Welcome back to SuperCloud 3, everybody, where we explore the critical issues around cross-cloud security and the impact of generative AI and large language models on this space. And it's our pleasure to welcome Mignona Cote, who is the Chief Security Officer of NetApp. Mignona, welcome to theCUBE, thanks for coming on.

Thank you, Dave. I'm excited to be here and cannot wait to talk about how we're going to get past all this complexity with the cloud.

Yeah, let's get into it. And CSO, Chief Security Officer, which is a superset of the Chief Information Security Officer. Explain your role specifically at NetApp. And I'm really interested, you know, a lot of technology companies, the sales people want to pull the CISO or CSO, in your case, out to talk to customers. So a lot of your time is being tapped to do that as well. How do you spend your time?

Well, I spend my time, oh my gosh, doing all of it. Getting up early in the morning, reading and making sure that we didn't have any incidents, then reading what's happening in the news, and then actually looking at, right now, what's going on with AI. But stepping back, my role as a Chief Security Officer, I actually have what's called product security. So how do we deliver secured products to our customers? We have storage and we've got to make sure that our customers' data is protected, the code that we develop protects the data, and then actually build out security features in that data. Additionally, I have the standard Chief Information Security Officer capabilities. I have a CISO reporting to me, and this is how we protect ourselves internally. And from an internal protection perspective, how do we make sure that we reduce our own threat landscape? How do we make sure that we have the most modern protection mechanisms within our company? And then within that role, I've actually built out a capability called cloud security. We have companies that actually provide cloud services to our customers.
We want to make sure that we operate securely in the cloud, as well as that our customers' information is protected in the cloud when they work with us, and we work closely with the hyperscalers, AWS, Azure, and also GCP.

You know, it's interesting when you talk about the product focus. I mean, I go way back with NetApp, back when I was at IDC. I remember there was a company called Auspex and then this company called Network Appliance that came out to disrupt them, and it was focused on workstations. And then I saw the whole progression of NetApp, and then you bet on virtualization, you made a big bet on cloud, and a lot has changed. It's gone from basically boxes that were largely air gapped, or at least protected through some kind of really hard and top, to really a software-based architecture and now cloud. So I want to ask you how you think about security in this world of cross-cloud complexity?

Well, two things. First of all, we've over-complicated it ourselves, and so we're building out security today, I want to still say, Dave, with the mindset of on-premises environments. So the people who are building out the solutions are from the traditional environment. You do have a subset that are building out solutions straightly that come from the native cloud environment. So I'm on the side of the native cloud environment on how we can protect the environment. We have an opportunity to embrace security in a different way without, I just keep thinking of vulnerability scans and patching and all those other things that we've been doing for at least over 20 years since I've been in the industry. So what is that future, and how do we handle the complexity across the cloud environment? I actually went and worked at AWS so I could embed myself into learning what are those capabilities and the potentials that we have there.
And it goes back to, we can actually, now the cloud is run essentially based on code across multiple different services, and we can embed the controls in the code and also make the code, I want to say immutable, you can't change it. So we can shift the way we're thinking about the continuous, over and over, correcting hygiene, which we still have to do, but how can we build the protection with the code and how we build out the policies in that code? So it might be complicated to understand. I had to actually learn, look at it and get what's going on.

So cloud is code, Amazon turned the data center into an API, and now code is natural language. So in a way, it simplifies it for an individual like myself who was not a coder to at least do things with technology that I couldn't do before. And obviously we're going to get to it, but it might help attackers as well. But so on the one hand, it's simpler, but what happens at the backend is actually incredibly complex. So how do you see AI specifically playing into that balance of simplicity versus complexity?

Well, okay, so from a simplicity perspective, we can train AI to know what's normal or know how we operate or have a pulse in the environment. I was thinking about that this morning, Dave, it's kind of like, we know what's healthy. And then we can also train it to know when we get a wart or when we feel bad. And so when we feel bad, then we know and are able to hone in on what we need to focus on. So that's how we simplify it. But in the backend, there is the code and the training and the actual skills of who can actually train and do that and make sure that we're training on good behaviors and not bad behaviors. Consequently, the threat actors can train on bad behaviors. They can know, based on AI, the pulse of the internet: where are the holes? What are the mechanisms to get into the holes? What are the strengths and weaknesses of the different companies?
And each time I see something that is in the news, I was like, oh no, that is in the threat actor database of companies that we can break into. So I think, you know, we can use it to simplify, but you still got a lot of smart people behind in the backend making it happen. And then the threat actors, I consider a group of super smart people with one intention of getting in. And so how do we leverage AI to build out the learnings to break into environments? And so it's gonna be a continuous battle, but hopefully we are the smarter group and we win.

