 The Cube's live coverage is made possible by funding from Dell Technologies, creating technologies that drive human progress. Welcome back to Barcelona, everybody watching The Cube's coverage of MWC23. My name is Dave Vellante. Just left a meeting with the CEO of Cisco, Chuck Robbins, to meet with G2 Patel, who's our executive vice president and general manager of security and collaboration at Cisco. You never leave a meeting with Chuck Robbins to meet with G2 Patel. That's about it. I said, hey, I got an interview to do, right? So, and I'm excited about this. Thanks so much for coming on. Thank you for having me. It's a pleasure. I mean, you run such an important part of the business. I mean, obviously the collaboration business, but also security. So many changes going on in the security market. Maybe we could start there. I mean, there hasn't been a ton of security talk here at G2 because I think it's almost, you know, assumed. It was 45 minutes into the keynote yesterday before anybody even mentioned security. Oh, right. So, but it's the most important topic in the enterprise IT world. And obviously it's important here. So why is it you think that it's not the first topic that people mentioned? You know, it's a complicated subject area and it's intimidating. And actually that's one of the things that the industry screwed up on. Where we need to simplify security so it actually gets to be relatable for every person on the planet. But if you think about what's happening in security, it's not just important for business. It's critical infrastructure that if you had a breach, you know, lives are cost now because hospitals could go down, your water supply could go down, your electricity could go down. And so it's one of these things that we have to take pretty seriously. And it's 51% of all breaches happen because of negligence, not because of malicious intent. It's that low. Interesting. Someone else told me the same thing. You thought it'd be higher. I always say bad user behavior is going to trump good security every time. Every single time. You can't beat it. But you know, it's funny. Every single time. Earlier part of last decade, you could see that security was becoming a board level issue. It was on the agenda every quarter. And I remember doing some research at the time. And I asked, I was interviewing Robert Gates, former Defense Secretary. And I asked him, yeah, but you know, we're getting attacked, but don't we have the best offense? Can't we have the best technology? He said, yeah, but we have so much critical infrastructure, the risks to the United States are higher. So we have to be careful about how we use security as an offensive weapon. You know, and now you're seeing the future of war involves security and what's going on in Ukraine. It's a whole different ball game. It is, and the scales always tip towards the adversary, not towards the defender, because you have to be right every single time. They have to be right once. Yeah, and to the other point about bad user behavior, it's going now beyond the board level to it's everybody's responsibility. That's right. And everybody's sort of aware of it. Everybody's been hacked. And that's where it being such a complicated topic is problematic. It is, and it's actually what got us this far will not get us to where we need to get to if we don't simplify security radically. You know, the experience has to be almost invisible. And what used to be the case was sophistication had to get to a certain level for efficacy to go up. But now that sophistication has turned to complexity. And there's an inverse relationship between complexity and efficacy. So the simpler you make security, the more effective it gets. And so I'll give you an example. We have this great kind of innovation we've done around passwordless, right? Everyone hates passwords. You shouldn't have passwords in 2023. But when you get to passwordless security, not only do you reduce a whole lot of friction for the user, you actually make the system safer. And that's what you need to do is you have to make it simpler while making it more effective. And I think that's where the future is going to hold. Yeah, and CISOs tell me that they're, you know, zero trust before the pandemic was like, yeah, yeah, zero trust. And now it's like a mandate. Every CISO you talk to says, yes, we're implementing a zero trust architecture. And a big part of that is that if they can confirm zero trust, they can get to market a lot faster with revenue generating or, you know, critical projects. And many projects as we know are being pushed back, you know, because of the macro, but projects that drive revenue and value, they want to accelerate in a zero trust confirmation allows people to, you know, rubber stamp it and go faster. And the whole concept of zero trust is least privileged access, right? But what we want to make sure that we get to is continuous assessment of least privileged access, not just a one time at logger. This thing's changed. So for example, if you happen to be someone that's logged into the system and now you start doing some anomalous behavior that doesn't sound like Dave, we want to be able to intercept, not just do it at the time that you're authenticating Dave to come in. So you guys got a good business. I mentioned the macro before. The big theme is consolidating redundant vendors. So a company with a portfolio like Cisco's obviously has an advantage there. You know, you guys had great earnings. Palo Alto is another company that can consolidate. Tom Gillis, great pickup. You guys amazing, you know, great respect. Just sat in a little webinar session with him where he was peeking out with the analysts. So learned a lot there. Now you guys have some news at the event with Mercedes. Take us through that and I want to get your take on hybrid work and what's happening there. But what's going on with Mercedes? Yes, look, it all actually stems from the hybrid work story, which is the future is going to be hybrid. People are going to work in mixed mode. Sometimes you'll be in the office, sometimes at home, sometimes somewhere in the middle. One of the places that people are working more and more from is their cars. And connected cars are going to be a reality. And in fact, cars sometimes become an extension of your home office. And many a times I found myself in a parking lot because I didn't have enough time to get