Well, welcome to this special CUBE conversation. John Furrier here in the CUBE's Palo Alto studio. We're here with Jonathan Nguyen, who was formerly with Verizon, now with Fortinet. What's your title?

Vice President of Strategy.

Vice President of Strategy. But you're really, I would say, more of a security guru. You were notably the author of the Verizon data breach investigative report. Great report. It really has been an interesting standard. Congratulations. It's great to have you here.

Thanks, it was great. 16 years at Verizon in the security business, ran that data breach investigations team. So yeah, that was a great honor in my career.

So you called strategy because they don't want the word cyber security in your title on LinkedIn in case they spearphish you. Is that right?

No. You know, having started my career as a U.S. Foreign Service Officer, as a victim of the OPM data breach, everything that's about me is out there. I live in that perfect universe about how do you defend your identity when everything about you has been compromised to begin with?

So many stories. I had a CUBE guest talk about LinkedIn and the tactics involved in spearphishing. And the efforts that people go in to attack that critical resource that's inside a perimeter. This is a big problem. This is the problem with cyber warfare and security and crime. Talk about that dynamic as this is, I mean, we always talk about the cloud changing the perimeter, but of course, more than ever, this is really critical.

So fundamentally as we begin going into digital transformation and notions about where data is today and the nature of computing. So everything has changed. And the notion of a traditional perimeter has changed as well. So I'm going to borrow a great analogy from my friend, Ed Amoroso, and he said, look, let's pretend this is your traditional enterprise network. And all of your assets are in there.
And we all agree that that perimeter firewall is being probed every day by nation state actors, organized criminal syndicates, hacktivists, anybody. Everyone's probing the environment. It's also dissolving because you've got staffers inside that are using shadow IT. So they're opening up that firewall as well. Then you've got applications and portals that need to be accessed by your stakeholders, your vendors, your customers. And so that traditional wall is gradually eroding. And yet that's where all of our data is, right? And against this environment, you've got this group, this unstoppable force, as Ed calls it, these nation state actors, these organized crime, these hacktivist groups, all highly sophisticated. And we all agree that with time and effort, they can all penetrate that perimeter. We know that because that's why we hire pen testers and red teamers to demonstrate how to get into that network and how to protect that. So if that's the case that we have this force and they're going to break in eventually, why are we still spending all of our time and effort to defend this traditional perimeter that's highly vulnerable? Well, the answer is of course, that we need to distribute these workloads into multiple clouds, into multi hybrid cloud solutions. The challenge has been, well, how do you do that with enough control and visibility and detection as you would have in a traditional perimeter because a lot of folks just simply don't trust that type of deployment.

That's the state of the art. I mean, that's the state of the art problem. How to deal with the complexity of IT as with digital transformation as it becomes so complicated and so important at the same time. Yet cloud is also on the horizon. It's here. We see the results of Amazon Web Services, see what Azure is doing, and Google, et cetera, et cetera. And some companies are building their own cloud. So you have this new model with cloud computing, data driven applications.
And it's complex, but does that change a security paradigm? How does the complexity play into it?

Absolutely. So complexity has always been the enemy of security. And at Fortinet, what we essentially do is that we help companies understand and manage complexity to manage risk. So complexity is only going to increase. So digital transformation, the widespread adoption of digital technologies to enable exponential and explosive productivity growth. Societal level changes. Also massively expand the interconnected nature of our society. More and more interconnections, accelerated cycles across the board, greater levels of complexity. The challenge is going to be not about whether you're moving into the cloud. Everyone is going to move into the cloud. That is the basis of computing moving next. So in the Australian government, the US government, all the agencies have a cloud first migration initiative. It's not about whether; it's really about when. So how do you move forward with moving your computing and your workloads into the cloud? In many ways it goes back to fundamentals about risk management. It's about understanding your users and your systems, the criticality, the applications they're associated with and understanding what can you move into the cloud? And what do you keep on-prem in a private cloud, as it were?

