Live from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Everyone, welcome back to theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce, Amazon Web Services' first inaugural conference around cloud security. I'm John Furrier, my co-host Dave Vellante. Our next guest is Katie Jenkins, SVP, Senior Vice President, CISO, Chief Information Security Officer with Liberty Mutual, big company, a lot of activity, insurance, probably a lot of action on your side, welcome to theCUBE. Thanks so much. Thanks for coming on. Don't be here. So you've been in the job for about a year, tell us about what's going on in Liberty Mutual. You guys have a large company, a hundred plus years old. You're the CISO, you're in charge, you're running everything. We're at a security conference, tell us the reality, what's going on in the real world?

Yeah, well this is super exciting that re:Inforce of course is in Boston, this is Liberty Mutual's hometown. As you mentioned, a hundred and seven-year-old security, not security company, insurance company, but we're doing really cool things in technology and security specifically. I would say to kind of bring this gathering together where you have a real rich pool of security talent, of security innovators that really mashes up with what we're doing. So Liberty Mutual has made a very significant commitment to moving to the public cloud for our technology and computing needs. We're in about year three of that journey, maybe 25% of our workload in the public cloud. And it's really been a catalyst for not just transforming our technology organization but transforming the way security does its work and the way security engages with our development community.

Well you're the head honcho as they say, there's a CISO, but you've had 20 plus years in cybersecurity. This is now kind of a new category with re:Inforce being a branded show for AWS.
Obviously this deserves its own conversation and industry, there's a lot of action going on. What does cloud security mean to you? Because this is the focus of this show. I mean it's not just pure cloud, there's a lot of on-premise and on-cloud interactions with hybrid, et cetera. You guys have been doing tons of IT over the generations with Liberty Mutual, but cloud security is the focus. What does that mean to you guys from a cybersecurity standpoint?

Yeah, in a word, enablement. I think that the public cloud offers us a really interesting opportunity to reinvent security, right? So if you think about all of the technologies and processes, and many of which are manual over the years, I think we have an opportunity to leverage automation to make our work easier in some ways, to avoid the situation where we have error or oversight. Gosh, we encrypted everything, but this set of assets over here. So through using automation and enforcement, it's an exciting opportunity to further develop our security capabilities. But also cloud security, cloud in general has a transformation of the way that our practitioners do work through agile, and it means that security has to work with our technologists in a different way.

Right? So you've had a really interesting background. You've worked for a company that does audits, I can infer from that. You've worked for a services company, you've worked for a technology vendor, you've worked as a practitioner, so you've seen it from all sides. And Amazon made some comments yesterday that said, look, the narrative in the security industry has always been fear, fear, fear. And we'd like to put forth a narrative that is about, listen, the state of security is really good and strong, the union is strong, and we've got to work together on a positive message. So my question is, are you an optimist?

A reluctant optimist. I think the days of having security be something that's fearful are just not, they're not doing us any justice in that area.
I mean, security is an area of partnership. There's very little of what we do in security that's just done by security practitioners. We need asset managers. We need compliance people. We need the privacy team. We need our auditors. We need procurement. I mean, there's just so many different parties involved in security that if we're just instilling fear in everyone, I think it'll be difficult for us to get that partnership. And we need to empower people, right? We need to both empower our developers to do their work in a secure manner, and we have to empower our whole workforce and our trusted third parties to make good decisions. We're educating them on how to prevent phishing attacks. We're doing all sorts of kind of culture-based initiatives, recognizing that if it's just the security folks doing security, we're going to have a big gap.

One of the things that we were discussing with a lot of other CISOs, who we've been talking to privately off the record in the hallways and private briefings, is the common theme of integration as a big part of dealing with the ecosystem, either suppliers and/or different teams within their different pillars of how they're organized internally and externally. And then also reducing the number of security vendors that they've been buying products from, to get some also in-house coding teams working more closely on the use cases that matter. So this has become kind of a CISO conversation where what is that criteria? How do you figure out who do you have as suppliers? Who's going to be around for the long haul? Who's going to be that partnership for the enablement? So rather than having hundreds of vendors, we want to get them down to a handful. Is that something that you think about, or is that the trend that you see is happening now?

It is a trend. I think it starts at how we even procure and select our suppliers.
I mean, we are really giving a lot of thought to the area of third-party risk management, and do we understand not just the elements of cyber risk in engaging with a third party, but privacy and continuity kind of risk too. So it starts there. I don't have a sort of fabricated number in terms of I'm trying to go from X number of vendors down to Y, but I think that there's a very purposeful thought process that we're undergoing to say, yeah, we recognize for certain technologies we want to have different providers to provide some of that redundancy. So let's be smart about that and let's make sure we really understand where those overlapping capabilities are, because we don't want to be wasteful either, right?

And the spend question comes up too around DevOps, because what we're seeing is the DevOps and security paradigms are kind of coming together in terms of the concepts, agility. You can do some prototyping, hackathons, do some things, and then ultimately trying to get into production are two different animals. So that enablement of doing innovative things is agility, right? That's been a key theme, a positive theme. And the question is, is there a funding model? Does it automatically get security funding, and where's the spend? Is your spend going up? And so all the monetary spend questions come up. How do you deal with that holistically, and how do you think about the spend conversation?

