We're back. This is Dave Vellante. I'm here with Stu Miniman, and he is my co-host for this segment. Matt Allen is here. He's the security practice lead at EMC, a CUBE alum. Matt, good to see you in Cambridge. Thanks for having me. So we feel smart hanging out in Cambridge with all these MIT people. I was telling these guys, you know, I went to grad school here, but I haven't been here since this, right? I figured the police would be waiting for me to shoot. Well, thanks for coming out from Hopkinton. You know, we really appreciate the collaboration that we have with EMC and some of our other, you know, great sponsors of theCUBE. You allow us to come to events like this because your great support over the years allows us to come in and come to smaller events like this where you have just an amazing set of people grasping or grappling with problems that are really hard, they're mind-bending. And, you know, the premise of today's event this morning really was set up. You've got a situation where the innovations that are occurring with the internet and the rapid evolution of cyberspace are outpacing international relations and our ability to deal with that. So, you know, a lot of times we're down in the weeds on how do we protect the data and how do we protect our organization and the CIO? But there are all these geopolitical implications that are enormous and I'm glad that we've got smart guys like this on the case. Now, of course, EMC, you guys are prominent in this business, a leader in security, particularly with the RSA division. And this is obviously your sweet spot. So, I wonder if you can give us an update on what's new with you guys. Here it is, early January, I said earlier, I always look back, I read Art Coviello's letters, I talk to Art, I say, all right, I feel less safe every year. What's going on? He goes, hey, we're working hard. So, what is the state of security, you know, generally and specifically at EMC? What's happening? 
Yeah, so, broad brushstroke, I think we continue to see some of the same old themes, some of the things we've talked about in the past at what I would call a tactical level. I think there's a fascination by everybody for the techniques and sort of the root level detail behind how attacks happen and denial of service and, for lack of a better way to put it, the nuts and bolts of the things that happen to any company's network or infrastructure. The reality is that is now maturing in a way that is, I think, you know, bringing to the front a pending sort of intersect between the tactical sort of nuts and bolts components with the needs of boards of directors, senior leaders, shareholders. There's a practical reality. Those nuts and bolts items, those sort of tactical attacks and threats are adding up to a lot of money, big liabilities, things that need to be disclosed and/or are important to any shareholder of any company anywhere. This is increasingly noticeable or increasingly a top level agenda item for most folks in large part because there are nation states behind some of this and/or implications and broader geopolitical dynamics that we've just never experienced before. For lack of a better way to put it, when have you ever worried about, you know, a team of people that represent a military in another part of the world attacking private industry? That's crazy. Those are dynamics that we're sorting through now and that's some of the event today. And the ripple effects, I mean, just the last few years or so, right? Couple of years, WikiLeaks, Snowden, the Arab Spring, social media being shut off, you know, Google getting booted out of China and/or choosing to leave, you know, depending on whose version of the story you believe. It's a complete new dynamic that's going on out there. So how does that affect the way in which organizations should think about security? 
Sure, I think in the backdrop of that convergence is giving senior level leadership, certainly of any organization, the ability to understand the nature of not just a sort of a tactical nuts and bolts attack or threat or security issue at any level, but an understanding of what the nature of the risk really is. So that incorporates some pretty simple business dynamics. How big is it? What's the extent of the liability? What are the controls that we have in place to manage or deal with that risk over an extended period of time? Controls can be not just limited to processes and policies and procedures, but frankly, tools, product. I mean, you know, RSA provides all kinds of different tools to help our customers better manage the risks and threats that are security oriented in nature. So it's, for lack of a better way to put it, the convergence of very tactical, specific, you know, base level stuff with higher level strategy, broader corporate mandate. So Stu, we heard earlier today that the emphasis is moving away from the network into the data. Network guy, you know what I mean? Yeah, no, it was really, Matt and I were just talking about it beforehand. You know, we said when the internet was started, they didn't think so much about security, the people that started it, it was a close knit team, and we just, you know, networking was close to where all the packets went. So that was a great place to add it, but it's kind of been ad hoc and it hasn't been as regimented as it should be. And as we look back at it, you know, maybe the network's not the best place to secure anything. It's really at the data level that it makes sense. I know in one of your interviews earlier, Dave, they said what we need to do is add that layer of security at the data layer, and then eventually over time that can replace the network piece, which has been kind of a high, very important, but kind of low priority for a lot of customers. 