I want to ask you more about global, more about cybersecurity. But first, let's take a step back and set the table. What is the holistic and the general trend in cybersecurity today? I mean, what's going on in the landscape and what are the core problems people are optimizing for?

Sure. So, across my 20 odd years in cyber, what we've seen consistently has been the acceleration of the volume, the complexity and the variety of cyber threats. So 10 years ago, 2007 or so, there were about 500 threat vectors. Today we're north of 5,000. And back at that point, there were maybe 200 vendors. Today we're north of 5,000 vendors.
There was less than a billion dollars of cybersecurity spend. Today we're north of $80 billion of spend. And yet the same challenges pervade. And what's happening now, they're only becoming more accelerated. So in the threat environment, the criminal environment, the nation-state threat actors, they're all becoming more sophisticated. They're all sharing information. They're sharing TTP. And they're sharing in a very highly effective marketplace. The dark web cyber crime marketplace is an effective mechanism on sharing information of matching threat actors to targets. So the frequency, the variety, the intelligence of attacks, automated ransomware attacks is only going to grow. Across the board, all of us on this side of the fence, our challenge is going to be, how do we effectively address security at speed and scale? And that's the key. Because you can affect security very well in very discrete systems, networks, facilities. But how do you do it from the IoT edge, from the home area network, the vehicle area network, the personal area network, to the enterprise network, to then to a hybrid cloud, a highly distributed ecosystem. And how do you have visibility and scale across that when the interval of detection between the detonation of malware to the point of irrecoverable damage is in seconds?

So tons of attack vectors, but also I would add to the complicated situation further is the surface area. You mentioned IoT. We've seen examples of IoT increasing more avenues in. Okay, so you got more surface area, more attack vectors with technology, malware is one. We've seen that in ransomware, certainly number one. But it's not just for financial gains. Also, there's terrorism involved. So it's not just financial services get the cash and embarrass a company. It's I want to take down that power plant. So is there a common thread?
Because I mean, every vertical is going to have their own industry issues, have their own kind of situation contextually, but is there a common thread across the industries that cyber security? Is there a baseline that you guys are attacking and that problems are being solved? Can you talk about that?

So at the heart of that is a convergence of operational technologies and information technology. Operational technologies were never designed to be IP enabled. They were air-gapped, never designed to be integrated and interconnected with information technology systems. The challenge has been, as you said, is that as you go through digital transformation and become more interconnected. Now, how do you understand when a thermostat has gone offline or a conveyor belt has gone offline or a furnace is going out of control? How do you understand that the HVAC system for the operating theater, the surgery theater is operating properly. Now we have this notion of functional safety and you have to marry that with cyber security. And so in many ways, the traditional approaches are still relevant today. Understanding what systems you have, the users that use them and what's happening in that and to detect those anomalies and to mitigate that in a timely fashion. You know, those same themes are still relevant. It's just that they're much, much larger now.

Let's get back to the perimeter erosion issue because one of the things that we're seeing on the Cube is digital transformation is out there. And that's kicked around as a buzzword, it's out there, but certainly it's relevant. People are transforming to digital business. Peter Burris, head of research at Wikibon, talks with us all the time. And a lot of it involves IT business process, putting data to work, all that good stuff, transforming the business, try to drive revenue. But security is more course and sometimes we're seeing it being unbundled from IT and reporting directly up to either the board level or C-level.
So that being said, how do you solve this? I'm a digital transformation candidate, I'm doing it. But I got, I'm mindful of security all the time. How do I solve the security problem, cybersecurity problem? Just prevention, other things, what's the formula?

