 From theCUBE Studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. The narrative from security companies is that organizations don't spend enough money on cyber defense, maybe, but will spending more actually address the problems organizations face? The conventional wisdom is it will help, or at least it can't hurt, but as we and others have pointed out over the years, crowded market and mega VC funding have created more tools, more complexity, more billionaires, but are we safer? Hello and welcome to this week's Wikibon Cube Insights, powered by ETR. In this Breaking Analysis, we follow up last week's RSA preview episode and continue with part two, using the same play on words in an homage to the keynote speech this year from RSA CEO Rohit Guy. Is there a looming identity crisis for the security industry? And this week we're excited to introduce the newest member of the SiliconANGLE editorial team, longtime journalist, David Strom. He's going to unpack and bring additional context to the ETR data. We're going to look at some recent data from Unit 42, Palo Alto's threat intelligence and response division and we'll also ask David to explain the anatomy of our recent double supply chain hack. And as always, we'll dig into some ETR survey data and ask David Strom to comment. And as we shared last week, we're going to get into this. Actually, guys, before we do, David, welcome, first of all, and tell us a little bit about yourself. Thanks, Dave. I've been a tech journalist for more than 30 years, started out at PC Week, back in the go-go days of the 1980s, founded the magazine Network Computing for what was then called CMP, which is still more or less kicking online. And I've worked as editor-in-chief at Tom's hardware, read, write, and run a security newsletter for inside.com. So I've been around the industry quite a while. Yeah, and you're very prolific. You've got an amazing body of work in data center security and cloud. I mean, it's just amazing. So you and I indirectly competed with each other. I was at IDG for years and of course, you know, Paul Gillan very well. So it's great to have you on the team. Welcome. Thank you. It's great to be here. All right, as we shared last week, let's pull this up. This is a chart from ETR and they asked, you know, what's the number one priority? And it came back, zero trust was number one. And they said, okay, what about zero trust? And identity, single sign-on, multi-factor authentication came up, you know, number one as tied basically with vulnerability management and patching. You know, I guess not a lot of surprises here, although I guess in a way, David, I feel like kind of a lot of the older sort of techniques are still in vogue. It's not, you know, the marketing doesn't match the actual sort of areas of priority, but what's your take here? You could run this same slide five years ago, maybe even 10 years ago, possibly with the exception of the seam tools, the logging tools. I mean, it's pretty embarrassing, I think for the security industry that we're still talking about the same types of processes, same types of tools and techniques. And we should have a better handle on this, but we don't. Yeah, so okay. So go ahead, please. The missing from this chart though is something that's pretty basic that every company has is firewall. I mean, I don't know where you put that in. It's not really, it's because of lousy firewalls that we need zero trust. You know, I got to have to ask ETR about that. I don't know if this was a conditioned response, like which of the following do you guys use or if it's like just open-ended. I think it's maybe a combo, but I'll follow up on that. The next data point that I wanted to share again in the spirit of this looming crisis comes from Palo Alto Networks, the unit 42 annual threat report. And it's basically tells us that typically 5% of the security rules trigger the majority of the security alerts. So if you look at the left-hand side of the chart, that's where the most of the rules are triggering these alerts. What is this data, David, tell us about security practices today? It shows that they're pretty lousy. I mean, we really don't have very much security by design. In other words, when you, before you even code your first line of an app, you think about how to secure it. And a lot of developers are just playing lazy. They don't really look at security as their province. They think that somebody else's job. A lot of the secret scanning tools that were mentioned in the report have been available for years, yet the vast majority of organizations, I think 80% have hard-coded encryption keys and other secrets into their code. It's just nuts. It's just really poor practice. So this is why, you know, upfront I was saying, I mean, is spending more going to change this? I mean, I've always said bad security habits are going to trump good technology every time. And so I don't believe the narrative of spending more money. You know, maybe there's spending more money on education and training. I don't know, what do you think about that? I think what we have is insecurity by design. It doesn't have anything to do with money. It's just a fact of people haven't been trained properly. You know, for many years, you could get a degree in computer science without taking one class in security. You know, that's changed, but it's still pretty crazy. You know, it's a CEO, sorry, CISO of MongoDB. I don't know if I've shared this with you. I was asking her like, what are you, you know, security culture? Because it's really, you know, we talk about it moves to the boardroom and it's going beyond the boardroom. And I asked her how she deals with it. And have I told you this? She said, I take my best, my deepest security pros, which of course, you know, these guys, they