 Live from San Francisco, it's theCUBE. Covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at RSA 2020, a really special segment. As you can tell, it's really quiet here. It's not like normal theCUBE action. We're here before the expo hall even opens on Thursday morning with a very special guest. We pulled them away from crazy busy week if not more. It's Rohit Guy, the president of RSA. Rohit, great to see you again. Always a pleasure. Thanks, Jeff. Absolutely. So I really was looking forward to this. I was really impressed by the opening keynotes. First to roll out George Takei. That's a pretty bold move. Even more built is to try to follow him up. Totally. Congratulations and that was pretty brave. Appreciate it. Thank you. That was quite a hurdle to follow George Takei. Right. And I just want to get kind of these other things that were kind of bubbling above the surface out of the way. You know, a big piece of news. I think a week it came out before the show is that RSA was sold to Symphony, I believe? Symphony Technology Group. Right. So give us a little bit of the story there. Absolutely. So, you know, we entered into a definitive agreement. Symphony Technology Group acquiring RSA from Dell Technologies. What this does is it basically clarifies the sum lines for Dell Technologies to focus on intrinsic security. And RSA can focus on managing digital and cyber risk. And, you know, we are excited about the opportunity to become agile and independent and kind of play in a smaller company setting to pursue our futures. So we're super excited to be part of Symphony. Yeah, that's great. And the other thing that's kind of appalled, I mean, just to put it out there, is the coronavirus thing. And, you know, Mobile World Congress, completely different show, but a big show. Probably the first big show of our industry this year was canceled. Yes. 100,000 plus people. So I just wonder if you can share, you know, kind of what was some of your thoughts and the team's thoughts. Cause this, we were all curious to see well, how is this going to happen? There was a couple of dropouts, but I think it's been a very good week. It has been a great week. You know, what I'll say is it was a demonstration of resilience and part of their attendees. You know, when we analyzed the situation, what we noted was about 82 plus percent of our attendees are from the Americas, right? So, you know, there was a core set of attendees that were perhaps not as impacted in terms of travel, et cetera. So we decided to move forward. We've been in close collaboration with the CDC and the mayor's office right here, Mayor London Breeds office right here in SF to make sure it's going to be a safe event for everyone. And, you know, the team put together a great kind of set of, you know, measures to make sure everyone has hand sanitizers. And then, you know, we made sure that we did what was needed to manage the risk. And ensure resilience through this sort of, you know, very global risk that is playing out. So very proud of the team. And we garnered 40,000 plus attendees despite, you know, despite the coronavirus issue. Well, you know, good job. I'm sure it was touch and go and a real sensitive situation. And I can tell you a lot of other people and event organizers, you know, we're getting ready to head into a very busy event season. It's what we do. And so, you know, a nice kind of lead indicator from you to execute with caution. I appreciate it. Thank you. So let's jump into the fun stuff. So your keynote was not really talking that much about bad guys and technology and this or that. You talked about storytelling and you got very much into kind of the human element, which is the theme this year. But really the role of stories, the importance of stories and most importantly for the security industry to take back their story and not let it get away from them. That's, you summed it up really well, Jeff. And you know, what I said is, hey, if the theme of the conference is the human element, let's explore what intrinsically makes us human. And the point, you know, you all know Harari's point that it is stories that make us human. And I feel we have lost control of the narrative as an industry and as such, we need to take that back and make sure we clarify the role of all the human characters in our story. Because until we do that, until we change our story, we have no shot at changing our reality. Right. But you're kind of in a weird spot, right? It's the classic spy dilemma. You can't necessarily tell people what you know because then they'll know that you know it and you might not be able to get more better information down the road. So, as you said in your keynote, you don't necessarily have the ability to celebrate your wins and a DDoS attack thwarted doesn't make the news. I keep thinking it's like a ref in a game or like an offensive lineman in football. You only hear about them that one play when they get the holding call. Not the 70 other players where they did their jobs. So it's a unique challenge. It is a challenge. It is not an easy problem. And there's a couple of recipes that I put out there for us to consider as an industry. Recipe one is we can celebrate our successes at a collective level, right? So just like we put our breach reports, et cetera, in terms of what the statistics are, where the breaches are animating from, we can talk about defensive strategies that are working at a collective level as an industry and share that sort of best practices, recipes to win, that would be a fine start. I think another area, another point that I made was that we don't have to win for the hacker to lose. 71% of the breaches were motivated by financial gains. And as such, if we, despite breaches, which is not a win for us, if we deny financial gain to the hackers, we make them lose. And they are subject to the same laws of economics. They have a profit and loss statement. They're spending resources for gain. And when we deny them gain, we make them lose. So those are a couple of ideas on how we can begin to change the narrative. Right. So the other piece of the human part is the rise of the bots, right? And the rise of AI. And the rise of these increasingly smart and sophisticated machines. I think I saw one of those threat reports that we talked about on air, was that people are an increasingly targeted group. We hear it all the time. We hear about social engineering. As that gets more complicated, how does the role of people change? Because clearly they can't monitor tens and tens and hundreds of thousands of concurrent attacks all the time. Absolutely. So the bad guys are using AI. I cited the example of a deep fake audio clip that actually duped the CEO into initiating a wire transfer. So they're using all these sophisticated attacks. So to your point, we cannot rely on the end user to discern through these very sophisticated, it's unfair for us to think of them as the first line of defense. We have to, on the IT side, we have to bring in technology, make the technology more usable. So you don't have to