From San Francisco, it's theCUBE. Covering RSA Conference 2019, brought to you by Forescout.

Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at RSA North America at the newly opened and finally finished Moscone Center. We're here in the Forescout booth excited to be here and we got our next guest who's been coming to this show for a long, long time. He's Dan Burns, the CEO of Optiv. Dan, great to see you.

Great to see you too, Jeff. Appreciate you having me on the show.

So you said this is your 23rd RSA.

Yeah, it's somewhere right around there. It's got to be and I don't think I've missed any in between. I've missed some Black Hats in there now and again but RSA is just one of those that I feel like you got to go to.

Right, right. So obviously the landscape has changed dramatically. So we won't go all the way back 23 years but in the last couple of years as things have really accelerated with the internet and IoT and OT and all these connected devices and autonomous cars from a threat perspective and from where you sit in the catbird seat. What are you seeing? What are your kind of impressions? How are you helping people navigate this?

Yeah, I appreciate that question, Jeff. So it has changed dramatically. There's no doubt about it. So I got into security in 1996 and that was a long time ago. It was really in the infancy of security and back in 96 when I remember really studying what security was and by the way, back then it was called information security. Now it's cyber security. But it was really straightforward and simple. There were probably two or three threats and vulnerabilities out there, right? Some of the early on ones. So that's one part of the equation. The second part, there were probably two or three regulations and standards out there, no more than that. And then when you went over to kind of the third part of the triad and you talk about vendors and technology, there were maybe five or six, right?
You have McAfee, you had Check Point and you had some of the early, early stage companies that were really addressing kind of simplistic things, right? Firewalling, URL filtering and things like that. And now you fast forward to today. And it's night and day, so much different. So today, when we talk about threats and vulnerabilities, there are hundreds of millions, if not billions of threats and vulnerabilities. Number one, big problem. Number two, regulation standards. There's hundreds of them globally. And number three, when you look at our great technology partners here, and I think there's probably about 3,500 technology partners here on the floor today. Night and day, right? Night and day from 96 to 2019. And that's created a lot of issues, right? A lot of issues, which I'm happy to talk about.

Yeah, complexity, but you've made a great quote on one of the other things I saw doing in the research for this interview, you talk about rationalization. And how does a CISO rationalize the world in which you just described, because they can't hire their way out of it, right? They can't buy their way out of it. And at some point, you're going to have to make trade-off decisions, because you can't use all the company's resources just for security. At the same time, you don't want to be in the cover of the Wall Street Journal tomorrow because you had a big breach that you just discovered. Yeah, it's a balancing act. How do you help them figure this, navigate these choppy waters?

Yeah, so we think Optiv is in a prime space to do that, a place to do that, no doubt about it. So let's talk about the complexity that's out there now. You look at the landscape, you look at the 25, 3,500 different technology companies out there today. And when we talk to a typical client, and we ask the question, how many vendors, how many OEMs do you have to deal with on an annual basis?
And the response, of course, depending on the size of the organization, but let's just take your average, small, mid-sized enterprise client. The response is somewhere between 75 and 90 partners. And then, of course, we get shocked on our face.

Just on the security side? Just on the security side? That's not counting all their CRM and all their other pricey.

That's not IT, that's not anything. That is just to solve and build their own security programs. And the next response we get from them is we can't do it, we just can't do it. We spend about 90% of our time acting as if I'm the CISO right now. 90 plus percent of our time working with all of these wonderful, great technologies and partners just to establish those relationships and make sure we're doing the right things by them and then by us. And so, given this complexity in the marketplace, everything that's going on, it's just a prime scenario for what we call ourselves as a global cybersecurity solutions integrator, right? Being able to, for a lack of a better term, be the gatekeeper for our clients and help them navigate this complexity that's out there in the space.

And so, the value that we bring, I talk about it in terms of an equation, right? We're all mathematical in nature, typically people in cyber. And so when I think about cyber, I think about equations. In the first equation I think about is a very simplistic one. It's people, it's process and technology. And you need equal focus on all three of those parts of the equation to truly balance things in a matter where you're building a very effective security program. And historically, CISOs have really leaned towards the technology side of that equation. And now what we're seeing is a balance, like we've got to worry about people, right? We've got to find people with that intelligence and knowledge and know-how and wherewithal, right? And we've got to find companies that have that process expertise. A process is a means to an end.
How do I get to a certain outcome? And so what we bring is the people process and technology all sides of the equation with the ability in masses to help clients plan, build, and run their entire security program or parts of it.

