Live from San Francisco, it's theCUBE. Covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media.

Hey, welcome back, everybody. Jeff Frick here with theCUBE. We are day four here at the RSA Conference in Moscone. Thursday, we've been going all day, Monday, Tuesday, Wednesday, Thursday. It's a huge conference, over 40,000 people. You know, kind of the first big U.S. conference after the Mobile World Congress thing with a coronavirus. So we were all kind of curious to see how it would work out. There were some companies that pulled out, but you know, Rohit and the team stayed the course. They got the support they needed from the city, and it's turned out to be quite a show. So I'm sure there's a lot of people all over the industry kind of watching this as an indicator of how do you execute a conference in these kind of crazy times. So we're excited for our next guest. He's Andy Smith, the Senior Vice President of Marketing for Centrify. Andy, great to see you.

Good to be here, Jeff. How you doing?

Great. You've been coming to this show for a while. You're a seasoned veteran of the industry. First off, kind of general impressions of this show versus other kind of RSAs you've been in the past.

Yeah, it's super interesting to watch it, ebbs and flows of the security industry, right? I mean, I've been 15 years over the past 25. I've been at this show, and you've seen it be big and then shrink down to one hall, then to two halls again. I mean, what's interesting the last couple of years is it's big again. Like, security is hot. We know budgets are going up. Breach culture is out there. And so, you know, I see the RSA show as a reflection of what's happening with the industry when you look at the size and number of attendees.

Right. The other kind of theme this year was the human-centric boat. And we had Rohit Ghai on just a little bit earlier. And this keynote I thought was really interesting. It was not about security per se.
It was not about threats and detection. It was really about stories and narratives and peoples and kind of taking that back as an industry. I wonder, you know, kind of your impression as this kind of human-centric theme as we're surrounded by tech, tech and more tech.

It is. If you think about human-centric, it's a big piece of your security strategy, right? I mean, what there was just this morning, one of the sharks got phished, right? Lost $400,000.

Oh, I see that.

Yeah, yeah. And so, you know, educating people about looking out for phishing attacks, right? Looking at insiders who are one of our biggest threats and you know, they're a huge fetus. It's not technology at all.

I thought Wendy's keynote was great too from Cisco talking about everything we do on computers is about clicking and yet we tell people, you know, click to download the patch, but don't click on anything else. And really, you know, kind of taking an approach that people need to be part of the solution. They're not these horrible people that keep clicking on the wrong things, but you really need to integrate them into your strategy.

Yeah, absolutely. I mean, it's about educating your workforce. It's about educating consumers, right? Whether you're talking B2C security or whether you're talking B2B, that human element and educating to be diligent, right? You got to know a little bit about how to look for something that might be suspicious and know what you should be clicking on and what you shouldn't. There's not a lot of technology that can solve that for you. It's getting out and making sure people are educated.

And unfortunately, the bad guys have been working hard on their grammar and doing all the AI on the background. So, you know, a lot of things today are not easily identifiable like they used to be. That's no longer really kind of a baseline hope just not to click that thing.

They've gotten way better, right?
So rather than these attacks that are spray and pray, they're going after, you know, just going after anybody they can. They're targeted now, right? So spear phishing, right? And so specific individuals. And that's why one of the things that is a little bit coming up at this show and something that we talk about is identity-centric security. So that you've got to tie that kind of human element to your security. You know, there's network-centric, but getting identity-centric and tying that human element to your security aspect, making sure the security, the identity technologies and the security technologies are working together, that brings that human element into your own security strategy.

And when you talk about identity, how should people be thinking about identity? Because clearly we see the kind of the rise in multi-factor now, right? We have to do, we have to go to our phones all the time with the code. Now we're hearing people can spoof identity. They can spoof faces. I guess identity is not a face. But you know, some of these indicators of identity. So when you help people think about identity, what are some of the factors they should think about? What are the things they don't, but they should be thinking about?

Yeah, yeah. I mean, some of the things that we talk a lot about is multi-factor authentication. So although, yes, right? Real sophisticated people can have ways of getting around that, but most attackers and hackers are lazy, right? They're going to go up for somebody who's got no multi-factor in place. Like even doing the basics is way better than doing nothing. I mean, the statistics bear out that you do a little something, right? And then you can always step it up and get more sophisticated where you've got tokens that you have to put your finger on, right? And you know, et cetera, you can get smart cards and all those kinds of things. You can get much more sophisticated, but multi-factor in general works.
I mean, you're just going to take it a far bit above. But what's interesting about identity is we always think of humans, right? But when we talk identity, where this market is going, is identity is machines. You have to give a machine an identity. You have to give a service account an identity. You have to give a microservice identity. And these more and more, this is a just complete automated world. This isn't humans logging into things anymore. This is microservices talking to each other. Each of those needs an identity, needs an authorization, because they have accounts that can be hacked also. And so you need to protect those just as much as you need to protect those human accounts.

