All right everybody, welcome back to Las Vegas. This is Dave Vellante with Rob Strechay. You're watching theCUBE's continuous coverage of HPE Discover 2023. We go out to the events and extract the signal from the noise. We've been doing that 13 plus years around HP and now of course HPE. Bobby Ford is here. He's the Senior Vice President and Global Chief Security Officer at Hewlett Packard Enterprise. Bobby, it's great to see you. Thanks for coming on. First time in theCUBE.

It is the first time, so that means I've officially arrived. Yeah, yes. So thanks for having me.

You got it. I want to start. We hadn't met until just now, but I knew you from your stage performance at Antonio's All Hands on, I think it was April 4th. It was. Down at Storage Day. Yeah. Down, they flew the analysts down. Right. What they did is they invited the analysts into the All Hands meeting. They kicked us out before the Q and A, but it was still really cool. And Bobby was the MC. And I guess you guys rotate the MC. So you were there that day and it's a big party. I mean, it was unbelievable, the cultural injection.

It's very different. And I think it speaks to the culture that we have at HPE. We really like to have a good time and we like each other. And that's always a plus. When you like what you do, and you like the people that you do it with.

Well, like I said, we've been covering HP and then HPE for 13 years. And when the company was splitting apart, it was very painful. And you could just sort of see it in everybody. At that meeting, I mean, people were proud. They were nodding. They were cheering. It was very cool. Congratulations.

I'm glad you were able to make it.

Yeah, me too. It was really eye-opening. Hadn't been back in Houston for a while. Anyway, let's talk cloud security, hybrid cloud security, your role. Start with your role. What do you do with it? Do you spend time like internal security, making sure HPE is secure?
Or you spend sales guys, I'm sure dragging you out all the time.

Yeah, so I do a little bit of both. So I'm responsible for our enterprise cyber security. That's how do we protect HPE? How do we protect HPE assets? How do we protect HPE data? But I'm also responsible for our cloud security services organization. And that's how do we protect our cloud environment that we give access and we have customers in?

So around GreenLake.

Around GreenLake, yeah, yeah, exactly. Exactly, yep.

Well, so how do you do it? I mean, what is different about what you're trying to do than sort of conventional security?

Yeah, so we recently conducted a research report with the Ponemon Institute. And one of the stats that stood out in that report to me was something like 68 or 70% of people are concerned or 58%, sorry, 58% of people are concerned about security as it relates to their cloud transformation journey. And you would think that that number is low and it's not that the others are not concerned about security. But I think that many people have this misperception that once you go to the cloud, once you go to the public cloud, that you no longer have to worry about security. And that's not the case. And so what we've discovered in the public cloud world, the private cloud, the hybrid cloud model is that security becomes a shared responsibility between you, the cloud provider, and then those that you have interconnectedness with. So in my role, back in the day, I would focus only on our internal program, but now I'm having more and more conversations with customers because it is a shared responsibility that we have with them as it relates to cybersecurity.

So I'm going to ask you to put on your internal security hat and then talk about your sort of external and your customer one.
As a CSO, when you have, you've got stuff running on-prem, you've got data centers all over the place, I presume you've got stuff going on in the clouds, you know, you're partners with all the cloud companies. Each cloud has a different, you know, its own shared responsibility model. It's got its own primitives. You've got to connect to those. So it's a complicated situation for a lot of CSOs. Yeah. How do you see that evolving and how are you and your peers trying to sort of reconcile all those differences and understand all those shared responsibility models? Do you just say, you know what, we're going to go monocloud or do you say, okay, we're going to have to somehow create an abstraction layer and simplify across those clouds?

I've been doing cyber for a while. And I've, you know, I'm a technologist at heart. And I think that as it relates to the cloud, we've gone through several iterations. And when I say we, I mean the security professionals, we've gone through several iterations of how we respond to the cloud. And I think our first response was cloud never. We just didn't trust that we wanted our data and our assets, our infra and our environment. So it was cloud never. And then we, you know, morphed into cloud maybe. So we started thinking maybe it's not that bad. We started taking tours of their facilities and we started having conversations with their security people. It was like maybe cloud. And then I think we got to this point where it was cloud only, public cloud only. And it was like, you know, cloud first, cloud only. No one wants to build any type of data center. I want to get rid of it. I think that where we are now, I would call it cloud when it's right. I love Antonio's keynote. He called it cloud smart. And I think that's where we are. And in this cloud smart world, I think that it will only be, I mean, it will only become more complex.
So I tell any of, you know, the CISOs that I know, if you're not comfortable working in complexity, you should probably get another job.

Yeah, I think you hit on a great point. And I think Antonio and everybody has been talking about the edge hybrid cloud. How do you stretch across that? What are you seeing? 'Cause you must be, I mean, you know, I was with HPE a long time ago and we had cloud back then even, and it was when you started to look at all of the different data centers, all of the different partners, and especially where you are working with so many different clouds. How does that complexity play in? Especially when you have edge, you have hybrid.

