Hey, Jeff Frick here with theCUBE. We're in Palo Alto at the Chertoff event. It's called Security in the Boardroom. We're talking about the security conversations that need to happen in the boardroom, not just at the IT department and locking down your phone and your VPN. It's really, how do we elevate the conversation, especially as things continue to change? Digital transformation is forcing people to move quickly and everyone's becoming a digital company, right? All their assets are becoming digital. So it needs to, it needs to get elevated and we're excited to have our next guest. He's Paul Ferrell. He's the CEO of Nehemiah. Paul, welcome.

Thank you.

And joining us again, Jason Cook from the Chertoff who, Jason, good to see you again. All right, so let's jump into it. So you're CEO, before we get it, first tell people about Nehemiah who aren't familiar with the company.

Well, Nehemiah has a cybersecurity suite where we know, manage, and help protect organizations. And the knowing part is what we're probably going to talk more about today, which is our risk quantifier software.

Your risk quant, well, let's jump in. What is risk quantifier software?

We take a bottoms-up look at the, at the organization to get a true copy, high fidelity copy of the corporate network. And then we layer business applications on top of it. So boards can get a look at what the business exposure is to the cybersecurity risks.

So the network and the application. So very, very, very techie piece of it. So how much of in terms of the process and the people get filled into that piece as well?

I mean, we call that process BIA or business impact analysis. And a lot of the Fortune 500 firms have already been doing this to be compliant with Sarbanes-Oxley and other regulations. And it's being able to work with them to take some of that information out of the system and combine it with the cyber information we have to give them a good look at risk.
So if I'm looking to invest $2 million, what's my risk buy down? Is it 10 million? Is it 2 million? Is it nothing? I just need to do it. So these are some of the things that the questions we're trying to help boards answer.

And I'm just curious from a, why do we need to do this point of view? How much of it is compliance and governance and regulation? And how much of it is not? It's just we need to protect ourselves from the bad guys. I'm curious, I would imagine, especially financial services and healthcare, a lot of it was driven by compliance before, but is that percentage going down? Go ahead.

So I'd, no, not at all. Not at all. Still mainly governance, compliance, regulation. And what you have to bring together now is security, risk and compliance. It's all the one thing. And at the board level, you don't have those as separate agenda topics anymore. That's why we talk about a risk management program that especially the Fortune 500 boards are becoming very educated in and also, you know, actioning and taking forward. And that's really where that stuff comes together. So compliance, especially if you look at the finance industry, healthcare industry, for example, it's always going to be there because it's a duty of care as to the industry, how to run the business and to all of the consumers at the end of the day, at the end of that. So you need to better track that. And it's a very useful tool if you apply risk management to it and if you apply security to it and bring those things together, many CISOs will talk about situational awareness. And one of the things they need to do if they've got a seat at the board table is what do I have? What's my assets? And that's no longer just purely from a technical perspective. You know, you hear the phrase many organizations have technology silos that don't talk, that don't come together, perhaps different business units that are running those silos.
And at the board level, how do you ascertain what you've got when you have an issue? And that situational awareness then is also going to help drive well, what priorities do I take when I have to take action? And so that's something that Nehemiah Security is really focusing on. So they're saying, let us put together for you and work with you to assemble your silos of IT, network and everything else there that's essentially underpinning your digital footprint as you go on that digital journey. But then how do you have actionable business intelligence that's gonna help you prioritize how to run that, how to secure it, but also how to invest and run your business through this journey.

Right. You hear us say something?

