter challenges, learn fast and then be able to move on from there. I always say failure is not necessarily a bad F word. And just talk about that. I'm just talking about that. Have the right partner with you, right? Your right partner is very important because who have done this few times is always really doing on the ground rather than planning for it. There's a different plan and doing action about it, right? So I think it's very important to have the right partner who have done it and who can take, who can join you along in this journey. And I think Dan already mentioned it at the start. The teaming with the cloud service provider and the consulting partner and the client is very crucial because those three people need to move every step together, right? To make the progress. What I would add to that is pick a partner that you can have a difficult conversation with based on fact. As I said, things don't always go right. Having somebody you can say, I don't understand that or that doesn't make sense to me. How do you account for this scenario is very important. It's unrealistic to think your partner's going to come in with everything defined for you. It takes that team working together to be able to right size the solution to fit for your organization. And how, from a leading edge perspective, Dan, were you in the Google Cloud journey? As the CISO, were you the lead there? We talk about, you know, when our security is concerned, we've got to shift left, bring security in. But how many people are at the table, if you will, in terms of really getting buy-in from your executive peers and even the folks downstream to say, we need to go to Google Cloud. Here's why, here's how we're going to do it securely. So, CME Group had actually been on their cloud journey for probably four or five years before our partnership was announced with Google. And so, that really accelerated things for us. And that really gave the executive endorsement that we were moving to Google Cloud. And then we were doing it intentionally and with purpose. That really helped us make sure we had a seat at the table. And then as we adopted some of the new product operating models to be able to integrate and work closely with our developers, we pulled in part of my larger team as quickly as possible to get folks working together to drive that incremental improvement that Pradeep talked about. And it's allowed us to be able to start parallel paths to be able to get things deployed so that you're not singularly focused on one project. We're moving at the speed of the business as much as we can. That's just it, moving at the speed of the business. It's all about enabling those business outcomes, right? Correct. You have to be able to provide value today. The idea that we are going to just secure the perimeter and not let things that happen is very unrealistic. And so our understanding of that is really leading into that cultural shift. I think it's going to help us to be successful for the future. You just brought up a great point. It is a cultural shift. And that's a hard thing for especially history organizations to go through, especially with the agility and the speed with which you need to be competitive. Pradeep, how does Deloitte help organizations like a CME and other enterprises that you work with to really face head-on that cultural transformation that has to happen and actually enable kind of smooth waters? Yeah, I think there are a couple of steps, you know, like every enterprise need to consider whenever they are on the cloud adoption journey. So a couple of steps could be, do you have a solid cloud strategy? It looks like, you know, a taxonomy which everyone uses, but do you have a plan even, right? Like what are the five steps you want to do? Second thing is, is your tooling or security tooling ready? Where are you going to implement these access controls, policies or the configurations? Do you have the right tooling to secure your world, right? And the third thing I would emphasize on, how are you building your teams to your point? You know, like it's a cultural shift. Are your teams being trained on the cloud? Do they know what needs to be secured? And last but not the least is have a line of sight where you want to direct your teams, what to do next and what is behind and have the interdependencies called out. And just the bonus point here is, I want to talk about it is, have a single plan. We have seen infrastructures having their own plan, platform is their own plan and then security is on there. Do we have a single plan to drive the transformation and security inside it? So those would be the key things I would say, you know, like where Deloitte have been helping multiple enterprises in this space. Yeah, and so that line of sight, like what's just over the horizon for you? Maybe that's a question for both of you, but like, you know, what's kind of next? I wish you were seeing me, we're still on that journey. We've got our foundations built, we're moving applications over, we're working with the appropriate regulators to make sure they're comfortable with the move. But even as we start moving things, we know there's another version of improvement we'll have to build for. And so it's going to be a very long marathon as Pradeep alluded to earlier. Yeah. And in my opinion, just add what Dan said, definitely there's a plan every enterprise have it, right? And we need to walk through it. For consulting firm like us, it is a journey. And there is a huge opportunity to help enterprise, you know, who needs help. And on that point, I would call it out is within Deloitte we are building our teams, defining or redefining our offerings in the secure digital transformation areas. And also pulling together, what are our common alliances? Like Google is our alliance here. We work with them very closely, right? So who are our common alliances? Who can help the enterprises like CME Group in this situation? That strong alliance, technology alliance, strategic alliance is so incredibly important. Guys, thank you so much for joining us on theCUBE today, sharing what's going on at CME, how you're on this Google Cloud journey, the journey that Deloitte is helping drive and Deloitte's journey. We appreciate that lots to look forward to. So thank you so much for your time. Thank you so much for having us. Our pleasure. For our guests and Dustin Kirkland, I'm Lisa Martin and you're watching theCUBE live, day one of our coverage of the Google Cloud next from the show floor at Masconi South. Stick around, Dustin and I have a great guest lineup coming up next.