brought to you by Amazon Web Services and its ecosystem partners.

Okay, welcome back everyone. This is theCUBE's live coverage in Boston, Massachusetts. I'm John Furrier with Dave Vellante at AWS, Amazon Web Services' inaugural conference called re:Inforce. This is the first conference that Amazon Web Services is putting on around security. And we've got a great guest. We've got a CISO, Brian Lozada, CISO for Dataminr, also on the advisory board for Twistlock, which was recently purchased by, well, intent to purchase by Palo Alto Networks. Really cracked the code on DevSecOps scaling up. Great to have you on. Thanks for coming on.

No, thanks for the opportunity.

Love getting down and dirty and talking to CISOs because, besides which regime controls security, which is always evolving, there's a lot of state-of-the-art activity going on in the security sector. Clearly the path of catching up to the DevOps agility has been the big focus.

It absolutely has. As innovation has been really pushed forward with cloud, I think security's had to catch up and really start pushing towards innovation, looking at ways that we could be disruptive in this space with solving these problems that, look, CISOs, we've been facing this for 20 years and we're putting old technology at the same problem trying to fix it. Now that there's new services, new emerging technology with cloud, we should be taking advantage of that and innovating ourselves in security.

Brian, what's the most important story that should be told, or is being told, or isn't being told that needs to be told and covered by the media when it comes to the security industry? What's your view on this?

The lack of talent. I mean, we're starving for talent. Cybersecurity is the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have, and in that lack of talent, CISOs are starving.
We're looking for the right tools to actually patch these holes and we just don't have it. Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their programs.

It's a multi-dimensional challenge. I want to just get your thoughts on it. But what pops in my head when you say that, I think, ooh, entrepreneurial, I'm an entrepreneur. It's like, ooh, I can start a company. So one, build something, build a new tool; or work for a company, be talent within an enterprise. And then three, be part of that game-changing ecosystem community and do something.

Yeah, how about all three, right? You could do all three, right? Like, I think security can't be thought of as that arm to go check things anymore. I think security needs to be thought of as that arm that pushes innovation forward and helps the business move forward. We need to be business enablers. And the only way we're going to do that is by building something, like by shortening up the time to actually get code out there or get products out there.

So I want to dig into some of the Dataminr stuff that we were just chatting about before we came on camera, but I do want to dig into Twistlock because I think, you've been an advisor, you've seen that journey from day one, from seed financing to now where they're exiting to a large company. The success has been in a very short period of time, only a couple years, five years or so. Magic happens, it's a good thing. What happened? What's the story there? Why so successful?

Well, they found the gap. They found the gap that everybody's facing is the lack of talent to actually solve all of these issues with automation. And they helped fill that gap and fill it pretty quickly, right? So I think it went from selling to taking orders very quickly because they actually helped solve a lot of it. Give visibility and put more security into the actual cloud-based platforms.
And then it helps companies modernize their tech that quickly, right? That's what we're all about, is pushing things out quickly and to do it with security in mind.

If you look at the typical budget pie in IT, it's usually about two-thirds people, one-third hardware, software, services. Is it the same in your world or is it different?

Depends on the industry and it depends on the company. Some companies don't put security as that much of a focus, so sometimes you are trying to get those dollars to actually fund your program. Others, it just depends on the risk, right? Other companies-

Well, for financial services, they'll throw money at it.

Oh, they'll throw, you know, financial services, they'll totally do it. But if it's an industry or a company that hasn't had security in there and you're evangelizing security, hey, the first six, eight months, you're going to be struggling for that budget. You're going to have to have that articulation that you can speak on technical risk and to business risk so you can fund your program, right? That's why the most important talent or skill that a security professional needs is communication skills. If you can articulate technical risk into a business risk to fund your program, it's very hard for you actually to be successful in security.

So you speak both wallet and geek, is that what?

You have to, I think, yeah. Wallet and geek is definitely, it's a required skill in this space, probably more than others, right? The other thing is security, you can actually see how it equates to dollars, too, right?

So to whom are you speaking? Wallet, line of business, CEO, C-suite, CFO?

I think it's definitely going to be at the C-suite. I think in more mature organizations, you're going to get to the product line. You're going to get security into that product aspect. So as products are starting to be developed, those product managers and that product line can start funding their own security within that product development, right?
And you need to have that communication style so that you can push that initiative through that product line. So maturity-wise, you'll get there, but I think it initially has to start at that C-suite, at the board level.