So in SuperCloud, we've been talking a lot about the technology and specifically across cloud and abstraction layers and all this technical mumbo jumbo. I want to dig into culture, security culture. We've definitely been talking about that, but not in super depth. And I consider myself pretty security conscious. But when I think about the things that I do, my password managers, you know, my authenticators, I have my, most of my crypto is air gapped in a physically separate vault. You know, and I have, you know, breadcrumbs. God forbid something happens to me. My wife can, you know, hopefully figure out how to get all this stuff back, but it's really complicated. You have a completely different view of how to create a security conscious culture, taking it away from all the technical stuff into things that resonate. Can you talk about your philosophy there? I'm particularly interested in how you get people not to click on links, by the way, but talk about your overall strategy and how you communicate to your organization in terms of getting them to be security conscious.

I almost want to ask you, Dave, what happens if something happens to you? How's your wife going to find your data with all the controls that you have in place?
Yeah, I have it mapped out, but even the map, I go back and look at the map, Mignona, and I'm like, and I have a little note in there, you know, ask Karate to help you with this one because he's my most technical son. But anyway, please carry on. It's not good. It's not a good situation, I admit it.

Yeah, I know. I mean, so with you goes the knowledge of how to get into your stuff. And I myself have struggled with that my entire career. I mean, I think I was doing it last night, trying to get into a system. And I was like, I don't remember the password. I think it was E-Trade. And I was like, you know, having to reset my password, I'm like always having to reset my passwords because I have so many, and I've tried Voss. I've tried multiple things, but I'm on multiple computers, multiple devices, and I'm in multiple places. And so it gets very confusing for me. And I'd love to be simple. Like, oh, I won't call you simple, but simple like other practitioners I know. So when I've done most of my career, I have actually not worked for IT leaders, which I think has been a big advantage. And I started off my career working actually in audit and working for a general auditor who was not technical, had no idea, and this is at Nortel Networks, and I had to explain. And once I started learning that I had to explain to him, I had to explain to my mom, I had to explain to, well, my husband still doesn't get it, but I'm having to explain to multiple people, I learned to just simplify. And if it's simple, then we'll get it. So it's simple to go and brush my teeth. And so it has to be just that simple that it becomes part of my life. So what do I mean by that? So I come into NetApp and you read the Verizon report, you read all these other documents. The number one way that the threat actors are getting in is through exposed credentials, but I call them bad passwords, and clicking links and putting in the passwords on what's prompted when they click the link.
So I drove a campaign, just don't click the link, just don't click it. And well, it's like, okay, well, we operate where we have links, like for example, when I go to your YouTube, I have to click a link to get there. I know that that's going to get to your YouTube. And so we train the people on what looks right, what is right and what's not, but still they're moving fast. And so we put them, like all the other companies have been, or this is coming from the outside, but we're just training them to just not click it. And so there has to be a way to get to the documents. So we give feedback. We give feedback to DocuSign. We give feedback to the HR tools and share. We need to instead find different ways. So we're using a lot of alternate ways, like, well, it's not really alternate, but the other collaboration tools like Teams and Slack, which still have links, but they're not yet as compromisable as what we have on email. So drive a campaign, don't click the links. The other number one way that the threat actors are getting in is the compromise of our credentials. Well, if you say compromise their credentials, how's that going to resonate with a marketing person or someone that's not working in this every single day? And so I just drive a campaign, stop using bad passwords. And so bad passwords, don't click the link, can stick with people. A bad password, one, two, three, four, five, six, that's a common bad password. Still, people use it and get hacked. And when we talk about passwordless environments, we have facial recognition on our iPhones, but we still periodically have to key in a code. So what is that bad password and how do we protect ourselves from it? So I put it in, I call it baby fight. I put it in simple language that everyone gets it and then make fun with it. Share, we have videos. We use our marketing team to help liven up and share how to just not use a bad password. So bad password sticks in your head more than harvested credentials.
And don't click the link sticks in your head more than, hey, have you read the email header to make sure that you're not being phished? So it's just simplifying the language and repeating it over and over and over. We make campaigns, we have fun, we laugh about it, and we take it also very seriously.

