 From Las Vegas, it's theCUBE, covering QALIS Security Conference 2019. Welcome to you by QALIS. Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at the QALIS Security Conference in Las Vegas. This show's been going on, I think, 19 years. It's our first time here. We're excited to be here. And we've got, you know, there's always these people that go between the vendor and the customer and back and forth. We've had it go in one way. Now we've got somebody who was at QALIS and now is out implementing the technology. We're excited to welcome Grant Johnson. He is the director of risk and compliance for Ancestry. Grant, great to see you. Thank you for having me. Great to be here. Yeah, so it is always interesting to me, and there's always a lot of people at these shows that, you know, kind of go back and forth between, you know, kind of creating the technology and delivering the technology versus implementing the technology and executing it at the customer side. So you saw an opportunity at Ancestry. What opportunity did you see and why did you make that move? It's also a good question. I, you know, was really happy where I was at. I worked here at QALIS for a long time, and but I had a good, a colleague of mine from way back just say, hey, look, took over as the chief information security officer at Ancestry and said, I've got an opportunity here. Do you want it? I said, hey, sure. I mean, it was really kind of a green field. It was the ability to kind of get in on the ground floor designing the processes, the environment, the people and everything to what I saw is really kind of a really cool opportunity. They were moving to the cloud, complete cloud infrastructure, which was, you know, a few years ago, you know, little uncommon. So it was just an opportunity to learn a lot of different things and kind of be thinking through some different processes and a way to fix it. So you've been there for a little while now, over three years. So kind of what was the current state and then what was the opportunity to really make some of those changes as kind of this new initiative with this new CISO? No, yeah. You know, we were traditional, you know, a server data center kind of background and everything like that. But with the way the company was starting to go as we were growing it, really just crazy, just at a crazy clip to where we really couldn't sustain. We wanted to go global. We wanted to have, you know, move ancestry out to Europe and to other environments and just see the growth that was going to happen there. And there just wasn't a way that we could do it with the traditional data center model or plugging those in over the place. So the idea is we're going to go to a cloud and with going to the cloud, we could really rethink the way that we do security and vulnerability management. And you know, as we went from a more traditional model, which is where you scan and tell people to patch and do things like that to where we can try to start to bake vulnerability management into the process and do a lot of different things. And you know, we've done some pretty cool things that way, I think, as a company. And you know, always evolving, always trying to be better and better every day, but it was a lot of fun and it's been really kind of a neat ride. So was there a lot of, you know, kind of app redesign and a whole bunch of kind of your core infrastructure, not boxes, but really kind of software infrastructure that had to be, you know, kind of redone around kind of a cloud focus so you could scale? Yeah, there absolutely was. We really couldn't lift and shift. We really had to take, you know, because we were taking advantage of the cloud environment, if we just lifted and shifted our old infrastructure in there, it wasn't going to take advantage of that cloud expansion like we needed it to. We needed it to be able to kind of handle a tide of high tide, low tide versus those traffic times when we're high and low. So it really took a rewrite and it was a lot of really neat people coming together. We basically, at the onset of this right when I started in 2016, the chief technology officer got up and said, you know, we're going to burn the ships. We have not signed a contract for our data center to rune in 18 months. So we have to go to the cloud. And, you know, it was really neat to see hundreds of people really come together and really make that happen. I've been involved, you know, in the corporate world for a long time in IT and a lot of those kind of projects fail and it was just really neat to see a big project like that actually get off the ground. Right, right. Now it's funny the burning the ships analogy is always an interesting, you know, Arnold Schwarzenegger, you know, never have a plan B because if you have a plan B, you're going to fall back. So just, you know, commit and go forward. A lot of truth to that. You're flying without a net, whatever, whatever kind of better for you want to use on that one. Yeah, but you have to succeed and there's a lot that'll get it done. I think if you just don't have that plan B. Right, so talk about kind of where Ancestry now is in terms of being able to roll out apps quicker in terms of being able to scale much larger in terms of being able to take advantages of a lot more, you know, kind of attack surface area which probably in the old model was probably not good. Now those are actually new touch points