from San Francisco, it's theCUBE. Covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media.

Hello everyone, welcome to theCUBE's coverage here at RSA Conference 2020. I'm John Furrier, host of theCUBE. We're on the floor, getting all the data, sharing it with you here, CUBE coverage. We've got the best new generation shift happening as cloud computing goes to the whole level, multi-cloud, hybrid cloud, changing the game, you're seeing the companies transition from an on-premises to cloud architecture. This is forcing all the companies to change. So a new generation of security is here, and we've got a great guest, a hot startup, Masha Sedova, co-founder of Elevate Security. Welcome to theCUBE, thanks for joining us.

Thanks so much for having me, John.

So the next generation, what'll be a multi-generational security paradigm is kind of happening right now. We're at the beginning of receiving this transition. Palo Alto Networks announced earnings yesterday down 13% after hours because of the shift to the cloud. Now I think they're going to do well, they're well positioned, but it highlights this next generation security. You guys are a hot startup, Elevate Security. What is this sea change? What is going on with security? What is this next generation paradigm about?

Yeah, so it's interesting that you talked about this next generation. In some ways, I see this as a two-prong move between yes, we're moving more into the cloud, but we're also going back to our roots. We're figuring out how to do asset management right, we're figuring out how to do patching right, and for the first time, we're figuring out how to do the human element right, and that's where we come in.

You know, the disruption of these new shifts also kind of hits like the still expression, same wine, new bottle, all this, but it's a data problem.
Security has always been a data problem, and we've seen some learnings around data, visualization, wrangling, there's a lot of best practices around there. You guys are trying to change the security paradigm by incorporating a data-centric view with changing the behavior of the humans and the machines, and kind of making it easier to manage. Did you share what you guys are doing? What's the vision for Elevate?

Yeah, so we believe, and we've seen from our experience being practitioners, you can't change what you can't measure. If you don't have visibility, you don't know where you're going, and that's probably one of the biggest pain points in the security awareness space, traditionally, we just roll out training and hope it works, and it doesn't, which is why human error is a huge source of our breaches, but we keep rolling out the same one-size-fits-all approach without wanting to measure or being able to. So we've decided to turn the problem on its head, and we use existing data sets that most organizations who have a baseline level of maturity already have in place. Your endpoint protections, your DLP solutions, your proxies, your email security gateways, and using that to understand what your employees are doing on the network to see if user-generated incidents are getting better over time or getting worse, and using that as the instrumentation and the level of visibility and to understanding how you should be orchestrating your program in this space.

You know, that's a great point. I was just having a conversation last night at one of the cocktail parties here around RSA, and we were debating on, we talked about the kind of breaches, you mentioned breaches. Well, there's the pure breach, where I'm going to attack and penetrate a well-fortified network. And then there's just human error, an S3 bucket open or some configuration problem. I guess it's not really a breach, it's kind of an open door. So the kind of the notion of a breach is multi-fold.
How do you see that? Because again, human error insider threats or human error, these are enabling the hackers. This is not new. How bad is the problem?

It depends on the report you read. The biggest number I've seen so far is something like 95% of breaches have human error. But I honestly couldn't tell you what the 5% that don't include them. Because if you go far enough back, it's because a patch wasn't applied and there's a human being involved there. So because there's a vulnerability in code, that's probably a secure coding practice in your development organization. Maybe it's a process that wasn't followed or even created in the first place. But there's a human being at the core of every one of these breaches and it needs to be addressed as holistically as our technologies and our processes right now in space.

The evolution of human intelligence augmented by machines will certainly help. I mean, I got to ask you, obviously you're well funded, Costanoa Ventures, well known in the enterprise space, Greg Sands and the team there, really strong. But you guys entered the market, why? I mean, you guys, you and your founder, both at Salesforce.com, Salesforce gurus, doing a lot of work there. You've seen the large scale first wave of the cloud. Why the startup? What was the problem statement you guys were going after?

