 So, you know, it's interesting when you look at the challenge from an enterprise, right there bring your own device to work There's the technology piece and then security implications But most of the large enterprises are actually dealing with the legal implications of what it means to bring your own device especially for contractors or Temporary staff in terms of okay, they bring their own device and now their devices at home Do they? Is it are they still working for the company if they respond to email? Whereas if it was a device issued by the company, it's a different problem So, you know, it's you look at the technologies you look at the security But when you look at an enterprise and all the things that they have to deal with Security is sort of maybe the last element that they have to check off Before they even get to it right like they have to address all these other issues So and by the time they get to that we better have solved the problem because now that's the only thing that's stopping them from Allowing them to bring your own device to work What I see happening is that the measures that some enterprises have because they have these well-loaned more in trails are so draconian For endpoint users that they'll just bypass the security anyway So just start using it wherever they can get it But I can't get that document off of my mail server because of this antivirus phishing attempt mail Gateway they have in place. I'll just have them mail it to somewhere else and I'll put it on my home machine They'll bypass security just to get their job done and that's a big problem I think ultimately if you chop the problem up, you really have a problem of secure connectivity How you secure the platforms and how you secure the apps and the problem with that is Ordinarily you will have those approaches segmented both by solution type by who operates them how they're scored how they're managed how they interface with compliance engines And so without kind of an end-to-end solution to how you look at workflow. I mean applications and information Is not particularly useful if people don't have access to it and they don't consume it So I think the notion of spreading out across those three areas gives you a way of focusing on how you deal with Again that the connectivity to the platforms that secure app and serve up information And so if you talk to so an awful disclosure, I'm an advisor to bromium So sort of that cute accent that that that Simon Crosby has I I think from the perspective of what it means to manage So you can't say it doesn't work. No because it does I haven't have a laptop running with it and I give it to my kids So that's an ultimate test so I think ultimately the approach of if fundamentally we don't trust the operating system We have to have ways of allowing user to trust the experience that they're having without doing that kind of pop up of are you sure are you sure Are you really really sure right so and that's just on the consumption end But we need that capability of tying in telemetry and intelligence across The things we use to connect to our platforms the platforms then have to expose and allow people to standardize in the way in Which they can alert both the endpoints as well as the network components that need to then alert for example the applications that they need to That they are potentially under attack because today we have complete Abstraction like the network could be under attack. They absolutely never know about it and vice versa You got no consistent way of of defending those three approaches. Well, what is scary, right? But you know, we're living in the first generation of cyber warfare in our lifetime where a lot of stuff's going on Just for them on the countries. So the question is is that on a scale of one to ten ten being you know No problem zero is a total fail With security where are we as an industry? I mean, how bad is it? I mean really how bad are we with security right now in terms of compared to what in terms of a timeline and when Because this is a this is a problem, right? It's like you can either say it's same as it ever was or you have just an escalation given the availability of technology and social Media where we all want to go. So like Rome. I don't like about bromium is his ideas It's disruptive concept that takes them to count the preferred user experience, right? So that is mobile Yep, it's relatively invisible and security needs to be invisible until it's needed and The thing is is if you don't have you have something like that on your endpoint device, it will protect you But if you don't have it, it won't protect you. So you need to actually make sure it's on all your endpoints We don't have consistency that we don't have consistency at all I mean, it's bad same as it ever was means it was bad But how bad is it and and with the preferred user experience and not just user experience the enterprises themselves are Migrating to cloud mobile social all the trends that we're talking about so so this whole new experience message that the emmer's putting out It's legit marketing. I mean there are new experiences, right? And there are new apps and there are new threats So so it's a squeezing the balloon problem, right? I mean you could say if you just if you say the security is pretty much in stasis depending upon the influx and Of new disruption new technology we go from apps app focused and that works up focused to informations focused security it literally is the same as it ever was with You know the problem being my focus is now on protecting applications and information And when those attack vector shift because the industry swings there are people pay attention to it Then you go pay attention to the thing that other people