 From the SiliconANGLE Media Office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante. Welcome to this week's CUBE Insights, powered by ETR. Today is November 8th, 2019, and 2019. And I'd like to address one of the most important topics on the minds of a lot of executives. I'm talking about CEOs, CIOs, Chief Information Security Officers, boards of directors, governments, and virtually every business around the world. And that's the topic of cybersecurity. The state of cybersecurity has changed really dramatically over the last 10 years. I mean, as a cybersecurity observer, I've always been obsessed with Stuxnet, which the broader community discovered the same year that the CUBE started in 2010. It was that milestone that opened my eyes. Think about this. It's estimated that Stuxnet cost a million dollars to create, that's it. Compare that to an F-35 fighter jet. It cost about $85 to $100 million to build one. And that's on top of many billions of dollars in R&D. So Stuxnet, it hit me like a ton of bricks that the future of war was all about cyber, not about tanks. And the barriers to entry were very, very low. Here's my point. We've gone from an era where thwarting hacktivists was our biggest cyber challenge to one where we're now fighting nation states and highly skilled organized criminals. And of course, cyber crime and monetary theft is the number one objective behind most of these security breaches that we see in the press every day. It's estimated that by 2021, cyber crime is going to cost society $6 trillion in theft, lost productivity, recovery costs. I mean, that's just such a staggeringly large number. It's even hard to fathom. Now the other sea change is how organizations have had to respond to the bad guys. It used to be pretty simple. I got a castle and the queen is inside. We need to protect her. So what do we do? We built a moat, put it around the perimeter. Now think of the queen as data. Well, what's happened? The queen has cloned herself a zillion times. She's left the castle. She's gone up to the sky with the clouds. She's gone to the edge of the kingdom and beyond. She's also making visits to machines and the factories and hanging out with the commoners. She's totally exposed. Listen, by 2020, there's going to be hundreds of billions of IP addresses. These are going to be at endpoints and phones, TVs, cameras, tablets, automobiles, factory machines, and all of these represent opportunities for the bad guys to infiltrate. This explosion of endpoints that I'm talking about has created massive exposures and we're seeing it manifest itself in the form of phishing, malware, and of course the weaponization of social media. You know, if you think that 2016 was nuts, wait till you see how the 2020 presidential election plays out. And of course there's always the threat of ransomware. It's on everybody's minds these days. So I want to try to put some of this in context and share with you some insights that we've learned from the experts on theCUBE. And then let's drill into some of the ETR data and assess the state of security, the spending patterns. We're going to try to identify some of those companies with momentum and maybe some of those that are a little bit exposed. Let me start with the macro and the challenge faced by organization and that's complexity. Here's Robert Herchevek on theCUBE. Now you know him from the Shark Tank but he's also a security industry executive. Herchevek told me in 2017 at the Splunk.conf conference that he thought the industry was overly complex. Let's take a look and listen. I think that the industry continues to be extremely complicated. There's a lot of vendors, there's a lot of products. The average Fortune 500 company has 72 security products. There's a stat at RSA this year that there's 1500 new security startups every year, every single year. How are they going to survive? And which ones do you have to buy because they're critical and provide valuable insights and which ones are going to be around for a year or two and you're never going to hear about it again. So it's an extremely challenging, complex environment. So it's that complexity that has led people like Pat Gelsinger to say security is a do-over and that cybersecurity is broken. He told me this years ago in theCUBE and this past VM world, we talked to Pat Gelsinger and remember, VMware bought Carbon Black which is an endpoint security specialist for $2.1 billion and he said that he's basically creating a cloud security division to be run by Patrick Morley who is the Carbon Black CEO. Now many have sort of questioned and been skeptical about VMware's entrance into the space. But here's a clip that Pat Gelsinger shared with us on theCUBE this past VM world. Let's listen and we'll come back and talk about it. And this move in security, I am just passionate about this. And as I said to my team, if this is the last thing I do in my career is I want to change security. We're just not are satisfying our customers. They shouldn't put more stuff on our platforms. National defense issues, huge problems. It's just terrible. And I said, if it kills me, right, I'm going to get this done. And they says, it might kill you Pat. So this brings forth an interesting dynamic in the industry today. Specifically, Stephen Smith, the CISO of AWS at this year's reinforce, which is their security conference, Amazon's big cloud security conference, said that this narrative that security is broken, it's just not true, he said. It's destructive and it's