And how does that conversation start and what's the flow like? What's the key message that you're getting across?

You have to talk about risk to that product line. Where's the risk that you can articulate to them and say, if this product is impacted in this way, this is the damage to the brand's reputation, or financial damage. Once they see that and they can absolutely put dollars next to it, it'll absolutely help them fund that program when it comes to security.

And you spend time quantifying that, right?

Yeah, absolutely have to. Everything nowadays needs to be quantified so you can put the appropriate amount of resources towards it, both in human capital and financial, right?

How do you make that argument credible? Is it based on experience? You pull in different data sources from lines of business?

It's different data sources. You definitely got to leverage your experience, but it's looking at data lifecycle, where that data's being stored, processed, transmitted, the risk to losing it, and then quantify that type of data. There's different levels of sensitivity to data, right? Certain data, like you take a hit on your website, just the brochure site versus transactional data, different risk levels, different, you know, different impacts of the brand to the company.

So you're taking a portfolio view.

Absolutely.

Weighting, different values, and then.

You have to.

Helping people understand where to put their dough. So the CIO, they care about production. What's in production? Also on the DevOps ethos, you've got agility, you've got hackathons. So you have kind of a cultural shift. So how do they mitigate the risk from your standpoint? How do you view this? And what do other CISOs think?
Because you want to foster that creativity to get that incubation going for new ideas. Hackathons, for instance, is a great tactic in the DevOps community. We're seeing that now happen in security.

Totally.

Where the people who are close to the action are getting involved in a very DevOps way, they're kind of not getting sanctioned clearance from the boss, but that's the production side. So again, ops, different. How is that migration or transition between, I got a hackathon, this feature that we rolled this out, this could really help us with our visibility into threats or better quality alerts. I'm just making that up, but you see where the innovation's going to come from at the same time dealing with all the other pillars of compliance and audit and security, blah, blah, blah. All that stuff that's in production. How do CISOs deal with this?

So it's taking a view, a risk-based approach to that entire life cycle and seeing where is the biggest risk and then to fix that risk, where the gap is to get into that innovation piece. At my previous company, we did what's called security as code. We had a big gap that we were finding a lot of issues out there with our environment that we were finding three and four days after they were actually rolled out. So we were able to take advantage of AWS services so that we could actually get visibility live. And then when we did it, we actually remediated the issue with Lambda functions, right? That was innovation. We were able to do it. Now convincing DevOps to put it into production, that took some time as well, but it was that partnership and showing them we're not going to be bothering you.

Ballpark a time frame from invention, innovation to selling it through production, ballpark.

Maybe, maybe a month.

What's the difference between infrastructure as code and security as code?

So infrastructure as code is you're putting out the environment, you're creating that VPC, you're setting up the routes.
Security as code, what we're calling security as code, is it finds an issue with that environment and it automatically fixes it with a Lambda function or something like that, right? So it could find the vulnerability, it knows what the fix is and it automatically goes and fixes it. That's the benefit of cloud, immutable technology, you could fix things pretty quickly. Well, now that we have that ability, let's innovate on security so that we do do those fixes instead of waiting days for it to come back.

And the secret sauce for that comes from what? Homegrown math, tooling?

Yeah, homegrown, you have like the, I think cloud has allowed emerging technology and security to get back into being innovative and not just coming in to protect or to have visibility. Like security engineers are now saying, now we can create, right? AWS has that logo, what is their motto, "Build On," right? Well, that should apply to security practitioners as well. We should be building just as quickly as developers.

And by the way, the old model is hire a firm to come in and buy a product.

Totally, yes.

Now you're saying let's code up some security. Let's do it ourselves. The practitioners are close to the action.

Absolutely. They have the innovative, it doesn't take a lot of time to whip something up, find the discovery.

And do it.

And the other thing is we've spent years buying tools, buying tools, buying tools. Tools were built to solve one use case. Who knows better their environment than CISOs that are working in it, right? So let's build tools that are custom.

It's like the toolshops. Open up the doors. I bought that 10 years ago. We're still amortizing that. It's like there's too many tools.

Too many tools. So let's build what's appropriate for the environment based on our knowledge, right? Being working in it.

Describe a great day for a security practitioner.

