 Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. Welcome back, everybody. Jeff Frick here with theCUBE. We're at RSA 2020, downtown San Francisco at Moscone Center, 40,000 professionals in the security industry. It's the biggest security event in the world, I'm pretty sure. Certainly the biggest one in the U.S. We're excited to have somebody who's been running around, taking care of these problems and talking to customers for a very long time. He's got a great long-term perspective. We're happy to have him. Jonathan Nguyen, the VP Global Field CISO team for Fortinet. Jonathan, great to see you. Thanks for having me. So you said you've been coming to this show for a long, long time. Love to get kind of your impressions that the human element is the theme this year. You know, I think it's changing. Attendance has broken out by very senior people who've been here for multiple events and then a whole new slew of people are coming into the industry, right? And there's a lot of excitement. There's a little bit less of a buzz. It just seems there's a little bit less people here this year because of the virus scare. But overall, I think the themes are pretty consistent, which is kind of tragic that the themes are consistent year after year because it suggests that not a lot has changed despite the $130 billion in network security spend. You know, absolutely complexity. Everyone is telling me about how to solve complexity, how to do more with less, how to do more with less and fewer people and how to get their arms on this vast volume of data that's being generated. There's a lot of talk about automation and AI, but much more practical, less buzzwords and more practical solutions. And you have still tons of new vendors, right? Tons of new opportunities. You know, I don't know what the final count is on the vendor side, but it's a really large number. 
And you go off into the corners to the itty bitty little mini booths. It's still a ton of innovation. A lot of people trying to move the ball. So I think when the first show first started, there were less than 500 vendors, I think, in the industry back in 2007. I think today we're north of 5,000 and it's probably 8,000. There are about 5,000 vendors in the immediate vicinity here, but just go around the corner and there are dozens of others having their own events in the neighboring hotels and restaurants. So it's astounding the number of different point products that are still coming into the industry. And that really suggests that we haven't gotten our arms around integrating all this technology and it's just another level of complexity. So what do you tell your friends on the buy side, right? Who know you and say, John, I'm going to RSA. How in the heck am I supposed to navigate not only the show specifically, but kind of this vendor landscape and make sense of it all? I'm telling them to look for vendors that are partners that have a long-term perspective and that do the integration for you. You know, one of the things coming from an operational background is I talked to others like our job is to operate technology. It really isn't about integrating technology. It really isn't about QA and product releases. I want to focus my budget and my resources on operating technologies to manage risk. So I look for partners and vendors like Fortinet that has a fabric with 258 plus different products and vendors that are already integrated out of the box. I'm looking for someone that solves complexity rather than a specific problem or a specific threat vector. And I'm really looking for someone that helps me understand and manage risk because that's the object of the exercise in cybersecurity today. You know, it's not about compliance. It's about compliance. It's about security. It's about resilience, but a reasonable level of care in managing risk. Right. And yeah. 
It's a great topic because I was thinking that kind of in terms of insurance, in terms of how much do you spend and you can't insure everything to 100%, right? So it's going to be some number less than that. Everybody else needs a piece of the pie. But how do you make those kind of trade-offs between investment versus risk? Because you can't absolutely protect everything. It makes no sense. So I think the value of it comes back to the CISO and his or her team, it's a very human decision. There is no prescriptive definition of what reasonable care is. You know, outside of one statement by Kamala Harris when she was the state's attorney in California here, which is that the CIS 20 is the minimum level of reasonable care. And so now we have to understand how do we define what is reasonable? What is the risk appetite or tolerance for a company? And once you identify those things, what are the controls and mitigation measures that you're going to have in place to mitigate those risks? And then what's left is residual risk. And that's a hard decision. How much will you absorb? How much will you transfer? And how much will you just tolerate? But it's really no longer just about compliance. And it's no longer just about having security or continuity or resilience, but all of those things at a reasonable level. Right, it's interesting. I was pulling up Wendy Nather from Cisco gave one of the early keynotes and she talked about really the security profession embracing those pesky people that keep clicking on links because really they're the people that have the data around the specific applications and specific assets that the company has to kind of have that informed decision as to what is it worth to protect and do we need to protect it? Do we need to protect it more? Can we let this thing go a little bit? Yeah, I think the human element is the hardest part in mind of this conference and its theme, the human element. 
