Okay, we're back with Jim Shook, who is the Director of the Cybersecurity and Compliance Practice at Dell Technologies. Jim, good to see you. Thanks for coming on theCUBE.

Dave, thank you. Delighted to be here in person with you.

That's great to be in studio. It's always a better conversation, right? So for our audience, Jim is someone who spends an enormous amount of time with customers. So we're going to dig into what's changed in the conversations, and in particular, who are the decision makers these days regarding cybersecurity and data protection versus in the past. Jim, what about it? What's changed? Who's driving the bus these days?

Yeah, I've had a good perspective on this, Dave, because I've been talking to our customers now about cyber resilience and recovery from ransomware destruction for eight years. And we've really evolved the conversation over that time. One of the things I've seen that I think is really important is we've moved from having just, say, IT and infrastructure at the table to talk about these things. We added along the way that cybersecurity took an interest, obviously. We get risk and compliance from time to time, but even legal will get involved. Now it's a lot of seats at the table are taken by people who are focused on the business. Sometimes it's the C-suite, sometimes it's heads of business lines, but that's been a really important development.

And audit, too, right? Audit, in some cases, from a process standpoint, is like the last line of defense. Actually, backup and recovery is the last line of defense, and we're going to talk about that a little bit. But as you point out, and I'll share with the audience, I've observed, and I think most people understand this, exactly what Jim was saying, that cyber, it was once the domain of IT and the SecOps team, and then it became a boardroom issue, and it now feels as though it's organization-wide. And Jim, has cybersecurity in your mind gone mainstream, and if so, why is that?

It definitely, definitely has, especially over that same timeframe. We get more and more digitally oriented over time, and so businesses have realized that they are digital. And so cybersecurity, cyber attacks are a threat to the business, just as any other threat would have been before cyber really came along and became an issue. So if you're not protecting against those threats and have the ability to be resilient to them, you're not protecting your business. And it's everybody's job to do that. I think it's really interesting that the business has become more involved, and that's also evolved the conversation to focus more on outcomes. What happens, how can we return to business and how much time versus say, let's buy the next shiny toy or have a cyber control that does this, it's more focusing on the business outcome.

It seems like there was a change. When the board started to get involved, it was almost like prior to that, it's kind of early last decade, let's say, it was like this, there was a mentality of failure equals fire. So a lot of times people were like, don't talk about that. And we saw that change where folks who understand cyber would come to the board and say, no, you are going to get attacked, you were going to get infiltrated, it's going to happen. So it's all about that response and you got to be transparent. Do you agree with that, that that sort of failure equals fire mentality has changed and there's now much more transparency and that's part of this sort of mainstream awareness?

Yeah, clearly. And it's been a really good development. It used to be a lot of times cybersecurity teams would not get involved in these conversations because their thought was well, if we're having a recovery conversation, if we're working on being more resilient, we failed at our job. They've realized that's not the case. The attackers are going to be successful sometimes and part of a good cyber practice is the resilience and the ability to recover if those attacks are successful.

Now, Jim is a lawyer. So, and there's an intersection going on at the board level between cybersecurity and legal issues. So, Jim, we want to understand that from your, put on your legal hat for a second. What's that board discussion like these days?

It's really interesting. The board is aware that these are risks to the business so they have to become more involved. There's regulatory pressure. The SEC has been looking at new rules that might come out this month. They might come out in the fall that's going to require the board to take more interest and have more expertise in these areas. There's just risk to the business and that's always what one of the things that the board has focused on. And I'll give you a really good example where the board's getting more involved. It's in the idea of having to pay a ransom. So a lot of times I would hear from customers, well, we're not worried about this problem. Worst case, we'll just pay the ransom. Why not? Yeah. And they don't understand sometimes there is no ransom to pay. Sometimes it takes longer to recover if you have the ransom. But from the board perspective, I think where they got interested is there are some laws that will prevent you from paying a ransom depending on who gets the money. So those get really complex. It's very difficult to tell who's going to get the money. So you may make a payment and then get in trouble later on even though you've been diligent with your process. That's high risk. And so the better outcome is to not have to pay the ransom. It's to be prepared to recover.

Clearly, but I got to ask you. So you're saying it's illegal, because, not necessarily to pay a ransom, but it's illegal to, what, pay a felon?

Yeah, there are laws on the books in the financial industry that say you can't do business with certain restricted nationals or geographical areas. So North Korea is a really good example of that. If you do business with them and paying a ransom to them would be doing business with them, you violated those laws.