So I like that message. And I think, you know, I'm going to go off script a little bit here. We're supposed to be talking about super cloud and cross cloud, but this is interesting and I think we can probably help people. You mentioned E-Trade and simplicity. And I think it's incumbent upon everybody. I mean, you're obviously trying to drive that through your organization. A lot of the financial institutions, I think, could do a better job. E-Trade, you know, not to pick on E-Trade. I'm an E-Trade customer. But for example, when you want to set up MFA with E-Trade and you don't want to use SMS-based, you want to use an authenticator, it's tricky to set it up. And it's got, they've got a sort of a convoluted process. And if and when, and this happens a lot, they deprecate that authenticator app. You got to set it up all over again. You got to remember how to do that. And so the other thing I find is a lot of financial institutions don't have, their MFA is SMS-based, or if you're paranoid about like a SIM hack, for example, you have no choice but to use SMS-based. Should we be, A, should we be worried about those things? I mean, at the very least we should set up two-factor authentication or multi-factor authentication. If all you have is SMS-based, you should use it. But should we be more paranoid than that? And on the flip side, can organizations, not just technology companies, but banks, you know, healthcare institutions, manufacturers, et cetera, can they be doing more? I think the answer is obvious, to simplify and maybe follow your protocol.

They can be doing so much more to simplify it.
And so I did spend nine years at a bank and then a part, a big part of my life in the financial institutions. And I think, Dave, the way I shared about it when I was the head of consumer security at Bank of America is that we make our devices so complicated to use. It's miserable to be on the computer. That's because we are trying to fill in every control possible and every scenario possible of how a threat actor can get in. And when we do that, we're doing it as technologists, thinking from a technologist's mindset instead of the consumer usability. And so you have to go back, okay, what will a consumer do? And I mean, this is just like, I'm on the screen all the time trying to pick out where's the bicycle, what square is the bicycle in? And I miss it. And I'm enlarging my screen to, you know, figure out where is the bicycle, you know, trying to get into some of these sites. And the same thing on trying to remember your questions or trying to go find my iPhone real quick before I'm timed out on finding my, you know, the numbers to key in to just get onto a site. So here I am, having done this for 30 years, and find it complicated with the most basic things. And so think about the person who's not doing it and what they have to go through. We are forcing them to go back to try to use the simplest way to get into a system through all the mechanisms. And so what happens, think about it, when you're doing multiple or trying to get into something and it gets complicated, especially if you're buying something, I just, I lose interest. I'm like, gosh, it's so complicated to get in here. I'm just, you know, I'm just not going to buy it. So if I'm like on a website at Amazon or something wanting to buy something, I just give up. And so how many other people do we have giving up?
So it kind of makes my mind, and as I say this, shifting into a metric that we had at the bank called dropped calls, customer service calls, the customer just drops the call when it gets too complicated to try to find a person to talk to. Well, we're going to drop the access request when we find it too difficult to get to the access. So we owe it to our consumers, the people we serve, to simplify the model. And can we simplify? Yes. And, you know, I'm a big advocate of what we do see with passwordless, you know, using our thumbprints, our facial recognition as different ways, but we've even complicated that on training it. And so I don't know that we have the simple answer yet.

Well, and you know, it's interesting because, you know, we use this term future proof a lot in our industry and it becomes this buzzword. But when you think about the technology changes as it relates to security, I mean, I remember the day where I had one financial institution, if you wanted to use MFA, you could as an option use one of those RSA things that just generated a code randomly. And then they, again, they killed that because technology evolved and they started using SMS. I have another financial institution where I actually have it set up where they have to, we have to actually talk and they have to get a voice recognition, you know, command, and they know my voice, but then I'm saying, well, AI is going to be able to copy my voice. So my question is ultimately, in your view, is AI going to be more beneficial to attackers or defenders? And how do you think about that?

Well, it's going to be beneficial to attackers, but we have to make it more beneficial to us because there's so much potential there. And so, you know, I'm just kind of thinking through the, yeah, the imitating us and looking like us. It has to get, we had, wow, they can actually probably perpetrate where our locations are. So we have to, I think it's a combination of all the contextual features of who we are.
It's who we become to make AI work for us. And so by that, it's just, it's got to be my behaviors, my actions, my locations, and just trying to think, what else? Something that AI can't get, because they're going, all these things are going to be stored somewhere that then can be broken into. And so the broken-into learned algorithm database of all who I am then becomes the source of control.