I mean, obviously there's many companies driving that technology, but you know, I'd like to get, you know, Matt's take on it. Yeah, does it eliminate the network, you know, need, or does it just sort of supplement it, complement it? What are your philosophies there? My thinking is supplement, or at the very least, works in a commingled way. I just don't think we'll ever get to a point where we won't need or we'll have other alternatives to a network-oriented security. I just can't foresee it any time in the near future. I think the idea that you're securing data gives me better confidence that, to your point, we migrated away from sort of the garage days and into a formal environment where we're addressing the root cause of the issue. The root cause is the data. For lack of a better way to put it, why did they rob a bank? Well, that's where the money is. Why do you attack, you know, a company's infrastructure? Well, that's where the data is, okay? So they're going after a very specific asset, it's data, that drives all of this. And for my money, I think that's the area we'll see the most advancement in the way of product and services and solutions over the course of the next... Really, two years. Yeah, and Dave, when you talk about, if we look at, does it go in the network or go to the data, if we bring in the discussion of cloud, you know, governance, risk and compliance really needs to be addressed if we're going to cloud, because I'm not going to control that network, I'm going to some provider. So I need to have that kind of common language that I can speak between, and we really have to have, you know, governance is a real important piece. Well, so since you brought up cloud, right? We were just, in November, at Amazon re:Invent, hearing that the world is going to the public cloud. What do you see in the client base? I mean, you hear that, yeah, but, but then the one but is always more than one but. But anyway, the big but is always security. 
And not necessarily that the security of the cloud is bad, it's just, it's different, it's maybe not customized, it maybe doesn't align to the edicts of your organization. So what are you seeing in the base? So again, I apologize, I keep doing the, you know, there's the root level and then the higher level. And in this instance, I would tell you that we're seeing that most of the marketplace is still coming to grips with the reality of what's happening within or behind their firewall. We've got a number of different services, but in effect, these are services that are designed to help our customers understand the extent of their shadow IT problems or exposures. That gives you some sense of how much activity is going on behind the firewall and on the other side in the way of movement of data. So to your point, we end up with that, you know, the root level focus being data as you boil that up to the cloud, it becomes really sort of a fundamentally different way to view the infrastructure. The perimeter becomes a little bit different, but the fundamentals remain the same. The data is the asset, we've got to find a way to effectively address how we control or how we limit the extent of exposure to anyone outside of our network. Access to that data. Well, so a lot of folks were thinking, okay, the whole Snowden thing is going to make some of the cloud momentum, public cloud momentum, attenuate, but it hasn't seemed to happen, but I know it's coming up in discussion with customers. And virtually every customer you talk to says, oh, wait a minute, if I put it in the public cloud and they make whoever, name a company, whether it's Workday or Oracle's public cloud or whatever, if the government says, give us that data, you got to give them that data. So whereas if it's in your private cloud, you maybe have a stronger fight against giving up the data. 
So what are your customers saying about that, whether it's Snowden, whether it's WikiLeaks, you mentioned shadow IT before, the threats are significant. How are they approaching that problem? Yeah, so it's unfortunately a number of different ways. On the one end of the extreme, they're doing nothing and they're head in the sand and pretending it'll go away. And then on the other end, very advanced solutions that have more to do with how you govern and/or formally administer policies and procedures that all of your employees are expected to sort of live by and work within. Look, I think you can sort of look at the two ends and what you'll find is what effectively becomes the middle, and that will be some version of a model where governance, risk and compliance issues around data, how data is managed, will become a policy that's enforceable via a number of different tools and all employees will be monitored as they engage in that. That will become effectively aligned with whatever government requirements are imposed on different industries. That's a jumping off point into saying that goes in a lot of different directions, because I don't think it'll just be blanket government requirements, it'll be based on industry and company type and SIC code and any number of other requirements that not only industry and frankly, the market will need but frankly where the government, where government bodies are gonna draw the line. And that's the, frankly, that's what everyone's struggling with right now. Exactly where do you draw the line? Exactly where should they be imposing parameters that heretofore just haven't existed? Yeah and you know, we obviously talk a lot about security today but privacy has come up a little bit and they're kind of, to me anyway, two sides of the same coin and it just seems like the privacy issue now, especially again with Snowden, has bubbled to the top. 
