 Hello, I'm John Furrier with SiliconANGLE Media, co-host of theCUBE. We are here on the ground, here in Santa Clara, California, at Centrify's headquarters, with Tom Camp, the CEO of Centrify, and Parham F. Takari, who's the co-founder and senior fellow at ICIT, which is the Institute of Critical Infrastructure Technologies. Here to talk about security conversation guides, welcome to theCUBE's on the ground. Thank you. Great to be here. Great to see you again, Tom. Yeah, absolutely. Congratulations on all your success, and Parham, the GovCloud is hot. We're just in D.C. with Amazon Web Services, Public Sector Summit, and it's gotten more and more to the point where cyber is in the front conversation and the political conversation, but on the commercial side as well, there's incidents happening every day. Just this past month, HBO, Game of Thrones has been hijacked and ransomed. I guess that's ransomware, technically, and a hack. That's high profile, but case after case of high profile incidents on the commercial side. Public sector side, nobody knows what's happening. Why is security evolving slow right now? Why isn't it going faster? Can you guys talk about the state of the security market? Yeah, well, you know, I think first of all, you have to look at the landscape. I mean, our public and private sector organizations are being pummeled every day by nation states, mercenaries, cyber criminals, script kiddies, cyber jihadists, and they're exploiting vulnerabilities that are inherent in our antiquated legacy systems that are put together by, you know, with a Frankenstein network, as well as devices and systems and apps that are built without security by design. And we're seeing the results, as you said, right? We're seeing an inundation of breaches on a daily basis and many more that we don't hear about. We're seeing weaponized data, excuse me, being weaponized and used against us to make us question the integrity of our democratic process. And we're seeing now a rise and focus on what could be the outcome of a cyber kinetic incident, which ultimately, in the worst case scenario, could have a loss of life. And so I think, you know, as we talk about cyber and what it is we're trying to accomplish as a community, we ultimately have a responsibility to elevate the conversation and make sure that it's not an option, but it is a priority. Yeah, no, look, I mean, here we are in a situation in which the industry is spending close to $80 billion a year and it's growing 10%. But the number of attacks are increasing much more than 10%. And as Parham said, you know, we literally had an election impacted by cybersecurity. It's on the front page with HBO, et cetera. And I really think that we're now in a situation where we really need to rethink how we do security in as enterprises and as even individuals. And it seemed to talk about just HBO, I thought about the government you mentioned, that just the chaos that's going on here in America, you almost don't know what you don't know. And with the whole news cycle going on around this, but let's get back to this notion of critical infrastructure. I love that name that you have in your title, ICIT Institute of Critical Infrastructure because certainly the government has had critical infrastructure. There's been bridges and roads and whatnot, they've had the DNS servers, there's been some critical infrastructure, the airports and whatnot. But for corporations, the critical infrastructure used to be the front door and then their data center. Now with cloud, no perimeter, we've talked about this on the queue before, you start to change the notion of what critical infrastructure is. So I guess, Param, what does critical infrastructure mean from a public and commercial perspective, Tom, you can talk about it. And what's the priorities for businesses and governments to figure out what's the order of operations to get to the bottom of making sure I'm insecure? Yeah, it's interesting, it's a great question. When most people think about critical infrastructure as legacy technology or legacies, it's roads, bridges, it's dams. But if you look at the Department of Homeland Security, they have 16 sectors that they are tasked with protecting and includes healthcare, finance, energy, communications. So as we see technology start to become more and more ingrained in all these different sectors, and we're not just talking about data, we're talking about ICS-SCADA systems, a digital attack against any one of these critical infrastructure sectors can have different types of outcomes, whether you're talking about a commercial sector organization or the government. One of the things that we always talk about is really the importance of elevating the conversations I mentioned earlier and putting security before profits. I think ultimately we've gotten to the situation because a lot of companies do a cost-benefit analysis. So you know what, maybe in the healthcare sector, and ultimately it'll be cheaper for me to be breached, pay my fines, deal with potentially even the loss to my brand in terms of brand value, and that'll be cheaper than investing what I need to to protect my patients and their information, and that's the wrong way to look at it. I think now as we were talking about this week, the cost of all this is going higher, which is gonna help, but I think we need to start seeing this fundamental mind shift in how we are prioritizing security. As I mentioned earlier, it's not an option, it must be a requisite. Yeah, I think what we're seeing now is in the years past, the hackers would get at some bits of information, but now we're seeing with HBO, with Sony, they can strip mine an entire company, right? Yeah, put them out of business. Exactly. The money that they're dealing with ransomware, which is a little bit higher profile ransomware, I mean, there's a specific