A great day is that I don't get called at two in the morning, right?
I think every day is a great day in security and I'm going to tell you why, because it's growing so quickly. I think organizations are starting to realize the value of security. That security is a value prop to a customer or to a client. They like to see security being baked into the products. I think it is good for security to see it grow. I love to see that AWS has now invested in re:Inforce. I think it was about time. I have been going to re:Invent for, I don't know, maybe four or five years now and I saw that grow and it was absolutely time for this. So.

It's interesting. You hear the chatter also around security not just being a cost center and being strategic, which clearly it is, because one breach and you got a business, that's a business model problem. But as a revenue generator, you're seeing it spread now where people who are building in-house because they have their own problems are taking the Amazon playbook. Do it for yourself first and then expose that out as a service.

Totally.

With Marketplace, Dave McCann's kicking butt over there, he's got services. So the idea is that if people have a good foundation, you're just buying services.

Totally.

Not tools.

And investing in buying services, not tools, and then pushing your resources and your talent to actually be creative and innovative and be just as hungry when they see new services come out. I love when developers come up to us and say, there's this new service that's going to launch tomorrow, AWS, can I mess around with it? Can I throw, like I like to see that because then we can get insight into it and say, yes, right? Fear is the greater threat to progress than hardship. I don't want my developers to have fear. I want them to feel, security team's got my back. The platform has the ability to visualize it. So let's move forward.

So let's talk about fear, uncertainty, and doubt, aka known as FUD, right?
So it used to be that the suppliers would put FUD onto the customer saying, no, don't buy that other product. You could, you know, using that fear. It's now flipping around with CISOs the other way, where we're hearing that one of the mandates is to get the supplier count from hundreds to single, double digits. And so the fear is being pushed back out saying, if you don't have this kind of stack integration, this kind of API support, you're not going to be a vendor. This is shifting. You agree?

1,000% agree. I think we need it to, like we should not have taken our tempo for so many years from vendors. They were dictating our programs at that particular point. Now we could take control of our programs and saying, we don't want to partner with you if you don't integrate with the way we've built our program, that we know our environment, right? So I think we're taking a little bit more control of our destiny and our platforms versus just taking the tempo from vendors.

And the key there is having that platform built to stop thinking through the critical thinking around tech stack, purpose. And this is their shift. This is what, and some companies aren't there yet because they have to build it up.

They have to build it up.

And how long does it take to do that?

The most important thing to build out is talent. Look, you're only as good as the talent you have. If you don't have the talent to build that platform up, you're going to be stuck in that vendor loop forever. I mean.

Kind of, CISOs tell me privately. Love multi-cloud, love the vision, but honestly I'm not investing a dime in multi-cloud until I get my team on one cloud. And I'll use secondary clouds for either roll over backup or some other point feature or inherited workload through an M&A or other project. No big deals, shadow IT. But in terms of my talent, I don't want to have three different teams. I want one team to build the stack and continue to think about automation.
Then we'll get to multi-cloud when it's ready. Your thoughts to that?

I 1000% agree. I think that we need to get one cloud right first before we start thinking about putting our talent, our limited talent resources, again, everybody's starving for talent, into investigating and remediating other cloud issues. I think you definitely have to get one thing right first before moving over. I do think though that the time's going to come where there's going to be a lot of companies doing, you know, production workloads in multiple clouds. I'm actually eager to see that day and see it publicly and see how it's being managed. I was a little impressed that Nutt is going to win the big lottery ticket.

Totally.

Metrics, I want to quickly get your thoughts on metrics. Metrics is something that if you serve the metrics master too hard, you could actually miss out on what your real purpose is. The joke I heard was that you could turn into Chernobyl, like that movie that's on Netflix or Prime, which shows.

It was on HBO actually, it's the HBO series where they were pressing buttons and had no idea what was going on with the reactor, blew up and the rest is history.

That's the metrics problem and challenge, isn't it? What's your thoughts on metrics?

I agree. I'm not a fan of metrics. I don't think security programs should be either built or measured against metrics. I don't think metrics really provide too much detail behind any of that. Metrics are just there I think to provide a little bit of insight of where you could double click and actually do a little bit more diligence, but they should not be measured. They should not be used to measure your program. I don't run my program on metrics. It's not like I'm escalating metrics either up to the board or anything like that. Providing relevant data and how that data impacts the business from a security perspective is how I like to escalate, not putting up charts or anything like that of how many vulnerabilities were remediated.
Guess what, you did your job. I don't want to put a metric up there that actually says something like that. I want to show some real value with some real data.