for customers. No, yeah. You know, it's a brave new world in a lot of aspects. I mean, to the first part of that, we're, you know, just a few days away from Cyber Monday which is, you know, our normal rate clip of transactions is about 10 to 12 transactions a second. During... It's a still a bump. It's Cyber Monday, still a bump. It's still huge for us. We... We have internet at home now. You don't have to go to work to get on there. You know, it's crazy. I don't get it. It still is, but you know, over the course of that weekend, kind of starting on Thanksgiving, we scale to have about 250 transactions a second. So, you know, that was kind of one of the good parts of the cloud that we do invest in the big iron and the big piping for your peak times of the year or in that sits, you're at seven to 10% utilization during the rest of the year, but you can handle those peaks well. So I mean, we're just getting into that time of year. So we're kind of, that's where our cloud expansion, where a lot of the value for that has come. In terms of attack surface, yeah, absolutely. I mean, you know, five years ago, I didn't even know what a container was. And we're taking advantage of a lot of that technology to kind of be able to move nimbly. You can't spin up a server fast enough to meet the demands of user online clicking things. You really have to go with containers and that also increases what you really need to be able to secure with people in the process and technology and everything like that. So it's been a challenge. It's been really kind of revitalizing and really kind of neat to me to kind of get in there and learn some new things and new stuff like that. That's great. So I want to ask you, it's made a little sensitive, not too sensitive, but kind of sensitive, right? It's with 23andMe and Ancestry and DNA, you know, kind of registries, et cetera. It's opened up kind of this whole new conversation around cold case and privacy and blah, blah, blah. I don't want to get into that. That's a whole different conversation. But in terms of your world and in terms of risk and compliance, that's a whole different type of a data set, I think, than probably existed in the early days of Ancestry.com where you're just trying to put your family tree together. So, you know, how does that, you know, kind of increased value, increased sensitivity, increased, you know, potential opportunity for problems impact the way that you do your job and the way that you structure kind of your compliance systems. Boy, that is, yeah, I mean, honestly, that's part of the reason why I joined the company is I really kind of saw this opportunity kind of be a part of, you know, really a new technology that's coming online. You know, I'd have to say... Or is it no different than everyone else's personal information and those types of things. It's just maybe just higher profile in the news today. Not at all. No, I mean, it kind of inherent within our company. We realized that, you know, our ability to grow and stay affable or just alive as a business, we pivot on security. And security for us and privacy is at the forefront. And I think one of the key changes that's done from maybe in other companies that I get is people from our development teams to our operations teams, to our security department, to our executives, we don't have to sell security to them. They really get it. It's our customer privacy and their data. We're asking people to share their most personal data with us. We can't, you know, we can give you a new credit card or you can get a new credit card number issued. We can't give you a new DNA sequence. So once it's out there, it's out there and it's just, it is the utmost to us. And like I said, we don't have to sell security internally. And with that, we've gotten a lot of support internally to be able to implement the kind of things that we needed to implement to keep that data as secure as we can. Well, that's nice to hear and probably really nice for you to be able to execute your job. You don't have to sell security. This is important, important stuff. All right, good. So you're jamming through the digital transformation. If we talk a year from now, kind of what's on your plate for the next year? You know, we just continue to evolve. We're trying to still continue to build in some of those processes that make us better, stronger, faster as we go through to respond to threats and just really kind of handle the global expansion that our company's undergoing right now and just want to keep the lights on and make sure that nobody even thinks about security when they can do this. And I think, you know, I can't speak for them, but I think we really want to lead the world in terms of privacy and customer trust and things like that. So there's a lot of things that I think we've got up coming up that we really want to want to kind of lead the way on. Good, good. That's a great, I think that's a great objective and you guys are in a good position to be, to be the shining light, to be, you know, kind of guiding in that direction. Because it's important stuff, but really important stuff. We hope so, we really do. Well, Grant, nothing but the best to you. Good luck and keep all that stuff locked down. Thank you so much. Thanks for helping me. He's Grant, I'm Jeff, you're watching theCUBE. We're at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching, we'll see you next time.