 From around the globe, it's theCUBE, presenting Accelerating Automation with DevNet, brought to you by Cisco. We're back, this is Dave Vellante and TK Keonini is here. He's a distinguished engineer at Cisco. TK, my friend, good to see you again. How are you? Good, I mean, you and I were in Barcelona in January. And you know, we saw this thing coming, but we didn't see it coming this way, did we? No, no one did. But yeah, that was right before everything happened. Well, it was weird, right? I mean, we were, you know, it was in the back of our minds in January. We said, Barcelona hasn't really been hit yet. It looked like it was really isolated in China, but wow, what a change. And I guess I'd start with the, we're seeing really a secular change in your space and security, identity access management, cloud security, endpoint security. I mean, all of a sudden these things have exploded as the work from home pivot has occurred. And it feels like these changes are permanent or semi-permanent. What are you seeing out there? Yeah, I don't think anybody thinks the world's going to go back the way it was. To some degree, it's changed forever. You know, I do a lot of my work remotely. And so, you know, being a remote worker isn't such a big deal for me, but for some it was a huge impact. And like I said, you know, remote work, remote education, you know, everybody's on the opposite side of a computer. And so the digital infrastructure has just become a lot more important to protect and the integrity of it essentially is almost our own integrity these days. Yeah, and when you see that, you know, that work from home pivot, I mean, you know, our estimates are along with our partner at ETR, about 16% of the workforce was at home, working from home prior to COVID. And now it's, you know, north of 70% plus. And that's going to come down maybe a little bit over the next six months. We'll see what happens with the fall surge. But people essentially expect that to, you know, at least double that 16%, you know, going forward indefinitely. So what is that, what kind of pressure does that put on the security infrastructure and how organizations are approaching security? Yeah, I just think from a mindset standpoint, you know, what was optional maybe last year is no longer optional. And I don't think it's going to go back. I think a lot of people have changed the way, you know, they live and the way they work. And they're doing it in ways, hopefully that in some cases yield more productivity. Again, you know, usually with technology that's severely effective, it doesn't pick sides. So the security slant to it is, it frankly works just as well for the bad guys. And so that's the balance we need to keep, which is we need to, you know, be extra diligent on how we go about securing infrastructure, how we go about securing even our social channels. Because remember, all our social channels now are digital. So that's become the new norm. You know, you've helped me understand over the years. I remember a line you shared with me in the Cube one time is that the adversary is highly capable as sort of the phrase that you used it. And essentially the way you describe it is, you know, your job as a security practitioner is to decrease the bad guys return on investment, you know, increase their cost, increase the numerator. But as work shifts from home, I'm in my house, you know, my Wi-Fi and my, you know, router with my, you know, dog's name is the password. You know, it's much, much harder for me to increase that denominator at home. So how can you help? Yeah, I mean, it is truly, when you think, when you get into the mind of the adversary and, you know, the cyber crime out there, they're honestly just like any other business, they're trying to, you know, operate with high margin. And so if you can get there, if you can get in there and erode their margin, they'll frankly go find something else to do. And again, you know, you know, the shift we experience day to day is, you know, it's not just our kids are online in school and our work is online, but all the groceries we order, you know, this Thanksgiving and holiday season, a lot more online shopping is going to take place. So, you know, everything's gone digital. And so the question is, you know, how do we up our game there so that we can go about our business effectively and make it very expensive for the adversary to operate and take care of their business because it's nasty stuff. I want to ask you about automation, you know, generally, and then specifically how it applies to security. So we, I mean, we certainly saw the ascendancy of the hyperscalers and of course, they really attacked the IT labor problem. We learned a lot from that and IT organizations have applied much of that thinking. And it's critical at scale. I mean, you just can't scale humans at the pace that technology scales today. How does that apply to security? And specifically, how is automation affecting security? Yeah, it's the topic these days. You know, businesses, I think, realize that they can't continue to grow at human scale. And so the reason why automation and things like AI and machine