Hey everyone, welcome back to theCUBE's day one coverage of Cloud Native SecurityCon 2023. This has been a great conversation that we've been able to be a part of today. Lisa Martin with John Furrier and Dave Vellante. Dave and John, want to get your take on the conversations that we had today, starting with the keynote that we were able to see. What are your thoughts? We talked a lot about technology. We also talked a lot about people and culture. John, starting with you, what's the story here with this inaugural event?

Well, first of all, there's two major threads. One is the breakout of a new event from CloudNativeCon slash KubeCon, which is a very successful community and events that they do international and in North America. That's not stopping, so that's going to be continuing to go great. This event is a breakout with an extreme focus on security and all things around that ecosystem and with extensions into the Linux Foundation. We heard Brian Behlendorf was on there from the Linux Foundation, so he was involved in Hyperledger, so not just Cloud Native, all things containers, Kubernetes, all things Linux Foundation is an open source. A little bit more of a focus. I like that piece of it. The other big thread in this story is what Dave and Ease were talking about on our panel we had earlier, which was the business model of security is real and that is absolutely happening. It's impacting business today, so you got this, let's build as fast as possible as retool, as replatform, refactor, and then the reality of the business imperative. To me, those are the two big high order bits that are going on, and that's the reality of this current situation.

Dave, what are your top takeaways from today's day one inaugural coverage?

Yeah, I would add a third leg of the stool to what John said, and that's what we were talking about several times today about the security is a do-over.
Pat Gelsinger quote from, what was that John, 2011, 2012, and that's right around the time that the cloud was hitting the steep part of the S-curve, and do-over really has meant in looking back, leveraging Cloud Native tooling and Cloud Native technologies, which are different than traditional security approaches, because it has to take into account the unique characteristics of the cloud, whether that's dynamic resource allocation, unlimited resources, microservices, containers, and while that has helped solve some problems, it also brings new challenges, all these Cloud Native tools, securing this decentralized infrastructure that people are dealing with, and really trying to relearn the security culture, and that's kind of where we are today.

I think the other thing to add Dave is that was we get other guests on with a diverse opinion around foundational models with AI and machine learning. You're going to see a lot more things come in to accelerate the scale and automation piece of it. There's one thing that CloudNativeCon and KubeCon has shown us with the growth of cloud computing is that containers, Kubernetes, and these new services are powering scale, and scale you're going to need to have automation and machine learning and AI will be a big part of that. You start to see the new formation of stacks emerging. Foundational stacks is the machine learning and data apps are coming out. It's going to start to see more apps coming, so I think there's going to be so many new applications and services that are going to emerge, and if you don't get your act together on the infrastructure side, those apps will not be fully baked. And obviously that's a huge risk. Sorry, Dave, go ahead.

No, that's okay. So there has to be hardware somewhere.
You can't get away with no hardware, but increasingly the security architecture like everything else is software defined, it makes it a lot more flexible, and to the extent that practitioners and organizations can consolidate this myriad of tools that they have, that means they're going to have less trouble learning new skills, they're going to be able to spend more time focused and become more proficient on the tooling that is being applied, and you're seeing the same thing on the vendor side, you're seeing some of these large vendors, Palo Alto, certainly CrowdStrike, fundamental to their strategy is to pick off more and more and more of these areas in security and begin to consolidate them, and right now that's a big theme amongst organizations. We know from the survey data that consolidating redundant vendors is the number one cost saving priority today, along with at a distant second optimizing cloud costs, but consolidating redundant vendors, there's nowhere where that's more prominent than in security.

Dave, talk a little bit about that. You mentioned the practitioners, and obviously this event bottoms up focused on the practitioners. It seems like they're really in the driver's seat now, with this being the inaugural Cloud Native SecurityCon, first time it's been pulled out of and elevated out of KubeCon as a focus. Do you think this is about time that the practitioners are in the driver's seat?

Well, certainly we hear about all the tech layoffs. You're not laying off your top security pros, and if you are, they're getting picked up very quickly. So I think from that standpoint, anybody who has deep security expertise is in the driver's seat. The problem is that driver's seat is pretty hairy, and you've got to have the stomach for it. These are technical heroes, if you will, on the front lines, literally saving the world from criminals and nation states.
And so, yes, I think Lisa, they have been in the driver's seat for a while, but it takes a unique person to drive at those speeds.

I mean, the thing too is that the Cloud Native world that we're living in comes from cloud computing. And if you look at what is a practitioner, there's multiple stakeholders that are being impacted and are vulnerable on the security front at many levels. You have application developers, you've got IT market, you've got security, infrastructure, and network or whatever. So you get that, all that old to new is happening. So if you look at IT, that market is massive. That's still not transformed yet to cloud. So you have companies out there literally fully exposed to ransomware, IT teams that are having practices that are antiquated and outdated. So security patching, I mean, the blocking and tackling of the old security, it's hard to even support that old environment. So in this transition from IT to cloud is changing everything. And so practitioners are impacted from the devs and the ones that get there faster and adopt the ways to make their business better, whether you call it modern technology and architectures, will be alive and hopefully thriving. So that's the challenge. And I think this security focus hits at the heart of the reality of business, because like I said, they're under threats.

I wanted to pick up too on, I thought Brian Behlendorf, he did a forward-looking thing. What could become the next problem that we really haven't addressed? He talked about generative AI, automating spear phishing, and he flat out said the idea was not fixed. Identity access management, again, a lot of different toolings. There's Microsoft, there's Okta, there's dozens of companies with different identity platforms that practitioners have to deal with. And then what he called free riders. So these are folks that go into the repos, the open source repos, and they find vulnerabilities that people aren't, the developers aren't hopping on quickly.
It's like, you remember Patch Tuesday, we still have Patch Tuesday, that meant Hacker Wednesday. It's kind of the same theme there. Going into these repos and finding areas where the practitioners, the developers, aren't responding quickly enough, they just don't necessarily have the resources. And then regulations, public policy being out of alignment with what's really needed, saying, oh, you can't ship that fix outside of Germany, or I'm just making this up, but outside of this region because of a law. And you could be as a developer personally liable for it. So again, while these practitioners are in the driver's seat, it's a hairy place to be.