home and I was in a parking lot taking a conference call. And so we've made that section easier because we have now partnered with Mercedes and they aren't the first partner, but they're a very important partner where we are going to have WebEx available through the connected car natively in Mercedes. Ah, okay, so I could take a call. I can do it all the time. I find good service, pull over, got to take the meeting. I don't want to be driving, I got to concentrate. That's right. Or sometimes I'll have the picture on and it's not good. That's right. Okay, so it'll be through the console. It'll be through the console and many people ask me like how's safety going to work over there because you don't want to do video calls while you're driving. Exactly right. So when you're driving, the video automatically turns off and you'll have audio going on just like a conference call but the moment you stop and put it in park, you can have video turned on. Now, of course, the whole hybrid work trend, you know, seems like a long time ago, but it doesn't, you know, and it's really changed the security dynamic as well, didn't it? I mean, you know, immediately you had to go protect, you know, new end points. And those changes, I felt at the time were permanent and I think it's still the case, but there's an equilibrium now happening. People, as they come back to office here, number of companies are mandating back to work. Maybe the central offices or the headquarters were underfunded. So what's going on out there in terms of that balance? Well, firstly, there's no unanimous consensus in the way that the future is going to be except that it's going to be hybrid. And the reason I say that is some companies mandate two days a week, some companies mandate five days a week, some companies don't mandate at all, some companies are completely remote, but whatever way you go, you want to make sure that regardless of where you're working from, people can have an inclusive experience, you know, and when they have that experience, you want to be able to work from a managed device or an unmanaged device, from a corporate network or from a Starbucks, from on the road or stationary and whenever you do any of those things, we want to make sure that security is always handled and you don't have to worry about that. And so the way that we say it is the company that created the VPN, which is Cisco, is the one that's going to kill it because what we'll do is we'll make it simple enough so that you as a user never have to worry about what connection you're going to use to dial into what app. You will have one seamless way to dial into any application, public application, private application, or directly to the internet. I'm going to love hate with my VPN, it's protecting me, but you know, it's in the way a lot. It's going to be simple as ever. You have kids? I do have a 12 year old daughter. Okay, so not quite high school age yet. She will be shortly. No, but she's already, I'm not looking forward to high school days because she has a very, very strong sense of debate and she wins 90% of the arguments. So when my kids were that age, I got four kids, but the local high school banned Wikipedia. They can't use Wikipedia for research. Many colleges, I presume high schools as well, they're banning chat GPT, can't use it. Now at the same time, I saw recently on Medium, a Wharton school professor said he's mandating GPT, chat GPT to teach his students how to prompt in progressively more sophisticated prompts because the future is interacting with machines. You know, they say in five years we're all going to be interacting in some way, shape, or form with AI, maybe we already are. What's the intersection between AI and security? So a couple very, very consequential things. So firstly on chat GPT, the next generation skill is going to be to learn how to go out and have the right questions to ask, which is the prompt revolution that we see going on right now. But if you think about what's happening in security and there's a few areas which are, firstly, 3,500 vendors in the space, on average, most companies have 50 to 70 vendors in security, not a single vendor owns more than 10% of the market, you take out a couple of vendors, no one owns more than 5%, highly fractured market. That's a problem because it's untenable for companies to go out and manage 70 policy engines and going out and making sure that there's no contention. So as you move forward, one of the things that chat GPT will be really good for is it's fundamentally going to change user experiences for how software gets built. Because rather than it being point and click, it's going to be, I'm going to provide an instruction and it's going to tell me what to do in natural language. Imagine Dave, when you joined a company, if someone said, hey, give Dave all the permissions that he needs as a direct report to Chuck. And instantly you would get all of the permissions and it would actually show up in a screen that says, do you approve? And if you hit approve, you're done. The interfaces of the future will get more natural, will get more natural language kind of dominated. The other area that you'll see is the sophistication of attacks and the surface area of attacks is increasing quite exponentially. And we no longer can handle this with human scale. You have to handle it in machine scale. So detecting breaches, making sure that you can effectively and quickly respond in real time to the breaches and remediate those breaches is all going to happen through AI and machine learning. So I agree, I mean, just like Amazon turned the data center into an API, I think we're now going to be interfacing with technology through human language. I mean, I think it's a really interesting point you're making. Now, from a security standpoint as well, I mean, the state of the art today in my email is be careful, this person's outside your organization. I'm like, yeah, I know. So it's a good warning sign, but it's really not automated in any way. So two part question, one is can AI help with the phishing? Obviously it can, but the bad guys have AI too and they're probably going to be smarter than I am about using it. Yeah, by the way, Talos is our kind of thread detection and response kind of engine. And they had a great kind of piece that came out recently where they talked about this where there is going to be more sophistication of the