Okay, so the heart of cybersecurity is risk management. So digital transformation is the use of digital technologies to drive exponential productivity gains across the board. And it's about data driven decision making versus intuitive led human decision making. So the heart of digital transformation is making sure that the business leaders have the timely information to make decisions in a much more timely fashion so that you have better business outcomes and better quality of life, safety if you will. And so the challenge is about how do you actually enable digital transformation that comes down to trust? And so again, across the pillars of digital transformation and they are first IoT. These devices that are connected to collect, share information to make decisions. The sheer volume of data, the zettabytes of data that will be generated in the process of these transactions. Then you have ubiquitous access and you're going to have 5G. You have this notion of centralized and distributed computing. How will you enable those decisions to be made across that board? And then how do you secure all that? And so at the heart of this is the ability to have automated, and that's key, automated deep visibility and control across an ecosystem. So you've got to be able to understand at machine speed what is happening.

How do I do that? What do I do? Do I buy a box? Is it a mindset? Is it everything? What's the, how do I stop the cyber attacks?

You need a framework of automated devices that are integrated. So a couple of things you're going to need. You're going to need to have the points across this ecosystem where you can detect.
And so whether that is a firewall on that IoT edge or in the home or that's an internally segmented firewall across the enterprise network into the hybrid cloud. You're also going to need to have intelligence. And by intelligence I mean you're going to need a partner who has a global infrastructure of telemetry to understand what's happening in real time in the wild. And once you collect that data, you're going to need to have intelligence analysts, researchers that can put into context what that data means because data doesn't become information on its own. You have to have someone analyze that. So you have to have a team. At Fortinet, we have hundreds of people who do just that. And once you have the intelligence, you've got to have a way of utilizing it, right? And so then you've got a way of orchestrating that intelligence into that large framework of integrated devices so you can act. And in order to do that, effectively you have to do that at machine speed. And that's what I mean by speed and scale. The big challenge about security is the ability to have deep visibility and control at speed, at machine speed. And that's scale from that IoT edge way across into the cloud.

Scale's interesting. So I want to ask you about Fortinet. How are you guys at Fortinet solving this problem for customers? Because you have to, is it the totality of the offering? Is it someone here, technology here? And again, you got 5,000 threat vectors. You mentioned that earlier. And again, you did the defense report of Verizon and your former jobs. You kind of know the landscape. What does Fortinet do? What do you guys, how do you solve that problem?

So from day one, every CISO has been trying to build the fabric. We didn't call it that. But from my first packet filtering firewall to my first stateful firewall, then I deployed intrusion detection systems. And when all that generated far more alerts than I can manage, I deployed an SEM. And then I went to intrusion prevention.
Then I had to look at logs. And so I went to an SIEM. And when that didn't work, I deployed sandboxing, which was called dynamic malware inspection back in the day. And then when that didn't work, I had to go to analytics. And then I had to bring in third party technology, third party intelligence feeds. And all along, I hoped I was able to make those firewalls and defense sensors, that platform integrated with intelligence, work somehow to detect the attack and mitigate that in real time. You know what we essentially do in the Fortinet Security Fabric is we reduce that complexity. You know, we bring that level of auto.

By the way, you're ad hoc, you're reacting in that mode. You're just, you know, I got to do this, I got to add that to it. So it's almost like sprawling, software sprawl, you're just throwing solutions at the wall.

Right. And a lot of that time, no one knows if the devices are properly configured. No one has actually done the third party technology integration. No one has actually met the requirements. It would have applied three years ago through the requirements today. The requirements three years from now. And so that's a huge level of complexity. And I think at the heart of that complexity, that's reflecting the fact that we're missing the basic elements in security across the day. The reason the large data attacks and the data breaches didn't come because of advanced malware. They didn't happen with nation state threats. These were known vulnerabilities. The patches existed. They weren't patched. In my experience, 80% of all the attacks could be mitigated through simple intermediate controls. And then that's been-

Deploying the patches, doing the job.