Are you seeing that and what are you guys advising in terms of best practice or any kind of consulting that you're providing or architectures that you're developing to address that issue? So it comes in a number of different packages. It all, for my money, a lot of it right now is falling under the idea of social engineering and at some level sort of extended threats and the human element, databases don't usually just leak information, people usually leak information and so the policy framework that they have to work within the types of data that they're exposed to, have access to and are allowed to work with are limited by role and responsibility and requirements of the organization become sort of the driver. You get out of the nuts and bolts of the conversation then and into the idea that everyone gets certain types of data and access to workloads based on their needs and that's where we're just not even close to where we need to be. That's where the big data conversation and some of the network conversation becomes such a big deal you effectively develop the ability to better understand what the user needs in the way of application support and data and then that'll drive exactly how you dictate the terms of their use. How will data in your view, Matt, affect sort of defense policies, defending against security attacks? Data has a role, we know that, but what role does it play? Because it's early days and everybody talks about the potential for analytics and helping to solve this problem. Where are we and where do you see us headed? So here's, the funny part of this is I'm really torn. On the one end of the extreme, I'm an economic laissez-faire. The market will dictate the terms of what we need in the way of regulatory requirements and guidance. Then on the other end of the extreme, I've seen what happens to organizations and entities that are attacked and or have security issues in the extent of those liabilities. 
Ultimately, I think the answer lies somewhere in the middle of that and striking a balance where the regulatory bodies give guidance as it relates to what we don't want people doing and or behaviors we want to prevent rather than dictating the terms of how they do business. So I know it sounds like a nuance and it sounds like a debate of semantics, but the reality is I think we want them acting very much like Adam Smith's invisible hand. Guide the marketplace to where it needs to go. Don't be prescriptive at a detailed level. The marketplace will figure that part out. That's what they're there for and the forces in that marketplace will dictate the terms of how they do it. So I wanna talk a little bit about IT transformation or just transformation in general. It's a theme that you guys have hit on. It's something that you, I think, are embedding into a lot of your motions these days, cultural, marketing, sales motions, et cetera. Where does security fit into the IT transformation discussion? You always hear the bromide around security has gotta be designed in, you can't bolt it on, it can't be an afterthought, but as I transform my IT, I also hear, well I need a way to get from point A to point B without ripping and replacing. So I feel like it's almost an impossible paradox to solve, but how are you guys supporting those transformations from a security context? So we are helping as much as we can with what I would call sort of legacy models where, to your point, you can't rip and replace, but you do have to find creative ways to patch legacy systems and applications and information technology infrastructure that was built and predicated on older models. 
Basically, I think the transformational discussion is predicated on the idea that we're moving to a new platform of computing, that third platform, migrating away from the second platform and into the third where data is king and you're really talking about massive amounts of flows of different data, not just within the organization but outside of the organization. For me, that is all predicated on the idea that there's a governance structure in place and that the infrastructure is managed and, at one level or another, acts as the traffic cop for how those priorities and investments and spends are basically prioritized. Security is one of the top spends in my eyes as it relates to the transformation discussion in large part because it's one of the greatest liabilities. It's one of the only things that, as time goes by, if you don't address updating and refreshing your infrastructure or engaging in a transformational discussion, you will undoubtedly have to pay exhaustive costs, in large part because of self-inflicted gunshots. So the big challenge in our industry is just when you think you got it figured out everything changes, right? So one of the things that has not been talked about today, now part of that is because it's an academic conference and they don't just throw around buzzwords, but this whole notion of internet of things, the interconnectedness of virtually all infrastructure and devices and certainly mobile plays into that, but also the electric grid, nuclear facilities, you name it, traffic patterns, et cetera, all connected consumer devices. What are you guys seeing there and from a security standpoint, it's all, it's talking about the Wild West, it's just the whole new world. So how does that challenge, keep you guys up at night? 