So how has it changed with a couple of things like cloud computing? So now I'm sure the bad guys use the cloud just like the good guys use the cloud. So the type of scale and resources that they can bring to bear are significantly higher. Just the pure quantity and variability using AI and machine learning and as we saw in the election, really kind of simple Facebook targeting methods that most marketers use at work at REI to get you to buy a sleeping bag if you looked at tents on your way in. So how's the role of AI and machine learning now going to impact this balance? And of course the other thing is all we see is so many open security jobs. You just can't hire enough people, they're just not there. So that's a whole kind of different level of pressure on the CISO.

Yeah, definitely, no doubt about it. And there are a few companies that can truly build that have enough budget to address cyber on their own. And those today are typically the large financial, right? They're typically given massive budgets. They have massive teams and they're able to minimize the partnerships and really handle a lot of their own stuff internally and go out for special things. But you look at the typical companies, small, mid, even some of the large enterprise companies, no, they can't find the resources, they can't get the budget, they can't address everything. And to your point around digital transformation and what's going on in the world there. And that's probably what continues to support 3,500 technology companies out here. It's the continuous change that we see in the industry every single day.
And of course, cloud is one of the most recent transformations and obviously a real one which opens up other threat vectors and other scenarios that create new vulnerabilities and new threats. And so the problem just keeps getting bigger exponentially.

So you're coming for another 20 years, is that what you're saying?

Hell yeah, I'm coming for another 20 years. I think though, eventually Jeff, I can remember, I kind of poked fun at this a little bit. I can remember, I think it was Palo Alto, there was the first company that said, hey, we're a platform company. And I think that started happening, whatever it was, roughly seven years ago. We're a platform company and I can remember so many people kind of poo-pooing that. You're not a platform, nobody's a platform company. Fair enough, fair enough back then, but I'm going to say fast forward to today and that's what's going to have to happen in this industry, Jeff. Eventually we will have to have some large platform companies that can address multiple things within a client's environment. And then there will always be the need to fill gaps with some of the other great new emerging technologies out there.

So maybe we won't have 3,500 vendors in 10 years. Maybe it's 2,000, so there will be consolidation. There will be the platform play that happens. But then you have the addition of public cloud, right? So now a lot of infrastructures, they've got some stuff in public cloud, they still have some stuff on their data center, right? So this is kind of hybrid world. Then you add the IoT thing and the OT connectivity back to the IT, which is relatively new. So now you've got this whole other threat vectors that you never had to deal with before at all. It's the machines down on the factory floor that have been pumping out widgets for a long time that are suddenly connected to the infrastructure. So the environment that you're trying to apply security to is really evolving at a crazy pace.
That is, it's a great industry to be in. Every day I wake up, pinch myself, I think all our guys do. Right. You know, it's amazing. Now don't see that slowing down, right? So I think that's why some of that balance continues to be there in the future. You know, one of the things that we're seeing in our industry is companies really trying to take this inside-out approach as opposed to this outside-in approach. And I'll tell you the difference. The outside-in approach is, it's all this chaos, right? It's all the chaos that's behind us and we see it right here. It's everybody telling you what you need and you building a security program around what's being fed to you externally as opposed to really taking a step back, looking at your organization, understanding what your company's initiatives and priorities are, right? And your own company's vision, mission and strategy. And I tell people all the time, I don't care if they're a part of our company or any company, first thing you should do is understand the vision and the mission and the strategy of the organization that you work for. And so that's part of the inside-out approach, understanding what your company's trying to accomplish and as a security practitioner really wrapping your arms and your mind around that and supporting those initiatives and aligning your security initiatives to the business initiatives. And then doing it through a risk management type of program and feeding that risk management dashboard and information directly to the board.

So I'm curious how you approach kind of the changes. Now we have state-sponsored attackers and what they're trying to get and why they're trying to get it has maybe changed. And the value equation on your assets that clearly you know some assets are super valuable and personal information and some things that are kind of classical. But now we're seeing different motivations, political motivations, other types of motivations.
So they're probably attacking different repositories of data that you maybe didn't think carry that type of value. Are you seeing kind of a change in that both in the way the attacks are executed and what they're trying to get and the value they're trying to extract than just kind of a classic commercial ransomware or I'm just going to grab some money out of the account.

