 from the Wynn Resort in Las Vegas. It's theCUBE, covering .next conference 2016. Brought to you by Nutanix. Now here are your hosts, Dave Vellante and Stu Miniman. We're back, Keith Stewart is here. We're going to talk security. He's the vice president of strategic markets and business development at V-Armor, aka V-Amor. V-Amor, we love security, that's why we're here. We love V, welcome. Thank you very much. I'm really excited to be here and seeing you guys again. Yeah, this is a good show. There's been a lot of energy here, a lot of talk about basically transforming infrastructure and security is a big part of that. So give us the update on V-Armor. Absolutely, right? Security is fundamentally a board level conversation these days. Everybody needs to have an understanding and awareness of what they're doing. And as people make this journey to cloud, as they look to transform not just their infrastructure stack but their operations, security's got to be at the heart of that. And really at V-Armor, our fundamental belief is pretty simple. Security shouldn't be a barrier to embracing cloud. In fact, security should be a reason to embrace cloud. The move to cloud should make you more secure because you can build it into the fabric of your data center operations. So Stu now is rolling his eyes because he knows I'm going to take over the interview and talk about security as a board level topic. So our boards in your view, talking about security in the right way, how should boards be discussing security with CISOs and CIOs? Security at the end of the day is a conversation about risk management and it's a conversation about compliance and governance, right? And so that starts with people that move to process but ultimately there's a major technology element to that. So one of the conversations that we have with senior executives is about the combination of all three of those pieces, making sure that you're modernizing your people and your staff, you're getting the training right, you're working through your processes, but fundamentally if your security architecture is based on technologies that were invented before the iPhone, you're probably not keeping up with what the bad guys are doing. So getting all three of those pieces right is fundamental in order to secure yourself as you move to cloud. So several years ago, even three, four, five years ago, we'd interview people on theCUBE, executives, IT practitioners say, you know, we've never been hacked. You don't hear that much anymore. In fact, the conversation has shifted from we need to thwart penetration to we have been and will continue to be infiltrated. It's all about the response. Is that a valid premise? The risk model has certainly shifted to a recognition that the bad guys are gonna get in. They're gonna find a way. Whether it's spearfishing, whether it's some new malware variant, if you're relying exclusively on preventative techniques, you're not gonna get yourself where you need to be. So that transformation of people, processes, and technology means moving to technologies that can react and respond in a much finer granularity than historically what's been possible. So if you're reliant on technologies that are based on agents, where somebody can take over the workload and then turn off the agent, that's probably not the right place to be for your primary controls. Agents have a place in this world, but fundamentally, your primary controls need to be resilient. They need to be independent of the underlying infrastructure layers so that they're portable as you move from legacy infrastructure stacks, converged infrastructure, potentially public cloud infrastructure with a consistent set of controls. Keith, what about ransomware? I mean, we've gone from something that's just disruptive or damaging to just emulating and destroying with ransomware. Ransomware ups the stakes, nation-state actors and state-sponsored espionage up the stakes. We spend time with a lot of different verticals and a lot of different customers. There's a law firm that comes to mind that we've worked with Nutanix very strongly at. These guys realized, frankly, perhaps a little bit late, that they have not just their own critical data, but they house all the most sensitive data of all of their clients. If you think about what we would all give a law firm, we give them our personnel information. We give our law firms sensitive financial transactions, M&A activity, all of that's extremely valuable data. That all needs to be secured. And this idea of segmenting groups of assets, so-called micro-segmentation, very important in the law community, because I've got stewardship over so many different customers. It's almost cloud-like when we think about tenants sharing common infrastructure, but in a law context, that's about different clients in their specialty data. All needs to be compartmentalized and very carefully controlled inside the firm. So take it from your comments. You don't use agents. We do not use agents. VArmor is 100% independent of the underlying infrastructure layer that we sit on, and independent of the workloads themselves. So you can go to our website. You can download VArmor software. You can install it in 15 minutes. You don't require any changes to the underlying topology. You don't require any changes to the workloads you already have in place. Okay, so that means you can fit into really that hybrid cloud model, and what is the discussion customers are having about security on-prem versus public cloud? You know, we hear