So what are you communicating to the board specifically?

How we've integrated information security or the security program into the workflow without slowing down the business. I think that's the key part, and how security at the end of the day, it's a culture change, right? And you are changing behavior, right? So how you're able to do that without slowing down production, especially in technology companies, because you don't want to slow down that development pipeline, that's a key metric to put out there. We've been able to enable static and dynamic code analysis without slowing things down. Things are still getting to prod at that time, or using container security for our infrastructure so that it takes that out of the developer's mind when they're actually building out a new environment.

Digital transformation equation, people, process, technology, heard that over and over. It's cliche, but the people part, okay, you can get more people, totally agree; technology, plenty of tools and services, that's a huge opportunity; but the process is where the focus has been, and I heard a quote earlier on theCUBE today, it says, process is a reflection of your culture.

True.

And a lot of those cultures won't yield the process control to either CISOs or teams. Your thoughts to that comment and where that kind of goes, because that's the key breakdown on digital transformation, isn't it?

It is, that is true. I think the one thing that CISOs need to remind themselves is when they introduce themselves to the organization, they need to be a customer service organization. CISOs need to be available to the users and to the business and offer their services as a partnership instead of as a mandate.
I think that warms the waters a little bit for that behavioral change and that culture change so that process can change into the new innovative way of actually pushing security as code and infrastructure as code as the new way of actually doing business.

It's certainly, it's got this contagious, look at Twistlock, you're advising that company. Boom.

Yeah, it absolutely is contagious and showing those type of examples actually throughout the business actually helps, and saying, breaking down those old silos of how security is viewed is important, right?

You kind of implied before, in the earlier days, vendors sort of controlled the table, you were sort of beholden to their way of doing things. Steve Schmidt today made the statement that all the negative fear factor is not helping our industry. It really, the state of cloud security anyway is good. The union is strong. Do you agree with that? And are there other things that vendors are doing that drive you crazy as a practitioner that they shouldn't be doing?

So, two great questions. I think the first one, I think cloud security absolutely does exist and it gives power back to the CISOs so they can actually make more controlled decisions over their environment instead of being beholden to vendors. I think understanding the shared responsibility model between a company and the cloud is crucial for CISOs to make those decisions, and I think for years that was misunderstood and that's why it took time probably to migrate to the cloud or to be born into the cloud initially. But I think once that's understood, it empowers the CISOs and the technology organizations. I think that's one. On your second question, I think everybody in the world has vendor fatigue. I think vendors that would drive me nuts, about all of them, is that they say that they integrate with everything and that they're going to give me more visibility than before. Great, man. That's what everybody's been doing for the past 20 years.
They're giving me a lot of information. I want them to fix things. Don't give me alerts. Don't give me alarms. Unless you're going to say, here's the alert, here's the alarm, here's the automated script that you can put into your environment to fix it. Knowing that every CISO in the world is starving for talent, they don't have the resource to double-click on that, do diligence and write it, do it for me. I think vendors need to start innovating and stop doing the same thing that we've been doing for the past 20 years.

You're seeing, I'm inferring from that, there's a lot of incrementalism, kind of taking safe bets. And really, you're looking for a step function.

Totally. I want vendors to take a more aggressive approach in their innovation. I don't want more. So you're giving me more alerts that I've seen in different shapes and different sizes from different vendors. Tell me how you're going to fix it or fix it for me. That's what I really want. We need to expect that more from vendors. And look, since we're not getting it, it's making us, or I'm happy to do it actually, is to start innovating and doing it ourselves, right? So I'm investing more in resources and talent, doing it that way instead of outsourcing and getting a vendor.

And that's a trend that's happening more and more.

Totally. And that's an indictment on the community itself and the vendors. We need to expect more from the vendors.

Thanks so much for coming on. Great insights, profound commentary. Great to have CISOs on theCUBE. Thanks for sharing. It's theCUBE's live coverage, Boston, I'm John Furrier, Dave Vellante, day one of two days of CUBE coverage for the inaugural AWS re:Inforce conference. We'll be right back.

Thanks.

I want to work for a mission.