 from Las Vegas. It's theCUBE, covering QALIS Security Conference 2019. Welcome to you by QALIS. Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at the Bellagio in Las Vegas. It's actually raining outside, which is pretty odd, but I'm sure the desert is happy. We're here at the QALIS Security Conference. It's been going on for 19 years. It's our first time here. We're excited to be here, but we've got a really familiar guest on. She's been on a number of times at Nutanix Next Conferences and Girls Who Code Conferences, et cetera. So we're happy to have back Wendy Pfeiffer. She's the CIO of Nutanix, and as of August early this year, a board member for QALIS. So, Wendy, great to see you. Nice to see you again, too. So it's raining outside. I'll have to get out. I know, it's pretty cool. Actually, it's cool coming in on the plane, but let's jump into a little bit from your CIO role. We're talking a lot about security and the age-old thing came up in the keynote. There's companies that have been hacked, and then there's companies that have been hacked and don't know it yet. But we're introducing a third type of the company here as one of the themes, which is that you actually can prevent, not necessarily getting hacked, but kind of the damage and destruction and the duration once people get in. I'm just curious from your CIO hat, how do you look at this problem that the space is evolving so quickly? How do you kind of organize your thoughts around it? Yeah, for me, first of all, it starts with good architecture. So whether it's our own products running or third-party products running, we need to ensure that those products are architected for resilience. And that third kind of company, the resilient company, is one that has built an architecture and a set of tools and services that are focused on knowing that we will be hacked, but how can we minimize or even eliminate the damage from those hacks? And in this case, having the ability to detect those hacks when they're incoming and to stop them autonomously is the key to QALIS's play and the key to what I do as CIO at Nutanix. Right. So one of the other things that keeps coming up here is kind of the budget allocation to security within the CIO budget. And I think Mr. Clark said that, if you're doing 3% or less, you're losing and you got to be spending at least 8%. But I'm curious, because to me it's kind of like an insurance story. How much do you spend? How much do you allocate? Because potentially the downside is ginormous, but you can't spend 100% of your budget just on security. So how do you think about kind of allocating budget as a percentage of spend versus the risk? Well, I love that question. That's part of the art of being a CIO, a CISO. First of all, we have a mixed portfolio of opportunities to spend, to hold, to divest at any one time, and IT portfolio management has been around for 30 years, 40 years, almost as long as some of the people that I know. However, we always have that choice, right? We're aware of risk, and then we have the ability to spend. Now, of course, perfect security is to not operate at all, but that's swinging too far the wrong way. And then we also have that ability, maybe to not protect against anything and just take out a big old cybersecurity policy. And whereas that policy might help us with lawsuits, it wouldn't necessarily help us with ongoing operations. And so it's somewhere in the middle. And I liked some of the statistics that they shared today. One of the big ones for me was that companies that tend to build resilient worlds of cybersecurity tend to spend about 10% of their total IT operating budgets on cybersecurity. That makes sense to me, and it reflects my track record at Nutanix and elsewhere, roughly in that amount of spending. Now, checking the box and saying, well, we're spending 10% on cybersecurity, doesn't really buy us that much. And also we have to think about how we're defining that spend on cybersecurity. Part of that spend is in building resilient architectures and building resilient code. And that's sort of a dual purpose spend because that also makes for performant code. It makes for scalable, supportable code, et cetera. So we can do well by doing good in this case. So again, just to stay on that beam for a minute, so when you walk the floor at RSA and there's 50,000 people and I don't even know how many vendors, and I imagine even your IT portfolio to now around security is probably tens of products, if not hundreds, and certainly tens of vendors. Again, how do you kind of approach it? Do you have trusted advisors around certain point solutions? Are you leveraging system integrators or other types of specialists to help you kind of sort through and get some clarity around this just kind of mess? Well, all of us actually are looking for that magic discernment algorithm. Wouldn't that be great? Haven't found it yet. You can just walk up to a vendor and apply the algorithm and aha, there is one who's fantastic. We don't have that. And so we've got a lot of layers of ingest. I try to leave room in my portfolio for stealth and emerging technologies because generally the more modern the technology is, the more it's keeping pace with the hackers out there and the bad guys out there. We do have sort of that middle layer that's around the ability for us to operate at scale because we also have to operate these technologies. The most cutting edge technology sometimes lacks some of the abilities for us to ingest them into our operations. And then there's sort of the tried and true bedrock that hopefully is built into products that we consume everything from public cloud services to hardware and so on. And so there's this range of choices. What we have to do ultimately is we use that lens of operations and operational capability. And first of all, we also ensure that anything we ingest meets our design standards. And our design standards include some things that I think are fascinating. I won't go into too much detail because I know how much you love this detail. But things like, are the APIs open? What does integration look like? What's the interaction design look like? And so those things matter, right? Ultimately, we have to be able to consume the data from those things and then they have to work with our automation, our machine learning tools. Today at Nutanix, for example, I'm happy to say we catch most if not all of any of the threats against us and we deal with well over 95% of them