aren't paying attention to and the let go the balloon and squeezes out The other end I mean we have new vectors new attack methodologies We're inundated but we also have opportunity because it's easy to talk about negativity But whether you like the term big data or not there are people doing amazing things with the With the lakes and mountains of data that we have of exported security telemetry to make decisions faster better and focused on the things That matter most so you know cloud virtualization automation all this stuff has a dark side But it also has a fantastic set of upside if people in the industry can harness the capabilities that are offered So okay, so we're able to harness that big data in all the analysis It does to actually provide somewhat of an early warning system Yep, because if we can get warned earlier about a breach if I can get warned within one minute But it's a lot better than like four months of evidence after it's happened After it's happened. I can at least stop it fast enough, right, but you're still all talking about detection So we are improving on our ability to detect but I think Virtualization allows you to for the time to recover We've also got better tools now then you know the past And how you would recur if you had a breach and just had physical systems, right? So I think there are benefits but What I find amazing even though we've had security around for so long and then it's a sort of industry of its own that we Continue to release technology that still needs to have security bolted on I mean that's the fundamental thing right like we don't take what we do seriously enough to say security should be fundamental Or it should just be there and we shouldn't need third-party products So it's hard to yeah And that is is that there needs to be as part of our Development cycle for software even today better security controls of the software and better testing of it so that we can when it goes out It's sitting better than it was before they look at the new arguments So the new old arguments which is oh, we should make software Manufacturers liable for breaches right that's an old argument But then you also have whole new markets opening up for cyber insurance for ways of saying well If you are breach because of this figure software, you know, you can mitigate that cost by buying insurance All of this rolls around the fact that for example detection is hard Prevention is even harder. So in many cases, you know the approach to how we do things leveraging technology We had 15 20 years ago might open the opportunity for things like deception, which is you know, you're going to get owned You can't prevent it you like to detect it But you like to detect it before you're breached and then do things that break automation and make the cost of the attack more expensive And that's where things like intrusion deception as opposed to intrusion prevention or detection come into play So you're able to leverage a lot of new technology and virtualization at many layers as well as Technology and capabilities that we're seeing out of big data to use security intelligence and analytics to make better decisions faster So that's why I said it's the same size bubble Right sometimes you blow it up and it gets bigger, but then you shrink it you squeeze one side it pops out the other I mean we we fundamentally haven't made huge Leaps forward, but you know, we have the opportunity to all right. That's good. That's a good thread So obviously big data analytics is obvious you've prevented you've predicted analytics to help do things Some of the deception things you're doing is with virtualization you do all kinds of cool things recovery protect I want to ask you guys to think outside the box and and and lend your perspective to what's possible That's not yet on the radar that could be a disrupter Like because we just talked to Todd Nielsen about Microsoft's missed decade. They miss search Microsoft stood for missed all of the key markets search tablet and phone and so so They just missed those new new entrance came in so what new thing could come out that could just change all this for the better any creative visions That is completely outside the box So, I mean if you look at just security again, right? There is a lot of work in separating personal data from the app, right? So that you can make the apps stateless so that you can if there's compromises there You can upgrade them patch them do everything you want and your data is always separate that concept if it's applied to all the apps across You know all the layers in in the data center, right all the technologies the ability to recover and secure those systems It's just much better everything's kind of stateless right because all your data is separated out and it's in a central place And then you kind of again it goes back to the data-centric security model Which is you secure the data you really don't care about everything else because it can't compromise the data to do security anything well data security where the policies and Sort of the security controls are flexible So we still live in a world where the security controls are from the day when everything was static and physical and We haven't Reached the mindset where we're saying that even the security can be flexible agile just in time to find That requires a whole new model because we have to trust that and we have to make sure that that's implemented correctly Otherwise your security control cannot be really relied on So it's a lot of that's awesome stuff. We got to get done I think you can simplify it by basically saying that look security needs to become programmatic It needs to be enforced in platforms both infrastructure and at the code layer You can eliminate, you