From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante.
Hi everybody, welcome to this special CUBE conversation. We're going to do a drill down into cybersecurity with the Chief Technology Officer, Thrive, Michael Gray. Michael, good to see you.
Glad to be here.
So tell us a little bit about Thrive.
Yes, so Thrive's really a next generation managed service provider. Been in business for quite some time. We've gone through quite a bit of M&A over the past couple of years and really building ourselves into a much larger MSP, being able to offer a lot of dedicated services that typically were out of reach for a smaller MSP.
So let's get right into it. Security has evolved quite dramatically in the past decade. No longer is it just hacktivists with annoying malware.
Yep, yep.
You're talking big money, cyber crime, and now, of course, nation states. So talk a little bit about what's changed in security just in terms of the attackers in the profile.
Yeah, the money coming out of the attackers is actually larger than the entire illicit drug industry or market, whatever you want to call that. So the bad guys have kind of realized that the money to be made off of maybe hacking or phishing at this point far outweighs other activities that I might have been into before.
So your role as a security expert is to lower the ROI.
Sure, sure.
So one of the best ways to lower the ROI is to increase the denominator, the cost of actually getting through.
Yeah.
So is that fair?
Yeah, I mean, and by the way, we have a tremendous amount of experience in dealing with different environments, different kinds of attacks. We have close to 1,000 customers. So I've seen a lot of different environments be attacked in a lot of different ways. That kind of experience is something that we can bring as a service provider to our customers.
You know, at this point too, I think those of us in the IT industry have realized that it's not about just making sure that there's some software deployed and doing the basics. The belt and suspenders really matters now. You not only need the traditional patching anti-virus solutions, but anomaly detection, vulnerability management, full visibility into all the traffic on the network. These things are not something that maybe is reserved for the enterprise. It is needed both in the mid-market and the small business.
So it used to be you'd focus on hardening the perimeter, building a moat, or digging a moat around the castle.
Yeah, yeah.
And now the queen wants to leave her castle.
Yeah.
That doesn't work anymore. Have you seen in your own business that investment shift from the perimeter to other areas and what are those other areas?
Absolutely. And you know, there is no perimeter anymore, either fortunately or unfortunately. I think for a lot of employees out there, the fact that there's no perimeter, we can work from a coffee shop now, it's great. A lot of people I noticed actually end up working from their phone at this point, which is actually great. Now, you know, as far as how you solve that problem. So typically, you know, I look at it as let's wrap around, let's wrap a suit of armor around our end users and then look at their applications. So put these two pieces together, figure out how to protect them, but we also can't stop them from doing work. So they've got to be able to get their jobs done. They need to be secure and we need to make sure that we stay out of their way while providing that security.
So what is the biggest challenge for a security practitioner these days? Is it sort of stealthy viruses like Stuxnet or is it phishing? I mean, it's probably all of the above, but maybe you could give us a sense of it.
Yeah, what I noticed is, you know, primarily the most successful attacks are those based on social engineering, you know, and these are actually not sophisticated from a technology standpoint. They are sophisticated from a psychology standpoint.
They're insidious.
Yeah, impersonations, you know, and there's a lot of influx into security education, which I'm personally a huge fan of. The interesting thing is that there's a statistic now that even if you do all the security awareness training that you possibly can, there's still a 4% exposure there of people that are gonna make a mistake. Security awareness training is only gonna take you so far. And I think, you know, in the cybersecurity community, the preach of defense in depth has been there forever. You know, making sure you have several layers, several gates, locks for people to get through. At this point, you know, you can't necessarily ignore those points anymore. You can't just say that we have that and then not do them all. So, you know, what I'm seeing now is that a lot of customers are finally understanding that these aren't nice-to-haves, they're necessities. And that makes my job a little bit easier.
From an organizational standpoint, what are your biggest challenges? I hear from a lot of people that they have so many incidents that they have difficulty prioritizing and understanding which ones they should focus on first based on, you know, the business impact. Is that a problem for you? How are you dealing with that?
Yeah, the one thing I will say is I notice a lot of mid-market reaching for different technologies. You know, maybe they're reaching for machine learning and anomalous detection in their data center. Well, their problem is the end user in the branch office. So, what I notice is oftentimes we're forgetting about to do, forgetting to do some of the basics. You know, and I mentioned belts and suspenders earlier. Are you doing the very foundational security items?
And that's a lot of times too where those kinds of solutions can be moved to a partner for a better service at a better investment point. So, you know, you gotta do those basics and then build up your stack. Now, a lot of people what we run into is they don't even know where they are in the stack. And that to me is something where when we can educate a customer and help them understand where they are in their security journey, we can really start to protect them because they're not understanding what investments they need to make and what's gonna work for them.
What's your security organization look like? What's the regime? Do you have sort of SecOps team? Do you have a CSO? To whom does that individual report? Describe that.
Yeah, so our security team is a higher level what I would call analysts. Now, we obviously have a very large amount of engineers that handle day-to-day security operations, whether it be from analysis of anomalous traffic or all the way down to someone got a simple virus on their machine. We've been doing that for years. But again, because we have such a breadth of engineers we can take teams of engineers and dedicate them to specific functions like security. Smaller providers, that's very difficult to do. Often what they end up doing is maybe the engineer who was best at working with the antivirus or best at working with firewalls, they said, oh, you're our security engineer now as opposed to a security practice. And as we've grown, that's been something that's been personally very exciting to me to be able to build out a dedicated team of engineers that can set a goal and a vision and then execute on it.
So do you have a CSO or are you the de facto CSO?
You know, I am the de facto CSO. I have a lot of background in security. It absolutely interests me and a lot of our product development, which I'm also a key member of that team, is in cybersecurity. So it's really to our advantage as an organization.