The hardest part about this job is that it's not just mechanical issues and routing issues and networking issues but it's about dealing with all types of humans. Innocent humans that do strange and bad things unknowingly and it's malicious people who do very bad things by design. And so the research suggests that no matter what we do in security awareness training some 4% of our employee base will continually fail security awareness tests. We'll re-phish it and actively. And so one of the things that we need to do is use automation and intelligence so that you could comb through all of that data and make a better informed decision about what risks you're going to mitigate, right? And for this 4% that are habitually abusing the system and can't be retrained, well you can isolate them, right? And make sure that they're separated and they're not able to do things that may harm the organization. Right, the other human element is the people on the security teams, right? And it's a tough resource. There aren't enough of them and historically they've been the ones at that integration point between all these different systems. And it's a highly stressful job. You know, there was a Forbes article that said 17% of all CISOs are functional alcoholics. I mean, I mean, and they medic- What was it, 17%? 17%, one of every six CISOs medicates himself or herself with alcohol and medicate is a very specific term of art. It doesn't mean recreational drinking. It means you are a functional alcoholic. And that tells you about the level of stress and complexity in this job. Our research suggests that the average CISO lifespan is somewhere on the low end of about 12 months, on a high end, somewhere about 24. In their role or in their profession? In their role, their current job, their current gig. They're not lasting more than two years. The sheer complexity and stress of the job. And those first 24 months, three of those months are just orientation. 
So that gives you an idea of the level of stress and the complexity that the average CISO is going to face here. Right, so really begs for a lot more automation. A lot more automation on the defense side. It does, it begs for a lot more automation and how do you help those teams cope with the massive levels of complexity and data that's coming out of these digitized and digitally transformed enterprises, right? I mean, when you think about each person's going to generate three to five terabytes of data per person per day and that computing is going to change in the next three to five years. Right now, 85% of computing and data generated comes from traditional IT functions. As you move into 5G and edge-based computing, the vast majority of data generated computing will be done on the edge. So the level of complexity, the number of technologies and devices that we're going to have to monitor is only going to expand. Right, right. In the speed of those transactions, in the speed of the potential harm. So marry that against the research data that says 99% of the attacks could have been mitigated through simple intermediate controls and that the patches, the signatures were readily available. And so the thing to contemplate as we go into this heightened level of complexity and expansion of our computing environment is we're missing the basics today, right? If 99% of the successful attacks are based upon exploits that are known that the signatures are available and the patches available for them a year, what are we going to do when everything else becomes even more complex? Right, more sophisticated. That's funny, that was part of Rohit's keynote. To kick off the whole thing is he said, you know, we as security professionals like to focus on the complex, we like to focus on the ornate and the super sophisticated attacks. So the reality is the vast majority were just coming right in the normal side door that they've been coming in all along. 
And one thing I always say is during my time at the Verizon Data Breach Investigations Report was that 77% of all the breaches were not identified by the security team. They were identified by law enforcement. 77%. 77%, okay, so let's say you've got a sysadmin that goes out and accesses financial information before the earnings call and does insider trading. And it's the SEC that calls the FBI and it's the FBI that calls you and said, by the way, your sysadmin is going to be charged with insider trading and that's how they know that there's been a compromise. And in many cases, what does that tell you? Despite $130 billion of network security spend this year alone, that's seven out of 10 data breaches will be identified by law enforcement and not the security team. So that tells you that- And not the security law enforcement team either. It's the SEC or the FBI or somebody else. It's the Secret Service. And it just says that security is so complex that until we find ways like the Fortinet Security Fabric to automate and to manage complexity in an integrated way, that's the leading edge indicator that I look for is that at what point do security teams identify more data breaches than law enforcement and the victims? And they're way behind at this point. Unfortunately, yes. That's crazy. But there's a lot more AI now that you guys can use too, right, on the good guys side. But how does that really square the circle when you're saying so many of it just comes through the simple approaches? Because of lack of visibility. SOC teams are overwhelmed by the volume of data. And so the way to address the volume and variety and velocity of data is to use artificial intelligence to use a machine to make human decisions and behavior at machine speed. And so when we launched our FortiAI product offering of the virtual security analyst, the research that we did suggests that is equivalent of five SOC analysts. 