That's funny, because we cover a lot of RPA shows, right? And the whole talk of people that do RPA, right? Is that they treat them as people, right? They treat them as kind of like your little assistants. Your own little bot to do, little tasks that you assign them to do. So treating them with kind of an identity protocol then that gives all the authorizations and you kind of leverage all that back end, is the way to integrate them into the workforce.

Absolutely. It's all about access controls, authentication, authorization. Those are the controls that have been there forever. You're just applying these to new types of identities and we're in the privileged access management space. So it used to always be a Windows admin or a Unix Linux admin logging into a physical box, right? And so it was about protecting those accounts. But more and more it's about giving a machine an identity and a microservice identity and how are those things talking to each other? We're protecting, it's all completely automated with DevOps. You think about if I have, as I moved to the cloud, I want to be able to scale out dynamically, right? Horizontally, vertically. So all of a sudden new servers, virtual servers, or containers just popping up automatically.
You have to be able to control the access to all those automatically, dynamically on the spot and then they shrink back down, you need to get rid of all that, right? So the automation that's come into our space, although I'm still trying to do authentication, authorization, same type of privileged access controls we've been doing for 30 years, but how they're applied in this new world is much different.

Now what about then you layer on top of that zero trust? So I definitely want to identify you but I have zero trust and I'm presuming at some point in time you might end up either being a bad guy or some bad guy is going to come in via your credential. How does the zero trust piece fit on top of the identity kind of management?

Well it's really why we're talking about identity-centric security now is because you can't, you have to assume somebody's on your network. You can't trust all those perimeter controls that are there. The reality is they're going to get in and so that identity-centric security starts at that access layer and not trusting just because you got onto the network that oh, sure, here you go. You can do whatever you want. That's where zero trust comes in. I don't, every time I want to get access to a piece of data or a system, et cetera, I need to do that authentication, that authorization, apply that multi-factor. Those are all identity-centric controls that result in this journey towards the zero trust world.

It's funny, I've sat down with Mike DeCesare at Forescout and he talks about when they do the little sniff around all the little devices that are plugged into the networks and it's usually multiples back of what people think are on the network, especially room locations people are plugging stuff in, but then to, like you said in the machine, identify what should a logic cam do and how should it act?
And as soon as it starts acting and asking for things in accounts payable, maybe that's not necessarily what a logic cammer wants to do or should be doing.

Yeah, yeah. And so first there's like knowing what that device is, giving it an identity so we know what it is, know what it should be doing, it has a role, it has specific access and authorization rights that are granted to it, so the logic cammer, if I know what that cammer is, you have an identity, I know what it's supposed to be doing, I should be able to restrict the access it has to just what it needs to do, right? Rather than it's got root account to do whatever or some God account to create, you know, like those are the kinds of controls we have in place and it's just logical identity management controls that have been there forever, but once you can identify those devices connecting, you can give them those limited, you just talk about least privilege, right? That's again a 30 year old control but giving it least privilege on just what it should do and nothing more.

And do you see in the future just more and more kind of multi-factor validation points that will have to get added to the process as we move from single factor to factor, however many factors it's going to take?

For sure, yeah, I mean, so the multi-factor, because there's one thing you authenticate yourself at the front door, right? So that's what most authentication is, but there's this concept of continuous authentication. You're the trust in that initial authentication degrades as your session goes on, right? So the longer I have a session open, you know, is that still that same person or that same service that is clicking away at the keyboard there? There's cool stuff around continuous authentication where they can tell it's still the same person based on the cadence, they click on the keyboard, other biometric methods, the swiping I do on my phone and stuff like that.
So there's ways to have continuous, the concept is now called continuous authentication, right? And so I absolutely see that those behavior-based types of authentication going out through a user's entire session.

So I want to shift gears a little bit. One of the things that amazes me about this show, and I don't know when it was small, but it's been big ever since I've been coming, is right, there's so many vendors here. There's so many companies and there's so many kind of stories that a lot of really enthusiastic people work in booths that are screaming at you to come on over and tell you all the great things they do. From a marketing point of view, you're the SVP marketing, how do you kind of package your messaging? How do you kind of break through the clutter? What advice do you give to buyers to help them kind of navigate what is a very large, loud and complex ecosystem?

