 The Cube presents Ignite 22, brought to you by Palo Alto Networks. Hey, welcome back to Vegas. Great to have you. We're pleased that you're watching the Cube, Lisa Martin and Dave Vellante. Day two of theCUBE's coverage of Palo Alto Ignite 22 from the MGM Grand. Dave, we're going to be talking about data. No, I love data. I do know you love data. Survey data. There is a great new survey that Palo Alto Networks just published yesterday. What's next in cyber? We're going to be digging through it with our CMO. Who better to talk about data with than a CMO that has a PhD in machine learning? We're very pleased to welcome to the program, Zaynab Osmeir, CMO of Palo Alto Networks. Great to have you. Thank you for joining us. It's a pleasure to be here. First, I got to ask you about your PhD, your background as a CMO is so interesting and unique. Give me a little bit of a history on that. Oh, absolutely. Yes. Yes, I admit that I'm a little bit of an untraditional marketing leader. I spent probably the first half of my career as a software engineer and a research scientist in the area of machine learning and speech signal processing, which is very uncommon. I admit that. It honestly, it has actually helped me immensely in my current role. I mean, you've spoken to Lee Claridge, I think, a little while ago. We have a very tight and close partnership with product and engineering teams at Palo Alto Networks. And cybersecurity is a very complex topic. And we're at a critical juncture right now where all of these new technologies, AI, machine learning, cloud computing, are going to really transform the industry. And I think that I'm very lucky as somebody who's very technically confident in all of those areas to partner with the best people and the leading company right now. So I'm very happy that my technical background is actually helping in this journey. Wait, aren't you like a molecular biologist? I'm a reformed medical. Yes. Okay. Well, there you go. There you go. Yes. But. A math guy over here. Yeah. You guys just, the story that I tease, the amount of data in there is unbelievable. This has just started in August. So a few months ago, Fresh Data, you surveyed 1,300 CXOs globally. That's right. Across industries and organizations are saying, you know, hybrid work and remote work became status quo like that. Yes. A couple of years ago, everyone shifted to multi-cloud. And of course, the cyber criminals are sophisticated and they're motivated and they're well funded. What are some of the things that you think that the survey really demonstrated that validate the direction that Palo Alto Networks is going in? That's right. That's right. So we do these surveys because first and foremost, we have to make sure we're aligned with our customers in terms of our product strategy and the direction. And we have to confirm and validate our very strong opinions about the future of the cybersecurity industry. So, but this time when we did this survey, we just saw some great insights and we decided we want to share it with the broader industry because we obviously want to drive thought leadership and make sure everybody is in the same level of field. Some interesting and significant results with this one. So as you said, this was 1,300 C-level cybersecurity decision makers and executives across the world. So we had participants from Europe, from Japan, from Asia Pacific, Latin America, in addition to North America. So one of the most significant stats or data points that we've seen was the fact that out of everybody interviewed, 96% of participants had experienced one or more cybersecurity breaches in the past 12 months. That was more than what we expected, to be honest with you. And then 57% of them actually experienced three or more, so those stats are really worth sharing in terms of where the state of cybersecurity is. What also was personally interesting to me was 33% of them actually experienced an operational disruption as a result of a breach, which is a big number, it's one third of participants. So all of these were very interesting. We asked them more detailed questions around, you know, how many, like obviously all of them are trying to respond to this situation. They're trying different technologies, different tools, and it seems like they're in a point where they're almost have too many tools and technologies because, you know, when you have too many tools and technologies, there's the operational overhead of integrating them, it creates blind spots between them because those tools aren't really communicating with each other, so what we heard from the responders was that, on average, they were on like 32 tools, since 22% was on 50 or more tools, which is crazy, but what they, what the question we asked them was, you know, are you looking to consolidate? Are you looking to go more tools or less tools? Like, what are your thoughts on that? And a significant majority of them, like about 77%, said they are actively trying to reduce the number of technologies that they're trying to use because they want to actually achieve better security outcomes. I wonder if you could comment on this, so early on in the pandemic, we have a partner, survey partner, ETR, Enterprise Technology Research, and we saw a real shift, of course, because of hybrid work, toward endpoint security, cloud security, they were re-architecting their networks and new focus on different thinking about network security and identity. You play in all of those and partner for identity. I almost, my question is, was there kind of a knee-jerk reaction to get point tools to plug some of those holes? And now they're re, because we said at the time, this is a permanent shift in thinking, what we didn't think through, it's coming to focus here at this conference is, okay, we