And so that's one way of helping SOC teams that are overwhelmed by the volume of data that are understaffed to use artificial intelligence to distill out from all of that data the useful patterns and to marry that with our FortiGuard intelligence and say, okay, this is the techniques, tactics and procedures most likely associated with this threat vector now escalate that to a human to make a decision on whether you want to mitigate that. And once you decide to mitigate that, you use the automated and integrated capabilities of the fabric to make an efficient and effective mitigation of that incident. That's interesting you bring up the SEC case. We had a conversation earlier today where we're talking about deepfakes. Somebody had the use case that what if you just had a pretty straightforward deepfake of some executive from some company saying something to move the market and you drop that into the social stream three minutes before the close on a Friday, you get a play off the margin leverage. Nobody gets to really investigate the thing until the four minutes are over, markets are closed. You get a significant financial damage in a situation like that. Without even really directly impacting the company systems. So you're hitting on the fact that we are more interconnected than ever and that the traditional compensating controls that we would have used to mitigate that type of risk is not as effective. And so that's going to be a challenge we report. Everything is going to be more interconnected, accelerated and decisions will be driven by data. So all those things will drive complexity. So maybe next year when we'll be talking again, we'll see about that. One of the reasons I have a credit freeze personally is that I'm aware of things like deepfakes, impersonating, spoofing my identity. So having a credit freeze allows me to know that no one can leverage my credit even if they have my data. Interesting. 
So, begs the question, we sit down here a year from now without the benefit of 2020 hindsight. You know, what do you think the themes are going to be? What do you see as kind of this kind of short-term move in the market based on some of these factors that you've identified? I think more automation, more artificial intelligence, ways of automating the traditional process, close and security. But secondarily, I think there's going to be the rising awareness of edge-based computing and smart systems. Autonomous level five vehicles that are networked and rather than sensory-based awareness, smart homes, smart industrial applications, that computing will be done on the edge increasingly and those industrial applications, that 85% of the data computing will be done there. And that increasingly, the cloud will become a repository for storage and correlation but the actual computing and actuation will be done on the edge. And so as 5G takes hold, you're going to see tremendous transformations in our society and our economy and how we conduct commerce, how we communicate. And that leads to more complexity. That's why I'm so focused on helping organizations getting security right now before that next onslaught of complexity hits us. Yeah, it's coming. It is, yeah. The 5G IoT thing is just around the corner. Look at the telcos. There's a very specific reason why they're investing literally hundreds of billions of dollars into 5G and the tremendous societal and economic changes that that will bring in infrastructure and communications and security will have to stay paced with that. One of the things that we're going to see moving forward is that the digital infrastructure is only as successful as the security is. And I think we should see a breakdown in the traditional operational silos and network operations and security operations. Well, as Michelle Dennedy said earlier on the air, if you cannot protect, you should not connect. 
But fortunately, people are still connecting before they're ready to protect. So hopefully they'll be a little bit more circumspect going forward. Well, Jonathan, thanks for taking a few minutes and sharing your perspective. Really appreciate it. Always a fun time. Always a fun time. He's Jonathan. I'm Jeff. You're watching theCUBE. We're at RSA 2020 from downtown San Francisco. Thanks for watching. We'll see you next time.