from the Wynn Resort in Las Vegas. It's theCUBE, covering .next conference 2016. Brought to you by Nutanix. Now here are your hosts, Dave Vellante and Stu Miniman. We're back, Alan Cohen is here. He's the chief commercial officer and board member at Illumio, CUBE alum. Alan, good to see you again. Hey, it's great to be back. So give us the update. What's happening with Illumio? Everything all the time. Well, since we're here with Nutanix, right? I think we could talk about it in that context. A lot of what we've been doing now is helping people as they re-platform and they migrate their applications and their workloads. So obviously, Nutanix is a new source of re-platforming and a lot of migration. A lot of people moving off of traditional bare metal and VM environments into their environment. So securing elements there. But you know what's new now is attack surface. The new battle on security is your attack surface. How vulnerable is the inside of your data center? How easy is it to move around it? So that's a lot of what's been going on. Yeah, I mean, you know, pick your number, but you hear anywhere from 200 to 300 days after you get infiltrated, it takes that long to discover the infiltration. So hey, everybody's sort of pivoting to analytics and trying to find the perpetrators. Oh yeah, everybody's pivoting that way. Hey there, fellows. And no, but the issue is dwell time, right? So think about it. Imagine if you had a burglar in your house and you came home and you found that you were burgled. You'd be pretty ticked off. Imagine if you knew the burglar was living in your attic for six months. So a lot of what we do is we discover policy violations which frequently can be human error or it could be cyber incursions. So by really locking down your applications through micro segmentation, when something does something that it's not supposed to, we'll see it right away and we'll alert on that. So that's been a huge growth for us.
So I was telling you about my little research project. So I gathered a bunch of CXOs in our community. Right. Because they were tweeting about blockchain incessantly. I'm sure you've seen this, right? Yes. And so I asked them why and they're like, oh, new security models are really interested. I said, all right, let's gather and talk about, here's the premise we put forth, that from a board standpoint, and you're a board member and you're out with the customers, that CXOs, CIOs in particular CISOs, there's a shift in the conversation from thought penetration to response. Right. Is that premise valid? And it came back overwhelmingly. Yes, the CIOs understand that. Right. And that's happening. Okay, so that's cool. So what does that mean for you as both a board member, as a company? I'm actually Illumio CIO. That's how desperate we are. So I actually care. So you spent a lot of time on IT. Absolutely, all day morning, noon, and night where it's always about IT. What's interesting is that, what's changing is that to start with is that the CISO is not someone who necessarily has a seat at the table with the board, right? They're frequently not in a position that reports into the CEO. So that's a really big discussion item. Yeah, they report into the CIOs like the fox watching the henhouse. And it can be very complicated. But think about it, so I was a board member at a public company for nine years. What does the board talk about? They talk about the CEO's performance and the management team. They talk about the business plan. They talk about financials. They talk about audit. And then they talk about risk. And risk can show up in a lot of ways. Now, cyber is an important risk variable that can completely botch your... I mean, if you were the board of Target after the breach and people said, I don't have confidence going into the store and using the credit card, that's a real risk factor. That's just as tough as the revitalization of Kmart and Costco, right?
That's something that Target has to deal with. So boards actually have to be able to understand the financial and business risk of what a cyber incursion could do. I mean, think about Sony. They went back to using Blackberries and fax machines. Not exactly a fast way to build a media empire again. So boards have... I mean, once again, but boards are not technical. They're not going to be able to say this hack or that hack. So what they really want to know is if we are going to be hacked or we're going to have an incident is how do we respond to it? What is our plan? How do we communicate to our customers? And how do we vouchsafe and protect our data? So boards are going through huge educations right now. So what I'm hearing from you is it should be part of a risk management plan, not some separate stovepipe. And it's all about the response. You're sort of validating that. Is the lack of understanding of data's value a barrier to properly securing my assets? Well, firstly, you can't secure what you can't see. So if you don't know if certain data exists, you really can't protect it. In fact, a lot of the conversations we've had this week with Nutanix customers, they've been telling me, we have ghost servers. We don't know where they are. And it's like, what might be on that? Crown jewels, personal bank account, the secret formula to Coke, right? I mean, like those are... CFO files. CFO files, theCUBE growth plans, you know, don't want Gartner to get their hands on them. Right? So people have very critical assets. And first of all, they don't know where they are and what they can communicate with. So I think what's going to happen is that people are gonna go through a movement, as you said. There's a huge focus on visibility and analytics, which is first, let me do an inventory of what I actually have and how exposed it is. And then you think about it, you have a kind of a risk pyramid. What are your most high value assets?