learning have a lot of value is because everyone's trying to expand and operate at machine scale. Now, I mean that for businesses. I mean that for, you know, education and everything else. Now, so are the adversaries, right? So it's expensive for them to operate at human scale and they are going to machine scale. Going to machine scale, a necessity is that you're going to have to harness some level of automation. Have the machines work on your behalf. Have the machines carry your intent. And when you do that, you can do it safely or you could do it dangerously. And that's really kind of your choice. Just because you can automate something doesn't mean you should. You want to make sure that, frankly, the adversary can't get in there and use that automation on their behalf. So it's a tricky thing because, you know, when you take the phrase, you know, how do we automate security? Well, you actually have to take care of securing the automation first. Yeah, we talked about this in Barcelona where you were explaining that, you know, the bad guys, the adversaries are essentially, you know, weaponizing using your own tooling which makes them appear safe because they're hiding in plain sight. Right, that's scary. Well, they're clever given that, you know, there's this phrase that they always talk about called living off the land. There's no sense in them coming into your network and bringing their tools and being detected. You know, if they can use the tools that's already there, then they have a higher degree of evading your protection. If they can pose as Alice or Bob who's already been credentialed and move around your network, then they're moving around the network as Alice or Bob. They're not, you know, marked as the adversary. So again, you know, having the detection methods available to find their behavioral anomalies and things like that become paramount but in also, you know, having the automation to contain them, to eradicate them, to, you know, minimize their effectiveness without, I mean, ideally without human interaction because you just can, you move faster, you move quicker. And I see that with an asterisk because if done wrong, frankly, you're just making their job more effective. I wonder if we could talk about the market a little bit. I mean, the security space, cybersecurity is 80 plus billion which by the way, it's just a little infinitesimal component of our GDP. So we're not spending nearly enough to protect that massive GDP. But guys, I wonder if you could bring up the chart because when you talk to CISOs and you ask them what's your biggest challenge? They'll say, lack of talent. And so what this chart shows, this is from ETR, our survey partner. And on the vertical axis is net score. And that's an indication of spending momentum on the horizontal axis is market share which is a measure of presence, pervasiveness if you will, inside the data sets. And so there's a couple of key points here. I wanted to put forth to our audience and then get your reaction. So you can see Cisco highlighted in red. Cisco's business and security is very, very strong. We see it every quarter. It's a growth area that Chuck Robbins talks about on the conference call. And so you can see on the horizontal axis you've got, you know, big presence in the data set. I mean, Microsoft is out there, but they're everywhere. But you're right there in that data set. And then you've got for such a large presence you've got a lot of momentum in the marketplace. So that's very impressive. But the other point here is you've got this huge buffet of options. There's just a zillion vendors here and that just adds to the complexity. This is of course only a subset of what's in the security space, you know, the people who answered for this survey. So my question is how can Cisco help simplify this picture? Is it automation? Is it, you know, you guys have done some really interesting tuck in acquisitions and you're bringing that integration together. Can you talk about that a little bit? Yeah, I mean, that's an impressive chart. I mean, when you look to the left there, it's, I had a customer, you know, tell me once that, you know, I came to this trade show looking for transportation and these people are trying to sell me car parts. That's the frustration customers have, you know. And I think what Cisco has done really well is to really focus on outcomes. What is the customer outcome? Cause ultimately that's, that is what the customer wants. You know, there might be a few steps to get to that outcome but the closest you can get to delivering outcomes for the customer, the better you are. And I think security in general has just year over year been just ridden with you need to be an expert. You need to buy all these parts and put it together yourself. And I think those days are behind us, but particularly as security becomes more pervasive and we're, you know, we're selling to the business. We're not selling to the, you know, t-shirt wearing hacker anymore. Yeah, so well, how does cloud fit in here? Because I think there's a lot of misconceptions about cloud people. Yeah, I put my date in the cloud, I'm safe, but