From around the globe, it's theCUBE with digital coverage of VeeamON 2020. Brought to you by Veeam.

Hi, I'm Stu Miniman and this is theCUBE's coverage of VeeamON 2020 online. Really happy to welcome to the program a first-time guest, and he is the Chief Information Security Officer at Veeam. Gil Vega, thank you so much for joining us. Always loved the chat with the CISO.

Awesome, thanks for having me, Stu.

All right, so Gil, first give us a little bit of your background and you're relatively new to Veeam. Obviously, when you took the job, the current global pandemic wasn't necessarily front and center, but yeah, give our audience a little bit of who you are.

Yeah, yeah, timing is everything. I've been at Veeam for 90 plus days, joined the company just before the global pandemic broke and sort of disrupted our entire planet. Before that, I was the CISO for five years of a systemically important financial services market utility, but most of my experience is in government. I was a federal executive for almost 20 years in Washington DC where I was a CISO at the Department of Energy, Homeland Security, Naval Intelligence and a few other places.

Excellent, well, that's a great pedigree. We love talking to the public sector people. Obviously, security front and center, there always, but really, I mean, it's a board level today. Security so much of what's going on. I have to ask you, though, with the global pandemic hitting, obviously, work from home is a big piece of what's going on. Give us kind of your first reaction there being new to the role. How do you make sure that Veeam itself is safe and that your customers as they're dealing with things that can stay secure?

That's a great question. I don't think anyone can say they were 100% prepared for a global pandemic, the likes of which no one's ever really experienced before, at least in the modern age, but Veeam is largely, even though we're 5,000 strong and global, is largely a virtual workforce. So a large majority of our teammates work from home in mobile situations. So the company has a long track record of providing really innovative and secure tools so that we can conduct our business both with our customers, with our sales teams generating leads, our technical teams developing product. The technology here is pretty impressive. I will say the impact to our workforce, at least from a virtual perspective, hasn't been as significant as some more traditional companies. Being the new CISO here at Veeam, it's a first-time position for the company who's taken this topic very seriously. It has been, for me personally, a bit of a challenge in building my team. Obviously the Infosec space, cybersecurity space is very competitive when you're trying to hire folks and the pandemic obviously has made folks think twice about transitioning or starting careers or changing companies. So it's put a little bit of a hitch in my step in terms of overall planning, but we're moving on to some different strategies and building a team a little slower than we had anticipated.

Yeah, well, definitely understandable. Put a freeze for most people. We're hoping that that is starting to fall a little bit these days. I'm curious if you can share, organizationally, this is a new role. Did you report to the CIO or are you a peer? What's been your experience with some of those organizational dynamics about where a CISO lives and reports in the org?

Yeah, I think it really depends upon the company's culture. That drives where this role sits. At my previous company, I worked for the CIO who was a corporate officer. Here at Veeam, it is a new position and there's such a significance placed on cybersecurity because of the expectations around this topic, not only from our board, our customers, the government, regulators, and everyone else. This role, my role reports directly into Bill Largent, our CEO, which fully empowers me as a member of the management team of the entire company to drive the initiatives that need to be driven so that we can meet those expectations which tend to rise every year from expectations of our customers, product features in our products, regulatory requirements, and so forth. So, this space tends to get more difficult, more complex as time goes on. And I think that Veeam has constructed this role in an operating model that is going to make it highly successful.

Yeah, well, data security absolutely such a critical piece of today's landscape. Give us your thoughts about data security and really modern IT, and what is your charter to try to make sure that Veeam fits in there?

Yeah, Veeam is now a U.S. company, right? And the idea here is to continue to drive growth in North America and one of the key components of that growth has to be the U.S. government. I have a pedigree with the U.S. government and I understand what the requirements are to do business there. So, again, back to those expectations, my charge here is to deliver us not only an internal cybersecurity program that continues to meet and exceed those expectations, but to be able to position our products in a way that not only solves some of the data resiliency issues that the government faces and that our global customers face, but also help to solve some of these significant cybersecurity issues that they're trying to manage. In the boardroom, cybersecurity is essentially the number one operational risk now with a lot of focus across not only the boards, but all the functional areas of the company, whether it's finance, sales, technology, and security. It just seems to be the topic that everyone's most concerned about. We just want to make sure that we're positioned in a way that drives what we're delivering here as a competitive advantage.

You know, what are some keys of consideration for data security on modern businesses?

I'm sorry, you broke up. Could you repeat that question, Stu?

Sure, just looking for some of the key security considerations for modern business.