So we have a large bank in the UK we're working with and we're being dragged in by compliance because of all of the hacks that have gone on, they have to actually show that they have a better protection plan for the databases of their customer information. That's what regulators do, right? If you don't do it yourself, regulators will do that. So people have to kind of create a hierarchy of what's my most valuable assets. Have I taken an IT assets? Have I taken a plan for it? And then the point you made is like, what isn't data in? Like what is an IT in? Everything that we do, information is a component. So it's almost, it's a cost of... It's like, what's the term? It's a factor of an economic factor, land, labor, capital, and data. And that's how you build products and services. And we're doing some work right now on data capital, how to value data. Data has no asset specificity. It can be highly valuable in one application and meaningless in another. So it's a complicated equation. What, from a board standpoint, or a CISO standpoint, or a CIO standpoint, you gotta... I'm just a marketing guy. How often should CIOs be communicating to the board about security? Well, most boards meet four to five times a year. Those are major board meetings in most Fortune 500 companies. And then there'll be monthly, between that they'll have conference calls about financing or certain events, and there's updates. I think the first thing they have to do is they actually have to build a structured plan on how to educate the board. So think about it, 15 years ago, whatever it is, we had Sarbanes-Oxley and I was on a public board, you had to go through Sarbanes-Oxley class. You had to go through all of it. If you had a hard time sleeping, read your Sarbanes-Oxley binder. Today is sensitivity training. Yes, thank you, which I probably need a little of. Talking about that.
You're going to have to start by educating the board on what data and cyber risk really means, and then you're going to have to build a methodology and a set of metrics to communicate it. So think about it. You guys, you run a company, you have a management thing. You have leading indicators. How many cubes did we do? What's the forward revenue? How many analysts do we need to do? So they're going to have to be forward-looking and real-time indicators of cyber risk and cyber threat and cyber reaction inside of the business. And I think just like Sarbanes-Oxley took a couple of years, we're going to probably go through this same practice over the next couple of years to educate people. You can't expect board members to have the technical acuity of your IT and your CSO. That's not what they do. They're not usually in fact, generationally, most board members did not grow up as leading edge. Yeah, interestingly, 10 or 15 years from now as boards turn over and the next generation comes up, you're going to have a much more IT-centric board and they're actually going to demand that. Oh, that's interesting. So as opposed to the CIO speaking in more business terms, it probably has to do anyway, but you're saying the boards are going to be coming, are increasingly becoming tech savvy. I was on the board of a shopping mall company because they wanted a tech guy because they were afraid about being Amazon, right? They saw the entrance of e-commerce and they said, what did it mean to us? So I think boards are going to change because tech is going to be a key component and they're going to have to both educate them and then they're going to have to look for board skills. So you will have a cyber board member. Again, if it doesn't exist today in the next five years, people will hire board members with cyber experience to do oversight. What's the right, and I just do, I know you want to jump in, but what's the right regime here?
It sounds like some audit committee or whatever risk committee should have the cyber, you know. It could be part of risk. It could be also part of product, right? I mean, I mean, it's just like, you know, a company reviews its product and they say, is it competitive? Can the competitors knock it down? The question is, is it vulnerable? Will be another question. Right. What's up, Stu? Yeah. So, Alan, we're here. Yeah, Dave's been on the whole security bin, so that's fine, but we're at an infrastructure show here. Nutanix talked about how security is being baked into their environment, but they see you and some of the other, you know, ecosystem partners as a good fit there. Where does security fit in the infrastructure layer and then where does Illumio match up for that? It's a good question. So I would have said two years ago, Nutanix as a company had much more of a focus on storage and then it started to move into compute. Now as it becomes a cloud company, the concept of what applications are running and how they run is critical to their vision. And that's, I think, what Dheeraj laid out earlier this morning and Howard and Sunil. As you start to focus on applications, protecting them, making them secure, managing the data for them, increasingly become critical elements. So I actually see Illumio actually and Nutanix have been moving this way, particularly now in the large enterprise space. What we do, Nutanix, interestingly, is that we do infrastructure security without the infrastructure. We do it in software. We don't have a dependency on the infrastructure. So in today's announcement, Sunil, he said, here's how I'm going to integrate bare metal into Nutanix, right? It was a pretty big announcement. Well, we run on bare metal and we run on Nutanix.