over and over again that I need security built into the new infrastructure stack, right? I need the ability to see networks, see applications, see users across that new stack, but I also need a technology that's gonna help me with my existing environment. We'd all like to be off of the legacy environment faster. We probably won't get there as fast as we would like, but I still need visibility and control over that environment. So VArmor has spent a lot of time building technology that can seamlessly insert into the legacy environment as well as the new environment. You know, one of the points that I think was made in one of the keynotes earlier on today is about this transition between a hardware-centric world to a software-centric world, and certainly there's a ton of economics that are underlying that. There's a ton of efficiencies that underlie that, but you know, the trade winds blowing from Seattle tell us that it's also got about making it easier. It's gotta be simple. It's gotta be easy, and so the technology in this move to software is gotta be easy to insert and easy to operate for non-expert users. Do organizations understand, I want to come back to the board level stuff if we could, because it just got me going, do organizations understand the value of their data? Let me stop there. I think organizations are definitely understanding the business context, the value of their data. I think in the last 18 months, the recognition of that value to others in ways that perhaps the company didn't originally understand is becoming more and more valuable, whether it's purely for destructive purposes to Stu's point, whether it is the value of selling it on the black market. We spent a lot of time with healthcare providers. There's another healthcare provider that comes to mind that we've worked with Nutanix on. Healthcare has got a really challenging problem these days. They are digitizing probably faster than any other vertical. They're moving from paper-based processes to all digital, and yet they've got arguably the largest compliance and regulatory mandate of all, and they're not equipped. They're not equipped with the right staff. They're not equipped with the right technologies. So there's an excellent example of a group of people that it is fundamental that the technology be easy to insert and easy to operate. I know Nutanix has done a great job at bringing hyper-converged technology and cloud technology into healthcare verticals to help people navigate that journey. It's one of the big reasons why we spent a lot of time in healthcare as well. Yeah, so where I was going with the question on data value is the lack of understanding of data value, does it lead companies to have a difficult time appropriately securing their business, understanding whether it's the value of data, assets, IP, et cetera. Are they able to appropriately secure their business given that lack of knowledge? Inevitably, many boards haven't been built with cybersecurity skill sets as a core part of the selection criteria. We're seeing that change. We're seeing more and more demand for that kind of expertise living on the board and within the management team that reports up to the board. And so I do think that there's some changes there. I come back to Stu's point. I think in the last 18 months, this notion that nobody wants my data, I'm never gonna be breached. I can use preventative approaches and that'll be fine and that the board's gonna sign off on that. That's done. Target started the change of that. Sony certainly changed that. Some of our friends in healthcare talk about a major lawsuit that was filed. There was a university-based health system that had a breach and had a multi-billion dollar lawsuit show up on their door within 48 hours. You don't get a multi-billion dollar lawsuit constructed in 48 hours. That paper was sitting waiting for the breach to get announced and then the suit shows up. So I absolutely think when we're now having a conversation about liability and risk that goes up into the billion dollars, boards are shifting. Do they need to go further farther? Potentially, but that shift is happening. Well, I mean, and so what should the discussion be? Should it, you have mentioned that increasingly boards are putting security-oriented folks on their boards. I presume you would agree that it shouldn't be GeekSpeak, however. It should be about things like what is the value of their data? What's the right regime for security? Whose responsibility? Is it a shared responsibility? What's our response mechanism and our response plan? Who's gonna lead that? Are those the right questions and are those happening? I think those are the right questions. I do think it comes back to our people processes and technology piece. But I think that there's an easy litmus test that starts to get you down that road without delving into GeekSpeak, which is really about modernity. Are you, are our processes up to date? When was the last time we reviewed them? When was the last time we did staff training on this? Do we do staff training with somebody new and current and well-versed in current threats? Or do we do that in the old way? When was the last time we trained the board? And I'd come back to the technology point again. Are we using old tech? Are we using new tech? Are we using technology that was invented a decade or two decades ago? Or are we exploring and pushing the envelope on new approaches that we can keep up with the bad guys? I know if I were on a board of directors, I would