folks that are the bad actors, the adversaries in using chat GPT to have more sophisticated phishing attacks. But today it's not something that is fundamentally something that we can't handle just yet. You still need to do the basic hygiene that's more important. Over time, what you will see is attacks will get more bespoke and in order they'll get more sophisticated and you will need to have better mechanisms to know that this was actually not a human being writing that to you, but it was actually a machine pretending to be a human being writing something to you and that you'll have to be more clever about it. Oh, interesting. And so you will see attacks get more bespoke and we'll have to get smarter and smarter about it. The other thing I wanted to ask you before we close is you're right on. I mean you take the top security vendors and they got a single digit market share and it's like it's untenable for organizations just far too many tools. We have a partner at ETR, they do quarterly survey research and one of the things they do is survey emerging technology companies and when we look at in the security sector, just the number of emerging technology companies that are focused on cybersecurity is as many as they're out there already. And so there's got to be consolidation. Maybe that's through M&A. I mean what do you think happens? Are companies going to go out of business? There's going to be a lot of M&A. You've seen a lot of companies go private. You know the big PE companies are sucking up all these security companies and maybe ready to spin them out and go back public. How do you see the landscape? You guys are obviously a acquisitive company. What do you thought about it? I think there'll be a little bit of everything but the biggest change that you'll see is a shift that's going to happen with an integrated platform rather than point solution vendors. So what's going to happen is the market's going to consolidate towards very few, less than a half a dozen integrated platforms. We believe Cisco is going to be one. Microsoft will be one. There'll be others over there. But this platform will essentially be able to provide a unified kind of policy engine across a multitude of different services to protect multiple different entities within the organization. And what we've found is that platform will also be something that'll provide through APIs the ability for third parties to be able to get their technology incorporated in and their telemetry ingested. So we certainly intend to do that. We don't believe, we're not arrogant enough to think that every single new innovation will be built by us. When there's someone else who has built that, we want to make sure that we can ingest that telemetry as well because the real enemy is not the competitor. The real enemy is the adversary and we all have to get together so that we can keep humanity safe. Do you think there's been enough collaboration in the industry? Not nearly enough. We've seen companies, security companies try to monetize private data before instead of maybe sharing it with competitors. And so I think the industry can do better there. I think the industry can do better. And we have this concept called the security poverty line. And the security poverty line is the companies that fall below the security poverty line don't have either the influence or the resources or the know-how to keep themselves safe. And when they go unsafe, everyone else that communicates with them also gets an exposure. So it is in our collective interest for all of us to make sure that we come together. And even if Palo Alto might be a competitor of ours, we want to make sure that we invite them to say, let's make sure that we can actually exchange telemetry between our companies. And we'll continue to do that with as many companies that are out there because that's better for the market, that's better for the world. The enemy of the enemy is my friend, the kind of thing. Now, as it relates to, because you're right, I mean, I see companies coming out. Oh, we do IoT security. I'm like, okay, but what about cloud security? Do you do that too? Oh no, that's somebody else. So that's another stovepipe. That's a huge, huge advantage of coming with someone like Cisco because we actually have the entire spectrum and the broadest portfolio in the industry of anyone else, from the user to the device to the network, to the applications, we provide the entire end-to-end story for security, which then has the least amount of cracks that you can actually go out and penetrate through. The biggest challenges that happen in securities, you've got way too many policy engines, with way too much contention between the policies from these different systems, and eventually there's a collision course. Whereas with us, you've actually got a broad portfolio that operates as one platform. We were talking about the cloud guys earlier. You mentioned Microsoft, they're obviously a big competitor in the security space. They're also a great partner. So that's why, to my opinion, the cloud has been awesome. It's like a first line of defense, if you will, but the shared responsibility model is different for each cloud, right? So do you feel that those guys are working together or will work together to actually improve? Because I don't see that yet. Yeah, so if you think about, this is where we feel like we have a structural advantage in this, because what does a company like Cisco become in the future? I think as the world goes multi-cloud and hybrid cloud, what'll end up happening is there needs to be, today all the CSPs provide everything from storage to compute to network to security in their own stack. If we can abstract networking and security above them so that we can acquire and steer any and all traffic with our service providers and steer it to any of those CSPs and make sure that the security policy transcends those clouds, you would actually be able to have the public cloud economics without the public cloud lock-in. That's what we call super cloud G2. It's securing the super cloud. Hey, thanks so much for coming. Thank you for having me. I really appreciate you coming to our editorial program. Such a pleasure. All right, great to see you again. Cheers. All right, keep it right there. Dave Vellante with David Nicholson and Lisa Martin will be back right after this short break from MWC23 live in the Fiat in Barcelona.