Yeah, you know, there are, there's so many, right? I tend to focus on the simple things for most companies, right? The priorities that every CISO ought to have are around, you know, the blocking and tackling of a risk-based vulnerability management program, making sure that you're managing identities so that the right people have the right access to the right resources at the right time. You got to have those strong and fast cyber ops because you will have incidents, right? We all know that. If you're a CISO in a company, you're not managing incidents. Chances are you're not seeing incidents, which is probably worse than not having them. The other thing that I've learned as a key consideration for protecting your company coming from government is this concept of information sharing and making sure that you're not only speaking with your peer companies but your competitors as well because they're seeing an awful lot of the same issues that you will see or have seen. And there's really no competitive advantage in information sharing amongst the CISOs in various industry communities. In financial services, I feel like they've optimized that. Where I came from, I would talk with CISOs at my competing firms on a weekly basis, comparing notes, talking about threats, understanding threat actors, talking about technology and so forth. Just trying to provide for this sense of collective defense that those in the financial services industry have together. And then obviously for the last several years, there's got to be a deep understanding of the differences in managing cybersecurity in the cloud and what that entails and holding those vendors accountable for your security requirements. You can outsource the technology but you can't outsource the risk. So you have to be able to understand how the cloud changes the risks that you're facing from the internet.

Yeah, I'm so glad you brought up. I think back earlier in my career, you go back to 10, 15, 20 years ago and could IT be a differentiator? And therefore there wasn't necessarily that sharing among peer group or they were very careful of how they did things because, oh wait, I tried this new project and I might have some advantage but as you said, security is something we need to as a community get involved with and you also brought up cloud. So if we look at cloud models today, we understand it's really a shared responsibility model. So how should people be thinking about cloud? How should they be moving forward with really these multitudes of environments that they need to go with?

Yeah, we could probably have an hour show and talk about some of the scar tissue that I've gained over the years in managing cloud programs. The number one thing I would talk about, I think it's probably the most important thing is making sure you understand exactly what security services your cloud provider is providing and don't assume that they're going to meet your requirements. You need to understand what those requirements are, whether or not they fit your business and operations model and whether or not they're capable of meeting the risk appetite that you've set for yourself and communicated to your board. In certain cases, the default cloud security services won't meet those expectations and you'll have to work with the cloud vendors to augment those in a way that makes it more acceptable for your risk profile and for your business. I've often talked with peers at companies, smaller companies, who just assume that the large cloud providers are going to take care of everything that you used to take care of on-prem. And in fact, there are just certain things that are happening in the cloud that are completely different than on-prem situation as it relates to cyber and you've got to have a really good understanding of how those are differentiated because if you're making assumptions about the level of cybersecurity services that you're procuring in the cloud, it's probably going to turn around and bite you at some point.

Yeah, I laugh a little bit. I think in the pre-cloud era was, you need to be careful because just somebody that is lazy or being a little bit malicious could go against any security things that you set. Well, if you go to the cloud, some things have changed but many things haven't. I need to make sure that I've adjusted those settings. Oh wait, there's something I should have looked into or added to, let me make sure I adjust those. I think, at least I think the cloud providers are a little bit more engaged after some key kinks in the armor that were seen. So there's been a little bit more awareness of what's going on and everybody is engaging a little bit more. Gil, governance and ransomware are things that I've talked to you for many years about being, how does that fit your overall discussion?

You know, governance is probably one of the most overlooked but most important components of a cybersecurity program that's effective. We don't do cybersecurity just to do cybersecurity. We're trying to meet key business objectives. We're trying to meet customer expectations. We're trying to support technology integration programs and having all of the efforts of the CISO and her organization governed correctly within the corporate structure is just absolutely critical. Here at Veeam, my function is governed by the board of directors as it is in most large companies. So they're interested obviously in the health status of the projects that I'm leading, the initiatives that I'm driving, the transformations that are occurring across the globe. They're interested in understanding exactly how the product feature sets in our products are being informed by the experiences of our internal team and what our customers need. For us, it's very important to provide that oversight and insight into everything that we're doing at the highest levels so that our board of directors can have a really good understanding of overall risk of the organization and what we're facing.

Gil, final question I have for you. Just key priorities going forward. What should we be looking for from Veeam and the security practice particularly?

Yeah, sure. So we've gone and we've adopted a new security framework. We've adopted the NIST Cybersecurity Framework version 1.1. We're leading ourselves through a maturity assessment based on that framework. We're setting objective maturity measures for each of the components of our cybersecurity program based on the NIST Cybersecurity Framework. And we're driving some transformation across the globe to make sure that we're doing everything we can to protect not only the company, but our customers' data, our products, and so forth. We're also positioning ourselves in a way to, as I said earlier, enhance our business opportunities with the U.S. government and adopting the NIST Cybersecurity Framework is probably the first step in a long program to be able to do much more business with our government counterparts.

All right, well, Gil Vega, thank you so much for joining us. Really pleasure to talk with you.

Very good, thanks, Stu.

All right, be back with lots more coverage from VeeamON 2020 online. I'm Stu Miniman and thank you for watching theCUBE.