want to know, I mean, I am on a board of directors, but we don't have this, I mean, I'm a public company. It would be, the question I would have is, when was the last time we practiced a response to a security breach? Do we give our people the resources to do that? You know, you used to, you mentioned that security increasingly has to be a fundamental part of risk management, compliance and governance. I think disaster recovery, not enough companies even today practice disaster recovery. Should organizations and do organizations practice a response to a security breach? This again, it's a great point, clearly DR and more orientation on failure scenarios and failure scenario, failure scenario planning matters. But I would come back to the point about making it easier, right? Part of the challenge with a lot of those tests today is that they're big and complex and require a lot of moving parts because the underlying technology stacks and the processes and the runbooks that operate them are brittle, they're fragile. They're not based on well-defined interfaces, whether they're people interfaces or API-based interfaces. They're not these ideas of broad-scale failure domains and DR, we're not built into those underlying technologies. A lot of the technologies were designed in the box mentality. I'm gonna build a thing. It's gonna be a big thing, really big, because we like big things and it's gonna be metal, it's gonna be heavy, because we like big metal heavy things and that's great and we all feel really, really good about that. But it's that technology orientation and the processes and the people you wrap around that that make it so challenging and expensive to go down and do DR-based fail-overs. We had a very, very large public cloud provider or public cloud user in our office two weeks ago and they've taken on the Netflix chaos monkey, chaos gorilla-oriented approach so that continual lifestyle testing and failure testing is just part of rolling out new applications and when you can build that kind of CI-CD pipeline into your application development process, then these things that used to be big and clunky and the people and process equivalent of that big, heavy box don't need to be quite so hard and complicated. And you look at some of the demos that we've seen here at the show that the Nutanix guys have put on. Simplicity, make it easy, make it resilient. That doesn't mean that it's not hard. There's a ton of complexity and innovation happening under the hood, but the user shouldn't be forced to go through that to do these basic fundamental business processes. You're seeing some other innovations too, like visualizations becoming increasingly important. Automation, you're seeing efforts to automate the runbook, for example. It's like, that's tedious. Like filling out a police report. Nobody wants to do it, but where are we in terms of some of those innovations in terms of attacking the problem? I think it comes back to this idea of building simplicity into the fabric of what you're doing. So when you've got well-defined, functionally complete APIs to get a little technical on that, that puts us on the path to do these kinds of automation frameworks. I was on site yesterday with a healthcare organization and it's an immense form of frustration for the application development teams and the server teams to have to go through paper-oriented processes, security processes, network reconfiguration processes. I mean, their change ticket is their system of record for defining what's happening in the environment. That's our cane. That's what we did 10 years ago. There's a better way. It requires embracing some of these new cloud technologies, but you can do that in a way where you don't have to give up on the security, the operations, the risk management systems you had before. If cloud is going to matter as a movement, right? It's going to matter because we do important things with it. We don't put our basic, simple storefront websites. We put fundamental critical things, medical healthcare records, payment processing systems, inventory management systems, things that are core to the underlying business. To do that, you got to build security in. You shouldn't have to give up on network, application, user-based controls when you make this transition, but it should be easy. It shouldn't be so hard. We're running against the clockkeeper. My last question is, what should be in the checklist of a CIO, security checklist, specifically in the context of that board-level discussion? Top two or three things. I think you got to ask yourself, have I a modern incident management and incident response process, right? And the technology components that are going to support that. Do I have either sufficient staffing, in the answer there's probably no, or sufficient technology that can help me augment my staffing in order to react and respond? And have I got a plan for security to be part, an integral part of my long-term architectural plan for the business, right? Can I, do I have a plan that makes security a part of every business decision that we make in IT? If I have those things, I'm in a pretty good state of affairs. If I'm back in the old days where security lives in a silo with big giant pieces of tin, I'm probably not going to make the journey. Extracting the security signal from the noise, Keith Stewart, thanks very much for coming with us. Thanks very much guys. Appreciate it. All right, keep it right there, and I'll be back with our next guest right after this short break.