Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto, California at the Chertoff event, Security in the Boardroom. And again, this is an event about elevating the security conversation beyond speeds and feeds and end points and IoT and ever increasing attack surfaces. And really, how do we elevate it into the boardroom discussion? Because that's where it needs to be before they wake up Monday morning and see their company's name in the newspaper, which is when you don't want to have your first conversation. So we're excited to have our next guest. He's Joe Gottlieb, the Senior Vice President of Corporate Development for SailPoint. Joe, welcome.

Thank you. Good to be here, Joe.

Absolutely. So for people who aren't familiar with SailPoint, why don't you give us a quick overview?

Sure. So SailPoint helps large enterprises control who has access to what. So at the end of the day, all the access that you need to do your job should fall into what your role is in the company and what projects you're working on. And for many companies, that's not what is proactively being delivered. You're accumulating a set of things based upon who you ask, who you know. And a lot of sort of inadvertent accumulation of things that you might need or you might not need. So we help companies put that under lock and key and under control. Make sure that there's a process for who should approve your access. How can we empower you quickly when you start your job? How can we transfer you to a new role if you move jobs? And most importantly, oftentimes, how do we take away things very systematically when you leave the company? So that's what we do in a nutshell.

So I would imagine before you get there, it's a hodgepodge of spreadsheets and Google Docs and all types of assorted and all sorts of random things.

This is a manual effort and it is just not systematic, which it has to be.
And what you have, when you don't have a systematic effort here that's filtered by business approvals and workflow processes, is accumulated surface area that need not be available to the attackers. We want to narrow that surface area by narrowing your access to only what's needed and keep it pruned as you evolve with your role in the company.

It seems like there's so much low-hanging fruit about just doing what you should be doing, just doing, you know, doing it and so many people don't apply patches. They don't systematically take people out of things when they leave the company. I mean, all these things that seem relatively simple on the surface from the outside, but in fact, in a lot of organizations are not simple by any stretch of imagination.

It's so true. In security in particular, right, it's a really hard job, but consistency and patience and methodic progress is really, really key. I liken it to the quality movement that we experienced in manufacturing over two decades ago, right? We started measuring. We started being consistent. We started thinking about what is the root cause of this or that and how can we continually make ourselves a bit better every time period. And so that's what some of the basics are all about and governance is a big part of that.

Okay, so you just got off a panel and the event here's really focused about the board room conversation. So let's just jump into that and you made an interesting conversation from the board about a portfolio approach which is only natural since you're a corp dev guy taking a portfolio strategy. So how should they think about the portfolio? I haven't heard anyone kind of discuss their tools in a portfolio kind of strategy method.

So let's zoom out on the context here, right? Boards are trying to provide governance. They need wisdom to provide governance. If they don't understand security at all, how can they be wise about it?
So there's definitely a really, really strong push to get the board being more proactive about demanding the right levels of security and being shown the data that they can have for how security is being applied. I like to look at security portfolio management as a great way to step out of the FUD domain where we have vendors selling us technologies that we don't understand and most of the people talking to us don't even understand, and into a domain where there's less of a bet on prevention, which we know isn't gonna happen, and more of a bet on monitoring and response, governance, which is just going back to the source and making sure people have the right access, and education, right? Helping end users understand what that phishing attack would look like, actually going through testing and really accumulating awareness of what to avoid because we know that's the easiest way to get started. Every attack starts with a phishing attack that compromises end user point in station and then moves laterally to the good stuff. So that portfolio view allows the board to start understanding how we're not making a bunch of hopeful bets on prevention that is elusive and we're actually making some balanced bets around the pieces of the puzzle that we know can give us immediate returns and we can measure against those returns.

And then what about the scale of the bets? We've talked about this with a few of the other guests that came on, because again, they're kind of likening it to insurance. You need to have some. You could be probably over-insured and there's not infinite resources. So there's always a yin and yang on how much do we invest and then what came up in the kickoff this morning and then how do we measure success? Because obviously success would be no problems but you probably need a much softer way to measure success.

Yeah, very true.
So this came up earlier in the discussion and that is you gotta get the board thinking about a risk posture where there are trade-offs, right? And you can't ask them, you can't use FUD on the board. You're gonna freak them out, right? You have to say, this is what I have to do to enable this business unit to operate at this velocity. And if they don't want that risk, here's the velocity that they ought to be operating within because we are less exposed at that velocity. And so translating it into these sorts of terms that the board understands in the world of business, they're well experienced in advising you on how to operate your business. They've thought about travel risks, they've thought about plant closure risks and they've thought about employee lawsuit risks, translate security into risks that they can also understand and then present your measurements and your investment trade-offs in that context. That's what the best practice appears to be. It's still really hard. And so here's the knock, right? You could have all that great thinking and still struggle because of the degree of difficulty here and you just have to keep at it.

Now, unfortunately, the CISO on the agenda at the board meeting was down toward the end of the day and just before him was the CMO and the head of sales and operations and they're like, we gotta go, we gotta go, we gotta go, it's digital transformation, we gotta go, we gotta go, we gotta go. Competitors are going like crazy, speed, speed, speed, digital transformation. That's what you beat us up about last quarter. So as people are trying to really evolve their companies, they're trying to move to a more digital platform, they're trying to innovate faster, they're trying to enable more people in the company to have access to the data and access to the tools so they can innovate faster. Does that then bang up when he sits down and the CISO stands up?

So digital transformation is an opportunity, right?
To me, it's just code for reinventing business around customer engagement. For many companies that have direct relationships to their customers in a broad form, at least it's that for them. That means there's an investment elasticity opportunity and so building security into that velocity we talked about or the mode of digital transformation that you're going to deliver is really, really key. So it's less about defending security as a horizontal utility that is generic and hard to place within the context of that digital transformation, that customer engagement, that velocity of business, it's that latter scenario. Actually, one of the folks on the panel that I was on, Debbie from PNC Bank, made a great point. She talks about security as part of the brand, part of the brand promise. We want people to trust our brand and so more and more, I would argue that the monetization and the maturation of the attack life cycle and the ability to take customer records and sell them has forced us to realize that's a distinct business risk. So losing all of our customer data is a huge business risk that business people now understand and you can equip them to reduce that risk with good security measures and while you're doing digital transformation, you have an opportunity to bake it in. So now you can suddenly say, hey look, we can fit that into the overall architecture. You want it to be a collaborative part of the new design versus an overlay which has typically been the approach when we've automated business on top of IT and then wrap security around that.

It's funny, you're the first person that's ever really tied security to trust and trust to brand because there's always an ongoing conversation about do brands matter? What is a brand, how are brands defined in an increasingly competitive world? So is security in that context table stakes or is it a competitive advantage?

Well, let me ask you a question. How's Yahoo's brand today?

Not so good.

After repeated losses, right?
I could name plenty. And so the circumstance and the experience and our ability to absorb that experience, frankly, through a lot of reporting, has helped us to know what we're up against, right? And what are the downsides? And that's just education. And so I think that's the good part of FUD, right? When things are reported accurately and we understand that these things have happened even if we learn a bit later, that's very necessary for us to say this is what needs to be done, just like anything else, right? When transportation evolved and we re-invented business at the speed of our new transportation happens and the way we collaborate, that was an impact. We now have to continue to think about business as being more digital and has to be more secure.

Well, Joe, it's been a great conversation and the other thing you nailed. You're the first person that ever talked about digital transformation as redefining your business process around customer engagement. That is spectacular. Well, thanks for sharing that. We'll use that. All right, thanks for stopping by.

You bet.

He's Joe Gottlieb. I'm Jeff Frick. You're watching theCUBE. We'll catch you next time.