Live from Washington D.C., it's theCUBE, covering .conf 2017, brought to you by Splunk. Welcome back to our nation's capital here, Washington D.C., theCUBE, which is the SiliconANGLE TV's flagship broadcast, broadcasting live today and tomorrow from D.C. here at .conf 2017. Splunk's annual get-together. Along with Dave Vellante, I'm John Walls, and now we're joined by Chidi Adams, who is the head of IT and security for Heartland Jiffy Lube. We all know Jiffy Lube for sure. Chidi, thanks for being with us, good to see you. Of course, thanks for having me. You know, before we jump in, I just, I was looking at your, kind of the portfolio of responsibilities earlier. Information security, application development, database development, reporting services, enterprise PMO, blah, on and on and on. When do you sleep, Chidi? I don't. That's the easy answer, right? The reality is I also have two young children at home, so between work and the family life, I'm up all the time. I imagine so. But I would have it no other way. How old are your kids? Three and two. Oh, you won't sleep for a decade. I know. And wait until they start driving. That's what they tell me, yeah. Then it gets even better or worse, depends on how you look at it. That's how you learn how to sleep on airplanes. Yeah. Let's look at, big picture, you know, security at Jiffy Lube. Your primary concerns these days, I assume, are very much laser focused on security, and what you're seeing. What are the kinds of things that kind of keep you up at night, other than kids these days? So we're a very large retailer, and brand recognition is something that we're very proud of. However, with that comes a considerable amount of risk. So the bad guys are also aware of Jiffy Lube. They understand that as a retailer, we have credit cards, we have very sensitive data. So when I started with Jiffy Lube about two and a half years ago, I started a program to focus not only on keeping the bad guys out, right?
That's essentially table stakes in any security program, but also implementing a disciplined approach around insider threat. And frankly, that's where Splunk has proved to be a significant value for our organization because now we have visibility with respect to both of those risks. Additionally, we've spent a lot of time just taking more of a risk-based approach to security. Right, quite often what happens, technologists tend to focus on implementing technology and kind of filling gaps that way. The first thing that we did was assess organizational risk based on our most critical assets, right? Once we were able to determine asset X, in most cases a data asset, was really critical to the organization, credit card data, we were able to build a unified solution and program to ensure that we protect not only our brand but our customers' data all the time. So, first I will say, I love Jiffy Lube. I'm a customer, I go there all the time, it's so convenient, great service, generally very, very customer service oriented, but I see your challenge with all this distributed infrastructure and retail shops around. I would imagine there's somewhat of a transient, some turnover in an employee base and the bad guys can target folks and say, hey, here's a few bucks, let me in. So how do you use data and analytics? I mean, I'm sure you have all kinds of screening and all kinds of corporate policies around that, that's sort of one layer, but it's multi-dimensional. So how do you use technology and data to thwart that risk internally? Sure. So I think the key there is having a holistic program, that's a term that's thrown around a lot. So for me, that means a clear focus on people, process, technology. As I mentioned earlier, the tendency is to start with your comfort zone, so with us as technologists, it's technology, right? But the people aspect I have found in my career is always the largest variable that you have to account for.
So disgruntled employees in retail, regardless of how robust and how strong a culture you create, you're always going to have higher turnover than any industry, particularly in the field. So having very tight alignment with HR operations, other stakeholders to ensure that, look, when someone leaves, we track that effectively and that's all data driven, by the way, so that we're able to track the life cycle of an employee, not only on the positive side when they enter the organization, but when they exit. If the exit is immediate, we have triggers and data driven events that alert us to that so we can respond immediately. And then I mentioned insider threat, right? It's not just employees out in the field, but globally, insider threat is probably the biggest blind spot for organizations. Again, the focus is on the outside. So when we look at things like data exfiltration, which is a risk in any large organization where there's a lot of change in transformation, you have to have a good baseline of activity that's going on and understand what activity is truly normal versus activity that could be anomalous and an indicator of a bad actor within the enterprise. And we have all that visibility and more now with Splunk. What is the role that Splunk plays? How has that journey evolved? I don't know if you've been there long enough, but pre-Splunk, post-Splunk, maybe you could describe that. Yeah, so pre-Splunk, we were very, very reactive. So let me answer that by providing a little more context about how we're leveraging Splunk. So Splunk Enterprise Security is our centralized hub. So data across the enterprise comes to Splunk Enterprise Security, we have a team of SOC analysts that work around the clock to monitor events that, again, could be indicators of something bad happening.