did that, but now we created another problem. Yeah, yeah, yes, yes, you're very right. I think, and it's very natural to do this, right? Every time a problem pops up, you want to fix it as quickly as possible. And you look, you survey, who can help you with that? And then you kind of get going, because cybersecurity is one of those areas where you can't really wait and do, take time to fix those problems. So that happened a lot, and it is happening, but what happened as a result of that? For example, I'll give you a data point from the actual survey that answers this very question. When we asked these executives, what keeps them at night, like up at night, like what's their biggest concern? A significant majority of them said, over having difficulty with data management. And what that means is that all these tools that they've deployed, they're generating a lot of insights and data, but they're disconnected, right? So there's no one place where you can say, look at it holistically and come to conclusions very fast about how threat actors are moving in an organization. So that's a direct result of this proliferation of tools, if you will, and you're right. And it's a natural thing to deploy products very quickly, but then you have to take a step back and say, how do I make this more effective? How do I bring things together, bring all my data together to be able to get to threats, detect threats much faster? Unintended consequence of that quick fix. And it becomes cyber resilient. We've been hearing a lot about cyber resiliency recently, and something that I was noting in the survey is that only 25% of execs said, yeah, our cyber resilience and readiness is high. And you found that there was a lack of alignment between the boards and the executive levels. And we actually spoke with, I think, BJ yesterday on how are you guys, and even some of your partners, how are you helping facilitate that alignment? We know security is always a board level conversation, but the lack of alignment was kind of surprising to me. Well, I think the good news is that I think cybersecurity is taking its place in board discussions more and more. Whether there's alignment or not, at least it's a topic, right? That was also out of the survey that we saw. I think, yes, we have a lot of a big role to play in helping security executives communicate better with boards and C-level executives in their organizations, because, as we said, it's a very complex topic, and it has to be taken from two angles when it's a board level discussion. One, how are you reducing risk and making sure that you're resilient? Two, how do you think about return on investment and what's the right level of investment, and is that investment going to get us the return that we need? What do you think of this? So, there's another interesting stat in here. What keeps executives up at night? You mentioned difficulty of data management. Normally, the CISO response to what's your number one problem is lack of talent. Number three there, yes. And this may be somewhat related to difficulty of data management, but maybe people have realized, you know what, I'm never going to solve this problem by throwing bodies at it. I got to think of a better way to consolidate my data, maybe partner with a company that can help me do that. And then the second one was security being left behind changes in the tech stack. So, we're moving so fast to digitize, and security's still an afterthought, and so it's almost as though they're going to rethinking the problems because they know that they can't just solve the issue by throwing more hires at it because they can't find the people. That is, you're absolutely spot on. What, the thing about cybersecurity skills gap, it's a real reality, it's very real. It's a hard place to be. It's hard to ramp up sometimes. Also, there's a lot of turnover. So, but you're right in the sense that a lot of the manual work that is needed for cybersecurity, it's actually more sort of much easier to tackle with machines than humans. It's a funny double click on the stat you just gave. In North America, the responders, when we asked them how they're coping with the skills shortage, they said we're automating more. So, we're using more AI, we're using more process automation to make sure we do the heavy lifting with machines and then only present to the people what they're very good at in making judgments, like last minute judgment calls. In the other parts of the world, the top answer to that question is how you're tackling cybersecurity skills shortage was we're actually trying to provide higher wages and better benefits to the existing people. So, there's a little bit of a gap between the two, but I think the world is moving towards the former, which is let's do as much as we can with AI and machines and automation in general, and then let's make sure it's more in an automation assisted world versus a human first world. We also saw in the survey that ransomware was the big concern in the United States, not that it's not a concern in other parts of the world, but it wasn't number one. Why do you think that is? Is it because the US has more to lose? Is it more high profile? Yeah, look, I mean, yes, you're right. So, most responders said number one is ransomware. That's my biggest concern going into 2023. For J-PAC and I think EMEA Europe, it was supply chain attacks. So, I think US has been hit hard by ransomware in the past year. I think it's like fresh memory and that's why it rose to the top in various verticals. So, I'm not surprised with that outcome. I think the supply chain is more of a, we've been hit hard globally by that and it's very new. So, I think a lot of the European and J-PAC responders are responding to it from a perspective of, this is a problem