know all the acronyms and you read the stuff that they do and you just, I can't anyway, understand it, or a lot of it. And she says, I put them in a room. I'll split them up and I'll put the top pros, secop pros in the room with people who know nothing about security. And I just say, talk, talk about security. And through the process of osmosis, I guess, they sort of learn from each other. The deep tech pros learn how to speak, you know, normal business language to kindergarteners and the reverse is people who think, oh, I'm not a target, what's the big deal? You know, get attuned to sort of the dangers. Have you seen, you know, other techniques like that? I mean, like to say throwing money at tech isn't going to solve that problem, but sort of some of these cultural techniques, you know, might help a lot. Yeah, I think it's definitely a time to bring the cultures together and to inculcate developers with security professionals and with what they're trying to do to support the business. I mean, that's really what the bottom line is here. It's not about how much money you're spending on your tech. It's whether your tech is effective and whether it's actually protecting you. And the fact that some of these exploits are still in existence. I mean, SQL injection, I wrote about that thing in 2003, 20 years ago. I mean, it's just crazy that that's still a problem. You could give a third grader the instructions on how to do a SQL injection attack. They don't need anything other than Google. I mean, it's just, it's insane. All right, so continue. I just, I want to ask you about chat, GPT, but let's just park that for a minute. So let's continue on this theme of the looming crisis. The next chart. Thinking about there are graders. Yeah, well, exactly. So this is brought to you by Mandiant, you know, which is Google's recent acquisition. This is the three CX hack. It's evidently the first time hard evidence has been captured showing a software supply chain hack that created a second wave, sort of a double whammy attack, if you will. David, what do you know about this? How does something like this happen? And then I want to ask you about API security, but take us through sort of the anatomy of this attack. So what's interesting here is this whole thing was caused by a single individual at the company. Three CX makes voiceover IP, unified communication tools, like things that, you know, an application that runs on your desktop that turns it into a telephone or a video conference, that kind of stuff. And so this person decided to download a stock tracking app to his desktop at work. You know, why the hell he was doing that? Why he wasn't prevented from doing that? Who knows? The app was downloaded from the stock tracking company's website and it had been compromised two years ago. And again, why didn't this company pay attention? Who knows? And so once that app was downloaded, it proceeded to do all sorts of nasty things to that person's computer and then infected the three CX app itself, the desktop app itself, that it gives to its customers. So instead of running, you know, a soft phone, they're running malware. And, you know, it just shows you a combination of errors here and how crazy, you know, this business has become that we couldn't stop it. Now, part of the problem was they had a very sophisticated adversary, this North Korean UNC, whatever the numbers are, it's how it's labeled by Mandiant. But part of it is they have really crappy app sec security. And so they just came out with a blog post the other day and they said they're gonna do all this stuff that's featured in the slide here. And you read through all the procedures that they're gonna change, like, you know, having more dynamic code analysis, adding hash passwords, hiring penetration testers, having a separate knock and soft department. These are all things that were great back in 2015. So what they basically are telling their customers is we had lousy security and we're gonna bring it up to 2015 standards. Why anybody would want to do businesses with companies beyond? Explain, I still don't get the double supply chain hack, how the first one sort of created the second one. Can you add some clarity to that? So the first supply chain was the tracking, the stock tracking app. And so that was infected and it was left on their company's website so that when anybody downloaded it, they would be, their computer would be infected and then hackers could take that over and change the software code on the desktop of the employee. Okay, so it wasn't, it wasn't purposeful then by the attackers, it just sort of happened that way, right? I mean, is that correct? Right, well, they just, they left the app, you know, they were very lucky. The tracking company, the stock tracking company didn't make any changes to the app. They modified that app so that they could put their own malware on it. And when somebody downloaded it, they were notified that we have a ready victim waiting to be controlled by our evil doers. Let's go, okay, got it. All right, and what is the relationship between that hack that we just talked about and API security? Is that how they exploited it? Is that they just got into the seams? Explain that. So API or when applications talk to other applications. And so if I can insert myself in that communication stream, I can do all sorts of nasty things to computers. And so I have to be able to make sure that I'm using the right pieces of code and that's part of the supply chain. When I go and download a routine which displays something in larger type or which allows me to communicate with another aspect of my software or let's say I have a database and I wanna talk to my web server and display information from that database. Those are all API calls that the software