 Welcome to theCUBE Studios in Palo Alto, California for RSA conference keynote coverage and conference coverage. I'm John Furrier, host of theCUBE. We're breaking down the keynote of RSA day one kickoff. We hear Mark Nenek Hoven, who's the Distinguished Cloud Stretch at Lacework. Mark, former CUBE alumni and expert and security has been on many times before. Mark, great to see you. Thanks for coming on and helping me break down RSA conference 2021 virtual this year. Thanks for joining. Happy to be here. Thanks for having me, John. You know, one of the things Mark about these security conferences is that interesting. RSA was the last conference. We actually did interviews physically face to face and then the pandemic went down and it was a huge shutdown. So we're still virtual coming back to real life. So we're in their virtual this year. So kind of a turn of events, but that was kind of the theme this year in the keynote is changing the game on security. The script has been flipped connectivity everywhere, security from day one being reinvented. Some people holding on to the old way. Some people trying to get on the future wave. Clearly you got the laggards and you got the innovators all trying to kind of find their position. This has been obvious in this keynote. What's your take? Yeah, and that was exactly it. They used that situation of being that last physical security conference somewhat to their advantage to weave this theme of resiliency. And it's a message that we heard throughout the keynote. It's a message we're going to hear throughout the week. There's a number of talks that are tying back to this. And it really hits at the core of what security aims to do. And I think aims is really the right word for it because we're not quite there yet. But it's about making sure that our technology is flexible, that it expands and adapts to the situations because as we all know this year, basically upended everything we assumed about how our businesses were running, how our communities and society was running. And we've all had to adapt. And that's what we saw at the keynote today was they acknowledged that and then woven into the message to drive that home for security professionals. Yeah, and to me, one of the most notable backdrops to the entire thing was the fact that the RSA continues to operate from the sellout when Dell sold them for two billion dollars to a consortium private equity company, Symphony Technology Group. So there they're operating now on their own. They're out in the wild. As you said, cybersecurity threats are ever increasing. The surface area has changed with cloud native. Basically RSA is a 3,000 person startup basically now. So they got secure ID, the old token business. We all, if anyone's had had those IDs, know it's pretty solid. But now they got to kind of put this event back together. And Mobile World Congress is right around the corner. They're going to try to actually have a physical event. So you have this pandemic problem of trying to get the word out and it's weird. It's kind of, I found it, it's hard to get your hands around all the news. It is. And it's, you know, we're definitely missing that element. You know, we've seen that throughout the year of people have tried to adapt these events into a virtual format. We're missing those elements of those sort of happenstance run-ins. I know we've run into each other at a number of events just sort of in the hall. You get to catch up. But you know, as part of those interactions, they're not just social, but you also get a little more insight into the conference. Hey, you know, did you catch this great talk or are you going to go catch this thing later? And we're definitely missing that. And I don't think anyone's really nailed this virtual format yet. It's very difficult to wrap your head around. Like you said, I saw a tweet online from one InfoSec analyst today who pointed out, you know, there were 17 talks happening at the same time, which, you know, in a physical thing, you'd pick one and go to it in a virtual, there's that temptation to kind of click across the channels. So even if you know what's going on, it's hard to focus in these events. Yeah, one conference that's got a really good, I think virtual platform is DockerCon. They have 48 panels, a lot of great stuff there. So that's one I'm more watching closely. It's coming up on May 27, check that one out. Let's get into this. Let's get into the analysis. I really want to get your thoughts on this because, you know, I thought the keynote was very upbeat. Clearly the realities are presenting you. Chuck Robbins, the CEO of Cisco there, and you had a bunch of industry legends in there. So let's start with what you thought of Rohit's keynote and then we'll jump into what Chuck Robbins was saying. Sure, yeah. And I thought Rohit, you know, at first I questioned because he brought up and he said, I'm going to talk about tigers, airplanes and sewing machines. And, you know, as a speaker myself, I said, okay, this is either really going to work out well or it's not going to work out at all. Unfortunately, you know, Rohit is a professional, he's a great speaker, and it worked out. And so he tied these three examples. So it was Tiger King for Netflix at World War II, analyzing airplane damage, and a great organization in India that had pivoted from sewing into creating masks and other supplies for the pandemic. He wove those three examples through with resiliency and showed adaptation. And I thought it was really, really