business outcome here and it's not looking good. They go out of business. Oh, absolutely. And so, Centrify, we just recently sponsored a survey and nowadays, if you announce that you got breached and you have to announce, because you have to tell your shareholders, you have to tell your customers, your stock drops on average 5% in a day. And so we're talking about billions of dollars of market capitalization that can disappear with a breach as well. So we're beyond, it's like, oh, they stole some data, we'll send out a letter to our customers and we'll give them free experience for a year or something like that. Now it's like all your IP, all the content. And John, I think you raised a very good point as well. In the case of the federal government, it's still about the infrastructure being physical items. And of course, with internet of things, it's now connected to the internet. So it's really scary that a bridge can flip open by some guy in the Ukraine or Russia fiddling with it. But now with enterprises, it's less and less physical to store and we're now going through this massive shift to the cloud and more and more of your IP is controlled and run. And it's the complete deprimitization that makes things even more complicated. It's interesting you mentioned the industrial aspect with the bridge, because this is actually a real issue with self-driving cars. This is on everyone's mind. We're just covering some content, covering Ford's event yesterday in San Francisco. Again, it's a huge problem, hacking of the cars. So industrial, industrial IoT opens up, again, the surface area. But this kind of brings the question down to customers that you guys have, or companies or governments. How do they become resilient? How do they put steps in place? Because it's just talking to someone who runs a major port in the US and the issues there are maritime, right? So when you talk about chemical infrastructure, container ships, obviously you worry about terrorists and other things, bad things happening. But just the general IT infrastructure is Neanderthal. It's like 30 years old. So you have legacy infrastructure, as you mentioned. But businesses also have legacy. So how do you balance where you are? How do you know the progress bar of your protection? How do you know the things you need to put in place? How do you get to resilience? Yeah, but see, I think there also needs to be a rethink of security because the traditional ways that people did it was protecting the perimeter, having antivirus, firewalls, et cetera. But things have really changed. And so now what we're seeing is that identity has become the top attack vector going in. And so if you look at all these hacks and breaches, it's the stealing of usernames and passwords. So people are doing a good job of, the hackers are social engineering, the actual users. And so kind of a focus needs a shift of securing the old perimeter to focusing on securing the user. Is it really John Furrier trying to access email? Can we leverage biometrics in this? And trying to move to the concept of a zero trust model and where you have to, can't trust the network, can't trust the IP address, but you need to factor in a lot of different aspects. Just following the story about blockchain because we've been covering a lot of the blockchain, immutable, encrypted, the wallets, which are. Yeah, yeah. That's like, hey, why don't, let's just go to the wallet when they store the money. Now we own that encrypted data. So again, this is, the hackers are fast. So again, back to companies because they have to put, they have shareholder issues or they have some corporate governance issues. But at the end of the day, it's a moving train. How does the government offer support? How do companies put it in place? What do they need to do? Yeah, well, from, there's a couple of things you can look at. First of all, as a think tank, we are active on Capitol Hill working with members of both majority majority sides who are actively proposing bipartisan legislation which provides meaningful movement forward to secure and address some of the issues you're talking about. Senator Marquis recently put out the Cyber Shield Act which creates a type of score, right? For a device kind of like the energy star in the energy sector. So just this week, ICIT put out a paper in support of an amendment by Senator Lindsey Graham which actually addresses the inherent vulnerabilities in our election systems, right? So there's a lot of good work being done and that really goes to the core of what we do and the reasons that we're partnering together. ICIT is in the business of educating and advising. We put out research, we make it freely available, we don't believe in commoditizing information, we believe in liberating it. So we get it in the hands of as many people as possible and then we get this objective research and use it as a stepping stone to educate and to advise and it could be through meetings, it could be through events, it could be through conversations with the media but I think this educational process is really critical to start to change the mind as far as talking about it. If I can add to that, I think what really needs to be done with security is better information sharing and it's with other governments and enterprises that are under attack sharing that information as opposed to only having it for themselves and their advantage. And then also what's required is better knowledge of what are the best practices that need to be done to better protect both government and enterprises. Well, because I wanna shift gears and talk about CyberConnect event, which is coming up in November, an industry event, you guys are sponsoring and Centrify but you guys are also involved is running the content program. It's an independent event, it's targeted to the industry, not as a Centrify user