You know, my role as CTO may not be exactly just that one role and that's okay with me. I like to get into different pieces of our business, but again, we can't have security be an afterthought to people. You can't have someone who is talking about your high performance cloud who doesn't know how security works. Things are going to fall apart very quickly.
So I have to say, just an observation. I mean, I sense a little defensiveness in your answer, but to me it's an advantage.
Oh, it absolutely is.
Here's why is because, you know, a lot of times organizations say, oh, that's the security team's problem. And it's not. The right regime for security is everybody has to take responsibility. So if the CTO actually has some responsibility there, that's an advantage to my view anyway, because more people are aligned to be focused on that.
I really look at myself as someone that is not only protecting Thrive as an organization, but protecting our customers. A lot of times when perhaps someone reaches out that is not doing what they should be on the security front, a customer or a potential prospect is looking at, maybe we need to improve our security posture. I'll say, does your senior leadership care about this problem? Are they interested in solving the problem? It's gonna be very difficult as a business to raise that level of security unless the senior leaders are interested in solving it. And you know, as someone who's a senior leader at Thrive, that is sort of a key focus of mine and with our CEO.
Okay, now here's a hard question to follow on that too.
Yes.
Do you report? Do you report to the CIO, the COO, or the CEO?
I report to the CEO. Yeah, and security is very much a prime conversation between he and I. He will say, this is something that we cannot take chances on. And to me, that's an enablement. Now that I know that it's a priority for him, it was already a priority for me. So.
Do you have a CIO?
No, we do not.
Okay, so you're the de facto CIO as well.
Yeah, that's correct. I mean, again, because we've grown over time through acquisition, you know, pulling these pieces together is something that, you know, is an advantage to Thrive. Because I can speak to these different issues and I can train our teams to speak to those issues as well. Our hosting team, our cloud team understands compliance requirements, not only for Thrive, but for our customers. So we've used the combination of some of these needs internally to build an advantage for us.
So you've established that security as a CEO, has visibility on that?
Absolutely.
Is it a board level issue?
Absolutely, absolutely. So Thrive is SOC 2 compliant. And there are SOC 2 controls that sort of speak to the board visibility into security issues. So I present to the board regularly on security strategy. If there were any needs that we needed to go over, it is primary to our board as well. Again, this isn't something that's an afterthought. It's a primary goal.
I want to make another observation and see if you can validate it or refute it. I've observed it, so 10 years ago, I feel like there was a failure equals fire mentality in security that, and in fact, the security team would sometimes hide some of the bad news. I think there's been an awareness now that, look, it's going to happen. Bad guys are going to get through. It's those gates that they have to get through. It's the cost, escalating that cost but that's our challenge, it's our response mechanism. That's the key. So is that valid, and if so, how has your response mechanism evolved?
So we work on the principle of assumed breach. We're constantly looking around, what if someone's in the network right now? How would we know? And when you have that mentality in the back of your head, you can really start to think about where are the gaps in my security organization.
Now the other thing there is that when it comes to security, and you start to look around at these different pieces, you can now surface what if this happened? There's something to tabletop in security operations. I'm sure you might be familiar. Sitting down and doing a tabletop exercise where you're assuming a breach, especially with other people in the organization who aren't part of the technical infrastructure, it's very eye-opening. And when I talk about a little bit about education, I actually put tabletop in that group. Someone will say to me, could this happen? Maybe the HR person said, could this happen? And when they asked me that question, I know we've started to succeed in solving some of these problems. Because the answer is, yeah, it could very well may. Let's think about how we avoid that from happening. To finish up on your question though, response and remediation needs to be part of your security practice. Nothing is 100%. There is no gate that cannot be broken through. You mentioned earlier about nation states. Some of these nation states are committing real resources to break into companies and extract revenue out of them however they can. So if you don't have remediation and response as part of your security infrastructure, you're really missing the boat because you cannot lock every door. It's not possible.
You've seen the stats on how long it takes to identify an infiltration. And sometimes I've seen up to a year. How is data and analytics affecting that? And do you expect that that number? I think it already is dropping in the last couple of years from an expert standpoint.
Well, the question I turn back on the customer is can you tell me what's more normal in your environment? Do you know what normal looks like? Do you know that your users are maybe visiting websites in foreign countries?
Whether they're malicious or not, can you tell me what, when I look at your web traffic or whatever I might be looking at from an internet traffic perspective, can you tell me what's typical? Because if you can't start there, it's gonna be very difficult to come along and remove noise and look at that. So the thing I always start with is let's build a profile of what's normal as quickly as possible. We can't have six months to build a baseline. But even a day is a decent baseline in two days and you can grow that over time. So that's one of the biggest things is establishing normal and then being able to pick up on what's abnormal.
Oh, Michael, this is very instructive. Thank you very much. You get a tough job because as they say, the bad guys only have to succeed once, you know.
The one thing I will say is it's a little bit, when it comes to IT, it's one of the few areas where it is good guys and bad guys. So a little bit there is a, I noticed a cooperation, a collaboration of coming together, not only between engineers, but also customers and partners. Everybody has a clear goal. They know what they don't want to happen. And that's why I get very excited when we want to sit down and talk about security because there's a clear goal. There's a clear need and something that we can solve.
And every now and then you see some of the bad guys flip. Because they probably realize they can make more money and it's illegal helping out the good guys. So it's like the protagonist in Catch Me If You Can.
There you go. Absolutely. Frank Abagnale, yeah.
So anyway, Michael, thanks very much.
Thank you.
Really great to have you. All right, and thank you for watching. This is Dave Vellante in theCUBE. We'll see you next time.