From around the globe, it's theCUBE, covering Fortinet Security Summit. Brought to you by Fortinet.

Okay, welcome back everyone to theCUBE's coverage of Fortinet's championship golf tournament. We're here for the Cybersecurity Summit Day. We've got a great guest, Ruvi Kitov, CEO and co-founder of Tufin. Great to have you on. Thank you for coming on theCUBE. We were chatting before we came on camera. Big talk you just gave, but thanks for coming on.

Thanks for having me.

Not a bad place here. Golf tournament and cybersecurity kind of go together. Keep the ball in the middle of the fairway. Don't let it get out of bounds.

That's true, and it's a beautiful place, so we're very happy to be here and be a premier sponsor of the event.

Well, congratulations, and good to have you on. Let's get into the cybersecurity. We were talking before we came on camera around how transformation is really hard. Moving to the cloud is really hard. Refactoring your business is really hard, but security is really, really hard.

That's true.

So how do you look at how security is perceived in companies? Are there dynamics that are being amplified by the rapid movement to the cloud? You're seeing apps being developed really fast, change is fast. What's the barometer of the industry right now?

Sure, it's interesting, and this hasn't really changed in the past, but we've seen it exacerbated, getting worse and worse. I think in a lot of companies, security is actually seen as a blocker. And frankly, security is probably the most hated department in the organization, because a lot of times, first of all, security says no, but also they just take their time. So if you think about organizations, enterprises, they run on top of their enterprise applications. They have applications that their own in-house developers are writing, and those developers are changing their apps all the time. They're driving change in IT as well.
So you end up having dozens of change requests from developers who want to open connectivity, you want to go from point A to point B on the network. They open a ticket, it reaches the network security team. That ticket might take several days until it's implemented in production. So the level of service that security provides to application teams today is really not very high. So you can really understand why security is not looked upon favorably by the rest of the organization.

It's just, in some organizations, my perception is that the hardcore security teams that have been around for a while, they've got standards and they're hardcore. A new app comes in, it's got to be approved. Something's got to get done and it's slower. It slows people down. It's a perception that could be slow. How is it changing?

Yeah, so it's changing because when you're moving to the cloud and a lot of organizations are adopting the cloud in many ways, private cloud, public cloud, hybrid cloud, they're working in cloud-native environments. And in those environments, the developers, they own the keys to the kingdom. They're managing AWS, Azure, Google Cloud, they're managing GitHub. They got the place to themselves. So they're pushing changes in their apps without asking IT for permission. So they're suddenly exposed to, this is how fast it can really be. And while anything that they do in the on-prem or in sort of traditional applications is still moving very slowly, unless they're using an automated approach to policy. So one of the things that I spoke about today is the need for organizations to adopt a policy-centric approach. So they need to define a policy of who can talk to whom and what can talk to what across the entire organizational network, whether it's firewalls, routers, switches, cloud platforms. And then once you have that policy, you can start automating based on the policy. So the concept is somebody opens a ticket, a developer wants to make a change.
They open a ticket in ServiceNow or Remedy. That ticket reaches some system that's gonna check for compliance against the policy. If you're able to immediately tell if that change is compliant or not, then you're able to make that split-second decision which might take an analyst a couple of days. And then you can design the perfect minimal change to implement on the network. That is really agile, right? That's what developers want to see. And a lot of security departments are really struggling with that today.

Why are they? That seems like a no-brainer because policy-based innovation has been around in the network layer for many, many years, decades. Policy makes things go better, faster. Why would they be against it?

Yeah, so they're not really against it. I think it's just the sheer complexity and size of today's networks is nothing compared to where it was 10 years ago. So you have tens to hundreds of firewalls in large enterprises, thousands of routers and switches, load balancers, private cloud SDN like NSX and ACI, public cloud, Kubernetes. It's just a plethora of networking. So we're thinking of it as proliferation of networking is getting worse and worse, especially with IoT and now moving to the cloud. So it is just so complex that if you don't have specialized tools, there's absolutely no way that you'll be able to automate it.

So your talk must have gone over well because I do a lot of interviews and I hear developers talking about shift left, which is basically vernacular for do security in the dev CI/CD pipelining. So while you're there rather than having to go fix the bugs later, this seems to be a hot trend. People like it. They want to check it off, get it done, move on. Does policy-based automation help them here?