Okay, we didn't get the word super cloud in as much on this event, did we?

Well, you know, I'm glad you brought that up because I think security is the big single biggest challenge for super clouds, securing the super cloud with all the diversity of tooling across clouds. And I think you brought something up in the first super cloud, John, you said, look, ultimately the cloud, the hyperscalers have to lean in. They are going to be the enablers of super cloud. They already are from an infrastructure standpoint. But they can help, they can solve this problem by working together. And I think there needs to be more industry collaboration.

And I think the point there is that with security, the trend will be, in my opinion, you'll see security being reborn in the cloud around zero trust as structure and move from an on premise paradigm to fully cloud native. And you're seeing that in the network side, Dave, where people are going to each cloud and building stacks inside the clouds, hyperscale clouds that are completely compatible end to end with on premises, not trying to force the cloud to be working with on-prem. They're completely refactoring as cloud first, cloud native first. And again, that's developer first, that's data first, that's security first. So to me, that's the tell sign to me is when you see that, that's good.
And Lisa, I think the cultural conversation that you brought into these discussions is super important because I've said many times bad user behavior is going to trump good security every time. So that idea that the entire organization is responsible for security, you hear that all the time. Well, what does that mean? It doesn't mean I have to be a security expert. It just means I have to be smart. How many people actually use a VPN?

So I think one of the things that I'm seeing with the cultural changes, face-to-face problem solving is one, having remote teams is another. The skill set is big. And I think the culture of having these kind of like teams, Dave mentioned something about intramural sports, having the best people on the teams from putting captains on their jerseys, security folks, is going to happen. I think you see a lot more of that going on because there's so many areas to work on. You're going to start to see some security embedded in all processes.

Well, it needs to be in that level of shared responsibility is not trivial, right? That's across the organization. But there also, you know, begs the question of the people problem. People are one of the biggest challenges with respect to security. Everyone has to be on board with this. It has to be coming from the top down, but also the bottom up at the same time. It's challenging to coordinate.

Well, the training thing I think is going to solve itself in good time. And I think in the fullness of time, if I had to predict, you'll see managed services be a big driver on the front end. And then as companies realize where their IP will be, you'll see those managed services either be a core competency of their business and then still leverage management. So I'm a big believer in managed services. So you're seeing Kubernetes, for instance, a lot of managed services, you'll start to see more, you know, get the ball going, get that rolling, then build.
So they mentioned bottoms up, middle out, that's how transformation happened. So I think managed services will win from here. But ultimately, the business model stuff is so critical.

I'm glad you brought up managed services. And I want to add to that managed security service providers. Because, you know, 50, I saw a stat last year, 50% of organizations in the US don't even have a security operations team. So managed security service providers, MSSPs, are going to fill the gap, especially for small and mid-sized companies and for those larger companies that just need to augment and complement their existing staff. And so those practitioners that we've been talking about, those really hardcore pros, they're going to go into these companies, some large, you know, the big four all have them, smaller companies like Arctic Wolf are going to, I think, really play a key role in this decade.

I want to get your opinion, Dave, on what you're hoping to see from this event, as we've talked about the first inaugural standalone, big focus here on security as a standalone, obviously it's a huge challenge. What are you hoping for this event to get groundswell from the community? What are you hoping to hear and see as we wrap up day one and go into day two?

You know, I always say, events like this, they're about educating, aspiring to action. And so the practitioners that are at this event, I think, I say they're the technical heroes. So we know there's going to be another Log4j or another SolarWinds. It's coming. And my hope is that when that happens, it's not an if it's a when, that the industry, these practitioners are able to respond in a way that's safe and fast and agile. And they're able to keep us protected number one and number two, that they can actually figure out what happened. And the long tail of still trying to clean it up is compressed. That's my hope.

I think day two tomorrow you're going to hear more supply chain security.
You're going to start to see them focus on sessions that target areas if within the CNCF, KubeCon, CloudNativeCon area that needs support around containers, clusters around Kubernetes cluster, you're going to start to see them laser focused in on kind of cleaning up the house, if you will, if you can call it cleaning up or fixing kind of what needs to get fixed or solve what needs to get solved on the cloud native front, that's going to be urgent. And again, supply chain software, as Dave mentioned, free, free riders to just using open source. So I think you'll see open source continue to grow, but there'll be an emphasis on verification and certification. And Docker has done a great job with that. You've seen what they've done with their business model, you know, over hundreds of millions of dollars in revenue from a pivot. That's a few years earlier, because they verify, right? So I think we're going to be in this verification blue check mark of code era of code and software super important bill of materials. They call SBOM software bill of materials. People want to know what's in their software. And that's going to be, again, another opportunity for machine learning and all the things. So I'm optimistic that this is going to be a good focus.

Good. I like that. I think that's one of the things theme thematically that we've heard today is optimism about what this community can generate in terms of today's point, you know, the next Log4j is coming. We know it's not if it's when and all organizations need to be ready to Dave's point to act quickly with agility to dial down and not become the next headline. Nobody wants to be that. Guys, it's been fun working with you on this day one event. Looking forward to day two, Lisa Martin for Dave Vellante, John Furrier. You're watching theCUBE's day one coverage of Cloud Native SecurityCon 23. We'll see you tomorrow.