know, stupid human coding tricks by not letting people make mistakes by enforcing it at the platform layer That that includes, you know, stlc functionality that includes the ability to make sure that we don't have the same Oh wasp top 10 for the next 600 years. We still have buffer overflows and sequel injection. How stupid is that? That's ridiculous right and so you can secure you can have the most best Awesome virtual anything from a security perspective and if developers continue to put crap in code You can get crap out of it, right? So what we ultimately need I think is if security becomes programmatic and you can make calls and instantiate policy via API and you can essentially make it part of the application Experience from the perspective of how a developer interacts with security. It's a win and we've gotten to the point now that we know How to write API's we know how to essentially use telemetry and signaling We know how applications can better and effectively more securely communicate with components inside and outside their own ecosystems The next decade is going to be spent applying the stuff We've had in the last 20 years that wasn't ready for prime time that the industry wasn't ready for the compute cycles weren't there the cost of compute was not there and leveraging all this awesome stuff to essentially make security More meaningful more impactful and more easy to use Hey, what's your take on that? Well, I think actually what's happening is is that while I can secure the environment and all these practices would come into play at some point in time When the attack happens, I have to be able to do good forensics on it regardless and the amount of data I get is huge So forensics is moving out into petabyte scale and that's very hard to do in any time frame big data problem What it's a huge big data problem and that is being solved now There's people doing research on it now how to solve big data problems for forensics Well, there's vendors actually who have for example or leveraging Hadoop backends to do analytics from output from any number of platforms security their physical security their ACH wire transfers and Financial service institutions all sorts of stuff to be able to consolidate I think I think I think it's a perfect storm things are coming together relative to the infrastructure where it's just a mindset shift one Get on with a new environment and modern era as we've been saying here on the cube all week and do something good So we have one final question left So what I'm going to do is ask each of you guys to comment on the following The genie in the bottle you rub the bottle genie comes out. You're granted three wishes to fix this security Not problem change it to the modern era Rub the bottle genie comes out and says you have three wishes. What are your three wishes? Oh It could be anything that company To get it to this perfect to the ideal state for innovation and some disruption I think standardization API's an approach Yes, telemetry and in our interoperability at that same level using those APIs such that you can have an ecosystem That truly does add value at specific layers where you where you do best and ultimately then a way of being able to give me visibility and Different panes of glass for areas of security that are important to me fractured over the different disciplines that we have It's a very tactical wish list frankly because the suffering over 20 years So I'd agree with the API. So I think the openness from all the applications to be allow other products to plug in or even just fetch data Or insert controls is important on the analytics and the detection I think there's a lot of technology But what I don't see is a mindset of sherry So I would it would be great if there was a social media kind of technologies available to even share the breach information Between companies right it's just automated You don't even have to have sort of manual processes to share that data because I think Even if you look at just energy as you have fluctuation in energy It'd be great to know that there is fluctuation so that if you're going to evacuate all your VMs elsewhere that couldn't that's going to cause sort of a Probably a potential target for that data center to become the attack point Right, so there's there's going to be new threats that come out as we start using some of these new technology So that would be the second is open sharing of the data as well. And then third I would say is just Maturity about how we are adopting all these technology and trying to include security along the way so that it's not left behind That's my first one is Including everybody in the the process of making these choices in the data center plans that we have in the future Have to include security at the beginning It's no it should no longer be a bolt-on It has to be there from the very beginning Even at the lay of the code or be during the initial design phases and feature solution changes The other one that I have is I actually want the security to be invisible. I shouldn't know it's there It should not get in my way of doing my job Just prevent me from doing the wrong thing, but don't be draconian about it. Be nice about it Nice wishes exactly. It's a nice wish That's all nice Security space. I was waiting to hear get rid of XYZ company, but that's a separate panel Okay, that is a security panel obviously a lot going on a modern era a shift And it's going to take a lot of critical mass to Get things that have been worked on for 20 years kind of level set in the new environments with guys. Thanks Chris Ed Hema. Thanks for coming on the cube. I appreciate this great expert advice We'll be right back with our next guest after this short break. Thank you very much