Yeah, it's a complex battle, right? So you have to be able to, because there are so many different technologies here in the security arena, when we're all fighting for the same share of wallet in a sense, right? And so first you have to identify yourself with something people recognize, a market that people recognize, like identity, privileged access management, endpoint security, et cetera, but then you have to differentiate yourself within that market, right? So you've got to add something to the market space I'm in that gives a little twist. So for us, it's identity-centric privileged access management and that we suppose that against vault-centric or something else that we try to put the other, but so you try to, in your message, you've got to categorize what's the space I'm in and how do I differentiate? And in something as short and brandable as possible.
And then you've got to have this kind of ongoing solutions, partnership, relationship with your clients, right, because this is not something you're going to be switching things out that frequently and in the landscape and the threats evolve and change so rapidly. I think we've had a number of people come on to publish this report or that report or this report. These come out every six months. And there's actually the online version so you can keep up with what happened today or what happens tomorrow. So not an easy kind of marketing challenge to stay relevant, stay connected, and stay really in people's mind.

Well, there's awareness aspects to it and it is really just, what really helps is you just create as many happy customers as you can, right? I mean, you're amazed at the, how connected this industry actually is. I mean, the attendees that are coming to this conference, they know each other. They've been coming here for years just like we have, right? And word of mouth between people who have used your technology, they share that with something else. I mean, the security industry as big as it is, it's super interconnected. One person goes from one company to the other and so tons of business just comes from word of mouth referral, et cetera. So the happier you can keep your customers, the more, you know, mind share you can get out there.

Okay, last question before I let you go. We just, like I said, we just had Rohit on and one of the topics was they just got bought by, yeah, Symphony, I think it's Symphony, private equity firm. We met the other night at a cocktail party put on by Thoma Bravo and you were at Centrify before they came in and after, you know, I think some people are kind of confused, you know, what is private equity? How does it impact the company? So I wonder if you can kind of share, you know, how that transition has come along and, you know, kind of give us an update on what's going on at Centrify and where you guys are going next.
Yeah, so we were acquired about a year and a half ago now by private equity and, you know, they basically, they take later stage companies and help them get profitable, they increase value and then they look for going, taking that company IPO or selling it off, et cetera, right? But it's really about looking for opportunities in existing market with larger companies. A little venture capitalist will go after smaller, much larger risk. These are bigger dollar amounts, right? Larger companies, but then they look about how to optimize, they're very sophisticated on how to run a B2B business.

Thoma Bravo happens to have a huge investment in security companies. I think there was like eight or 10 companies there the other night.

Yeah, so they realize that this is a hot space right now so if they can take a company and create value that they realize that there's more stuff popping up, there's more money being invested and one of the things that, but not all private equity is created equal. Yes, they are about all about kind of optimizing increasing value but what we really found with Thoma Bravo is they're interested in investing in that company, looking at other fold-in acquisitions, et cetera and that's a part of a strategy for me as a manager and a part of the executive team when you're VC backed, they don't have the money to go after acquisitions like that. They make these smaller investments where Thoma Bravo actually does have the capital to look at other things that can be immediately accretive and add to your value and that's a real part of our strategy now that didn't exist before we were owned by PE.

In fact, I think they spun out a whole other company out of what your technology said, correct?
Exactly, so one of the unique things about our particular acquisition is Centrify was both a privileged access management and an identity as a service, an IDaaS company and they looked at what we were doing and they said, geez, you're really selling to two different markets and it's two different sales cycles and two different business models. We could actually create more value if we split these up and each of you focused on your individual markets and so there's an MQ and a market segment and a wave for IDaaS and there's an MQ and a wave, et cetera, for PAM but there's not anything that does both and that's what Centrify was so they actually, we completely divested our IDaaS capabilities, spun off an entirely separate company called Idaptive and so over the last year, that was a lot of the work that was going on and was splitting this company into two but it really provided us much more focus to go after the market that we were going after.

Well they wouldn't come in if they didn't see some opportunity to pull some more value out that was really being unlocked.

Absolutely.

All right, Andy, well thanks for taking a few minutes and great to catch up and best you for the rest of the show.

Awesome, thanks a lot, Jeff.

All right, he's Andy, I'm Jeff, you're watching theCUBE, we're at the RSA show in San Francisco. Thanks for watching, we'll see you next time.