So with that infrastructure in place, we've gone from a very reactive situation where we had analysts and engineers going to disparate systems and having to manually triangulate and figure out, hey, is this an event? Is this something worthy of escalation? How do we handle this? Now we have a platform, not only in Splunk, but with some other solutions that gives us data, one that's actionable. It's not hard to aggregate data, but to make that data meaningful and expose only what's legitimate from a triage and troubleshooting perspective. So those are some of the things we've done in Splunk that's played a role in that. Okay, talk about the regime for cybersecurity within your organization. I mean, it used to be, oh, it's an IT problem. In your organization, is it still an IT problem? Is the balance of the organization taking more responsibility? Is there a top-down initiative? I wonder if you could talk about how you guys approach that. That's a great question because it speaks to governance. So one of the things that I did almost immediately when I started with Jiffy Lube was work very closely with the senior leadership team to define what proper governance looks like, because with governance, you've got accountability. And so what happens all too often is security is just this thing that's kind of under the table, it's understood we've got some technology and some processes and policies in place. However, the question of accountability doesn't arise until there's a problem, especially in the case of a breach. And most certainly when that breach leads to front page exposure, which was something I was very concerned about again, Jiffy Lube being a very large retailer. Worked very closely with the senior leadership team to, first of all, identify the priorities. We can't boil the ocean. There are a lot of gaps. There were a lot of gaps. But working as a team, we said, look, these are the priorities. Obviously customer data, that's everything, that's our brand.
We want to protect our customers, right? It's not just about keeping their vehicles running as long as possible. We want to be good stewards of their data. So with that, we implemented a very robust data management strategy. We had regular meetings with business stakeholders and education also played a critical role, right? So taking technology and security out of the dark room of IT, right? And bringing it to the senior leadership team and of course being a member of that senior leadership team and speaking to these things in a way that my colleagues in operations or finance or supply chain could readily connect with, right? And then translating that to risk that they can understand. So it's a shared responsibility. Absolutely. And I mean, a big part of security, you talked before about sort of keeping the bad guys out, that's table stakes. Big part of security, this day and age seems to be response. How effectively the organization responds. And as you well know, it's got to be a team sport. It's kind of a bromide. But the response mechanism, is it rehearsed? Is it trained? Can you describe that? Both, and I agree response is critical. So you have to plan for everything, right? You have to be ready. So some of the things that we've done, one, we created a crisis management team, an incident response team. We have a very deliberate focus and a disciplined approach to disaster recovery and business continuity, which is often left out of security conversations, which is fascinating because the classic security triad is confidentiality, integrity and availability, right? So the three have to be viewed in light of each other. With that, we not only created the appropriate incident response teams and processes within IT, but then created very clear links between other parts of the business. So if we have a security event or an availability event, how do we communicate that internally? Who's in charge? Who manages the incident, right?
Who decides that we communicate with legal, HR, right? What does that ecosystem look like? All of that is actually clearly defined in our security policy and we rehearse it at least twice a year. Well, we just had Robert Herjavec on from the Herjavec Group just a few minutes ago. And he brought up a point that's pretty interesting. He says, you know, security obviously is a huge concern. Obviously it's his focus. They said the problem is, or a problem is, is that the bad guys, the bad actors, are extremely inventive and innovative and keep coming up with new entry points, new intrusion points. And that's the big headache is they invent these really newfangled ways to thwart our systems that were unpredicted. So how do you, I mean, how does that sit with you? You know, you've got all these policies in place. You've got every protocol aligned and all of a sudden the door opens a different way that you didn't expect. Yeah, one of my favorite topics. That really speaks to the future and where I believe the industry is going. So traditionally security has been very signature based. In other words, we alert against known patterns of behavior that are understood to be malicious or bad. But a growing trend is machine learning, artificial intelligence. In fact, at Jiffy Lube, we are experimenting with a concept that I refer to now as the security immune system, right? So leveraging machine data to proactively assess potential threats versus waiting for those threats to materialize and then kind of building that into our response going forward. I think a lot of that is still in the early phases, but I imagine that in the very near future that'll be a mandatory part of every security plan. We've got to go beyond kind of two dimensional signature based to true AI, machine learning, kind of taking action, not just providing visibility via response and alerts, but taking action based on that data proactively in a way that might not include a human actor at least initially.