pay attention to this, you know, one millimeter by one millimeter lock at the end of, at the corner of the browser to realize whether a web interaction is safe or not. We need to make more usable software. We need to do a better job of managing and reducing vulnerabilities to reduce the attack surface. So IT has to step up in that regard. And then on the security teams, I think they have to step up to use AI to detect bot-initiated attacks. So we are not leaning on the human to discern what is an anomalous interaction and what could be a phishing or a smishing attack, et cetera. You know, we need to bring AI to fight the good fight on our behalf. Right. So the other kind of angle on that, I thought was really interesting, Wendy's keynote, a couple of keynotes after you're from Cisco. Yeah. Talked about, you know, a thing that we see over and over in tech, which is really kind of the democratization of security and get it out of just the hallowed halls of the super brilliant, you know, C-Socks and technologists that are just security and open it up to everybody. So make them part of the solution, not those pesky people that keep clicking on links that they're not supposed to. Absolutely. She did a great job of kind of making that point. And you know, the way I think about it is again, we need to move from a culture of elitism to a culture of inclusion, until we really get the, you know, get the steaming going, not just within the security professionals, which we are doing a better job of certainly in the industry, but we have to team with the user, the IT, and the business teams in order to have a shot at tipping the balance in our favor. Yeah, it's really funny, because that kind of democratization theme is something that we see kind of across many levels of technology, whether it's in big data and get away from the data scientists and doing your own reports and having access to your own marketing material and you know, it's kind of funny that now we're just hearing it here, I guess the last bastion of we're the smartest people in the room. No, no, you need to use all the brain power. All the brain power. I use the phrase, let's stop being stem snobs and let's be more inclusive and you know, garner the entire spectrum of the diverse talent pool that we have available. And you know, making the point, perhaps a provocative point, that the cyber talent gap, a bit of it might be actually self-inflicted because we have been in this sort of elitism mindset. Right, and I think one of the themes that you talked about in your keynote was because of kind of the elite mindset, we only want to focus on the elite challenges. And in fact, it's not the hardest challenges that are necessarily the most dangerous or the ones that are most frequently used. It doesn't have to be the craziest hardest way. Absolutely, it does not. Yeah, the point I made was preparing for the worst does not prepare you for the likely and the statistics are overwhelming. 60% of the breaches were on the back of six stolen credentials. That's a pretty table stakes, basic issue that ought to be just taken off the table. And if you take care of the basics, then we can focus on energy on the corner cases, but let's first prepare for the likely before we get to the worst situations. Right, so Rowan, I'm curious to get your take as you've been here for the last couple of days. You know, you did a whole lot of work getting into that keynote and getting this thing up and off the ground, but you've had a couple days to be here, walk around, talked to a lot of customers and clients, partners. Wonder if there's anything that's kind of come up as a theme that you either didn't expect or kind of reinforced some of the thoughts that you had coming into this week. Absolutely, I think if I were to net it out, Jeff, what I'm sensing is there is a whole movement to shift security left, which is this whole idea of IT stepping up as the first line of defense, reduce cyber exposure, take care of patching, multi-factor authentication, reduce the attack surface, intrinsic security, right? So, you know, dev ops, sec dev ops, take care of it right up front before the apps even get built, right? Then there is another movement to shift things right, which is take care of the new aspects of the attack surface. What the hackers always take advantage of are the areas where they sense we are unprepared. And for a long time, they've seen us being unprepared in terms of reducing the attack surface, and then they go after the new aspects of the attack surface. And what are those? IT, IOT, OT, data as an attack surface and the edge, right? So, these are areas where there's a lot of activity, a lot of innovation, you know, we're on the floor here, if you walk the corners, shifting left, shifting right, as in all the new aspects of the attack surface. I'm seeing a lot of conversations, a lot of innovation in that area. Yeah, well, there's certainly no shortage of innovation in the companies here, and in fact, I think it's probably one of the biggest challenges that I think of from a buyer's perspective is to walk this floor and to figure it all out, because I don't know how many thousands of vendors there are, but there's really big ones, and there's lots of little ones, like you say, tucked in the corner on kind of the cutting edge of the innovation. What advice do you give to people who it's their first time coming to RSA? Yes, I think it's a huge challenge for customers. There's 14 of every category. I think the customers, what they have to see is they have to think about the recipe rather than they have to focus not on the tool but the concept behind the tool and think about the architecture, right? And they should seek out vendors that take this platform approach. It is, you know, the market hasn't consolidated that much where they can just go to a few vendors, but when they build their architecture, they should choose vendors that behave well as a puzzle piece in the jigsaw puzzle that our customers are having to assemble together, right? That they're investing in the API integrations on the edges so they can slot in and be part of a broader solution. That's a key, key criteria that customers should utilize in their selection of the vendors. Yeah, that's good advice and they should be listening. So, Rohit, thanks again for your time. Congratulations on a week and I hope you get that weekend of absolutely nothing coming up in just a couple of days that you talked about on the keynote. I absolutely do. The joke I made was the only time I'm okay being labeled as useless in the weekend after RSA conference. So, I fully look forward to being useless over this weekend. It's been a great week and thank you again for having me on the show. All right, two more days, 48 hours. All right, thanks again. These are Rohit, I'm Jeff. You're watching theCUBE. We're at RSA 2020. The year we're going to know everything with the benefit of hindsight. We're not quite there yet, but we're trying to get a little closer. Thanks for watching. We'll see you next time.