autonomously. And so we're a living example of that resilient organization that is, of course, being attacked, but at the same time, hopefully responding in a resilient way. We're not perfect, knock on wood, but we're actively engaged. So shifting gears a little bit now to your board hat, which again, congratulations. So I'm curious, your perspective on breaking through the clutter from the board seat. A company's been doing this for 19 years, still a relatively small company, but Philippe talked a lot about company, or excuse me, industry security initiatives that have to go through. What are some of the challenges and opportunities you see sitting at the board seat instead of down in the nitty gritty, down in the CIO? Well, first of all, QALUS is financially a well-run, responsible organization. One of Philippe and the leadership team's goals has always been to operate profitably and to have that hedge. And so what that means is that as consumers, we can count on the longevity of the organization and the company's ability to execute on its roadmap. It's the roadmap that I think is particularly attractive about QALUS. I am who I am, I'm an operator, I'm a technologist. Although I'm a board member and I care about all dimensions of the company, the most attractive component is that this roadmap and those 19 years of execution are now coming to fruition at exactly the right time for those of us who need these tools and these technologies to operate. This is a different kind of platform and it's instrumented with machine learning, with AI, at a time when the attackers and the attacks are instrumented that way as well. As you mentioned, we have a lot of noise in the market today and these point solutions, they're going to be around for a while, right? We operate a messy and complex and wonderful ecosystem, but at the same time, the more that we can streamline, simplify and sort of raise that bar and the more we can depend on the collected data from all of these point tools to instrument our automated responses, the better off we'll be. And so this is a platform whose time has come and as we see all of the roadmap items sort of coming to fruition, it's really, really exciting. And it's, just speaking for a moment as someone who's been a leader in various technology companies and the security and technology space for some time, one of the most disappointing things about many technology startups is that they don't build in that business strength to have enough longevity and have enough of a hedge to execute on that brilliant vision. And so many brilliant ideas have just not seen the light of day because of a failure to execute. In this case, we have a company with a track record of execution that's monetized the build out of the platform and now also these game changing technologies are coming to fruition. It's really, really exciting to be a part of it. So Wendy, you've mentioned AI and machine learning probably, I don't know if you can check the transcript a number of times in this interview. So it's really interesting, there's always a lot of chatter in the marketplace but you talked about so many threats come in and we heard about in the keynote. It's not really for somebody sitting in front of a screen anymore to pay attention to this stuff. So when you look at the opportunity of machine learning and artificial intelligence how that's going to change the role of the CIO and specifically within security, I wonder if you can share your thoughts on what that opens up. Absolutely, so there's kind of two streams here I'd love to talk about. The first is that we've had this concern as we've moved to public cloud and IT that IT people would be left behind. But in fact, after sort of a little DevOps blip where non IT people were writing code that was then consumed by enterprises we're now seeing the growth of IT again and what this relates to is this, in the past when we wanted to deploy something in public cloud, we had to be able to compose and express infrastructure as code. And folks who are great at infrastructure are actually pretty lousy at writing code. And so that was a challenge. But today we have low code and no code tools, things like workado, for example, that my team uses, that allow us to express the operational processes that we follow, sort of the best practices and the accumulated knowledge of these IT professionals. And then we turn the machine on that inefficient code and the machine improves and refines the code. So now adding machine learning to the mix enables us to have these IT professionals who know more than you'd ever imagine about storage and compute and scaling and data and cybersecurity and so on. And they're able to transform that knowledge into code that a machine can read, refine, and execute against. And so we're seeing this leap forward in terms of the ability of some of these tools to transform how we address the scale and the scope and the complexity of these challenges. And so on the one side, I think there is new opportunity for IT professionals and for those who have that operational expertise to thrive because of these tools. On the other side, there's also the opportunity for the bad guys in the cyberspace to also engage with the use of these tools. And so the use of these tools at sort of a baseline level isn't enough. Now we need to train the systems. And the systems need to be responsive, performant, resilient, and also they need to have the ability to be augmented by, to be integrated with these tools. And so suddenly we go from having this utopian AI future where the good looking male or female robot is the nanny for our kids to something much more practical that's already in place, which is that the machine itself, the computer itself, is refining and augmenting the things that human beings are doing and therefore able to be, first of all, more responsive, more performant. But also to do that layer of work that is not unique to human discernment. Right. We hear that over and over because the press loves to jump on the general AI theme. It's much more fun to show robots than really the applied AI, which is lots of just kind of like DevOps, lots of little improvements in lots of little places. Exactly. Exactly. You know, I mean, I kind of like the stories of our robot overlords taking over too. But the fact is, at the end of the day, it's just math. It's just mathematics. That's all it is. It's compute. So Wendy, before I let you go, I want to talk about women in