Any time you're dealing with a complex environment, I think it's critically important that you have a great framework. The reason why I'm at HPE, honestly, and I don't say this, you know, because HPE pays me, they do, but that's not why I say this. I think that the framework has to be edge to cloud. And if you're a security professional, I used to call it data to cloud, but I was just like, because it's not always data at the edge, but it's edge to cloud. And when I say it's not always data, I mean you could sometimes have sensors or just input, output. So I think you have to think edge to cloud in your security framework, which we wrote a white paper, how security practitioners should think about security from edge to cloud, because I think that's the only way you can tackle that complexity. Understanding that you can't secure everything. So it's critically important that you prioritize and that you take a balanced approach and you look at security from the edge to the cloud.

So the premise that we put behind this thing we call super cloud is the more consistent you can make that experience, the better that experience is going to be, the less muck they're going to have to deal with and the safer it will be. So I'm asking you now to put on your sort of external hat.
When you think about GreenLake and your promise to customers, how do you talk about that shared responsibility model? What are you responsible for? What's the customer responsible for?

I think it depends on the nature of the relationship that we enter into with the customer. And they have to understand, hey, where are my workloads? And what relationship do I have? What third parties engage? Where do I have connectedness? And then who's responsible for monitoring that connectedness? And honestly, it's a case by case basis. I mean, it's done on a case by case basis. So it's not one size fits all. So what I would say, and this is to any of the CISOs that I talked to that are customers of ours, it's important that you have conversations. It's important that you have conversations and that you understand with your internal teams where you're responsible and security is prevent, detect, respond, where you're responsible for prevent, where you're responsible for detect, where you're responsible for respond, and then where HPE is responsible.

So I like how you described it for it, like first phase was like cloud in no way. And you got that from a lot of customers, and particularly in financial services, and maybe then, hey, we're all in, but nobody's really all in. But the other piece is the cloud, the definition of cloud has changed. It's expanded. We were talking to Xavier Poisson yesterday. And he's, I've said this before, the cloud is an operating model. Dave, get it. And I'm like, okay, I'm with you. So the cloud is now the first line of defense, however you want to define that cloud. So I'm interested in how the CISO's role has changed as a result of that. So you got the cloud, now you're asking developers to shift left and deal with it. You've got audit in the back end, they're kind of the last line of defense. So how has that role evolved and evolving?
Like I spoke to earlier, I think that we've come to a place where we recognize that A, we can't secure everything. And I think that that's really important to recognize that you can't secure everything. So then how do I prioritize what's most important to the organization? How do I prioritize what's most critical to the organization? I think B, it's evolved in that, I understand, like I said, it's going to be complex. And I think that hybrid is here to stay. And so understanding that, hey, I can't secure everything. It's going to be complex. How do I then prioritize in my hybrid world what's most important, and then make sure I have the right controls in place to secure it?

I remember I was, years ago, I was interviewing Robert Gates, former Defense Secretary. And it was at the time when security was becoming a board level issue. And he sat on a lot of boards and he's like, it's absolutely a board level issue for the ones I sit on. And since that time, we've seen it go from, just the SecOps team, the security guys, folks like you have been in it their whole life. Oh yeah, security, that's somebody else's problem. And it trickles up to the board. Now it's sort of trickling out throughout the organization. So my question is, well, first of all, statement, bad user behavior beats good security any day. So how do you create a security-aware culture?

That's a phenomenal question. Thanks for asking it. I think that most people today, and maybe it's just because I've been doing it so long, that I think most people are aware. I think most people are aware of security risks. Most people have been impacted personally. Remember, there was a time when the only time you were concerned about something happening, a data breach, or you were concerned about compromise was at work. Because you still did your banking at the bank. So the only time you were concerned about cyber security was at work.

You were air-gapped.
Yeah, exactly, but now that we're doing everything online, now I've discovered that I went from people thinking, hey, security is doing too much in the company culture. Hey, you're doing too much to people saying, you're not doing enough. They're pushing you because, again, personally they're seeing the impact of cyber attacks and they're seeing the impact of cyber risk. So I think that the culture is actually more aware now than it's ever been, and then our responsibility, and it's something that I don't, so no one is watching this interview that works at HPE, right? So I can say, okay, and no one is listening. I guarantee you, we're filtering it on the phone. No, I mean. This is private, right? So no one that works for HPE is anywhere around, right? Okay, cool. So I wanna get us to a point where we're equipping people to actually respond themselves. And what I mean by that is, imagine if you will, this is me being visionary, imagine if you will, you get into work super early, and you work in New York, and you receive this phishing email. You know it's a phishing email, right? Because you're so smart, you're brilliant. So you know it's a phishing email, but it wasn't just sent to you, it was sent to 20,000 other employees, but because you're so diligent, you got to work super early in New York City. Imagine if you had the power to pull that email from your fellow colleagues. How wonderful would that be? I want us to get to that point. Right now, the way that we do security is, the employee sees it, they respond to the security team, the security team sees it, they evaluate it. And you've already told them it's a phishing email. After they evaluate it, they contact the IT team. The IT team then takes action to pull the email. Imagine if we equipped you to do that yourself.