So the good news is lots and lots of device level, data level, network level, tools and techniques that you can apply, remote wipe technologies, encryption, all of the things that, what look, as you see from the RSA portfolio of products. Broader context though, I think you start talking about different data types that are housed within industry and the needs or requirements from security or protection, privacy is a part of the equation by industry or sub-industry. So a grid would be a data type or the data that resides there would classify or be characterized in a certain way and I think by extension would call for some level of regulatory requirement as it relates to treatment and housing and management and so on. Other industries, pick whatever one it is, would have different requirements. In that instance, what we would be doing and I think what you'll see a lot more of is classification of data, data type, in a way that gives government bodies and regulatory authorities the ability to more prescriptively require certain types of treatment. And in that instance, when you're talking about big parts of the public infrastructure, I think we need, I think that's clearly long overdue and I think one of the bigger weak spots we have. Well, when you think of the threat matrix, we've been doing a lot of tracking of what GE calls the industrial internet. John Furrier, my normal co-host. Some people would say he's not normal, but it's a typical co-host of the cube, founder of Silicon Angle. He hosted a panel with Jeffrey Immelt, CEO of GE and just when you think about the IT, bleeding into all these industrial systems, the way in which you evaluate your threat and your risk is changing. Correct me if I'm wrong, but I think most IT organizations aren't thinking about that today, but within the next decade, you're gonna have to be thinking about it. What's your take on that? 
So there's a, I think, again, there's the gap that it seems to me I continue to see in systemic fashion in the marketplace, lots of tactical pieces, very little in the way of strategic understanding, very little understanding at the board level or the senior leadership level of the extent of the liabilities that a security, a series of security gaps or security-oriented threats can cause to your organization. So to sort of blow out where I suspect Immelt would go with some of that conversation, it's the idea that folks who usually grew up in finance and operations and engineering and that sort of thing just don't have an appreciation for what a denial of service could do to the organization, especially from a transaction perspective, brand and reputation perspective. Do you really want to be the guy that was the captain of the ship when somebody attacked the data that exists, the crown jewels of the data of the organization? No one wants to be that. And I think there's a struggle because there's a gap between understanding what those tactical level threats are and the extent of the real exposure at the board level. Well, a lot of the IT guys are finally attuned to this. It's credibility. Yeah, yeah. When you think about the industrial internet or internet of things, you start thinking about engineers who are very focused on whatever, the wind turbine and making it work, now all of a sudden that becomes part of the threat matrix. They have to secure that device, that industrial system because it's connected to their IT systems. That's just the order of magnitude, more complexity that we're going to see over the next decade. So I'll ask you, as I asked Pat Gelsinger, I've asked a number of folks, is security a do-over? So a couple of things. One, the quick comment to your note regarding the turbine, if they even know if it's connected. Yeah, if they even know it's connected, exactly, I don't know. The second part of it is I don't think it's a do-over. 
I think it's a continuation of what we have. I think we've learned a lot about what our security needs are, especially those practitioners who are involved. I mean, as a general rule, I'm never really that worried about what I would call specific tactical threats, somebody breaking in and getting into a database. That happens pretty regularly for a lot of different companies. I worry more about the sort of the mundane garden variety, social engineering or just, I've got a really mad employee who decided to burn a bunch of data from an unencrypted database and sold it in the broader marketplace. That's a security threat that I don't think, one, a board of directors usually understands. One and two, the guys usually charged with security aren't looking at that as intensively as maybe they need to be. But I can tell you, that's a far greater likelihood than a bunch of guys in a basement in Russia deciding to attack my infrastructure. No, threats from within, potentially. Yeah, so it's less do-over, I think, and more just migration, maturity, just knowledge across different bodies and stakeholders coming forward. All right, Matt, well listen, I really appreciate you coming out here to Cambridge and joining us on theCUBE, it's always a pleasure. Thanks for having me. Thanks for having me. Appreciate it. All right, well, good to see you. Okay, keep it right there, everybody. This is Dave Vellante, Stu Miniman here with me, along with Charlie Sennott of the Global Post, and Jeff Kelly. We'll be right back after this word.