well done, first of all, but as a cloud guy, I was really excited as well that that first example was Netflix and he was referencing Chaos Monkey, which is a chaos engineering tool, which I don't think a lot of security people are exposed to. So we use it very often in cloud building where essentially this tool will purposely blow up things in your environment. So it will down services, it will cut your communications off because the idea is you need to figure out how to react to these things before they happen for real. And so getting keynote time for a tool like that, a very modern cloud tool, I thought was absolutely fantastic, even if that's not so well known or not a secret in the cloud world anymore, it's very commonly understood, but getting a security audience exposure to that was great. And so, you know, Roe hits a pro and it was a good kickoff. And yeah, very upbeat, a lot of high energy, which was great for virtual keynote because sometimes that's what's really missing is that energy. And we like Roe too, he's got charisma. He also has a hand in the pulse. I think the chaos monkey point you're making is a great call out because it's been around the DevOps community, but what that really shows, I think, and puts the exclamation point around this industry right now is that DevSecOps is here and it's never going away and cloud native and certainly the pandemic has shown that cloud scale, speed, data, and now distributed computing with the edge, 5G has been mentioned as you said, this is a real deal. This is DevOps. This is infrastructure as code and security is being reinvented in it. This is a killer theme and it's kind of a wake-up call. What's your reaction to that and what's your take? Yeah, it absolutely is a wake-up call and it actually blended really well into Roe hit second point, which was around using data. And I think, you know, having these messages put out to what is the security conference for the year always is really important because the rest of the business has moved forward and security teams have been a little hesitant there. We're a little behind the times compared to the rest of the business who are taking advantage of these cloud services, taking advantage of data being everywhere. So for security professionals to realize like, hey, there are tools that can make us better at our jobs and help us keep pace with the business is absolutely critical because like you said, as much as I always cringe when I hear the term DevSecOps, it's important because security needs to be there. The reason I cringe is because I think security should be built into everything but the challenge we have is that security teams are still, a lot of us are still stuck in the past to sort of put our arms around something and you know, if it's in that box, I'm good with it. And that just doesn't work in the cloud. We have better tools, we have better data and that was really Roe hit's key message was those tools and that data can help you be resilient can help your organization be resilient and whether that's the situation like a pandemic or a major cyber attack, you need to be flexible you need to be able to bounce back. You know, when we actually have infrastructure as code and no one ever talks about DevOps or DevSecOps, you know, it's over, it's in the right place. But I want to get your thoughts and see if you heard anything about automation because one of the things that you bring up about not liking the word DevSecOps is really around having this new team formation, how people are organizing their developers and their operations teams. And it really is becoming programmable and that's kind of the word, but automation scales it. So that's been a big theme this year. What are you hearing? What did you hear in the keynote? Any signs of reality around automation, machine learning? You mentioned data. Did they dig into automation? Automation was on the periphery. So a lot of what they're talking about only works with automation. So, you know, the Netflix shout out for Chaos Monkey absolutely is an automated tool. To take advantage of this data, you absolutely need to be automated. But the keynote mainly focused on sort of the connectivity and the differences in how we view an organization over the last year versus moving forward. And I think that was actually a bit of a miss because as you rightfully point out, John, you need automation. The thing that baffles me as a builder, as a security guy is that cyber criminals have been automated for years. That's how they scale. That's how they make their money, yet we still primarily defend manually. And I don't know if you've ever tried to beat, you know, the robots and everything or really complicated video game. We don't tend to win well when we're fighting automation. So security absolutely needs to step up. The good news is looking at the agenda for the week, taking in some talks today. While it was a bit of a miss in the keynote, there is a good theme of automation throughout some of the deeper dive sessions. So it is a topic that people are aware of and moving forward. But again, I always want to see us move faster. Was there a reason Chuck Robbins headlines or is that simply because they're a big, you know, 800 pound gorilla in the networking space? You know, why Cisco? Are they relevant in security? Is that signaling that networking is more important? I'll see 5G at the edge. But is Cisco the player? I know obviously Cisco has a massive business and they are a huge player in the security industry. But