It does in some ways. I mean, so you need a policy for the cloud as well, but there's a different challenge that I see altogether in the cloud. One of the challenges that we're seeing is that there's actually a political divide.
You have network security folks who are managing firewalls, routers, switches and maybe the hub to the cloud. And then inside the spokes, inside the cloud itself, you have a different team, cloud operators, cloud security folks. And those two teams don't really talk to each other. Some companies have set up centers of excellence where they're trying to bring all the experts together, but in most companies, network security folks who want to understand what's happening inside the cloud are sort of given the Heisman, they're not invited to meetings and there's lack of collaboration, which I think is tragic because it's not going to go over well. So there's huge challenges in security in the cloud and unless these two departments are going to talk to each other and work together, we're not going to get anywhere near the level of security that we need.

Actually the cloud team, the cloud guys, if you will, quote, guys or gals, and the security guys and gals, they're not getting along. What's the, is it historical, just legacy structures? Is it more of my department, I own the keys to the kingdom so go through me kind of vibe, or is it more of just evolution of the developers going to say I'm going to go around you, like shadow IT created the cloud. Is there like a shadow security trend around this?

Yeah, there is and I think it stems from what we covered in the beginning, which is app developers are now used to and trained to fear security. Every change they want in the on-prem network takes a week. All right, they're moving to the cloud, suddenly they're able to roam freely, do things quickly. If network security folks come by and say, oh, we want to take a look at those changes, what they're hearing, the music, is, oh, we're going to slow you down. And the last thing cloud guys want to hear is that we're going to slow you down. So they're fearfully, they're rightly afraid of what's going to happen if they enable a very cumbersome and slow process. We got to work differently, right?
So there's new paradigms with DevSecOps where security is built into the CI/CD pipeline where it doesn't slow down app developers but enables compliance and visibility into the cloud environments at the same time.

Great stuff, great insight. I want to ask you, one of your things in your talk that I found interesting and I'd like to have you explain it in more detail is you think security can be an enabler for digital transformation.

Absolutely.

Digital transformation has been kicked through. Oh yeah, we're transforming. Okay, everyone knows that. But security, how does security become that enabler?

So, I mean, today security is a blocker to digital transformation. I think anybody that claims, hey, we're on a path to digital transformation, we're automated, we're digitally transformed and yet you ask the right people and you find out every change takes a week on the network, you're not digitally transformed, right? So if you adopt a framework where you're able to make changes in a compliant and secure manner and make changes in minutes instead of days, suddenly you'll be able to provide a level of service to app developers like they're getting in the cloud. That's digital transformation. So I see the network change process as pretty much the last piece of IT that has not been digitally transformed yet.

And that's where a lot of opportunity is.

Exactly.

All right, so talk about what you guys are doing to solve that problem because this is a big discussion. Obviously, security is on everyone's mind. They're reactive, they're proactive, they're buying every tool they can. Platforms are coming out, you're starting to see control planes, you're starting to see things like collective intelligence, networks forming. What's the solution to all this?

Right, so what we've developed is a security policy layer that sits on top of all the infrastructure.
So we've got four products in the Tufin Orchestration Suite where we can connect to all the major firewalls, routers, switches, cloud platforms, private cloud SDN. So we see the configuration in all those different platforms. We know what's happening on the ground. We build a topology model that is one of the industry's best topology models that enables us to query and say, okay, from point A to point B, which firewalls, routers, switches, and cloud platforms will you traverse? And then we integrate it with a ticketing system like Remedy or ServiceNow so that the user experience is: a developer opens a ticket for a change. That ticket gets into Tufin. We check it against the policy that was defined by the security managers. The security managers define a policy of who can talk to whom and what can talk to what across the physical network and the cloud. So we can tell within a split second, is this compliant or not? If it's not compliant, we don't waste an engineer's time. We take it back to the original user. But if it is compliant, we use that topology model to perform network change design. So we design the perfect minimal change to implement on every firewall, router, switch, cloud platform, and then the last mile is we provision that change automatically. So we're able to make a change in minutes instead of days with dramatically better security and accuracy. So the ROI on Tufin is not just security, but agility balanced with security at the same time.