group. Param, I wanna put you in the spot before we get to the CyberConnect event. You mentioned the elections. What's the general, and I'm still looking back, so I gotta ask the question because you're in the trenches down in DC. What is the general sentiment in DC right now on the hacking? Because as explained to my son the other day, I'm like, yeah, the Russians probably hacked everybody. So technically the election fell into that market basket of hacks. So maybe they did hack you. So I'm just hand waving that but it probably makes sense. The question is, how real is the hacking threat in the minds of the folks in DC around Russia and potentially China in these areas? Yeah, I think the threat is absolutely real but I think there has to be a difference between media on both sides politicizing the conversation. There's a difference between somebody going in and actually changing your vote from one side to the other. There's also the conversation about the weaponization of data and what we do know that Russia is doing with regards to having armies of trolls out there who are with fake profiles and are creating full conversations and steering public sentiment of perception in directions that maybe wasn't already there. And so I think part of the hysteria that we see I think we're fearful and we have a right to be fearful but I think taking the emotion and the politics out of it and actually doing forensic assessments from an objective perspective to understand what truly is going on. We are having our information stolen. There is a risk that a nation state could execute a very high impact digital attack that has a loss of life. We do know that foreign states are trying to impact the outcomes of our democratic processes. I think it's important to understand though how are they doing it and is what we're reading about truly what's happening kind of on the streets. And that's where the industrial thing you were kind of tying together. That's the loss of life potential using digital as an attack vector into something that could have a physical and ultimately deadly outcome. Yeah, we covered also that story that was put out about the fake news infrastructure. It's not just the content that they're making up. It's actually the infrastructure of fake news and botnets and whatnot. And I think Micro wrote a story on this where they actually detailed you can smear a journalist with 40K. Yeah. The agencies out there that are built for specifically these counter programs. Yeah, it's as a service. You know, go on a forum on the deep web and you can contract these types of things out. I mean, it's absolutely out there. And then what do you say to your average American friends that you say, hey, having a cocktail with you at dinner, hey, what's going on with security? What do you say to them? You should be worried, calm down, don't we're on it. What's the message that you share with your friends that aren't in the industry? Personally, I think the message is, you know, you need to be vigilant. You need to, it may be annoying, but you do have to practice good cyber hygiene. Think about your passwords. Think about what you're sharing on social media. We also talk and I personally believe that some of these things will not change unless we as consumers change what is acceptable to us. If we stop buying devices or systems or apps based on the convenience that it brings to our lives and we say, I'm not gonna spend money on that car because I don't know if it's secure enough for me, you will see industry change very quickly. So I think- Consumer behavior is critical. Absolutely. Definitely a piece of it. All right guys, so exciting event coming up. The Cube will be covering the CyberConnect event in November, the dates I think November. Sixth and seventh. Sixth and seventh in New York City, the Grand High. Talk about the curriculum because this is a unique event where you guys are bringing your sponsorship to the table but providing an open industry event. What's the curriculum? What's the agenda? What's the purpose of the event? Yeah, Tom. Okay, I'll take it. Yeah, I mean historically like other security vendors we've had our users conference, right? And what we found is that as you alluded to that there just needs to be better education of what's going on. And so instead of just limiting it to us talking to our customers about us we really need to broaden the conversation. And so that's why we brought in ICIT to really help us broaden the conversation, raise more awareness and visibility for what needs to be done. So this is a pretty unique conference in that we're having a lot of CSOs from some incredible enterprise as well as government. General Alexander, the form of the cybersecurity command is a keynote but we have the CSO of Aetna Blue Cross involved as well. So we wanna raise awareness in terms of what are the best practices? What are the leading minds thinking about security? And in parallel also for our customers we're gonna have a parallel track where if they wanna get more product focused technology. So this is not a center-fi event. This is an industry event. Black Hat is great, RSA is great but it's really more at the kind of the bits and bytes. They're very narrow but here's the, but you are only in a technique layer. Yeah. This is a big issue. What about these other issues? Will you discuss that? Oh, absolutely. Is it just identity or is it more? It absolutely is more and this is one of the reasons just at a macro level the work that we've done with center-fi for a number of years now. We have shared the same philosophy that we have a responsibility as experts in the cyberspace to move the industry forward and to really usher in almost a cybersecurity renaissance if you will. And so this is really the vision behind CyberConnect. So if you look at the curriculum we're talking about corporate espionage