I think they're also representative of, you know, and this was definitely Chuck's message. They were representative of this idea that security needs to be built in at every layer. So even though, you know, I live primarily in the cloud technologies dealing with organizations that are built in the cloud, there is, you know, the reality of that we are all connected through a multitude of networks. And we've seen that with work from home, which is a huge theme this year at the conference and the improvements in mobility with 5G and other connectivity areas like Edge and Wi-Fi 6. So having a big network player and security player like Cisco in the keynote, I think is important just because their message was not just about inclusion and diversity for skills, which was a theme we saw repeated in the keynote, actually, but it was about building security and then from the start to the finish throughout. And I think that's a really important message. We can't just pick one place and say, this is where we're going to build security. It needs to be built throughout all of our systems. If you were a CISO listening today, what was your take on that? Were you impressed? Were you blown away? Did you fall out of your chair? Or was it just right down the middle? I mean, you might fall out of your chair just because you're sitting in it for so long, taking in the virtual event. And I mean, I know that's the big downside of virtual is that your step counter is way down compared to where it should be for these conferences. But there was nothing revolutionary in the opening parts of the keynote. It was just sort of beating the drum that has been talked about, has been simmering in the background from sort of the more progressive side of security. So if you've been focusing on primarily traditional techniques and the on-premise world, then perhaps this was a little, a bit of an eye-opener and something where you go, wow, there's something else out here and we can move things forward. For people who are more cloud native or more into that automation space, that data space, this is really just sort of a head nod and going, yep, I agree with this, this makes sense. This is where we all should be at this point. But as we know, there's a very long tail in security and in security organizations. So to have that message repeated from a large stage like the keynote, I think was very important. Well, we're going to be, the cube will be on site and virtual with our virtual platform for Amazon web services reinforced coming up in Houston. So that's going to be interesting to see. And you compare contrast like an AWS reinforce which is kind of there. I think they had the first conference two years ago. So it's kind of a new conference. And then you've got the old kind of RSA conference. The question I have for you, is it just a position of almost two conferences, right? You got the cloud native AWS which is really about shared responsibility, et cetera, et cetera, a lot more action happening there. And you got this conference here seem from the old school legacy players. So I want to get your thoughts on that. And I want to get your take on just the cryptographers panel because, as I'm not saying this is a state of the art that the old guys saying, get off my lawn, crypto. We're the crypto purists. They were trashing NFTs, which as you know, it's all the rage. So, and Ron Rivis who wrote, who co-created RSA public technology which is in everything these days. Is this a sign of just get off my lawn or is it a sign of the times trashing the NFTs? What's your take? Yeah, well, so let's tackle the NFTs then we'll do the contrast between the two conferences. But I thought the NFT, you know, Ron and Addy both had really interesting ways of explaining what an NFT was because that's most the discussion around the NFT is exactly what are we buying or what are we investing in? And so I think it was Addy who said, you know, it was basically you have a tulip then you could have a picture of a tulip and then you could have something explaining the picture of the tulip and that's what an NFT is. So I think, you know, but at the same time, he recognized the value potential for artists. So I think there was some definitely, you know, get off my lawn, but also sort of the cryptographer panel is always sort of very pragmatic, very evidence-based as shown today when they actually were talking about a paper by Schnorr who debates whether RSA or he has new math that he thinks can debunk RSA or at least break the algorithm. And so they had a very logical and intelligent discussion about that. But the cryptographers panel in contrast to the rest of the keynote, it's not about the hype, it's not about what's going on in the industry. It's really is truly a cryptographers panel talking about the math, talking about the fundamental underpinnings of our security things. As a big nerd, I'm a huge fan, but a lot of people watch that and just kind of go, okay, now's a great time to grab a snack, maybe move those legs a little bit, but if you're interested in the more technical, deeper dive side, it's definitely worth taking in. Yeah, super fascinating. And I think, you know, it's funny, they said it's not even a picture of a tulip, it's a pointer to a picture of a tulip, which is technically... That was it, yeah. It's interesting how, again, this is all fun. The NFTs are, I mean, you can't help, but get enamored by decentralization and that wave is coming. It's very interesting how you got a decentralization wave