you know, of course we know it's a shared responsibility model. So I'm interested in your thoughts on that. Is it really, is it a sense of complacency? A lot of the cloud vendors by the way say, no, the state of security is great in the cloud. Whereas many of us out there saying, wow, it's not so great. So what are your thoughts on that whole narrative and what's Cisco's play in cloud? I think cloud, when you look at the services that are delivered via the cloud, you see that exact pattern, which is you see customers paying for the outcome or as close to the outcome as possible. You know, no data center required, no disk drive required, you just get storage. You know, it's all of those things that are again closer to the outcome. I think the thing that interests me about cloud too is it's really punctuated the way we go about building systems. Again, at machine scale. So, you know, before when I write code and I think about, oh, what computer is it going to run on? Or, you know, what servers are you going to, is it going to run on? Those thoughts never crossed my mind anymore. You know, I'm modeling the intent of what the service should do and the machines then figure it out. So, you know, for instance, on Tuesday, if the entire internet shows up, the system, you know, works without fail. And on Wednesday, if only North America shows up, you know, so what? But there's no way you could staff that, right? There's just no human scale approach that gets you there. And that's the beauty of all of this cloud stuff is it really is the next level of how we do computer science. So you're talking about infrastructure as code and that applies to, you know, security as code. That's what, you know, DevNet is really all about. I've said many times, I think Cisco of the large established enterprise companies is one of the few, if not the only, that really has figured out, you know, that developer angle because it's practical to do. You're not trying to force your way into developers, but you know, I wonder if you could, you could talk a little bit about that trend and where you see it going. Yeah, no, that is truly the trend. Every time I walk into DevNet, the big halls at Cisco Live, it is Cisco as code. Everything about Cisco is being presented through an API. It is automation ready. And frankly, that is the love language of the cloud. It's machines, it's the machines talking to machines in very effective ways. So, you know, it is the, I think necessary, maybe not sufficient, but necessary for, you know, doing all the machine scale stuff. What's also necessary is to secure, if infrastructure is code, therefore what secure, what security methodologies do we have today that we use to secure code? Well, we have automated testing. We have threat modeling, right? Those things actually have to be now applied to infrastructure. So, when I talk about how do you do automation securely, you do it the same way you secure your code. You test it, you threat model, you say, you know, can my adversary exhibit something here that drives the automation in a way that I didn't intend it to go? So all of those practices apply. It's just everything has code these days. TK, I've often said that security and privacy are sort of two sides of the same coin. And I want to ask you a question. It's really, you know, to me, it's not necessarily Cisco and companies like Cisco's responsibility, but I wonder if there's a way in which you can help. And of course, this Netflix documentary circling around the social dilemma. I don't know if you have a chance to see it, but yeah, basically dramatizes the way in which companies are appropriating our data to sell us ads and creating our own little set of facts, et cetera. And that comes down to sort of how we think about privacy. And I mean, it's good from the standpoint of awareness. You know, you may or may not care if you're a social media user. I love TikTok, I don't care. But they sort of laid out this pretty scary scenario with a lot of the inventors of those technologies. You have any thoughts on that? And can Cisco play a role there in terms of protecting our privacy? I mean, beyond GDPR and California Consumer Privacy Act, what do you think? Yeah, I'll give you my humble opinion is you fix social problems with social tools. You fix technology problems with technology tools. I think there is a social problem that needs to be rectified. We weren't built as human beings to live and interact with an environment that agrees with us all the time. It's just pretty wrong. So yeah, that series did really kind of wake up a lot of people. It's probably every day I hear somebody ask me if I saw it. But I do think it also, with that level of awareness, I think we overcome it or we compensate by what number one, just being aware that it's happening. Number two, how you go about solving it, I think maybe come down to an individual or even a community's solution. And what might be right for one community might be not the same for the other. So you have to be respectful in that manner. Yeah, so it's almost, I think if I could play back what I heard is, yeah, technology maybe got us into this