Yeah, I think that's the key, is that it's everybody's responsibility.

Exactly.

And it's enabling everybody. And I think we actually had a Sask Poly, Saskatoon, or not Saskatoon.

Saskatchewan.
Saskatchewan Polytechnic on. And they talked about how they're actually using GreenLake now because they got hit. And they got hit by ransomware and it was encrypting all of their VMs and taking them down. And actually, HPE helped bring them back. But now they're actually using GreenLake. So to their point, their director of IT who was on here was talking about the fact that our vice president of IT was talking about how that was a really important lesson about how they responded and how they use GreenLake. Do you see a lot of customers looking to you and saying, well, how do you use GreenLake? How do you use this in that model?

Yeah, absolutely. And what I think the biggest, not the biggest benefit, but one of the biggest benefits of GreenLake is that it allows you to manage that hybrid world from a single platform, which is phenomenal. Because then when you're thinking about, all right, training up new users or onboarding new users, right? So that they can do the management as well. You're not training them or onboarding them onto multiple platforms, but it's a single platform. So like you were saying, it's a consistent experience as it relates to management of those different workloads or those different cloud environments.

So I want to double unpack that vision that you just laid out. And think about cloud as, I just kind of redefined it in our clouds everywhere. The thing about GreenLake and this hybrid cloud, the super cloud is it really democratizes security. Because you've got the best sec-op pros in the world worrying about physical security, all their responsibility. Okay, check. That example you just gave about the phishing, when stuff goes wrong, you can fix it at scale really fast. That's that vision. And then the other thing is, I presume if you make mistakes, you don't make the same mistake twice at the back end anyway. Now, and if you can get the employees and the users to that level, that scales as well.
That's a different world than, like you said.

And what we used to. Because like we say it all the time, security is everyone's responsibility. I say, well, if it's everyone's responsibility, why not empower and enable everyone?

How about AI? What? How about AI? What is that? That's something they invented last year, last November? AI. Allen Iverson? Practice is in practice. We're talking about practice, what are you talking about? We can talk basketball. Celtics made some big trades. Excited about that? Yes we are.

Have you seen the evidence of the attackers using AI, or is it still too sort of hard to find?

People love to ask security professionals, like what keeps you up at night? What keeps you up at night? And when I hear that, what I hear is what are you most concerned about? And so what am I most concerned about? I'm most concerned that the adoption of advanced technologies by our adversaries is outpacing ours. So to answer your question, yeah, but they've been using it long before, like they didn't just start using large language models, they've been using it. But the scary part in what's been introduced and everyone's talking about ChatGPT-4 is that now individuals that don't understand AI are able to use AI. That's the scary part. That was the scary part when we went from, people needing to really know how to write code to attack you, to someone just needing to download an app. Like that's all I gotta do now, I can attack, download an app.

Script kiddie.

Yeah, exactly, that was the scary part. That's what we're witnessing now in the adversary community with the adoption of AI. I say all of that to say, I'm a huge fan of generative AI. Like a huge, huge, so again, no one's watching this, like no one's listening, no one's watching. Okay, cool. I haven't written a text message, now don't tell this to my mother, in about three months.
Because whenever she texts me, I cut it, paste it in ChatGPT, and it's like write a response to my mother right to this text message. And it's so thoughtful and it's caring. And then I just send it right back to her. She sent me a card the other day saying that I was so responsive lately and she thanks me so much and she loves me so much. And I was like, you're welcome, right? Like no problem. So I'm a huge fan of it, but it's a tool. It's absolutely a tool. And like any tool, it could be used for good, but it can also be used for bad.

Yeah, it's a new level. I mean, there was ransomware as a service. Any knucklehead could be a ransomware as to now. Exactly. These phishing emails are now actually well-written. Very well-written. Absolutely well-written and more targeted. Like they're well-written and they're targeted.

All right, we got to go. Bobby, you're amazing. And would love to have you back on SuperCloud. Yeah, please do. Yeah, July, so we'll follow up on that. Absolutely, please do. Thanks for the conversation. You're very welcome.

All right, Rob Strechay, Dave Vellante. Day three, HPE Discover 2023. You're watching theCUBE. Up next, the men behind the curtain, Jim Jackson and Jason Newton, will be up. Keep it right there. You don't want to miss this.