Hey everyone, welcome to theCUBE's coverage, day one of CloudNativeSecurityCon 23. Lisa Martin here with John Furrier and Dave Vellante. Dave and John, great to have you guys on the program. This is interesting. This is the first inaugural CloudNativeSecurityCon, formerly part of KubeCon, now a separate event here happening in Seattle over the next couple of days. John, I wanted to get your take on your thoughts on this being a standalone event, the community, the impact.

Well, this is an inaugural event, which is great. We want to cover all inaugural events because you never know, and there might not be one next year. So we were here, if it happens, we're here at creation. But I think this is a good move for the CNCF and the Linux Foundation. As security becomes so important, and there's so many issues to resolve that will influence many other things, developers, machine learning, data as code, supply chain code. So I think KubeCon, Kubernetes conference and CloudNativeCon is all about cloud native developers. And it's a huge event, and there's so much there. There's containers, there's microservices. All that infrastructure as code, the DevSecOps on that side is enough there, and it's a huge ecosystem. Pulling it out as a separate event is a first move for them. And I think there's a toe in the water kind of vibe here, testing the waters a little bit on, does it have legs, how it's organized. Looks like they took their time, thought it out extremely well about how to craft it. And so I think this is the beginning of what will probably be a seminal event for the open source community. So let's listen to the clip from Priyanka Sharma, who's a CUBE alumni and executive director of the CNCF. This is kind of a teaser.

We will tackle issues of security together here and further on. We'll share our experiences, successes, perhaps more importantly, failures, and help with the collective understanding. We'll create solutions.
That's right, the practitioners are leading the way. Having conversations that you need to have, that's all of you. This conference today and tomorrow is packed with 72 sessions for all levels of technologists to reflect the bottoms up developer first nature of the conference. The co-chairs have selected these sessions and they are true blue practitioners.

And that's a great clip right there. If you read between the lines what she's saying there, that Dave is, let's unpack this, solutions, we're gonna fail, we're gonna get better. It's the culture of iterating, but practitioners, the mention of practitioners, that was very key, global community, 72 sessions, co-chairs, Liz Rice, and experts that are crafting this program. It seems like very similar to what AWS has done with re:Invent as their core show, and then they have re:Inforce, which is their cloud native security, Amazon security show. I mean, there's enough there. So to me, practitioners, that speaks to the urgency of cloud native security. So to me, I think this is the first move. And again, testing the waters. I like the vibe. I think the practitioner angle's relevant. It's very nerdy. So I think this is going to have some legs.

Yeah, the other key phrase I can mention is bottoms up. And you know, John, in our predictions breaking analysis, I asked you to make a prediction about events. And I think you nailed it. You said, look, we're going to have many more events that they're going to be smaller. Even the most large events are going to get smaller. AWS is obviously the exception, but a lot of events like this, 500, 700, 1,000 people that is really targeted. So instead of like, you take a big giant event and there's events within the event, this is going to be really targeted, really intimate and focused. And that's exactly what this is. I think your prediction nailed it.

Well, Dave, we'll call this the event operating system.
Really cohesive events connected together, decoupled, and I think the Linux Foundation has done an amazing job of stringing these events together to have community as the focus. And I think the key to these events in the future is having, again, targeted content to distinct user groups in these communities so they can be highly cohesive because they got to be productive. And again, if you try to have a broad big event, no one's happy. Everyone's underserved. So I think there's an industry concept and then there's like pieces tied together. And I think this is going to be a very focused event. But I think it's going to grow very fast.

72 sessions, that's a lot of content for this small event that the practitioners are going to have a lot of opportunity to learn from. Do you guys, John, start with you. And then Dave, do you think it's about time? You mentioned, John, they're dipping their toe in the water. We'll see how this goes. Do you think it's about time that we have this dedicated focus out of this community on cloud native security?

Well, I think it's definitely time. And I'll tell you, there's many reasons why. On the business, on the front lines of business, there's a business model for security hackers and breaches. The economics are in favor of the hackers. That's a real reality from ransomware to any kind of breach attacks. There's corporate governance issues, that's structural challenges for companies. These are real issues operationally for companies in the enterprise. And at the same time that on the tech stack side, it's been very slow movement like glaciers in terms of security. Things like DNS, Linux kernel. There are a lot of things in the weeds and the details of the bowels of the tech world, protocol levels that just need to be refactored. And I think you're seeing a lot of that here that was mentioned from Brian from the Linux Foundation mentioned Dan Kaminsky who recently passed away, who found that vulnerability in BIND, which is a DNS construct.
That was a critical linchpin. They got to fix these things. And Liz Rice is talking about the Linux kernel with the extended Berkeley packet filtering thing. And so like, this is where they're going. This is like, this is stuff that needs to be paid attention to because if they don't do it, the train of automation and machine learning is going to run wild with all kinds of automation that the infrastructure just won't be set up for. So I think there's going to be root level changes. And I think ultimately a new security stack will probably be very driven by data will be emerging. So to me, I think this is definitely worth being targeted. And I think you're seeing Amazon doing the same thing. I think this is a playbook out of AWS's event focus. And I think that's right.

Dave, what are your thoughts?