So you like the rules of the road, but the roads are changing all the time. That's, how do you keep track of what's going on? You must have to have some sort of visualization, technology, when you lay out the topology and things start to be compliant and then you might see opportunity to do innovative. Because you know, I love this policy, but I'm going to work on my policy because you've got to up your game on policy and continue to iterate. Is that, how do your customers handle that?
So listen, we're not a tiny company anymore. We've grown, we went public in April of 2019, raising capital, we have over 500 employees. We sold to over 2,000 customers worldwide. So when customers ask us for advice, we come in and help them with consulting or professional services in terms of deployment. And the other piece is we got to keep up all the time with what's happening with Fortinet. For example, as one of our strategic partners, every time Fortinet makes a change, we're on the beta program. So we know about a code change, we're able to test it in the lab. We know about their latest features. We got to keep up with all that. So that takes a lot of engineering efforts. We've hired a lot of engineers and we're hiring more. So it takes a lot of investment to do this at scale and we're able to deliver that for our customers.

Tell us about the relationship with Fortinet. So you're here at the golf tournament, you're part of the pavilion, you're part of the tournament. By the way, congratulations. Great, great event.

Thank you.

What's the relationship with Fortinet from a product and a customer technology standpoint?

Sure, we're working closely with Fortinet. They're a strategic partner of ours. We're integrated into their FortiManager APIs. We're a fabric-ready solution for them. So obviously we're working closely; some of our biggest customers are Fortinet's biggest customers. We got the opportunity to sponsor this event, which is great, tons of customers here and very interesting conversations. So we're very happy with that relationship.

Business is good.

Yeah.

So I'd ask you, what have you learned? You've got great business success. Looking back now to where we are today, the speed of the market, what's your big takeaway in terms of how security changed and it continues to be challenging and these opportunities? What is the big takeaway for you?
Well, I guess if you're like spanning my career, the big takeaway is, first of all, just in the startup world, patience. Things come to those who wait. But also just you got to have the basics right. What we do is foundational. There are times when people don't believe in what we do or thought, you know, this is minor. This is not important. As people move to the cloud, this won't matter. Oh, it matters. It matters not just in on-prem. It matters in the cloud as well. You got to have a baseline of a policy and you got to base everything around that. And so we've sort of had that mantra from day one and we were right and we're very happy to be where we are today.

And as a founder, a co-founder of the company, most of the most successful companies I observed are usually misunderstood for a long time. Jassy's favorite quote on theCUBE, he's now the CEO of Amazon, said, we were misunderstood for a long time. I'm surprised it took people this long to figure out what we were doing and that was good, the good thing. So having that North Star vision, staying true to the problem when there were probably opportunities that you're like, oh, you know, pressure or.

Sure. Yeah, I mean.

Of course, what was the key thing? Grit, focus.

Yeah, look, in the startup life, it's sort of like being in sales. We got told no a thousand times before we got told yes or maybe a hundred times. So you got to be, you got to persevere. You got to be really confident in what you're doing and just stay the course. And we felt pretty strongly about what we're building, that the technology was right, that the need of the market was right and we just stuck to our guns.

What's the focus in the future? What's the next five years look like? What's your focus? What's the strategic imperative for you guys? What are you working on?

So there's several things that on the business side, we're transitioning to a subscription-based model and we're moving into SaaS. One of our products is now a SaaS-based product.
So that's very important to us. We also are now undergoing a shift. So we have a new version called Tufin Aurora. Tufin Aurora is a transformation. It's our next generation product. We've re-architected the entire underlying infrastructure to be based on microservices. So we could be cloud ready. So that's a major focus in terms of engineering. And in terms of customers, we're selling to larger and larger enterprises. And we think that this policy topic is critical, not just in the on-prem but in the cloud. So in the next three years, as people move more and more to the cloud, we believe that what we do will become even more relevant as organizations will straddle on-premise networks and the cloud together.

So safe to say that you believe that policy-based architecture is the key to automation?

Absolutely, you can't automate what you don't know. And you can't, people, like I mentioned this in my talk, people say, oh, I can do this. I can cook up an Ansible script and automate. All right, you'll push a change. But what is the logic? Why did you make that decision? Is it based on something? You got to have a core foundation and that foundation is the policy.

Really great insight. Great to have you on theCUBE. You've got great success and working knowledge and you're in the right place. And you're skating to where the puck is and will be, as they say. Congratulations on your success.

Thank you very much. Thanks for having me.

Okay, CUBE coverage here. The Fortinet Championship Summit Day, Cybersecurity Summit, Fortinet's golf tournament here in Napa Valley. I'm John Furrier, theCUBE. Thanks for watching.