Live from San Francisco, it's theCUBE. Covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media.
Everyone, welcome to theCUBE coverage here in San Francisco at Moscone Hall for RSA 2020. I'm John Furrier, host of theCUBE. We're here breaking down all the action in cyber, security, obviously three days of wall-to-wall CUBE coverage. You got two great guests here, experts in the cyber security, enterprise security space over 25 years. We got two gurus and experts. We got Bob Mindell, executive vice president of North America Cyber Practice for Capgemini and Joe McMahon, head of North America Cyber Strategy. You've been a practitioner in the intelligence community, Langley, you've been in the business for 25 years. You've seen the waves. Guys, welcome to theCUBE.
Thank you, John. Thanks for having us.
So first, let's just take a step back. Cyber, certainly on the number one agenda, kind of already kind of broken out of IT in terms of status, board-level conversation, every CISO, risk management, there's a lot of moving parts. Now, cyber is not just a segment in the industry, it is the industry. Bob, this is a big part of business challenge today. What's your view of what's going on?
So John, it's a great point. It's actually a business challenge and that's one of the reasons why it's now the top challenge. It's been a tech challenge for a long time. It wasn't always a business challenge. For years it was still considered an IT challenge and once it started impacting business and gotten to a board-level discussion, it's now top of mind as a business challenge and how it can really impact the business continuity.
Joe, as I was talking before we came on camera about CIOs can have good days here and there and bad days then, but CISOs all have bad days all the time because it's so much, it's so hard. You're on the operations side. You see a day-to-day in the trenches as well as a strategy. This is really an operations, operationalizing model.
It's a new technology comes out. The challenge is operationalizing them for not only business benefit, but business risk management. It's like changing an airplane engine out at 35,000 feet. It's really hard. What are you seeing as the core challenge right now?
This is not easy. It's a really complex industry. You take the word cybersecurity, right? We're at a cybersecurity conference. I see technology. I see a multitude of different challenges that are trying to be solved. It means something different to everybody and that's part of the problem is it's a really broad ecosystem that we're in. If you meet one person that says, I know all of cyber, they're lying, right? It's just like saying, I know Active Directory and GRC and I know DNS and I know how to code, right? Those people don't exist and cyber's a little bit the same way. So for me, it's just recognizing the intricacies. It's figuring out the complexities, how people, process, technology really fit together and it's in operation. It is an ongoing and enduring operation. This isn't a program that you can run. You run it for a year, you install something and you're done. There's ebbs and flows. You talked about the CISOs and the bad days. There's wins and there's losses. And I think part of that is just having the conversation with businesses just like in IT. You have bad days and good days, wins and losses. It's the same thing in cybersecurity and we've got to set that expectation.
Yeah, you know, being a good point, I've been saying this on theCUBE and we've been having conversations around this. It used to be security as part of IT, right? But now that it's part of the business, the things that you're mentioning around people, process, technology, the class that kind of transformational formula, it is business issues, organizational behavior. Not everyone's an expert. Specialism versus generalist. So this is like not just a security thing, it's the business model of a company is changing. So that's clear.
There's no doubt about it. And then you got the completion of the cloud coming. Public cloud, hybrid, multi-cloud. Bob, this is a number one architectural challenge. So outside of the blocking and tackling basics, there's now the future business architectures at risk. What is Capgemini doing? Because you guys are well-known, great brand, helping companies be successful. How do you guys go to customers and say, hey, here's what you do. What's the Capgemini story?
So the Capgemini story is really about increasing your cybersecurity maturity, right? As Joe said, starting out of the basics. If you look at a lot of the breaches that occurred today, they have occurred because we got away from the basics and the fundamentals, right? Shiny new ball syndrome really exacerbates that getting away from the basics. So the technology is an enabler, but it's not the be-all and end-all, right? Going to the cloud is absolutely a major issue. That's increasing the perimeter, right? We've gone through multiple waves as we talked about, so now cloud is another wave, cloud, mobile, social. How do you deal with those from on-prem, off-prem, but ultimately it's about increasing your cybersecurity maturity and using the cloud as just increasing the perimeter, right? So you really need to understand you have your first-line defense and then your maturity is in place, whether the data resides in your organization, in the cloud, on a mobile device, in a social media, you're responsible for it all. And if you don't have the basics, then you're really...
And you guys bring a playbook, is that what you guys come in and do?
Correct, correct, right? So our goal is to coordinate people, process, technology, and leverage playbooks, leverage the runbooks that we have been using for many years.
Joe, I want to get down to you on this one because what happens when you take that into the practitioner mode or implementation? Customers want the best technology possible.
If they go for the shiny new toys, Bob just laid out, there's also risks too because it may or may not be big, so you got to balance out, I got to get an edge technically because the perimeter's becoming huge surface area now. Some say it's gone, now you got edge, it's all one big exposed environment. The surface area for vulnerabilities is massive, so I need better tech. How do you balance between the best tech and making sure it works and it's in production and secure?