What's the organizational structure at your shop? Are you the de facto CISO? I am. And the CIO? I am, I wear both hats. Yeah, so that's interesting, right? You know where I'm going with this. There's always a discussion about, should you separate those roles? And I can make a case for either way that if you want the best security in IT, have the security experts managing that at the same time people say, well, it's like the fox watching the hen house and there's lack of transparency. Where do you, I mean, I think I know where you fall on this, but how do you address the guys that say that function should be split? What's the advantage of keeping them together in your view? Yeah, so I think you have to marry best practice with the realities of a particular organization. That's the mistake that I think many make when they set about actually defining the appropriate org structure. There's no such thing as a copy and paste org structure, right? So I actually believe, and I have no problem going on record with this, that the best practice does represent in reality a division between IT and security, particularly in larger organizations. Now, for us, that is more of a journey. And what you do initially and your end state are two different things, but the way you get there is incrementally, right? You don't go big bang out of the gate. So right now they both roll up to me, foreseeably they will roll up to me, but that works best for the Jiffy Lube organization because of some interesting dynamics. And the board of directors, by the way, given the visibility of security does have a say on that. So now that we're in transformation mode, they do want one person kind of overseeing the entire transformation of IT and security. Now in the future, if we decide to split that up, then I think we have to be at the right place as an organization to ensure that that transition is successful.
I'm glad you brought up the board, Chidi, because to me it's all about transparency. If the CIO can go to the board and say, hey, here's the deal, we're going to get hacked. We have been hacked and here's what we're doing about it. Here's our response regime. And in a transparent way has an open conversation with the board. That's different than historically. A lot of times CIOs would say, all right, we got this covered because failure meant fired. And that's a mistake that a lot of boards made. Now eventually over time, the board may decide, look, the job's too big to have one person, which is kind of what you're, but how do you feel about that? I mean, what's your sentiment on that transparency piece? How often do you meet with the board and what are the discussions like? Yeah, great topic. So a few things. One, and you've hinted to this, it's very important for the CIO or the CISO to have board level visibility. Board level access. I have that at Jiffy Lube. I've had to present to the board regarding the IT strategy. But I think it's also important to be an effective communicator of risk. So when you're talking to the board, what I've done is I've highlighted two things. And I believe this very strongly. As a security leader, you have to practice due care and due diligence. Right, so due care represents doing your job within the scope of whatever your role is, right? Due diligence involves maintaining that over a course, a period of time, including product evaluations. If you have due care and due diligence, and you're able to demonstrate that, even if your environment is compromised, you have to have the enterprise, including the board realize that as long as those two things are in place, then a security officer is doing his job. Now what's fascinating is many breaches can be mapped back to a lack of due care and due diligence. That's why the security officer gets fired, to be very blunt.
But as long as you have those scenes and you articulate very clearly what that represents to the board and the senior leadership team, and I think you just focus on doing your job and continue to communicate. John wanted to know if you had any Jiffy Lube coupons. Yeah, because I'm on the way home, I thought I'd just jump in. All out, but all. You got one right down the street from the house. Probably know me all too well because I take the kids' cars there too. That's right. We'll hook you up, no worry about it. We appreciate the time. Thank you. A newly converted Dallas Cowboys fan, by the way. That's right. All right, perhaps here in Washington, we can work on that. We'll see about that. We'll see. Chidi, thanks for being with us. Thank you, appreciate it. Thank you very much. Chidi Adams from Heartland, Jiffy Lube. Back with more here on theCUBE in Washington, D.C. at .conf 2017, right after this.