makes. And if I don't have those locked down and if I don't know that the code that I'm using is pristine and not infected, that's where you have these things like the solar winds attack a couple of years ago. Things like that. And people then can download the infected, so. Okay, so let's stay on the topic of API security. If we can, last week Eric Bradley pointed out that he thought one of the API security companies would get acquired and we listed a bunch of potential acquirers. We didn't predict Akamai would take out NeoSec, but Eric's call was still pretty good. This chart takes data from ETR's main thesis survey, the technology spending intention survey. And it takes Akamai's data which has 190 accounts in the survey and crosses it with the emerging tech companies that are privately held and focused on identity. And we've listed in the blue, the percent overlap. Simply taking the number of N in the emerging tech survey and dividing it by the 190 that is Akamai customers. And we do that for the three companies shown. NeoSec, No Name Security and Salt Security. And then in red, we put the amount of capital raised according to Crunchbase. So in thinking about the things that acquirers look for, I just, I want to play for the audience a clip from Drew Clark, who is the CSO for CLIC, which has done, I think, 10 acquisitions in talent will be their 11th. And we asked them like, what do you look for in when you do an M&A? Because obviously they've got it pretty well down. Play the clip, Alex, and we'll talk about it. When we do M&A at the company, there are four things that we look for. First, there's, it's got to be aligned to the vision, what we just talked about. And the second thing is the technology fit. And we get that kind of indication of technology fit from joint customers, how they're using a platform and to be able to work with it. The third is about culture. This is super important for every acquisition that we've done. We've actually walked away from deals where culture wasn't right. And this is where we're excited about our Swedish heritage in Europe and talent's kind of French heritage as we think about a global kind of technology company coming together. And the fourth area is financial. Now a lot of people that get spent up all their time on, okay, how much did the acquisition cost? How do you work with that? But if we don't have the first three, it doesn't really matter about the financial side. Okay, so he said four things. Alignment of vision, technology fit, culture, and of course financial. Now I can't speak to the first three, but it's clear that no name and salt security would be way more expensive than NEOSEC assuming the crunch base data is correct. It isn't always correct, but let's just assume it is. So I just hope the other three factors were strongly considered. And this works out for Akamai and its customers. David, you've been following Akamai's acquisitions for years. Are they good at it? What do you think about the first three? What do you think about this acquisition? Well, Akamai I think generally makes very well reasoned and well timed acquisitions because they have to maintain an absolute trust in the quality of their infrastructure. I mean, the biggest websites in the world are running over Akamai. And so they have to have the tightest security, they have to have the most error-free problems. Google uses them, Microsoft uses them. So this is a good idea for them. A lot of their acquisitions, over 30 of them, are companies you've never heard of. One of the more recent ones was Linode, which is an open source community of all sorts of coding practices. And again, they probably use a lot of the Linode code in their systems. That's why they decided to buy them. They probably did the same thing here. They probably tried out their API security and thought that NeoSec was a solid product. Yeah, if you go back to that chart, Alex, I mean, it's not like the other companies were, you know, had some huge overlap, right? I mean, you look at, okay, 13% for NeoSec, not big overlap, but no name, 19%, salt security, 23%, but they're 10x, you know, more money in, again, assuming CrunchBase is right. So, okay, good, thank you for that insight. Sticking with emerging tech companies, we want to share a high level view of what's in the ETR database. I just, I found this a couple of quarters ago. These, this survey, it's really interesting to me. They basically take, you know, I think there's about 90 security companies, about 92 security companies in there. And they're all privately held, and we, they grouped them by area. And you can see the top group, there are 17 cloud and 15 identity companies. They're the most crowded. Group two, it's like boarding an airplane. Group two is APSEC and intrusion detection and prevention, and then assessment, container and IoT security, and so on, you can see. But you're talking about, again, 90 plus companies. And we're going to talk more about identity in a moment. That's why we highlighted it here. But David, I know you have thoughts on this, because when I first shared this with you, like David, this is like chalk and cheese, or it's overlapped, is the companies are in multiple sectors. I think you said dessert and floor wax is the example you gave. But there's a lot of overlap in the market. But my question is, does this suggest that cloud and identity are overcrowded, or is there really a need for this many non-public companies? It's not overcrowded, because all of them have very specific specializations. And there are just so many problems that you have to solve and integrate to your existing tool set that you're going to be buying lots of products to your security. No company has one security supplier with one set of tools. They're all a mixture. They all want to make