Yeah, this is where you definitely need somebody who understands the law to figure this stuff out. All right, let's talk about misconceptions. What are the most common misconceptions that you see in cybersecurity that people really need to understand?

I think I still see a lot of the same ones but fortunately we've all learned along the way and I don't see them quite as frequently. A big one is that the thought that we've already invested in disaster recovery and that's going to cover us for a cyber recovery situation. And that's just not the case. The technologies that you have for outages and natural disasters are still as important as they ever were. Think about backup, think about replication, even continuous data protection. They're not going to help you very much in a what we would call severe but plausible cyber disruption. So you have to look at those things separately. You're not, you spend a lot of money and time. It's just not going to help you that much in those types of disruptions.

What about the cloud? I mean, a lot of people think, well, I got my data in the cloud. Those guys have awesome security, which they do by the way. They do. But does the cloud solve my problem? Do I have to not worry about it? If my data's in the cloud?

I think there's still some misconceptions out there. And if you think about in the cloud, the shared responsibility model, your cloud provider or your SaaS provider, whoever you're working with covers certain things, but you maintain responsibility for other things. And if you're not understanding where that point is, what is your responsibility? You're going to be in trouble. Ultimately, and I've heard this a lot from regulators, they don't care who you use as a partner, who you use for a cloud provider. It's on you to make sure that things work properly.

Jim, are there any other misconceptions that you want people to know about?

Yeah, there's a few that come to mind pretty quickly that I'm hearing frequently. One is we're not a target. We don't need to worry about this. And I think that totally misunderstands the landscape. Everybody's a target. You think about attacks like NotPetya, a lot of organizations were not focused on the target, but were collateral damage because sometimes malware does unexpected things. And really anybody who has a presence on the internet, the bad actors many times look for just the vulnerability that's out there. And if they can find it, they'll leverage it. They're not looking to see who has the vulnerability, just somebody has it, I get in, I lock up their data, I demand my data.

They're knocking on doors and it's automated. Door's open, I'm going in. And if I get something out of it, great. If not, I'll move on.

That's exactly. Another one is we have cyber insurance. And cyber insurance is definitely a component of an overall risk strategy. You help to transfer some of the risk, but it's not the strategy. You have to be secure. In fact, in today's world, if you don't have good cybersecurity, you may not be able to get a cyber policy at all. And in any case, an attack is always going to have costs related to it. There are going to be exclusions in insurance policies. You know, ultimately, an insurance policy is just a contract. And the terms of that contract control. There's no such thing as cyber insurance and everybody gets it. It's what you negotiate with the provider.

That's a big one. I heard Warren Buffett on TV the other day. You know, they, you know, Berkshire owns GEICO, saying they're now going to six, every six months they changed the policy. He'd love to go to a month. So, you know, you're exposed.

Yeah, absolutely. It's a key component. And the third one is kind of along similar lines, but it's a technical side of it. We have turned on immutability on our storage platform. And that's a great control. We talk about that a lot in our data protection portfolio with our Data Domain. Turn on that Retention Lock, but it's not the destination. It's really a first step. It will make you much more resilient, but there's a lot of other things that you have to do to really build that resilience.

Tell us why customers should trust Dell for their, you know, cybersecurity strategy generally. But, you know, you guys obviously, we're talking data protection and backup and recovery. Why Dell?

I think there's a lot of reasons. I mean, we have a big practice group. So my group alone, eight years that we've, since we founded it, just out there to help customers understand and deal with these problems. That kind of fits into the whole idea of Dell's global scale and skill. We're everywhere. We have a lot of expertise. We have certainly a wide range of offerings, best in class among compute to storage to the things that we do in the cloud with the hyperscalers, our partners are consulting, all of those things really tie together. And Dave, those are becoming more important because a lot of customers are working on their cyber strategy, which includes a component of managing and the risk from their third-party service providers. So as part of that, number one, they have to vet their partners. And number two, many of them are scaling back. They don't want to have 200, 300 people that they do business with. And so our ability to have those offerings to have all that global scale and skill is important. And then when they dive deeper and they have to make sure that their partners are doing the right things to protect them, the things that we do with secure development lifecycle, things that we do with the secure supply chain are really powerful. We don't talk about those enough, we're starting to talk about them more and surfacing those for our customers so that they understand what we're doing in that space.

All right, Jim, thank you. Appreciate your time.

Thanks, Dave.

Okay, in a moment, I'll be back to share some new information about data protection and its relationship to a comprehensive cybersecurity strategy. Keep it right there.