There was a lot of talk, and again, I go back to the sort of progression here in the last decade about what's the right regime for security, should the CISO report to the CIO or the board, et cetera, et cetera. We're way beyond that now. I think DevSecOps is being asked to do a lot, particularly DevOps. So we hear a lot about shift left. We're hearing about protecting the runtime and the ops getting much more involved in helping them do their jobs. Because the cloud itself has brought a lot to the table. It's like the first line of defense. But then you've really got a lot to worry about from a software defined perspective. And it's a complicated situation. Yes, there's less hardware. Yes, we can rely on the cloud. But culturally, you've got a lot more people that have to work together, have to share data. And you want to remove the blockers, to use kind of an Amazon term. And the way you do that is you really, really, if we talked about it many times on theCUBE, do over, you got to really rethink the way in which you approach security and it starts with culture and team.

Well, the thing, I would call it the five C's of security culture. You mentioned that's a good C.
You got cloud, tons of issues involved in cloud. You got access issues, identity. You got clusters. You got community clusters. And then you got containers, the fourth C. And then finally is the code itself, supply chain. So all areas of cloud native, if you take out the culture, it's cloud, cluster, container and code, all have levels of security risks and new things in there that need to be addressed. So there's plenty of work to get done for sure. And again, this is developer first, bottoms up, but that's where the change comes in, Dave, from a security standpoint. You always point this out. Bottoms up in the middle out for change. But absolutely, the imperative is today the business impact is real and it's urgent. And you got to pedal as fast as you can here. So I think this is going to have legs. We'll see how it goes.

I'm really curious to understand the cultural impact that we see being made at this event with the focus on it. John, you mentioned the four C's, five with culture. I often think that culture is probably the leading factor. Without that, without getting those teams aligned, is the rest of it set up to be as successful as possible? I think that's the question.

Well, I mean, to me Dave, Dave asked Pat Gelsinger in 2014, can security be a do-over, at VMworld when he was the CEO of VMworld, VMware. He said, yes, it has to be. And I think you're seeing that now and Nick from the co-founder of Palo Alto Networks was quoted on theCUBE by saying, zero trust is some structure to give to security, but cloud allows for the ability to do it over and get some scale going on security. So I think the best people are going to come together in this security world and they're going to work on this. So you're going to start to see more focus around these security events and initiatives.

So I think that when you go to, you mentioned re:Inforce a couple of times, when you go to re:Inforce, there's a lot of great stuff that Amazon puts forth. They're very positive.
It's not that negative, oh, the world is falling, and the sky is falling. And so I like that. However, you don't walk away with an understanding of how they're making the CISOs and the DevOps lives easier, once they get beyond the cloud. Of course, it's kind of not Amazon's responsibility. And that's where I think the CNCF really comes in and open source. That's where they pick up. Obviously the cloud's involved, but there's a real opportunity to simplify the lives of the DevSecOps teams. And that's what's critical in terms of being able to solve, or at least keep up with this never ending problem.

Yeah, I mean, there's a lot of issues to evolve. I mean, I took some notes here from the keynote. You heard security and education, training and team structure, detection, incidents that are happening, and how do you respond to that, architecture, identity, isolation, supply chains, and governance and compliance. These are all real things. I mean, this is not like hand-waving issues. They're mainstream and they're urgent. Literally the houses are on fire here, so at the enterprise. So this is going to be very, very important.

That's a great point. Some of the other things Priyanka mentioned, exposed edges and nodes. So just when you think we were starting to solve the problem, you got IoT. Security's not a one and done task. We've been talking about culture. No person is an island. It's a $188 billion business. Cloud native is growing at 27% a year, which just underscores the challenges. Bottom line, practitioners are leading the way. Last question for you guys. What are you hoping those practitioners get out of this event, this inaugural event, John?

Well, first of all, I think this event's going to be for them, but also we at theCUBE, we're going to be doing a lot more security events. RSA is coming up. We're going to be at re:Inforce. We're also going to be covering this event. We've got Black Hat, a variety of other events.
We'll probably have our own security events fairly focused on some key areas. So I think the thing that people are going to walk away from this event is that paying attention to these security events are going to be more than just an industry thing. I think you're going to start to see group gatherings or group convening virtually and physically around core issues. And I think you start to see a community accelerate around cloud native and open source specifically to help teams get faster and better at what they do. So I think the big walk away for the customers and the practitioners here is that there's a call to arms happening. And this is, again, another signal that it's worth breaking out from the core event, but being tied to it. I think that's a good call. I think it's a good architecture from a CNCF standpoint and worthy effort. So I give it a thumbs up. We still don't know what it's going to look like. We'll see what day two looks like, but it seems to be experts, practitioners, deep tech, enabling technologies. These are things that tend to be good things to hear when you're at an event.

I'll say the business imperative is obvious. The purpose of an event like this, and it's kind of aligned with theCUBE's mission, is to educate and inspire business technology pros to action. We do it at theCUBE with free content. Obviously, this event is a for-pay event, but they are delivering some real value to the community that they can take back to their organizations to make change. And that's what it's all about.

Yep, that is what it's all about. I'm looking forward to seeing over as the months unfold the impact that this event has on the community and the impact the community has on this event going forward and really the adoption of cloud-native security. Guys, great to have you doing this keynote analysis, looking forward to hearing the conversations that we have on theCUBE today.
Thanks so much for joining and for my guests, for my guest, for my co-host, John Furrier and Dave Vellante. I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon 23. Stick around, we've got great content on theCUBE coming up.