sure that they're, you know, backstopped in six different ways. And so you're going to have all this category bleed because there was an announcement today of a seam vendor who also provides endpoint security. You know, that's an interesting combination of things that you don't see too often. So that's why there's so many categories. But at the same time, and you've made this point to me the other day, like we used to have this term GRS getting rid of stuff. We never get rid of stuff in IT. It's just, we just add more stuff on. And that's where, again, this theme of spend more, we don't spend enough, keep spending, spending, spending, but it just creates more problems in a way. IT managers are really scared that they're, when the minute they terminate one security product, they're going to get an exploit through that, whatever that thing was covering. So that's why they just don't turn stuff off, which is ironic because in some cases they don't patch the old tools and that's where people get in. Right. Let's stay on the theme of identity for a minute and take a look at some of the major players in the identity space. So this is a chart from ETR. People who are familiar with breaking analysis, no, we show this all the time, this is from the thesis. The vertical axis is net score and the horizontal axis is pervasion. Net score is a measure of spending momentum, basically the net number of customers that are spending more on a particular platform. And then pervasion is simply the number of N mentions divided by the total N in the survey. So you can see here, and we've focused on two companies in particular that I want to talk about, Auth0 and Octa. And we've said many, many times that we didn't like the price, but we liked the concept behind the acquisition. The squiggly lines show you the progress over the last one, two, three, four, five, six, I don't know, 10 quarters or so. So Octa as we reported during the pandemic and even previously, I think we started reporting on them 2018, 2019, they had off the charts spending momentum and they were doing great, stock was rocking. They ended up buying Auth0 for, as they say, $7 billion. They had that what appeared to be a benign hack. They totally messed up the communications on that and that hurt. And then they just haven't really done a good job on the Auth0 integration and the go-to market and everything else. So I want to talk about that. Then you can see cyber arc, Cisco way on the right, that includes Duo, but it's everything else, but I just included it just because Cisco's a player. I didn't include Microsoft because it scrunches everything to the left, but then you see sale point beyond trust, ping identity and one login. And so, David, let's talk about first, and I know again, there's multiple players and multiple segments, et cetera, but let's talk about the Auth0 and Octa acquisition. What's your take on that? Did you like it? But didn't like the price like me or did you think it was just a bad move? I thought it was an interesting move. I don't know if it was good or bad. The price was ridiculous, but they've really been maintained as two separate companies. Octa's more for external IAM and for integrating, they have thousands like 7,000 SaaS apps and third-party apps that they can do single sign-on with. Auth0 is more for AppDev and internally developed apps where you're gonna be building your code from scratch. And there is a bridge that can connect the two sides of the organization, but they really are two kinds of, really two different companies, they almost compete with each other. I mean, both have multi-factor authentication, both have SSO, both have passwordless things. So it's odd that they've kept the two departments, two entities at arm's length with each other, which is ironic because Auth0 probably has a really good AppDev story and Octa has a really good integration story. So this acquisition happened about two years ago. So it's, I don't know what's gonna go on there. I think most of the people that needed Octa have bought it already, probably it's in 495 of the Fortune 500. And the other problem is these are not tools that a lot of people use. Even at a large company, you probably have one or two SSO people, they do the whole thing and that's what makes it such a powerful tool. They can handle the entire company's login and password collection. And they're not that much more of a need for more people there to do that. So it's a very, very specialized IT skill. Interesting. I always thought, okay, Octa has the enterprise locked up. They don't really have a strong developer mojo. So this would be a nice TAM expansion strategy, but you're saying that you would go back to the comments from Drew Clark. They really didn't have the sort of, the technology alignment, right? I mean, it was sort of chalk and cheese. Yeah. You know, as the experts say. So, okay, how about, bring that up again, Alex, if you would, is there anybody else in this chart that you would call out, whether it's CyberArch, SailPoint, Beyond Trust, Ping, Cisco Duo, OneLogin, doesn't look like there's a lot of momentum there or a lot of market presence. Any things strike you there? Well, so these guys all expanded over the last five years their product, you know, a lot of them were late getting into the cloud, you know, so they're now in the cloud. They now have all sorts of identity connectors to all the apps. They now have various tools that are used. And so people that, you know, bought them early on, continue to use them. They continue to expand their, you know, market share like Ping was used in Walmart, for example, you know, thousands of computers. But, you know, once you buy your, you know, your license for whatever number of computers it is, that's the end of their, you know, mystery. They're