Yeah, it's a really interesting one because of course, expense pressures, I'm not immune to those. But I also think that we're in a position where our executive leadership team understands the value of the work that we're doing, understands the importance to our policyholders. So it's less often a need to justify why we need more spend. It's a demonstration of using that spend responsibly. And understanding where we might have an uplift from something that we've automated, to say, well now we have these resources that could be doing something else.
There's always a something else in security, right? So if we're committed to re-skilling and making sure that people are evolving the work that they do and the talents that they have to address a different kind of...

So no rule of thumb per se, it's more of your management recognizes the criticality of it. Therefore, you can make those calls on your own, build it in, build it into the projects.

I ask tough questions, and it demonstrates that we're making responsible decisions, but I think it comes down to knowing your technology and your team.

So the skills gap obviously is a huge challenge in your industry. We talked to somebody yesterday, they said we just can't find people, so we have to bring them in and train them ourselves. We have to homegrow and take the long view. Amazon talks about the shared responsibility model, and a lot of small companies don't really understand that and things are misunderstood. Obviously Liberty Mutual gets it. My question is, as you see Amazon focusing on the compute and the storage and the database layer, and you guys have the opportunity to focus on other areas that are your responsibility, that shared responsibility model. Have you been able to shift resources? How have you handled that? Do you retrain people? Has it freed up time to do some of those more strategic things that you want to do, maybe respond more quickly, prioritize better, automate, et cetera, et cetera. Can you talk about that from your perspective?

So the shared responsibility model is, I think that's an important speaking point to this whole ecosystem. At the end of the day, Liberty Mutual, our duty is to protect policyholder data. It doesn't matter if it's in the cloud, if it's in our data centers, we have that duty to protect. So I think a lot about the skills that we will need in the future.
So I've referenced sort of vaguely that yeah, the compliance area is a particularly interesting area where we have opportunities to be able to more easily and cleanly produce artifacts that our auditors need, to really bring automation to a process that just has a very steep history in being manual in nature. So yeah, I understand that tomorrow we're not going to ask everyone to make a big switch and all become developers, but we do. We send plenty of people to this conference and they are participating in the tracks on how to bring automation to compliance. And I think we invest pretty heavily in training opportunities for people.

How do you look at the vendor lock-in conversation? Because of cloud, the value purpose certainly shifts. And the old model was, oh, you buy a supplier and you're in, you're locked in with database or whatever. With cloud, there's a lot of switching cost opportunities to move around, but also people are generally settling in on one main cloud and having maybe a hybrid backup cloud or multi-cloud as a secondary because of the focus of the teams. How do you view the lock-in when you deal with suppliers? Because you don't want to be stuck with one supplier if you have the need to be agile. You want to have options. How do you guys think about that? Because agility is key for you guys to be successful, not so much just dealing with the vendors.

Yeah, it does come down to balance. We do leverage multiple cloud providers, right? I think that if we're too focused on making sure that we have that portability and we could quickly move from one to another, then we miss an opportunity to kind of deeply leverage some of the services, for example, that AWS provides. But we also, you know, we've been around the block a few times, right?

Not your first rodeo.

Yeah, exactly. And I think that it's important to have that perspective and prepare for the future.

Do you attend board meetings regularly?

I do.
I do present out to our board of directors.

Is that a sort of frequent thing, once a year, once a quarter? I'm interested in what the board conversation is like with the CISO.

It happens in a couple of different contexts, whether it's specific to sort of an audit readout or sort of a general state of security type report out. But yeah, we have a really engaged board that asks great questions about our partners, right? About things that are more culture-based in terms of how we're doing with our anti-phishing protection. And we talk about technology architectures too, and the work that we're doing to make sure that we're being more fine-grained in the way that we're authenticating users and devices no matter where they work, in a more secure way. They're interested in that. So I feel pretty lucky to both have the opportunity and get to speak pretty deeply to our program.

Would you say the conversation is more of a strategic nature with the board? Is it more tactical? You just mentioned some tactical items. Is it more metrics-driven, or sort of a combination of all three?

It's a combination, right? I think they want to see demonstrated progress against areas that we've self-identified as areas that we'd like to improve, but they're also looking to see that I have a vision for where we're going. They're fully cognizant of the work that we've done in the public cloud and want to understand that the level of trust that they had in our security program on-premise will perpetuate and advance into the cloud, so.

When you look at cloud security and now security and Joe, you guys have, you've had a perspective on both sides, and cloud is certainly accelerating and evolving fast. When you find a legacy app that you're working with, we've heard other CISOs we've talked to who have had frank conversations and said, look it, we're deciding whether we're going to lift and shift it or rebuild.
And so there's been some visibility into when it's great to lift and shift and when it's great to rebuild. So that's been a conversation that, I don't think it's been fully baked out yet in the full narrative in the industry, but it's one people are talking about. What's your view on when you have a legacy app and you want to lift and shift it or rebuild it, what goes through your mind? What's the conversation like in Liberty?

