Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at security in the boardroom. It's a Chertoff event. They go all around the country and have these kind of small intimate events talking about security. And today it's really about the boardroom and escalating the conversation into the boardroom. So it's not a tech conversation. It's not a mobile phone management conversation. But really how do we get it up into the boardroom? And I'm really excited for our next guest. He's Michael Chertoff. He's a co-founder, executive chairman of the Chertoff Group with a long established career. And I'll let you go check out his LinkedIn. He's been Homeland Security and it's a long, long list. I won't even go there. And Jim Pflaging, he's the principal technology sector and strategy performance lead also for the Chertoff Group. Thanks, Jim. Kick it off this morning and welcome both of you. So first off, Jim, a little bit about this event. What is this event and what is Chertoff trying to accomplish with this little bit of a road tour?

Well, so I think it's important to know that we're passionate about the importance of security. I mean, with Secretary Chertoff and Chad Sweet's background, they were at sort of the ground floor of seeing the importance to our country. So we created the firm to focus wholly on security and to help firms with the whole life cycle of issues as a risk, as a business opportunity, as a catalyst for growth. And it was back in 2013 when some stakeholders around and said, hey, you guys have a bunch of ex-DHS folks. There's a bunch of interesting identity technology issues that are coming to the surface and other technology issues. Why don't you bring a group together and do it? We said, well, we're not an event company, but we went ahead and had a conversation back in DC. It was a big success. And then it was a little bit like that line from the Godfather where they say, they keep pulling me back. They keep pulling me back.
So here we are on our 10th event. We've been to Silicon Valley three times, New York, Houston, and then DC. And each time the idea is make it topical to the local community and make it topical for the issues at hand at the moment.

It's interesting the relationship and security specifically between government and technology companies. We do a lot of big technology shows and at IBM and HP, they're like, with the customers that we have distributed around the world and the regulations and compliance issues, in some ways we know more from a broad base of these global international customers than the government. On the other hand, the government's driving the compliance and has the privacy issues and hopefully looking out for people. So how do the two work more closely together to deliver better solutions?

Well, in fairness to the government, the government also has access to information and intelligence that the private sector doesn't have. So there's kind of, each brings to the table a certain set of capabilities. And part of the challenge is to have people speak the same language. The government has tended over the years to develop a very rigid system of procuring, of interacting with the private sector out here in Silicon Valley and in other tech centers. There's a lot of focus on being innovative and nimble and sometimes those two cultures need to be bridged. And actually one of the things we started out doing was trying to bridge those cultures, helping the technology companies understand some of the objectives that the government had in terms of security and the economy and helping the government understand what's out there, what are the capabilities and the techniques that you might use. Because without an awareness of the art of the possible it's very hard to lay out a strategy for securing cyberspace.

Right. And the whole security space to me, we talk a little bit before we turn the cameras on, feels like insurance. You know you gotta do something, right?
You can't go unprotected. But by the same token, you can't be 100% but do you invest forever, right? Because at the end of the day for a private company, you know you have limited resources, government too. So when these conversations are happening and then what we're talking here about the boardroom, right? The worst way a board member wants to get involved is when you read the Wall Street Journal on Monday morning and he sees that his company has been breached and he's in the big, big trouble. So how is the relative importance of security investment changing in the boardrooms? What are you seeing? How is that evolving?

So from my standpoint, it's about first of all understanding it's a risk, not security. You're managing the risk. You're not guaranteeing people nothing bad will ever happen. The analogy I use, as I said to people, it's like physical health. You know, go to your doctor and say, doctor, I want you to guarantee I'll never get sick. The doctor would throw you out of the office or you'd have you committed. What you do is you say, look, doctor, I'd like to be healthy. I'd like to have a healthy immune system. I'd like to keep most of the bacteria and the viruses out of my body, but I'd like to know if I do get invaded by bacteria or viruses, which will inevitably happen. I've got a system that can detect it and the white blood cells will eliminate it. That's why I get vaccinated. That's why I do other things to keep my immune system up. And that sense of managing expectations, I think, is critical for the board. If the board wants a guarantee we will never get hacked, then it's not realistic. If the board wants to understand what are the most important parts of our body politic, our corporate body we have to protect, and how do we build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough.

Right.
But then as you said, you want to be healthy, but then we still go to bars and have a drink and we eat ice cream when we probably shouldn't. So in the security, so many of the percentage of the security problems are caused by people that didn't update their patches or they're responding to this great opportunity to get a bunch of money out of an African prince. So how are we changing the culture on the people process? You made an interesting comment about culture. We always talk about people process and technology, but you threw the culture piece in, which I thought was a pretty interesting twist on just people.

I think that's a key piece and it's an area where the board can actually lead and this is when it has to start from the top. If management and the board says, hey, this is a technical issue and we're just going to leave it for that security team down the hall, I think you failed out right out of the gate. You need a CEO-led cyber-conscious culture, security-conscious culture that shows that we value it and that ultimately you're going to spend time and money to reward the behavior that you're looking for to then retain and grow that organization. But it's then looking at it both as a risk, as Secretary said, but increasingly, it's part of an opportunity. It's part of an opportunity to engage your customers in a new way, show that you're really a trusted partner, you value and will hold private the information that you're collecting about them. As we hurtle into IoT and driverless cars that are generating massive amounts of information, more and more people are going to want to do business with people that are good stewards of that information that they collect.