So there's a couple of things, right? And this is not just our refrain, you'll hear from other people that have been around a long time, but a lot of organizations that we see have built themselves so that their cybersecurity organization is supporting all these tools that we see. That's the wrong way to do it. The tools should support the mission of the organization. If my mission is to defend my enterprise, there are certain things that I need to do. There's questions I need to be able to ask and get answers to. There's data I need visibility into. There's protections and controls I need to be able to implement. If I can lay those out in some coordinated strategic fashion and say, here's all the things I'm trying to accomplish, here's who's going to do it, here's my really good team, here's my skilled resources, here's my workflows, my processes, all that type of stuff, then I can go find the right technology to put into that and I can actually measure if that technology is effective in supporting my mission. But too often we start with the technology and then we hammer against it and we run into CISOs and they say, I bought all this stuff and it's not working, come help. And that's backing into it the wrong way.
And also I've heard from CISOs that they're buying all these tools, it's like a tool shed. Don't be the fool with the wrong tool, as I say.
But that brings up the question of, okay, as you guys go to customers, what are some of the main pain points or issues that they're trying to overcome that are opportunities that you guys are helping with? On the business side and on the technical side, what are some of the things?
So on the business side, one is, depending on their level of maturity and the maturity of the organization and the board of directors and their belief in how they need to help fund this, we can start there. We can start by helping draw out the threat landscape within that organization, where they are maturity-wise, where they need to go and help them craft that message to the board of directors and get executive sponsorship from the board down in order to take them from maybe a very immature organization or a reactive organization to an adaptive organization. And really become defenders. So from a business perspective, we can help them there. From the technology perspective, Joe, or an implementation perspective, Joe, I think that would be a good answer.
It's been a really interesting road. Like being in this a long time, late 2000s when nation states were first really starting to become a thing, all the industries we were talking to, every customer is like, I want to be the best in my industry. I want to be the shining example. And boards and leadership were throwing money at it. And everybody was on this really aggressive path to get there. The conversation has shifted a little bit with a lot of the leadership we talked to. I just want to be good enough. Maybe a little bit better than good enough, but my objective anymore isn't to lead the industry because that's really expensive. And there's only one of those. My objective is to complete my mission, maybe a little bit above and beyond, but I need to right size it, right? So we spend a lot of time helping organizations, I would say optimize, right? It's what is the right level of people? What is the right amount of resources?
What's the right spend? What's the right investment? The right allocation of technology and mix of everything, right? And sometimes it's finding the right partner. Sometimes it's doing certain things in-house. There's no one way to solve this problem, but you've got to go look at the business challenges, look at the operational realities of the customer, their budgets, all those, their geographies matter, right? Some places it's easy to hire talent. Some places it's not so easy to hire talent.
And that's a good point, right? Some organizations, they just need to understand what does good look like? And we have so many years of experience, we have so many customers, use cases, we've been there and we've done that, we can bring that to bear to show them, this is what good looks like, and this is sustainable of what good looks like.
I want to get your reaction. So I was talking to Keith Alexander, General Keith Alexander, former Cyber Command Head, last night, we were talking about offense versus defense and that kind of reaction, how the Sony hack was just, they just went after him as an example. Everyone knows about that hack, but it really was getting at the idea of human efficiency, the human equation, which is if you have someone working on something that here, but their counterpart might be working on it, maybe from a different company or in the same company, they're redundant. So there's a lot of burnout, a lot of people putting out fires. So reactive is clearly, I see as a big trend, that the conversation's shifting towards, let's be proactive, let's get more efficient in the collaboration as well as the technology. How do you guys react to that? What's your view on that statement?
So people is the number one issue, in my opinion, in this space. There's a shortage of people, the people that are in it, are working very long hours, they're burnt out. So we constantly need to be training and bringing more people into the industry.
Then there's the scenario around information sharing. Threat information sharing. And then what levels are you comfortable with as an organization to share that information? How can you share best practices? So that's where the ISACs come into play, that's also where us as a practitioner, and we have communities, we have customers, we bring them together to really information share, share best practices. It's in all of our best interests, we all have the same goal, and the goal is to protect our assets, especially in the United States, we have to protect our assets. So we need to, the good thing is that it's a pretty open community in that regards and sharing the information, training people, getting people more mature and their people, process, technology and how they can go execute.
Joe, what's your take on the whole human equation piece and sharing data?
You probably heard a word and the word goes back to where I came from for my heritage as well, but I'm sure General Alexander used the word mission at some point, right? So to me, that's the single biggest rallying point for all of the people in this. If you're in this for the right reasons, it's because you care about the mission. Mission is to defend us, stop the bad guys from doing bad things, right? Whether you're defending the government, whether you're defending a commercial enterprise, whether you're defending the general public, right? Whatever the case is, if you believe in the mission, if you're committed to the mission, that's where the energy comes from. There's a lot of talk about the skill gap and the talent gap and all of those types of things. To me, it's more of a mindset issue than anything, right? The skill sets can be taught, they can be picked up over time. I was a philosophy major. Somehow I ended up here, I have no idea how, but it's because I cared about the mission and everybody has a part to play.
If you build that peer network, both at an individual level and at an organizational and a company level, that's really important in this. Nobody's an expert at everything, like we said at the beginning.