So my co-founder and I both came from the world of being practitioners and we saw how limited the space was in actually changing human behavior. I was given some animated PowerPoint, said use this to keep the Russians out of your network, which is a practical joke unless your job is on the line. So I took a huge step back and I said, there are other fields that have figured this out, behavioral science being one of them. They use positive reinforcement, gamification, marketing and advertisements has figured out how to engage the human element, just look around the RSA floor.
And there are so many learnings of how we make decisions as human beings that can be applied into changing people's behaviors and security. So that's what we did.

And what was the behavior you're trying to change?

Yeah, so the top ones of ways that our attackers are getting into organizations. So reducing phishing click-through is an obvious one. Increasing reporting rates, reducing malware infection rates, improving sensitive data handling, all of which have ties back to, as I was mentioning earlier, security data sources. So we get to map those and use that data to then drive behavior change that's rooted in concepts like social proof. How are you doing compared to your peers? We make dinner decisions on that and Amazon buying decisions on that. Why not influence security like that?

So building some intelligence into the system, is there a particular market you're targeting? I mean, here, people like to talk in segments, is there a certain market that you guys are targeting?

Yeah, so the amazing thing about this is, and probably not to surprise you, the human element is a ubiquitous problem. We are in over a dozen different industries and we've seen this approach work across all of those industries because human beings make the same mistakes no matter what kind of company they're in. We really work well with larger enterprises. We work well with larger enterprises because they tend to have the data sets that really provide insights into human behavior.

And what's the business model you guys envision happening with your service, the product?

Yeah, so we sell to enterprises and security in the CISO and the package as a whole, gives them the tools to have the voice internally of their organization. We sell to Fortune 1000 companies.

So it's a SaaS service?

Yeah, SaaS service, yeah.

And so what's the technology secret sauce?

That's a great question.
But really, our expertise is understanding what information people need at what time and under what circumstances that best changes their behavior. So we really are content agnostic. We are much more about the engine that understands what content needs to be presented to whom and why. So that everyone is getting only the information they need. They understand why they need it and they don't need anything extra superfluous to that.

Okay, so I was saying on theCUBE, my last event I was at, CIOs can have good days and bad days. They have good days. CISOs really have good days. They mostly have bad days. It's a hard job. So how do I know I need the Elevate solution? What problem do I have? What's in it for me? What do I get out of it? When do I know when to engage with you guys?

Yeah, so I take a look at how many user generated incidents your SOC's responding to. And I would imagine it is a large majority of them. We've seen while we were working at Salesforce and across our current customers, close to a 40% reduction rate in user generated incidents, which clearly correlates to time spent on much more useful things than cleaning up mistakes. It's also one of the biggest ROIs you can get for the cheapest investment. Investing a little bit in your organization now. The impact you have in your culture and investing in the future decisions, the future mistakes that never get made are actually untold. The benefit of that is that untold.

So you're really kind of coming in as a holistic kind of a security data plane, if you will, aggregating the data points, making a visualization in human component. Now what's the human touch point? Is it a dashboard? Is it notifications? Personalization? How is the benefit rendered for the customer?

So we give security teams and CISOs a dashboard that maps their organizational strengths and weaknesses. But for every employee, we give personalized tailored feedback. Right now it shows up in an email that they get on an ongoing basis.
We also have one that we tailor for executives. So executive gets one for the department. We create an executive leaderboard that compares their performance to fellow peers. And I'll tell you, execs love to win. So we've seen immense change from that move alone.

Well, impressive pedigree on your entrepreneurial background. Ossie Salesforce has really kind of was, I consider a real first generation cloud before cloud actually happened. And there's a lot of learning, although it's an application, it's not AWS, but it's its own cloud, as we all know. What were the learnings that you saw from Salesforce that you said, hey, I'm going to connect those dots to the new opportunity? What's the real key there?

So I had two major ahas that I've been sharing in my work since. One, it's not what people know, but it's what they do that matters. And if you can sit with a moment and think about that, you realize it's not more training because people might actually know the information, but they just choose not to do it. How many people smoke and they still know it kills them. They think that it doesn't apply to them. Same thing with security. I know what I need to do. I'm just not incentivized to do it. So there's a huge motivation factor that needs to be addressed. And that's one thing that I don't see a lot of other players on the market doing. And one thing we just really wanted to do.