So being able to stretch your security across those environments, or I may decide to put my web tier of elastic apps in Amazon, but I'm going to keep the core app and the databases in Nutanix, being able to stretch my security and work those environments. So I think what we'll do is we'll help provide that micro segmentation and provide them with a heterogeneity element as they become much more of a platform company and they actually have to reach out and work with other compute formats, not just replatform for them, if that makes sense. Yeah, so I guess, look at what Nutanix is doing. Maybe give us your thoughts as to compare to, say, Oracle is putting security down on the silicon level or VMware, who you've got strong familiarity with and all the various options there. So I have a theory. You guys were at Docker this week and for the last 15 years infrastructure, the last 25 years, applications were written to infrastructure. It started with Microsoft. Intel came up with a chip, Microsoft filled it out and every time they did that, we bought a new PC. Now the world is going the other direction. Now infrastructure has to chase applications. The application people are in charge. So if you think you're just going to lock people in at the infrastructure level and put it in the silicon, good luck. Because, I mean, you could be all in on VMware and then your entire team says, hey, we're going to build our development environment in containers. What do I do about that? So you're going to have to be able to be adaptive and change with that. So, look, you want your infrastructure more secure. It's critical, but you actually really have to live and deal with the growth and dynamic nature of your applications. I think that's the core skill that security means. And I think that's something that we provide. Think about how Nutanix are just saying, let's take the infrastructure out of the way. Just run your apps.
Ours is let's just take the security out of your way, make sure it follows your apps no matter what they're doing. So what, follow up on that. So taking the security out of the way and then what, giving you more time to respond, those response plans that we were talking about? Well, the first thing is you want to know, as you said, Dave, earlier, what happens when something wrong happens? You want to know it immediately because the longer the time goes by, the more risk. Like you can't go nine months anymore, like OPM and Target, and say there were people living in the environment just picking off information when they wanted. So you need to know immediately when something, or as close as you can get, when something wrong is going on. And then you want to have the ability to take action. So one of the things that we do is we actually, if we see something, let's say I had an HR database that was running on Nutanix and I also had an ordering application. If that HR database starts talking to the credit card server, number one, I shouldn't allow it to do that. Number two, I want to quarantine and take care of it before it does any harm. And I need to know that immediately. So you're going to have to be much more synaptic and fast in security to be able to live in the world because your infrastructure and your applications are just spinning up, spinning down, moving, and they're so dynamic. So I think you actually, so what's going to happen is you're going to have to move as fast as your applications. So you're able to witness and observe anomalous behavior horizontally across different assets, and then you help respond to that as well. So I can't, I won't spot polymorphous malware showing up on a server. The minute it tries to do something different, I'll knock it down. Yeah, that's somebody else's domain. Yeah, I mean you need both, right? No one company's going to do this by itself or boy. We're working on it, but we're not there yet. 
And then so you can compress that 200 or 300 days, is that? We can compress it to minutes. Do you have examples of that? None that I can tell you about live, but yes, we do it all the time. Rob, this is, I wonder if people don't know they're being infiltrated until, you know, I mean, I don't know where the numbers come from, you know, it's like, they're fuzzy, but there are a state of public numbers. It was the Verizon study. And there are numerous, yeah, there are numerous ones. Well, people will tell you. The issue is that a day is too long, nine months is really ridiculous. So you need to do that, but that means you have to be much more in touch with, you know, so think about it, you can't just be in the server level and you can't just be in the network level, right? You actually have to span both of those because, you know, you have to be able to see when something wakes up and then does something. Because by the way, malware is not brilliant, most malware, it's extremely patient. And it just starts and it starts to port scan around and then pretty soon it finds a hole. What's interesting is that you actually have to protect your unprotected environment, not just your protected environment. So I know my Hadoop cluster is really valuable and I'm gonna firewall it, I'm gonna put Illumio on it. But the question is that other server that can talk to it, I wasn't watching it because it's kind of innocuous. I have to watch all the sleeper cells as well, not just the known spies in the environment. Right, right. And as a board member, I just want to understand that dynamic, right? And how it's changing. You want to know the game, right? It's interesting, you got to play offense. So the key thing that Illumio does is that we've taken the tools that hackers use, they think about, hackers think about computing and graphs, they say that's the critical asset. How many stops do I need to get there? What does the graph look like?
Traditionally, defenders, like firewall vendors, they think in lists. Here's a bunch of IP addresses, this is blocked, this is denied. So you actually have to think like a hacker. You have to think in the graph. You have to look holistically at your compute environment and say, what are the pathways to get there? Visualization becomes more important. Come on by the booth, we'll show it to you. You got to be able to see it, like an MRI machine. Awesome. Constantly running. Hey, thanks very much for coming on theCUBE. Always a great guest, really appreciate it. Thank you, gentlemen. All right, keep it right there. We'll be back with our next guest and the afternoon keynotes right after this short break.