problem, but technology alone is not going to get us out of the problem. It's not like some magic AI bot is going to solve this. It's got to be, society has to really, really take this on as your premise. It's a good one. When I first started playing online games, I'm going back to the text-based adventure stuff like Muds and Moos. I did a talk at MIT one time and this old curmudgeon in the back of the room, we were talking about democracy and we were talking about the social processes that we had modeled in our game and this and that. And this guy just gave us the smackdown. He basically walked up to the front of the room and said, you know all you techies, you judge efficiency by how long it takes. He says democracy is completely the opposite, which is you need to sleep on it. In fact, you should be scared if somebody can decide in a minute what is good for the community. Two weeks later, they probably have a better idea of what's good for the community. So it almost has the opposite dynamic and that was super interesting to me. That's really interesting. You read the Lincoln historians and he was criticized in the day for having taken so long to make certain decisions but ultimately when he acted with confidence so to that point. But so what else you're working on these days that is interesting that maybe you want to share with our audience? Anything that's really super exciting for you or you? Yeah, you know, generally speaking, trying to make it a little harder for the bad guys to operate. I guess that's a general theme, making it simpler for the common person to use tools. Not tools. Again, all of these security tools, no matter how fancy it is, it's not that we're losing the complexity, it's that we're moving the complexity away from the user so that they can thrive at human scale and we can do things at machine scale. And kind of working those two together is sort of the magic recipe. It's not easy but it is fun. So that's what keeps me engaged. I'm definitely seeing, I wonder if you see it, just sort of obviously a heightened organizational awareness but I'm also seeing shifts in the organizational structures. You know, it used to be a sec ops team in an island. Okay, it's your problem. You know, the CISO cannot report into the CIO because that's like the Fox in the hen house. A lot of those structures are changing it seems and becoming this responsibility becoming much more ubiquitous across the organization. What are you seeing there? And what are you? Yeah, no, and it's so familiar to me because, you know, I started out as a musician. So, you know, bands are a great analogy. You know, you play bass, I bet guitar, you know, somebody else plays drums, everybody knows their role and you create something that's larger than, you know, the sum of all parts. And so that analogy I think is coming to, you know, we saw it sort of with dev ops where, you know, the developer doesn't just throw their code over the wall and it's somebody else's problem, they move together as a band. And that's what I think organizations are seeing is that, you know, why stop there? Why not include marketing? Why not include sales? Why don't we move together as a business, not just here's the product and here's the rest of the business? And so that's pretty awesome. I think we see a lot of those patterns, particularly for the high performance businesses. You know, in fact, it's interesting, for great analogy, by the way, and you actually see in that within Cisco, you're seeing sort of a, and I know sometimes you guys, you know, don't like to talk about the plumbing, but I think it matters. I mean, you got a leadership structure now, I've talked to many of them, they seem to really be more focused on how they're connecting, you know, across organizations and it's increasingly critical in this world of, you know, of silo busters, isn't it? Yeah, no, and you almost, as you move further and further away, you know, you can see how ridiculous it was before. It would be like acquiring a band and say, okay, all you guitar players go over here, all you bass players go over there, like what happened to the band? Like that's what I'm talking about is, you know, moving all of those disciplines, moving together and servicing the same backlog and achieving the same successes together is just so awesome. Well, I always feel better after talking to you, you know, I remember Art Koviello used to put out his letter every year and I was reading, I'd get depressed, you know, we spend all this money now, we're less secure, when I talk to you, TK, I feel like much more optimistic, so I really appreciate the time you spend on theCUBE, it's awesome to have you as a guest. Right, I love these sessions, so thanks for inviting me. And I miss you, you know, hopefully, you know, next year we can get together at some of the Cisco shows or other shows, but be well and stay weird like the sign says. Yeah, okay, doing my part. All right, TK Kinini, thanks so much for coming to theCUBE, we really appreciate it and thank you for watching everybody, this is Dave Vellante, we'll be right back with our next guest right after this short break.