counterproductive. His and AWS's perspective is that the state of cloud security is actually strong. Kind of reminded me of a heavily messaged state of the union address by the president of the United States. At the same time, in many ways, AWS is doing security over. It's coming at it from the standpoint of a clean slate called cloud and infrastructure as a service. Here's my take. The state of security in this union is not good. Every year we spend more, we lose more, and we feel less safe. So why does AWS's securities are, see it differently? Well, Amazon uses this notion of a shared responsibility security model. In other words, they secure the S3 buckets, maybe the EC2 infrastructure, not maybe the EC2 infrastructure, but it's up to the customer to make sure that she is enforcing the policies and configuring systems that adhere to the edicts of the corporation. So I think this shared security model is a bit misunderstood by a lot of people. What do I mean by that? I think sometimes people feel like, well, my data's in the cloud and AWS has better security than I do. There we go, I'm good. Well, AWS probably does have better security than you do. Here's the problem with that. You still have all these endpoints and databases and file servers that you're managing and that you have to make sure comply with your security policies. Even if you're all in the cloud, ultimately you are responsible for securing your data. Let's take a listen to Katie Jenkins, the CISO of Liberty Mutual on this topic. We'll come back. So the shared responsibility model is, I think that's an important speaking point of this whole ecosystem. At the end of the day, Liberty Mutual, our duty is to protect policy holder data. It doesn't matter if it's in the cloud, if it's in our data setters, we have that duty to protect. It's on you. All right, so there you have it from a leading security practitioner. The cloud is not a silver bullet. Bad user behavior is going to trump good security every time. So unfortunately the battle goes on. And here's where it gets tricky. Security practitioners are drowning in a sea of incidents. They have to prioritize and respond to, and as you heard Robert Herjavek say, the average large company has 75 security products installed. Now we recently talked to another CISO, Brian Lozada, and asked him, what's the number one challenge for security pros? Here's what he said. The lack of talent. I mean, we're starving for talent. Cyber security is the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have. And in that lack of talent, CISOs are starving. We're looking for the right tools to actually patch these holes and we just don't have it. Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their program. So bottom line is we can't keep throwing humans at the problem. Can't keep throwing tools at the problem. Automation is the only way in which we're going to be able to keep up. All right, so let's pivot and dig into some of the ETR data. First, I want to share with you what ETR is saying overall, what their narrative looks like around spending. So in the overall security space, it's pretty interesting what ETR says and it dovetails into some of the macro trends that I've just shared with you. Let's talk about CISOs and CISOs. ETR is right on when they tell me that these executives no longer have a blank check to spend on security. They realize they can't keep throwing tools and people at the problem. They don't have the bodies. And as we heard from Brian Lazada, and so what you're seeing is a slowdown in the growth, somewhat of a slowdown in security spending. It's still a priority, but there's less redundancy. In other words, less experimentation with new vendors and less running systems in parallel with legacy products. So there's a slowdown in adoption of new tools and more replacement of legacy stuff is what we're seeing. As a result, ETR has identified this bifurcation between those vendors that are very well positioned and those that are losing wallet share. Let me just mention a few that have the momentum and we're going to dig into this data in more detail, Palo Alto Networks, CrowdStrike, Okta, which does identity management. Cisco is coming at the problem from its networking strength. Microsoft, which recently announced Sentinel for Azure. These are the players and some of them that are best positioned, I'll mention some others, from the standpoint of spending momentum in the ETR data set. Now here's a few of those that are losing momentum. Checkpoint, Sonic Wall, ArcSight. Dell EMC, which is RSA, it's kind of mixed. Talk about that a little bit, IBM, Symantec, even FireEye is seeing somewhat higher citations of decreased spending in the ETR surveys and data set. So there's a little bit of a cause for concern. Now, let's remember the methodology here. Every quarter ETR asks, are you green, meaning adopting this vendor as new or spending more? Are you neutral, which is gray, are you spending the same or are you red? Meaning that you're spending less or retiring. You subtract the red from the green and you get what's called a net score. The higher the net score, the better. So here's a chart that shows a ranking of security players and their net scores. The barge show survey data from October 18, July 19 and October 19. In here, you see strength from CrowdStrike, Locta, TwistLock, which was acquired by Palo Alto Networks. You see Elastic, Microsoft, Illumio, the core Palo Alto classic, Splunk, looking strong, Cisco, Fortinet, the Zscaler