tech. And you're a huge proponent of women in tech. You're very active on lots of boards. I think you're with Adriana on the Girls in Tech Board, which is where we last sat down. And you're making moves now. Obviously, you've already got a C title. Now you're doing more board work. I just wonder if you can kind of share your thoughts of how this kind of movement is progressing. It seems to have a lot of weight behind it. But I don't know if the numbers are really reflecting that. But you're on the front lines. What can you share as you're trying to help women not so much get into tech, but to stay into tech, I think, is what most of the stats talk about. Yeah, I've got a lot of thoughts on this. I think I'll try to bring all the vectors together. So I recently was awarded CIO of the Year by the Fisher Center for Data and Analytics. And thank you very much. And the focus there is on inclusive analytics and inclusive AI. And I think this is sort of a story that makes the point. So if we think about all of the data that is training these technology tools and systems, and we think about the people who are creating these systems and the leaders who are building these systems and so on, for the most part, the groups of people who are working on these things, technologists, particularly in Silicon Valley, they're not a diverse set of people. They are mostly male. They're overwhelmingly male. Many are from just a handful of countries and groups. It's mainly Caucasian males, Indian males, and Asian males. And because of that, this lack of diverse thinking and diverse development is being reflected in the tools in ways that eventually will build barriers for folks who don't share those characteristics. As an example, natural language processing tooling is trained by non-diverse data sets. And so we have challenges with that. For example, people who are older speak a little bit more slowly and have different inflections in general on how they speak. And the voice recognition tools don't recognize them as often. People who have heavy accents, for example, are just not recognized. As you know, I always have a phone. And this is my iPhone. And I have had an iPhone for 10 years. Siri, my helpful agent, has been on the phone in all those years. And in all of those years, I have had a daughter named Holly, H-O-L-L-Y. And every time that I speak to, I dictate to Siri to send a message, and I use my daughter's name Holly, Siri always responds with the spelling H-O-L-I, the Hindu holiday. Now, in 10 years, Siri has never learned that when I say Holly, I most likely mean my daughter. Especially in the context of the sentence. Exactly, never, ever, ever. Because Siri is an AI, if you will, that was built without allowing for true user input, true training at the point of conversation. And so that's bad architecture. There's a lot of other challenges with that architecture that reflect on cybersecurity and so on. One tiny example. But I think that now more than ever, we need diverse voices in the mix. We need diverse training data. We need folks who have different perspectives and who understand different interaction design to be not only as tech entrepreneurs, builders and leaders of companies, like girls in tech supports educating women, supporting women entrepreneurs. I'm also on the board of another group called TechQuald that's all about bringing US combat veterans into the technology workforce. There's another diverse group of people who again can have a voice in this technology space. There are organizations that I work with that go into the refugee, the permanent refugee camps and find technically qualified folks who can actually build some of this training data for analytics and AI. We need much, much more of that. So my heart is full of the opportunity for this. My head's on fire and just trying to figure out how can we get the attention of technology companies of government leaders. And before it's too late, our training data sets are growing exponentially year over year. And they're being built in a way that doesn't reflect the potential usage. I was actually thinking about this the other day. I had an elderly neighbor who spoke with me about how excited he was that he no longer could drive. He wasn't excited about that. He no longer could drive. He couldn't see very well and couldn't operate a car. And he was looking forward to autonomous vehicles because he was going to have mobility and freedom again. But he had asked me to help him to set up something that he had on his computer. And it was actually on his phone. But there were voice commands, but it didn't understand him. He was frustrated. So he said, could you help me? And I thought, man, if his mobile phone doesn't understand him, how's the autonomous vehicle going to understand him? So the very population who needs these technologies the most will be left out. Another digital divide. And now is the moment while these tools and technologies are being developed. A word about QALIS. When I was recruited for the board, they already had 50, 50 gender parity on the board. It wasn't even a thing. In my interviews, we didn't talk about the fact that I am female at all. We talked about the fact that I'm an operator, that I'm a technologist. And so that divide was already conquered on QALIS's board. That's so not true for many, many other organizations and leadership teams, particularly in California, Silicon Valley. And so I think there's a great opportunity for us to make a difference. First of all, people like me who have made it by representing ourselves and then people of every gender, every color, every ethnicity, immigrants, et cetera, need to, I'm begging you guys, stick with it, stay engaged. Don't let the mean people, the naysayers force you to drop out, reconnect with your original values and stay strong because that's what it's going to take. It's a great message. And thank you for your passion and all your hard work in this space. And at the end of the day, it drives better outcomes. It's not only the right thing to do and a good thing to do, but it actually drives better outcomes. We see that statistically. You measure it. All right, Wendy, again, always great to catch up and congratulations on the award and the board seat and look forward to seeing you next time. Thank you. All right, she's Wendy, I'm Jeff. You're watching theCUBE, we're at the QALIS Security Conference at the Bellagio in Las Vegas. Thanks for watching, we'll see you next time.