and how it's impacting commercial organizations we're talking about the role of machine learning based artificial intelligence. We'll be talking about the importance of encrypting your data about security by design, about what's going on with the botnet epidemic that's out there. So there absolutely will be a very balanced program and it has again driven and grounded in that research that ICIT is putting out in the relationships that we have with some of these key players. So the Institute of Critical Infrastructure Technology the think tank that you're the co-founder of has those broad, you bring that broad agenda to CyberConnect, correct? That's correct, absolutely. So this is awesome, congratulations. So I got to ask on the thought leadership side you guys have been working together. Can you just talk about your relationship between Centrify and ICIT, trust that you're independent, you guys are a vendor. Tell us about this relationship and why it's so important for this event. Well, absolutely. I mean, look, as a security vendor a lot of a big percentage of security vendors sell into the US federal government and through those conversations that a lot of the CISOs at these governments were pointing us to these ICIT guys, right? And we got awareness and visibility through that. And it was like they were just doing great stuff in terms of talking about, yes, Centrify is a leading identity provider but people are looking for a complete solution and looking for a balanced way to look at it. And so we felt that it would be a great opportunity to partner with these guys. And so we sponsored an event that they did Winter Summit and they did such a great job and the content was amazing and the people they had that we said, you know what? Let's make this more of a general thing and let's just, let's be in the background helping facilitate this but let the people hear about this good information. So you figured out the community model. Is it? You underwrote the content. No, because this is really what's works. You got enable, you're enabling this conversation and more than ever in the security space, love to get your perspective on this is that there's an ethos developing, it has been developed and it's expanding aggressively. Kind of open source on one side but security is all about data sharing. You mentioned the disclosure from the packing standpoint that's more of a statutory filing but here the security space is highly communicative. They talk to each other and there's a trust relationship so you're essentially bringing an independent event, you're funding it. Yeah, absolutely. It's not your event. This is an independent event. Absolutely. Yeah, and so I mean, Tom said it very well as an institute, we rely on the cap financial capital that comes in from our partners like Centrify and so we would be unable to deliver at a large scale the value that we do to the legislative community, to federal agencies in the commercial sector and the institute's research is being shared on NATO libraries and embassies around the world. So I mean, this is really a global operation that we have and so when we talk about layered security, right, we're not into a silver bullet solution and a lot of full experts out there would say, I have the answer. We know that there's a layered approach that needs to be done. Centrify, they have a technology that plays a part in that but even more important than that for us is that they share that same philosophy and we do see ourselves as being able to usher in the change that's required to move everything forward and so it's been a great, and we have a lot of plans for the next few years ahead. Absolutely. That's great work. You're bringing some great content to the table and that's what people want and they can see who's enabling it. That's great business model for everyone. I got to ask one question though about your business. I love the critical infrastructure focus and I like the value you guys are bringing but you guys have this fellow program. Can you just talk about this, because you're part of the fellow, should be at the level. And I don't want to say accreditation, it's not really going to be accredited. It's a badge, it's a bar. You guys have to explain the fellow program. That's a great question. At the Institute we have a core group of experts who represent different technology niches. They make up our fellow program and so as I discussed earlier, when we're putting out research, when we're educating the media, when we're advising Congress, when we're doing the work of the Institute, we're constantly turning back to our fellow program members to provide some of that research and expertise and sharing, not just providing financial capital but really bringing that thought leadership to the table. Centrify is a part of our fellow's program and so we've been working with them for a number of years. It's very exclusive and there is a process. You have to be referred in by existing fellow program member. We have a lot of requests, but it really comes down to, do you understand what we're trying to accomplish? Do you share our same mission, our same values and can you be part of this elite community that we've built? And so, you know, Centrify is a big part of that. And the cloud obviously is accelerating everything, the gov cloud actions certainly in your space and we know what's going on in our world. Yeah, absolutely. The world's moving at a zillion miles an hour. It's like literally a moving train. So congratulations, CyberConnect event in November. Great event, check it out. theCUBE will be there. We'll have live coverage, we'll be broadcasting, we'll be documenting all the action and bringing it to you on the CUBE, obviously siliconangle.com and ukeban.com. John Furrier here at Centrify's headquarters in California in Silicon Valley. Thanks for watching.