Yeah, I think it's the word that Jason uses a lot as a journey. And there's a lot of things we should be doing just because it's cyber hygiene and it's intelligent, it's what we should do to run our business by taking the business information and marrying what we get up. And then communicate it in language that the board knows which is key. Don't be talking about WannaCry viruses and all that and SMB ports and that doesn't make any sense to them. What they make is they make business decisions every day. So we're investing X and you take a risk profile over time and you say this will help reduce our exposure here but it's good and we need to do it. Whether compliance says it or not we need to be protecting our data. That's one of the things that, compliance is a checklist. And we need to make sure that's done and everybody does audit and financial statements and that's great, we should do it every year. But there's some things that are basic. We should, like in basic stuff and finance we should do basic stuff in cyber hygiene as well as updating our systems, keeping them current, educating our employees on scams and stuff that happened. These are things that need to happen over time.
And so it's a journey for the board and for the senior management but for every employee to be able to know these things and to actually integrate it as part of their everyday job, in my opinion.

Yeah and it sounds like the cyber hygiene stuff is still just not, we're not hygienic enough as we should be. It's amazing that that just continues to be a recurring theme.

Absolutely and one of these sort of ethos approaches that Nehemiah has taken to this is they call it Know. What do you know about your environment? And it starts there to say so, especially for an organization as many are now on a digital journey, or what is underpinning all of our digital footprint? Do you know that? And unfortunately so many organizations out there have bits of it but they don't maintain that. So when you have, for example, the famous WannaCry incident that kicked off, very, very large organizations as well as many small ones were impacted. Why? Because they didn't actually understand what they had and they didn't have the business intelligence and the business analytics to make a prioritization to say we need to invest our focus and time and effort here to respond to this activity from a hygiene perspective. And until those things are addressed, you're not actually gonna truly be able to go on your digital journey as an organization. So if anything, what this is doing is heightening the awareness at the board level that you need to have an articulated dialogue where at the board level you can understand the impact of the business or what's going on here but then take all of that and take all the knowledge that you're building to then drive actionable intelligence, business as well as technology coming together which underpins risk management in that context.

Right, and I would imagine those types of incidents are helpful in terms of helping to define what is that risk.

Tragically helpful.
Tragically helpful, but still without those types of things it's probably harder to really monetize what is the risk so that I can come up with a portfolio that then I can validate my investment.

Yeah, it's about being prepared. It's about thinking about what are your critical business systems? And so when you've got something happening no matter what it is, let's make sure the critical business systems are protected first and then we'll get to the less priority systems. It's not that they're not all important it's just that there's some that are more critical, inventory systems or sales at the end of the quarter. It tends to be we find to be not only the systems but also the time of the year. If you're selling seeds, March and April in North America is really big. If you're Amazon it's Christmas time, right? The inventory system and order entry system has got to be going so but it's taking that step back now and saying what are our critical business systems? What are the risks? And then the other thing that we also look at that we've talked to Jason about is what's the, we know what the risks are but what's the probability that those risks are gonna hit you? Everybody's not 100% so some people are 20%. So when you go to the board you gotta give them a true idea of this is a true risk that we're seeing and we've tempered it down by saying if it was 100 million a risk but you only have a 20% chance of getting that exploit then it's really just $20 million that we're talking about not 100 because the days are gone where we slam our hand on the board and say you must do this, you must do this. Boards are more cyber aware now than ever and they don't want to just pay people throw information at them. They want to understand it to be able to respond properly and not react.

Right, so really the net net is speaking the language, right? Boil it down into language in the decision making process in which they're used to doing because it's not a zero sum game.
It's not a one or zero anymore. It's really a probability decision and a risk assessment.

Yeah, it happens over time. That's the whole thing. It's like there's ebbs and flows of the year and you look at things over time and I think that's the other thing that we like to talk about and it's renaissance. And one of the things that we talk is we talk with a lot of people and the chief information security officers are embracing us because they're looking for new ways to be able to communicate properly and succinctly to the boards and that's one of the big things that we see.

Good, because when they get bumped up the agenda items on the board that's what you want to see, right?

Absolutely.

All right, well Paul and Jason, thanks for stopping by. I really appreciate the time. All right, I'm Jeff Frick. You're watching theCUBE. We'll see you next time. Thanks for watching.