Well, you brought a philosophy, I think one of the things I've observed in interviewing and talking to people is that the world's changed so much that you almost need those fresh perspectives because the problems are new problem statements. Technology is just a part of the problem set. Back to the culture, the customer problem, Bob, they got to get all this work done. And so what are some of the use cases that you guys are working on that is low hanging fruit in the industry or customer base, how do you guys engage with customers?
So our target market is Fortune 500 Global 1000. So the biggest, the big enterprises in the world. And because of that, we've seen a lot of complex environments, multinational companies as our customers, right? We don't go at it from a pure vertical base scenario or a vertical base solution. We believe that horizontal cybersecurity can be applied to most verticals, right? And there's some tweaking along the way, like in financial services, there's regulators and FFIEC that you need to make sure you adapt to, but for the most part, the fundamentals are applicable. With that said, large multinational manufacturing organization, they have a major challenge in that they have manufacturing sites all over the world. They're building something that is unique. It has significant IP to it, but it's not secure. Historically, they would have said, well, nobody's really going to steal what we do because it's really not differentiated in the world, but it is differentiated and it's a large corporation making a lot of money.
Unfortunately, ransomware, there'd be a talk of a ransomware immediately, right? Like shut down their operations, their network.
Right, so their network goes down.
They cannot have zero downtime in their manufacturing plants around the world. So for us, we're implementing solutions and an SLA for them is less than six seconds downtime. So to help secure these global manufacturing environment.
That's classic naive when they're IT. Oh wow, we got to think about security at a much broader level. I guess the question I have for you guys, Joe, you talk about when do you guys get called in? I mean, what's your main value proposition that you guys are, because you guys got a broad view of the industry, got expertise, why are customers calling you guys and what are you guys delivering?
Because they need something that actually works, right? It's, you mentioned earlier, I think, when we were talking how important experience is, right? And it's Bob said it too, having been there, done that, I think it's really important. The fact that we're not chasing hype, we're not selling widgets that we have an idea of what good looks like and we can help an organization kind of navigate that path to get there is really important. So one of our other customers, large logistics company, been operating for a very long time, very mature in terms of their IT operations, those types of things, but they've also grown through merger and acquisition. That's a challenge, because you're taking on somebody else's problem set. And they just realized simply put that their existing security operations wasn't meeting their needs. So we didn't come in and do anything fancy necessarily. It's put a strategic plan in place, figure out where they are today, what are the gaps, what do they need to do to overcome those gaps? Let's go look at their daily operations, their concept of operations, their mission, their vision, all of that stuff down to the individual analysts, like we talked about, the mindset and skill set. But then, frankly, it's putting in the hard work, right?
And nobody wants to put in the hard, I don't want to say nobody wants to put in the hard work, that's a little bit, it's not fun.
So there's a lot of work that's good done. I guess a lot of the question is that, are you guys getting called in from CISOs, Chief Information Security Officers, who calls you?
So usually, we're in talking to the CISO. We're having the strategic level conversation with the CISO because the CISO either has come in new or has been there, they may have had a breach. Whatever that compelling event may be, they've come to the realization that they're not where they need to be from a maturity perspective. And their cyber defense needs revamping. So that's our opportunity for us to help them really increase the maturity and help them become defenders.
Guys, great for the insight. Thanks for coming on theCUBE, really appreciate you sharing the insights. Guys, give a quick plug for what you guys are doing, Capgemini, you guys are growing, what are you guys looking to do? What are some of the things that's going on? Give the company plug.
Thanks, John. So it's been a very interesting journey. This business started out from Lockheed Martin to Leidos Cyber and we were acquired by Capgemini a year ago last week. It's a very exciting time. We're growing the business significantly. We have huge growth targets for 2020 and beyond. We're now over 800 practitioners in North America, over 2,500 practitioners globally. And we believe that we have some very unique differentiated skillsets that can help large enterprises increase their maturity.
And capabilities, plug there?
Yeah, I mean, look, nothing makes us happier than getting wins. When we're working with an organization and we get to watch mid-level analysts brief the CISO that they just found this particular attack and oh, by the way, because we're mature and we're effective, that we were able to stop it and prevent any impact on the company. That's what makes me proud. That's what makes it fun.
Final question, we got a lot of CISOs in our community. They're watching. What's the pitch to the CISO? Why you guys?
Well, we'd love to come in to understand what are their goals? How can we help them? But ultimately, where do they believe they think they are and where do they need to go? And we can help them walk that journey, whether it's six months, a year, three years, five years, we can take them along that journey and increase their cyber defense maturity.
Joe, speak to the CISO, what are they getting?
They're getting confidence. They're getting execution. They're getting commitment to delivery. They're getting basically a partner in this whole engagement. We're not a vendor. We're not a service provider. We are a partner. We're a trusted partner.
Yeah, partnerships is the key. Building out in real time, a lot of new threats. Got to be offense and defense going on. A lot of new tech to deal with. I mean, it's a board level for a long time. Guys, thanks for coming on. Capgemini here inside theCUBE, bringing their practice of cybersecurity, years of experience, with big growth targets. Check them out. I'm John Furrier with theCUBE. Thanks for watching.