not going to, nobody's going to switch out paying for, for example, unless something really bad has happened. So that's interesting. Maybe instead of seven billion on Auth0, would it have made more sense in the hindsight 2020, but it would have made more sense to expand the TAM into other areas, you know, whatever, API security or IoT security or, yeah. But again, IAM is a very, very specialized thing. It's pretty much, you know, the province of these companies, they've remained leaders for many years. I've been reviewing these products probably for 10 years. Yeah, cool. All right, well, let's take a look at the next chart. I want to explain this. So this is what we did last week. We took the data from the technology spending intention survey, the main quarterly survey, and we identified potential acquirers. So Cisco, CrowdStrike, Fortinet, IBM, Palo Alto Networks and Zscaler. We picked them just because we just picked a reasonable list, we could have done more. But, and then what we did is we said, all right, give us, remember we showed you earlier though, it was like 15 identity players in the ETS, that's the private emerging technology company survey. And we picked, we took those 15 and plotted them. And so this is the overlap. You got 770N in those one, two, three, four, five, six companies that I mentioned before. And then you can see in the XY axis, we got net sentiment, which is a measure of intent to engage. And then the horizontal axis is mind-shared, just a number of mentions. And you can see, David, beyond trust and one password, they stand out and then from the crowd. So my first question is, does that surprise you? And if so, why? Yeah, because particularly one password, that's a consumer password manager. If you've got an SSO tool that's working for you in your company, you're not gonna buy a one password type of product. You might start out with a password manager for a small development group, for example, so that you don't have to remember all your passwords. But eventually you're gonna migrate to an SSO tool because you don't wanna know what your passwords are. You're gonna wanna have some software that takes care of that, so that automatically logs you in when you bring up your screen in the morning, when you start working. All your apps are right there on your desktop. You don't have to sit there and say, oh, now what was a password that? To that, so to me that shows either the SSO tools aren't working in those organizations and they don't have somebody that's competent to roll them out, or that they've been using that personally on their home computers because they're now working remotely and they need something that they can use that is not part of the corporate SSO tool. Another thing that surprised me on this chart was how much red there was. I mean, normally in security, you see a lot of green. You know, I'm not sure what to make of that because I haven't spent enough time on the ETS survey, but there's a lot of green in other places. Is there anybody else in this lower left in this pack that stands out to you? I would say, you know, a dash lane is similar to one password. You know, their consumer product again, WSO2, they've been sort of on the fringes of IAM. They were very big initially, you know, open source world, but they hadn't really taken off. Yeah, okay. One of the things I like to do with that, one of the things I like to do with that data is like I did earlier with the crunch-based data, just divide by how much, you know, VC they've brought in and just sort of normalizes things. But let's go on to the next slide if we can, things to watch out, tongue in cheek again, watch out for at RSA. Let's unpack this a little bit. David, I've been working on a sort of premise around data protections, you know, generally, and that means a lot of things to a lot of people, specifically backup and recovery. And you've seen some companies, I think Rubrik is an example, Cohesity a little bit as well, which are backup and recovery companies, they're disruptors to companies like Veritas and they're trying to go after Dell and et cetera, and have done pretty well, but now they're kind of pivoting, particularly Rubrik to say, we're a security company. Now, in part, there's some logic there because they are, in my view anyway, part of a sort of fundamental component of cybersecurity, it's like the last resort, but on the other hand, they're not really cybersecurity companies. So I wonder if you could talk to your thoughts on the relationship between backup and recovery and cybersecurity specifically. Well, I have one word for you, Dave. It's ransomware, you know, look at what happens the first thing when a piece of ransomware infects your machine, they disable volume shadow copies on windows and they exaltrate that backup data. So if you're not doing backups properly, if you don't have an offsite or an air gap or some kind of staged system where you can protect that differently from the regular desktop or regular server, then you're going to get exploited by those kinds of attacks. So that's, and you know, this is not, again, this is not new. We've been dealing with ransomware for years. You think people would finally get this worked out that they haven't. Yeah, I heard a stat the other day. You know, let's say again, one of those self-serving stats from a company that actually does the kind of air gapping and immutability that 100% of the ransomware attacks that they analyzed, the backup corpus was encrypted. And so, so okay, so why don't companies make their data immutable in an air gap, you know, physically air gap system? Because it's a pain in the ass to do. You know, I mean, that's just basically it. Like all backup. Yeah, like all backup, it's just, if you don't do it automatically and regularly, you're