Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto at the security in the boardroom event. It's put on by the Chertoff Group. They do a couple of these a year all across the country and they're all about security. But what's interesting is it's not really the tech conversation of security or the gadgets or a lot of the things we typically cover on theCUBE. But really more of this is about the boardroom and making it a boardroom topic and a boardroom conversation. So we're really excited to have our next guest. He's Brad Hibbert. He's the CTO of BeyondTrust. Brad, welcome.
Oh, thank you. Glad to be here.
So you just got off the keynote stage talking about CSOs and how do you help those guys do their job? They're in a crazy position.
That's right, yeah. So I was just talking about how to make them feel more comfortable talking sort of the boardroom language and ways that they can work with vendors to help out with that. So it was a good panel. I think I had a number of good perspectives, I think, on the subject.
BeyondTrust. Give us a background on BeyondTrust.
Yeah, sure. So BeyondTrust, we're all about helping people manage the risks, sort of the internal risks in the environment. It's a new area for cybersecurity. It's a new layer of security, if you will. A lot of people are familiar with the perimeter-based security, things like vulnerability scanning, which we do, so attack surface closures, and so on. This is really more about when somebody's in the environment or compromised accounts, how do you really secure the environment from that type of access? So we have a number of products that can solve certain use cases around that.
So this must be the PAM that you guys talked about?
That's right, Privileged Access Management.
So you say Privileged Access, so as you just said, that's people that are already on the inside.
Yeah, so it could be anybody from administrators, leveraging shared accounts, and administrators that need elevated credentials, making sure that you control access to those credentials, and making sure that you ensure that they're using them appropriately, so that misusing them or misbehaving in some way, with all sorts of audit and capability behind that. It could be your desktop administrators, your developers. You just need elevated access in some way. What we're finding is that what hackers are doing now is they're going after things. Once they kind of get a footprint in the environment, they're going after the credentials. They're going after privileges, that gives them more access to the corporate data.
So is it just that they're a more rich target for the hackers, or is it because they have a different behavior than kind of your typical person at the end of my phone, or your kind of typical access point in?
Yeah, it's a bit of both. I think one is, hackers are going to the path of least resistance, right? So as I mentioned, from a privileged perspective, once you're inside the environment, controlling and seeing what people are doing, typically goes under the radar of the traditional security defenses. So once they can get that access, it becomes much more difficult to detect when somebody's doing something inappropriately in the environment. Also, a number of these credentials are not being managed very securely, right? So a lot of people sharing credentials. They never change their credentials. They use the same password on every router in the organization. They never rotate it. Those sorts of things. So there are a lot of weaknesses or vulnerabilities around credentials. Just like in the past, there's vulnerabilities around assets, right? And vulnerabilities around applications. Now there's vulnerabilities around how you manage access and credentials. And that seems to be an area that people are targeting.
So you would assume that people that have privileged access would have a little bit higher education behavior practices on avoiding things that they're not supposed to do. But it sounds like not necessarily, or?
Well, yeah, I mean, certainly on the paper, that's what you would get. On the paper, absolutely. I think the trade-off sometimes is, from a password management perspective, it's difficult to do that manually. If you think about the number of passwords in an organization, right? Shared accounts on systems and applications, on networks and network devices and cloud apps. It's just a number of things out there. So people really need a way to harness that, right? And to control that in a more automated way. And they just lack that today. And then sometimes it's around operations, right? When I was an admin, bad to say, but I used the same password on a number of different devices. It's immediately easier to remember. Complex and changing passwords becomes difficult to manage in some cases, right? So password management, part of PAM, one of the components that we have, enables you to manage those things in a more automated and controlled way without putting a lot of burden on the administrative team, which is what we're looking for.
So how far are we away from a better method than password? It amazes me that we have phones with fingerprint readers and it still asks us for passwords to get into our phone. And we have Salesforce at work and Salesforce is very secure. So they make us change our passwords, whatever it is, every four weeks or six weeks. And after a few, I've gone through all my core, my core top 10 passwords and it still won't let me in. So it's such a not great way to access. And as you said, this expanding level of applications and stuff now, our interaction with so many different things are so password driven. Two-factor authentication is obviously helping, but when are we going to get beyond passwords?
Well, I think, from my perspective, I think passwords are going to be around for a long time, because it's not just users that use passwords, systems also use passwords. Application-to-application interfaces now use secrets or some sort of passwords and so on. So they're going to be around for a long time, even the ones that administrators and shared credentials, they're going to be around for 10 years plus. And I always say, even with multi-factor, it's always something you have and something you know. So I always think there's a good reason to keep them in a lot of cases. But even beyond the passwords, even once you log in, there's still other things that you want to make sure are being addressed. So you want appropriate logging and controls and analytics around what you're doing with that, with those credentials. You might want to restrict when you should have access. So maybe I don't want my administrators to be able to go start patching a system or configuring a system unless appropriate tickets are in the ticketing system during certain times of the day. So you start adding more controls around when they can actually use these passwords and then when they use them, ensuring that they're using them appropriately. So there's a number of different aspects around privileged access management other than just the passwords themselves.
But it's just funny, even with all the procedures and processes you still have at the end of the day, behavior. It sounds like so many times people don't follow the right procedure. They, like you say, share passwords. They don't apply the patches. And so you're fighting kind of the people process thing always in addition to the technology.
Right, and sometimes it's difficult. I mean just in some organizations you still have end users that have full admin rights on their desktops, right?
So if they get phished, if a hacker gets on that machine, they have admin rights on that machine and they can use that as a footprint to go elsewhere, right? Then once they're on that machine, of course, they could have line of sight to anything inside your environment. So those things inside your environment are properly secured, network devices and so on. You know, they could be susceptible if they're not being managed properly as well. So it's a big problem. And again, as I mentioned before, it's a lot of organizations, it's a missing security layer that they just don't have today, which is why the market's growing so quickly.
Well, Brad, I think you got a lot of job security. Well, thanks for taking a few minutes out of your day. Appreciate it.
Absolutely.
All right, he's Brad Hibbert. I'm Jeff Frick. You're watching theCUBE from the security in the boardroom event, put on by Chertoff. Thanks for watching.