And I think the interesting thing that came up as well is it's not really the technology, it's not even the breaches, we talked a little bit about the whole iPhone encryption thing, now we all have Alexa sitting in our house, is Alexa listening all the time?
I heard of a case where they actually went back to the Alexa on a domestic dispute or domestic violence to see if Alexa had collected evidence and listened into this domestic violence attack. But the privacy issues are tremendous. So as all these things get weighed, again, you made an interesting comment. How do we define success? What does success look like? Because it's not never, in the financial services industry, your worst nightmare is too many false positives as you're turning down people's bank account credit card. So what does success look like? How should people be thinking about success?

Well, so I mean, and I think there are a couple of different dimensions to this, as Jim mentioned earlier, I mean, to the extent you are a steward of other people's data, your ability to promise them it'll be secure, it'll be private, and then execute on the promise is an important part of your business proposition. To the extent you have your own business secrets and your own business confidences you wanna protect, that's important. But you're raising something with different issues, which is we do make deliberate decisions sometimes to bring into our homes and to our lives the kind of collection of information that is a feature and not a bug. That's gotta be a deliberate decision because once you collect the information, as an example of the Alexa recording of some domestic disturbance, that's gonna be there for somebody else to get using a lawful process or otherwise. So part of, again, the process of culture and education is always asking, why do we wanna collect? Why do we wanna hold? What are we connecting to? You can make an intelligent decision, but you've gotta ask the question first.

Right, right.
Although I heard an interesting twist on that one time where even if you go through that analysis and you say, okay, based on these, on yes, yes, and this is why, we're gonna collect this data, what you don't know is what someone else might do with that data in a different scenario down the road. So even if you're a responsible steward of that activity, there's always a chance of something else could happen. So it's even kind of a double.

I mean this is one of the byproducts that people talk about with big data. And it's a techie term, but people talk about a data lake where we're collecting this, we're collecting this, we're collecting that. In and of itself, there's not sensitive information. But if you connect different breadcrumbs about a person's activity and their identity, wow, all of a sudden that can be incredibly sensitive. So that's one of the issues that we've been dealing with in the tech community is how to enable us to collect that information, make good decisions from it, but understand the resultant security issues that come.

That's a fascinating issue because I think what a lot of people don't understand is, although individual items collected may seem fairly benign, the ability to aggregate and store all the amount of data is huge. And the perfect example is, people always walking around taking selfies or pictures or putting things in their social media. And the third parties never really get into that. And I normally say, well, let's find someone who took a picture of me, it's gonna be in their house or whatever, who cares. But if it's all up in the cloud and someone has the ability to aggregate all that, and all of a sudden get a picture of everybody who's ever taken a photograph of me or mentioned me or I've had some interaction with, all of a sudden, unbeknownst to me, someone could really get a 24/7 picture of all of my life. So how do you deal with those issues?
Some of these are legal questions, some of them are technical questions, but I do think we're on the cusp of having to have some serious conversation about this.

So they're gonna come yank you guys back into the conference. And I thank you for taking a few minutes to come sit down with us. So I just want to kind of wrap up again with the board. As you talk to the boards, and we've talked about kind of things that are happening now, things that happened in the relative recent past, as you look forward, what's kind of your takeaway for them as you've sat around, you've talked about all this kind of crazy scary stuff and how they should think about it, as you tell them to look forward, what's your advice?

Well, if I could start with that. So today we released some results from a study we did around this topic, is what do boards really think about security? Is it discussed? Is it a boardroom competency? And we interviewed over 100 senior execs, a vast percentage, 40% who were responding as a board member. And what we found was there's a tale of two cities, two cyber cities. If you're in a large public US company in what would be called critical infrastructure, finance, healthcare, telecom, yeah. The directors and the board, they're very well versed in cyber. It's been discussed, it's part of a risk management program, and they have very good CSOs, good interaction with the board. Then there's everybody else. And I would say this actually reflects the boards that I sit on, is that, you know, cyber's not discussed. It's maybe in reaction to a breach, but it's a technical discussion. And most directors self-report, we're not where we need to be on education. So then just quickly as a finish, what we launched today was a seven-point plan, a blueprint for directors to help guide areas that they can ask questions, document, review, kind of move them up their cyber literacy curve.
I think the other thing I would say is this, and I really sympathize with the small and medium enterprises, which simply don't have the money to invest in terms of building up a whole standalone security system. I think that takes us more and more to outsourcing some of these functions. Some of it is the cloud, because you put your data up there. Some of it is outsourcing the intelligence and information to know what's coming. It's managed services, because most of these smaller companies, even if their heart is in the right place, they just don't have the scale to do what a major bank, for example, can do in terms of an operation center.

Yeah, I think that's such a big piece of the cloud story, you know, sitting through some of the James Hamilton Tuesday night at AWS re:Invent, if you ever get a chance to go to that, and he talks about the investment into infrastructure, security, networking, you name it, that Amazon can make at scale, that nobody else, except for a very small group of companies, can make that type of investment, they just don't have money. All right, well, we'll leave it there for now. Really appreciate you stopping by, great event, and thanks for having theCUBE.

Thanks for having us.

All right, it's Michael, Jim, I'm Jeff, you're watching theCUBE, we'll be right back.