Yeah, I think you're right. And it kind of goes back to the earlier part of the conversation. The number of devices that the attackers can attack are almost infinite, right? And especially with the edge, right? With IoT, it's created this thing we call the edge, right? Devices on streetlights, devices on meters, devices here, devices there. So the number of devices they can go for is ever increasing, right? Which continues to support the need and the cause that we all are a part of. And the ways they're going to do that is going to change as well. There's no question about it. Yeah, so are we seeing different ways of doing it? Yes, there's no question about it.

Back to the state sponsor kind of stuff. You know, the way I look at cyber and probably one of my biggest personal concerns is I think about us people and family, right? We all have family, is that, you know, cyber and ultimately cyber warfare has created this levity or kind of equalness in terms of countries, right? Where a country like the US or Russia or somebody with massive resources around physical weapons are now no longer necessarily as powerful as they were. So brevity, you know, it's just created this field, leveling the playing field. So countries like North Korea, countries like Afghanistan and others have a new opportunity to create a pretty bad situation. And we haven't seen cyber warfare, quote unquote, yet. We would call it something a little, because they haven't really used it as a mass weapon of destruction, but the threat of that being there is creating more of an even playing field.
And that's one of my biggest concerns, like what's the next step there?

And the other thing is really the financial implications if you don't do it right. It's beyond being embarrassed on the Wall Street Journal, but right, GDPR regulations went into place last year. There's now the California data privacy law that's coming into place. People are calling it kind of the GDPR of California and that may take more of a national footprint as time moves on. So, you know, it's weird on one hand, we're kind of desensitized because there's so many data breaches, right? You can't keep track. We don't actually flip past that page on the Wall Street Journal. I can't keep track. But on the other hand, you know, there is kind of this renewed kind of consumer protection of my data that's now being codified into law with significant penalties. So I wonder, you know, how that plays into your kind of risk portfolio strategy of deciding, you know, how much to invest, how much you need to put into this effort because if you get in trouble, you know, it's expensive.

Yeah, yeah, it is, it can be, and it will be. And it will get even more expensive. And we're still waiting, you know, for, you know, the lawmakers to levy some pretty heavy fines. We've seen a few, but I think there's going to be more. And I think you do have to pay more attention to regulations and compliance. But I think it is a balancing act. Back to our inside-out approach that I was talking about. A lot of companies, when PCI came out, as you know, Jeff, a lot of companies were guiding their security program by PCI, right, specifically and only. And that's a very outside-in approach, right? That's not really accounting for the assets that you were talking about earlier. Not all of them, right? Some of them. And so I think that's a great point, right? As a CSO, the first thing you've got to understand is what are your assets? What are you trying to protect?

Right, right.
And, you know, our friends here at Forescout do a great job of giving you the visualization of your network, understanding what your assets are. And then I think the next step is placing a dollar value on that. And not many people do that, right? They'll go, oh, here's my assets. It's painful, right? This one's kind of important. This one's kind of important. But to get buy-in from the rest of your organization, you need to force the conversation with your counterparts, with your CFO, with your CMO, with anyone who's a partial owner of those assets and make them put a dollar amount on it. How much do you think the data on the servers, how much do you think the data on this server? How much do you think, and inventory that is part of the asset inventory. And then I think you've got a much better argument as it relates to getting budget and getting buy-in. Right, getting buy-in.

And I see it a lot where CSOs tend to be, most tend to be a little bit introverted, right? They'd rather hang out there, you know, on the second floor and be there with their team, take a look at the latest threats, take a look at what's going on, you know, with their logs and their data and trying to solve really critical problems. But my recommendation to CSOs is, man, build tight relationships across the entire organization and get out there, be out there, be visible, get buy-in. Do lunch and learns on why cyber is so critical and how our employees can help us on this journey.

Well, Dan, you trip into a whole nother category that we'll have to leave for next time, which is what is the value of that data? Because I think that's changed quite a bit over the last little while. But thanks for taking a few minutes and hopefully you have a good 23rd RSA.

Thank you very much, I appreciate it.

He's Dan, I'm Jeff, you're watching theCUBE. We're at RSA North America at Moscone at the Forescout booth, thanks for watching. See you next time.