It's a conversation that we have. We have legacy, I won't hide behind that. But it's not a conversation and a decision that's just made by technologists, right? I think we have to articulate what the options are, and that has to be a joint decision with our business partners. I think generally I'm not preferring a lift and shift, because I think that we are maybe overlooking some of the opportunities to make some of those security improvements that I see. But when we can get an application that's using our software development pipelines, where we have embedded security controls, we have better visibility, we have better enforcement in ensuring that we know what's going into the cloud has met a number of our security standards, so to speak. That's a much better position for us to be in.

So this notion of multiple clouds, I'm interested in how you handle that. You take separate teams, is it the same team, sort of handling everything? And sort of a follow-up on that is, I'm interested in your relationship with AWS and how that's affected your business.

Yeah, so the security team does not own the cloud environment, so to speak. That's a secure DevOps team within our infrastructure organization, and they're a very close partner of ours, right? So yes, I do have resources that are specialists in AWS versus other clouds, and others that are identity and access management specialists and are able to work on the development of those patterns across different cloud environments, right?
There's nothing bad that I can say about the relationship with our AWS partners. I think we felt very supported in understanding what we're trying to do, and introducing us to new services and, probably most importantly, introducing us to other customers that have been, you know, are a little bit ahead of us in their journey so we can hopefully not repeat any of these things.

Amazon helping you with the security piece as well. I mean that's something that they, with the shared responsibility there, they're working with you on this.

Sure.

Securing those workloads as you move to the cloud.

We've definitely leveraged their expertise.

And you mentioned that you guys kind of made a decision a few years ago to go all in on the cloud. How has that affected your business? What kind of results have you seen? Has it met expectations? Has it exceeded, you know, behind?

I mean, as I mentioned, we do still have a lot of our technology on-premise, but for the use cases that have, you know, really seen that rapid acceleration, you know, agile practices have allowed teams to develop code so much more quickly. I think that the business is generally delighted that their needs are being far more quickly met, Ben.

Yeah. So I can ask you, there's a perpetual line in the men's room. It's quite long. So what's it like to be-

It's not long in the ladies' room.

I was going to say, I don't think it is, because I would say the proportion of women here is actually lower than even the industry and most conferences that we attend. So what's it like being a woman in this male-dominated security business?

I've been in it so long that I certainly have grown a little bit accustomed to it, but not so accustomed that I'm not motivated on a daily basis to bring more women in. I think that security just has tremendous opportunities and, you know, certainly the marketing of security professionals is hoodie-wearing, white male, kind of persona. Just-

And there were opportunities for women.
What are some of those opportunities for women who are STEM, science, like my two daughters, all STEM, love public policy, the sociology impact, society impact that's here. There's a lot of range of skills. What are some of those that you would inspire someone to-

I studied math as an undergrad. We didn't have security back then. I've since gotten a master's degree in cybersecurity, so that's cool. But, you know, I think a great security professional is a great communicator, a great collaborator. I need technologists, I need developers, I need process experts. I need people that think, you know, very deeply about, you know, assurance-type control. So, we have tried to attract people out of other, you know, technology realms.

And it's just not just math or computer science. There's creativity involved. There's a lot of, you know, things that lend themselves to all kinds of diversity.

There is. I mean, you think about human psychology, right? I mean, we just totally transformed one of the systems that we use for approving, for managers to approve the access of their people, right? The past system was ugly. People didn't know how to interact with it. I mean, that user experience expertise that overlaid how we developed our new platform just makes all the difference to make sure that it's actually a valuable process. Not, like, I'm so frustrated, I'm just going to sign off on this, because I give up for what I want to do.

That's really interesting, because you spend a lot of time and effort and money on things that drive revenue. But this drives so much productivity and business value that, you know, it's not maybe direct dollars, but clearly there. I have a question. When you recruit people, presumably you tap your network, and it's not just the good old boys' network, you're tapping women. Are you able to successfully, you know, find women or young women in particular that you can attract and recruit into your business as security practitioners?
Have you had much success there?

Yeah, so we definitely are outpacing industry numbers in terms of women in security. We have a long way to go. You know, historically excluded people, right? Not just women, people of color. I mean, we just have a long ways to go, right? And I think it takes more than sitting back and waiting for a recruiter to bring me a slate of candidates, to say, no, I know people, and I know people that know people, and I really have to invest myself and make sure that my leaders know that that's my expectation of them, right? I mean, I think that we feel that the diversity of thought, no matter how that diversity is expressed, is really important to doing the work that we do.

So let us know how we can help in Silicon Valley. Days here in Boston as well. Love to help get the word out. So anything you need from us, let us know. Katie, thanks so much for those great insights.

Thank you.

Love to have you on theCUBE again sometime. Thanks for coming on. Very good. SVP, CISO, Liberty Mutual here on theCUBE, extracting the signal, sharing the reality of what's going on in the security equation for cloud security. I'm John Furrier, Dave Vellante. We'll be right back after this short break.