Complexity. Patch management sounds easy. It's hard. You know, some applications, there is no patch available. You can't take things offline. You have to have virtual patches or unintended consequences. And there are a lot of things that don't happen.
There's the handoff between the IT team and the security team, and it adds complexity. And if you think about this, if our current teams are so overwhelmed that they cannot mitigate known attacks, exploits against known vulnerabilities, how are they going to be able to grapple with the complexity of managing zettabytes of data with an ecosystem that spans around the world that operates in milliseconds where now it's not just digital issues. It's health, safety, physical security. How can we trust a connected vehicle that is secure or not?

Let's talk about the dynamic between machines and humans because you mentioned patches and this is arguably a human mistake, but also you mentioned automation earlier. Balance between automation, using machines and humans because prevention and risk management seem to be the axis of the practice. It used to be all prevention. Now it's a lot more risk management. There's still a human component in here. How are you guys talking about that and how is that rendering itself as a value proposition for customers?

Humans are the essence of both the challenge. In so many cases we have faulty passwords, we have bad hygiene. That's why security awareness training is so critical because humans are part of the problem on one end. On the other end, within the SOC, humans are grappling with huge amounts of data and trying to understand what is malicious, what needs to be mitigated and then prioritizing that. For us it's about helping the complexity, reduce the complexity of that challenge and helping automate those areas that should be automated so that humans can act better, faster as it were.

Here with Jonathan Nguyen with Fortinet. I want to ask you about the ecosystem you mentioned that earlier and also the role of CISOs, Chief Information Security Officers, and CIO, essentially the executives in charge of security.
So you have executives in charge of the risk management, don't get hacked, don't get breached and also the ecosystem of partners. So you have a very interesting environment right now where people are sharing information you mentioned that earlier as well. So you've got the ecosystem of sharing and you have executives in charge of running their businesses effectively and not to have security breaches happen. What's happening and what are they working on? What are the key things that Chief Security Officers are working on and with CIOs? What specifics are on their plate and what's the ecosystem doing around that too?

Sure, so digital transformation dominates all discussions today and every CISO has two masters. They have a productivity master which is always the business side of the house and they have a security master which is ensuring that reasonable level of security is in the advent of managing risk, right? And that's the challenge, how do you balance that? So across the board, CISOs are being challenged to make sure that the applications, those digital transformation initiatives are actually occurring. At the same time, in the advent of a data breach, understanding the risk and managing the risk, how do you tell your board of directors, your governments that you're not only compliant but that you have handled risk to a reasonable level of assurance. And that means, in my opinion, across my experience, you've got to be able to demonstrate a couple of things. One, you have identified and adopted with third-party implementation and attestation of recommended best practices and controls. Second, you've implemented and used best-in-class products and technologies like Fortinet, products that have gone through clearances, gone through common criteria where things are properly certified and that's how you demonstrate a reasonable level.
It's really about risk management, understanding what level of risk you'll tolerate, what level of risk you'll mitigate, and what level of risk you're going to transfer. And I think that's a discussion at the board level today.

So make people feel comfortable, but also have a partner that could actually do the heavy lifting on new things. Because there's always going to be a new attack vector out there.

Absolutely, so I think the key to it is understanding what you're really good at. And so one of the questions I ask every CISO is that when you look at technology, what is it that your organization is really good at? Is it using technology, operationalizing that experience? Or is it really about ensuring that that firewall is integrated with your SIEM, that the SIEM works in trying to create your own threat intelligence? And I think one of the things that we do better than anybody else is that we reduce the level of complexity of that allowing our clients to really focus on providing security, using best-in-class technologies to do that.

John, the final question, 2018, what's your outlook for the year for CISOs and companies with cyber right now?

I think it's going to be an exciting time. I think there's going to be a focus back on basics because before we take this next evolutionary leap in terms of cyber and computing and the digital nature of our society, we've got to get the basics done right. And I think the way Fortinet's going, our ability to use the fabric to help manage risk and reduce risk is going to be the path forward.

It's the CUBE, bringing you commentary and coverage of cybersecurity, of course, here in our Palo Alto studio. I'm John Furrier, thanks for watching.