is starting to show somewhat slowing net score momentum. Look at Carbon Black. Carbon Black is showing a meaningful drop in net score. So VMware has some work to do, but generally the companies to the left are showing spending momentum in the ETR dataset and I'll show another view on net score in a moment. But I want to show a chart here that shows replacement spending and decrease spending citations. Notice the yellow. That's the ETR October 19 survey of spending intentions and the bigger the yellow bar, the more negative. So Sagar, the director of research at ETR pointed this out to me that, look at this, there are about a dozen companies where 20%, a fifth of their customer base is decreasing spend or ripping them out, heading into the year end. So you can see Sonicwall, CA, ArcSight, Symantec, Carbon Black again, a big negative jump. IBM, same thing. Dell EMC, which is RSA, Slyte Uptik, that's a bit of a concern. So you can see this bifurcation that ETR has been talking about for a while. Now here's a really interesting cut, another interesting kind of net score. What I'm showing here is the ETR data sorted by net score, again higher is better, and shared in, which is the number of shared accounts in the survey, essentially the number of mentions in that October survey with 1,336 IT buyers responded. So how many of that 1,300 identified these companies? So essentially it's a proxy for the size of the install base. So showing up on both charts is really good. So look, CrowdStrike has a 62% net score with 133 shared accounts. So a fairly sizable install base and a very high net score. Okta, similar, Palo Alto Networks, and Splunk, both large continue to show strength. Again, net scores are 44% and 313 shared in. Fortinet shows up in both. Proofpoint, look at Microsoft and Cisco with 521 and 385 respectively on the right hand side. So big install bases with very solid net scores. Now look at the flip side, go down to the bottom right to IBM, 132 shared accounts with a 14.4% net score, that's very low. Checkpoint, similarly, same with Symantec. Again, bifurcation that ETR has been citing really stark in this chart. All right, so I want to wrap and from, you know, in some respects, from a practitioner perspective, this guy, Erexy, is falling. You got an increased attack surface. You've got exploding number of IP addresses. You got data distributed all over the place, tool creep, you got sloppy user behavior, overwork security ops staff, and a scarcity of skills. And oh, by the way, we're all turning into a digital business, which is all about data. So it's a very, very dangerous time for companies and it's somewhat chaotic. Now chaos, of course, can mean cash for cyber security companies and investors. This is still a very vibrant space. So just by the way of comparison in looking at some of the ETR data, check this out. What I'm showing here is companies in two sectors, security and storage, which I've said in previous episodes of breaking analysis, storage and especially traditional storage disk arrays are on the back burner, spending-wise, for many, many shops. This chart shows the number of companies in the ETR dataset with a net score greater than a specific target. So look, security has seven companies with a 49% net score or higher. Storage has one. Security has 18, above 39%, storage has five. Security has 31 companies in the ETR dataset with a net score higher than 30%, storage only has nine. And I like to think of 30% is kind of that, you know, the point at which you want to be above that 30%. As you can see, relatively speaking, security is an extremely vibrant space, but in many ways it is broken. Pat Gelsinger called it a do-over and is affecting a strategy to fix it. You know, personally, I don't think one company can solve this problem. It's certainly not VMware or even AWS or even Microsoft. It's too complicated, it's moving too fast. It's so lucrative for the bad guys with very low barriers to entry, as I mentioned. And as the saying goes, the good guys have to win every single day. The bad guys, they only have to win once. And, you know, those are just impossible odds. So in my view, Brian Lozada, the CISO that we interviewed nailed it. The focus really has to be on automation. You know, we can't just keep using brute force and throwing tools at the problem. Machine intelligence and analytics are definitely going to be part of the answer, but the reality is, AI is still really complicated too. How do you operationalize AI? You talk to companies trying to do that. It's very, very tricky. Talk about lack of skills. That's one area that is a real challenge. So I predict the more things changed, the more you're going to see this industry remain a game of perpetual whack-a-mole. There's certainly going to be continued consolidation and unquestionably, M&A is going to be robust in this space. So I would expect to see continued stories in the trade press of breaches. And you're going to hear scare tactics by the vendor community that want to take advantage of the train wrecks. And I wish I had better news for practitioners. But frankly, this is great news for investors if they can follow the trends and find the right opportunities. This is Dave Vellante for Cube Insights, powered by ETR. Connect with me at David.Vellante at siliconangle.com or at D.Vellante on Twitter. Or please comment on what you're seeing in the marketplace in my LinkedIn post. Thanks for watching. Thank you for watching this breaking analysis. We'll see you next time.