coming, yet a lot of people want to hang on to the centralized view. Okay, this is an architectural conflict. Is there a balance in your mind as a techie? We look at security, certainly as the perimeter's gone, that's not even debate anymore, but as we have much more of a distributed computing environment, is there a need for some centrality and or is it going to be all decentralized in your opinion? Yeah, and that's actually a really interesting question. It's a great setup to connect both these points of sort of the cryptographers panel and that contrast between newer conferences and RSA. Because the cryptographers panel brought up the fact that you can't have resilient systems unless you're going for a distributed systems, unless you're spreading things out because otherwise you're creating a central point of failure, even if it's at hyperscale, which is not resilient by definition. So that was a very interesting and very valid point. I think the reality is it's a combination of the two, is that we want resilient systems that are distributed, that scale up independently of other factors. So if you're sitting in the cloud, you're going multi-region or maybe even multi-cloud, you want this distributed area, just for that as Werner from AWS calls it, the reduced blast radius. So if something breaks, not everything does. But then the challenge from a security and from an operational point of view is you need that central visibility. And I think this is where automation, where machine learning and really viewing security as a data problem comes into play. If you have the systems distributed, but you can provide visibility centrally, which is something we can achieve with modern cloud technologies, you kind of hit that sweet spot. You've got resilient underpinnings in your systems, but you as a team can actually understand what's going on, because that was yet another point from Carmella and from Ross on the cryptographers panel when it comes to AI and machine learning. We're at the point where we don't really understand a lot of what's going on in the algorithm. We kind of understand the output and the input. So again, it tied back to that resiliency. So I think that key is distributed systems are great, but you need that central visibility and you only get there through viewing things as a data problem, a heavy automation and modern tooling. Great, great insight, Mark. Great, great call out there, great point tied in there. Let me ask you a question on your take on the keynote and the conference in general's first day gets going. Do you see this evolving from the classic enterprise kind of buyer, supplier relationship to much more of a CISO driven or CXO driven? I need to start building about my teams. I got to start hiring developers. Not so much an operation side. I mean, I'll see info seconds. These industries are not going away. People are still buying tools and stacking up the tool shed, but there's been a big trend towards platforms and shifting left from a developer CI CD pipeline standpoint, which speaks to scale on the cloud native side and that distributed side. So is this conference hitting that marker? You still think there are more hardware and service systems people? What's the, what's the makeup? I think we're definitely starting to see a shift. So a great example of that is the CSA, the cloud security alliance always runs a day one or day zero summit at RSA. And this year it was a CISO executive summit. And whereas in previous years, it's been practitioners. So that is a good sign. I think that's a positive sign to start to look at a long ignored area of security, which is how do we train the next generation of security professionals? We've always taken this traditional view and we've, you know, people go through the standard. You get your CISSP, you hold on to it forever. You know, you do your time on the firewall. You go through the standard thing, but I think we really need to adjust and look for people with that automation capability with development, with better business skills and definitely better communication skills because really as we integrate, as we leave our sort of protected little cave of security, we need to be better business people and better team players. Well, Mark, I really appreciate you coming on. You're a CUBE alumni and a trusted resource and verified trusted contributor. Thank you for coming on and sharing your thoughts on the RSA conference and breaking down the keynote analysis the RSA conference. Thanks for coming on. Thank you. Well, while we got you here, take a minute to plug what you're doing at Lacework, what you're excited about. What's going on over there. Sure, I appreciate that. So I just joined Lacework. I'm a weekend. So I'm drinking from the fire hose of knowledge and what I've found so far, fantastic platform, fantastic teams. It's got me revved up and excited again because we're approaching security from the data point of view. We're really, we're born in the cloud, built for the cloud, and we're trying to help teams really gather context. And the thing that appealed to me about that was that it's not just targeting the security team. It's targeting builders. It's targeting the business. It's giving them that visibility into what's going on so that they can make informed decisions. For me, that's really what security is all about. Well, I appreciate you coming on. Thanks so much for sharing. Thank you. Okay, CUBE coverage of RSA conference here with Lacework. I'm John Furrier. Thanks for watching.