I want to, again, I'm going to go off script. There aren't a lot of women in tech, let alone women in cyber. Now we've had Wendy Whitmore on, who's, you know, an amazing guest, part of SuperCloud, we have Jaya Baloo on, who's the CSO at Rapid7. How did you get into security? Did you have like, were you like, did you have like a superhero, you know, when you were a kid trying to save the world? Like a lot of sec ops pros I talk to say, yeah, I actually sort of fantasized about that. But how did you get into tech generally and security specifically?

Well, I actually bought a book, Jobs of the '90s, and I wanted to figure out what job would make the most money. And so that's how I got it. There's no science there, no super champions, instead reading a book on how to make money because I wanted to make money, because I was driven to make money. Now, having said that, I had no idea. I came from a small town, Natchitoches, Louisiana, population 18,000; a skyscraper was the first three-story building we had in our town. So my first career job was for the city of Shreveport. And I majored in computer science because I wanted to make money. I got a job within the audit department, had no idea what it was. I just saw a guy in the cafeteria, said, hey, can I come work for you? And he shared with me, he could teach me. He said, monkey see, monkey do, I'll teach you. And he was from Exxon. So he was the general auditor, took the job, and I went down to the computer room, found a report with three-character clear text passwords on the SNA network.
And so I figured out that, hey, if I logged in with this three-character password, I can log in as this person and I can do things as this person. And so it was just that natural curiosity in my 20s of pretending I was someone else, kind of feeling like an investigator, city of Shreveport. We had lots of corruption. So with that, just played around with systems and actually had very little supervision. So I just played and hacked and enjoyed myself. And so that's how I got in.

I became a hacker and then became a CSO, that's amazing. All right, my last question. You know, it used to be failure meant you get fired in cybersecurity, and that's long gone. But I want to ask you a sort of a difficult question in how you would handle it. So you got this adoption of cross cloud, what we call super cloud, that organizations are adopting, and that brings new challenges, data sovereignty, compliance, you know, makes observability more difficult. So suppose you're in an organization, you're head of security, and despite all your good work, there's this big cross-cloud data breach and you got multiple cloud providers in your organization. You're not really sure, you can't pinpoint the origin and the scope of the breach. And you got regulatory scrutiny going on, maybe there's some litigation, different regions, data sovereignty. How would you lead that crisis response and manage all the complexities of dealing with the different cloud providers and international regulations? And you know, how would you go about sort of reviewing and adjusting the security policies, the architecture, the whole house, if you will, to prevent similar incidents in the future? How would you handle that?

How would I handle it? I would go back to, there's two things that I always share with the cloud security. One is I would make sure my configurations are as they should be. And so when I say as they should be, I use our own technology called CloudCheckr.
And so I wanna make sure that I have the environment configured tightly. And so I configured against NIST 800-53 plus CIS plus what I know. And so I always throw in what I know, because what I know is based on experience and based on practical usage, where a lot of the people who write these regulatory requirements sometimes aren't putting a realistic lens to it. So configurations are correct, and then I would make sure my networks are very segmented through virtual private clouds. And so you keep those networks segmented so that they cannot cross-communicate, or they have a single cross-communication channel, of which then you can protect that communication, and then you'd have logging turned on as well. As here we can talk, bring them in the AI again, looking at the behaviors of what that data is that's traveling through. So those are the two simple, first quick and easy fixes, along with then moving into what we're talking about, making sure that configurations are coded into the JSON language or whatever is controlling that cloud environment. But those are the simple two things that I would do first off. If I keep thinking, if I had that large-scale attempt against the multi-cloud environments, I would start like shutting myself off from some of the cloud environments and just getting to my database and getting that protected really quickly.

Well, I like your simplified approach in a complex world. Simplify, simplify, simplify. You just gave some really great best practices. It's a really fun conversation, Mignona. Thanks for coming to theCUBE and participating in SuperCloud 3.

But no, and thank you for having me. I look forward to the event next week.

All right, it was really our pleasure. All right, keep it right there for more content. SuperCloud 3 live from our Palo Alto offices and of course on demand at theCUBE.net.