It sounds like you guys are like providing a vision around using machine learning and AI and data synthesis, wrangling, all that good stuff to be an assistant, a personal assistant to security folks. Because it sounds like you're trying to make their life easier, make better decisions. It sounds like you guys are trying to extract away all these signals to what to pay attention to.

And make it more relevant. Think about it, what Fitbit did for your own personal fitness. It creates a personal relationship based on a whole bunch of data.
How you're doing goals you've set and all of a sudden a couple miles walk leads to an immense lifestyle change. Same thing with security.

It's interesting, I love the Fitbit analogy because you think about the digital ecosystem of an enterprise. It used to be siloed, IT driven. Now with digital everything's connected. So technically you're instrumenting a lot of things or everything. So the question is not so much instrumentation. It's what's happening when and contextually why.

That's it, you buy. That's exactly it.

Yeah, totally got it. Okay, I got it. I can see the light bulb. Okay, aha, ding, ding. All right, so back to the customer pain point. You mentioned some data points around KPIs that they might or things that they might want to call you. So it's incidents, what kind of incidents? When do I know like I need to get you involved? What's one of those, can you repeat those again?

So there's two places where it's great time to involve now because of the human element is all, think about this as an investment. If you do not invest your security culture, you have one way or another you have security culture. It's either hurting you or it's helping you. And by hurting you, people are choosing to forego investing security processes or security codes and you are just increasing security debt. By stepping in to address that now you are actually paying it forward. The second best time is after you realize you should have done that. Post breaches or post incidents is a really great time to come in and look at your culture because people are willing to suspend their beliefs of what good behavior looks like, what's acceptable. And when you look at an organization and their culture, they are, it is most malleable after a time of crisis, public or otherwise. And that is a really great time to consider.

And I think the human error is a huge thing, whether it's as trivial as leaving an S3 bucket open or whatever, I think it's going to get more acute with service meshes and cloud native microservices. It's going to get much more dynamic. And sometimes services are going to be stood up and torn down without any human knowledge. So there's a lot of blind spots potentially. This brings up the question of, how does the collaboration piece, because one of the things about the security industry is, it's pretty high, it's a community. Sharing data is important, having access to data. How do you think about that as the founder of a startup that has a 20 mile stare through the future around data access, data diversity, blind spots. How do you look at that and how do you advise your clients to think about that?

Yeah, I've always been really pro data sharing. I think it's one of the things that has held us back as an industry. We're very siloed in this space, especially as it relates to human behavior. I have no idea if I, as a regular CISO of a company, if I am doing enough to protect my employees, is my phishing click-through rate, are my malware downloads rates above normal, below normal, should I invest more, am I doing enough? How do I compare to my peers? And without sharing industry stats, we have no idea if we're investing enough or quite honestly not enough in this space. And the second thing is, what are approaches that are most effective? So let's say I have a malware infection problem. Which approach is it this training? Is it a communication? Is it positive reinforcement? Is it punishment? What is the most effective to leverage this type of output? What's the input output correlation? And we're really excited to have shared data with Verizon Data Breach Report for the first time this year to start giving back to the community, specifically to help answer some of these questions.

Well I think you're off to something with this behavioral science intersection with human behavior and execution around security practices. I think it's going to be an awesome field. Thanks for sharing the insights.

Pleasure.

I'm just watching on theCUBE here. Quick plug for your company. Obviously you're funded, series A funding. Take us through the stats. You hiring, what kind of positions? Give a plug to the company.

So Elevate Security, we're three years old. We have raised 10 million to date. We're based in both Berkeley and Montreal and we are hiring sales reps on the west coast. The security product manager and any engineering talent really focused on building awesome data warehouse infrastructure. So please check out our website, ElevateSecurity.com slash careers for our jobs.

Two hot engineering markets, Berkeley. Obviously poaching out of Cal and also Montreal. You got that old top belt of computer science up in Canada. Well congratulations. Thanks for coming on theCUBE's sharing story. Security kind of going to the next generation and all kinds of new opportunities to make security better secure coverage here in San Francisco at the Moscone Center. I'm John Furrier. We'll be right back after this break.