I still don't know how to solve. And it's like I need the right infrastructure and I need the right visibility into my software supply chain. It's a very top of mind. So, those were some of the differences, but you're right. That was a very interesting regional distinction as well. How do you take this data and then bring it back to your customers to kind of close the loop? Do you do that? Do you say, okay, hey, we're going to share this data where they get real-time feedback? We often like to do that with data, say, okay, because when you do a survey like this, you're like, oh, I wish we asked A, B, and C, but it gives you and forms you as to where to double click. Is there a system to do that or a process to do that? Our hope and goal is to do this every year and see how things are changing and then do some historical analysis as to how things are changing as well. But as I said in the very beginning, I think we take this and we say, okay, there's a lot of alignment in these areas, especially for us, for our products, to see if where our products are deployed, to see if some of those numbers vary per product, because we, as a company, we address a lot of these concerns. So then it's very encouraging to say, okay, with certain customers we're going to go, we're going to have developed certain metrics and we're going to measure how much of a difference we're making with these stats. I mean, if you can show that you're consolidating the number of tools and show the business impact of that home run. Exactly, yes. Speaking of business outcomes, we have so many conversations around, everything needs to be outcome-based. Can security become an enabler of business outcomes for organizations? Absolutely. Security has to be an enabler. So it's back to the security lagging behind the evolution of the digital transformation and SAC. I don't think it's possible to move fast without having security move fast with digital transformation. I don't think anybody would raise their hands and say, I'm just going to have the most creative, most interesting digital transformation journey, but security is SAC. So I think we're past that point where I think generally people do agree that security has to run as fast as digital transformation and really enable those business outcomes that everybody's proud of. So yes, yes, it is. Sorry, so chicken and egg, digital transformation, cyber transformation, how are they related as one digital leading? They are two halves of the perfect solution. They have to coexist because otherwise, if you're taking a lot of risk with your digital transformation, is it really worth going through a digital transformation? So there's a board over here I'm looking at and it started out blank and it's what's next in cyber. And basically people can come through and they can write down, there's some great stuff in it, 5G cloud native, some technical stuff, automated mean time to repair, to remediation, somebody wrote AWS, the AWS guys left their mark, which is kind of cool. It's all I'm wondering, so we always talk about, we just talked about earlier, that cyber has become a board level issue. I think even go back mid last decade, it was really starting to gain strength. What I'm looking for, I don't know if there's anything in here that suggests this is going beyond the board. So it becomes this top down thing, not just the SOC, not just the IT, not just the board, now it's top down, maybe it's bottom up, middle out the awareness across the organization. And that's something that I think is, that is a next big thing in cyber. I believe it's coming. Cyber security awareness is a topic and there are companies who do that, who actually educate just all of us who work for corporations, on the best way to tackle, especially when the human is the source and the reason, knowingly or unknowingly, mostly unknowingly, of cyber attacks. Their education and awareness is critical in preventing a lot of this, before our tools even get in. So I agree with you that there is a cyber security awareness as a topic is going to be very, very popular in the future. Lena Smart is the CISO of MongoDB, does, I don't forget what she calls it, but she basically takes the top security people in the company, like the super geeks, and puts them with those that know nothing about security, and they start having conversations, and then so they can be empathic to each other's point of view, and that's how she gets the organization to become cyber aware. It's brilliant, it's so simple. Exactly, that's the beauty and it's the simplicity. And their programs, just to put a plug, there are programs where you can simulate, for example, phishing attacks with your employee base and your workforce, and then teach them, at that moment, when they fall for it, what they should have done. I think I can imagine family game night. I'm serious, that's a good little exercise for everybody. Yeah, exactly. It really is, especially as the sophistication and smishing gets more and more common these days. Where can folks go to get their hands on this juicy survey that we just announced? We have it online. So if you go to the Palo Alto Networks website, there is a big link to the survey from there. So for sure there's a summary version that you can come in and you can have access to all the stats. Excellent, it's been such a pleasure having you on the program, dissecting what's keeping CXOs up at night, what Palo Alto Networks is doing to really help organizations digitally transform cyber transformation and achieve that nirvana of cyber resilience. We appreciate so much your insights. Thanks very much. It's been a pleasure. Thank you. We're saying up Ozdemir and Dave Vellante. I'm Lisa Martin. You're watching theCUBE, the leader in live and emerging tech coverage.