going to get messed up. Yeah, it's just. Actually, backup's the one thing is my friend Fred Morse's recovery is everything. That's really the hard part. Right. Yeah, there are a lot of companies don't even test the recovery of their backups. They make them, and then those hard drives have no data on, they haven't tested them. You know, you have to put in place a staging process, you know, what happens if your data center gets flooded? You know, that kind of thing. Like forget about just, you know, and actors, like just bad weather can do all sorts of things. Well, you know, some companies have two data centers that are 50 miles apart. That's not a good idea. Well, you need geographic separation. And to your point, most companies don't, still to this day, don't test their DR, right there. Right. All right. Let's go back to the points here. There's a lot of talk about cyber. I'm going to go through a couple of these quickly, but cyber spend is immune from a tech pullback. I heard that again, coming out of KubeCon. Yeah, it's not true. We've reported on that. I'd love for you. I mean, if you have thoughts on that, that's cool, but we've pounded that one. This notion of a world that is password less, we all hate passwords. I think you have some Netflix examples. What's your story there? What do you think? Yeah, well, Netflix announced that they're going to stop sharing of their account passwords in certain selected areas. And of course, everybody is freaking out because we all do it. And they know exactly who's sharing. It's not hard. They just track your IP address. And if one family has IPs that range over three countries or continents, it's pretty clear that they're sharing. But I think a password less world is like a world where we finally have world peace. It's not going to happen anytime soon. There's a lot of great things that are going on in the Fido world, the Fast Identity Alliance with pass keys, Apple, Microsoft, and Google have finally gotten together and agree to a general strategy for how to implement password less things. But of course, the devils and the details and each of those three companies have it just slightly different. And it's not quite ready for enterprise users yet. It's almost there. I'd say maybe another year and we can see it. All right, thank you. So the other point, next point here is, I want to talk about the attendance. It sounds like RSA is going to be amazing in terms of just the attendance. It was the last conference, really major conference before COVID. We actually were there and it was kind of weird. People were like, hoping nothing bad happened and it wasn't a super spreader event. We had no clue. We're like, all right, we're going to shut down probably for a couple of weeks. We'll be back, see you next month. Or two years later, we're still fighting this thing. But we've noticed a couple of trends and of course we see them with theCUBE is that there's way more events, physical events, but they're on balance much smaller, especially the vendor hosted events. And many of them, like Palo Alto Networks is not having this big event this year from what I'm told they're going to do a road show. We saw a couch base, do kind of a big road show, some similar. So you're seeing a lot of that. You're seeing IBM think is one tenth the size that it used to be by design. You know, Red Hat last year was much smaller. I think they're going to be somewhat bigger this year. So the very few vendor hosted events, they're actually getting larger. Snowflakes are an exception. I'm sure Databricks is going to be an exception. AWS re-invent is bigger. See Google Next, they're coming back. I don't know about the Microsoft events, but generally my point is the vendor events are shrinking in size, but there's more of them, road shows. But what's definitely happening, David, is you get these events like RSA that are hosted by sort of independents now. RSA, MWC, Mobile World Congress, we were just at. NAB, we were just at. These big industry events are getting bigger. They're growing. I don't know if you've noticed that. It's pretty interesting, and we'll see at RSA this year, but what do you see? Well, I think we've all gotten used to attending things virtually, right? So companies can really expand their audience by not having to worry about putting people up at hotels and getting them on planes there. So the smart ones are figuring out ways to have hybrid events. And there are some streaming sessions that RSA will have next week, which is great. They've been virtually only for the last couple of years. So I think you've got to figure out how to run a hybrid event successfully. It's not a matter of just putting a camera in the room and turning it on. Yeah, you're right. And people are still trying to figure that out. Okay, last, I'll just run through these, roll of public policy. I guess I'm going to come back to them. Let me just get through these. And you got the great evening events and theCUBE's going to be there. I will come back to that. But does the government, you saw the executive orders and the government sort of pushing public policy to do better. It feels like one of these kind of unfunded mandates, but what are your thoughts on how the government's doing in this whole thing? Well, I've been reading the national cyber strategy that was released last month. And I don't know, it's very disappointing. It's a lot of acronyms and government is going to do this and that. I think the time is right to actually coordinate the government and private sector and to really push forward on cyber security. We have a lot of nation state actors that are using it as ways to attack us. And we looked at the Russian Ukraine war. There's a lot of cyber stuff going down there. I think we've got to work a lot harder to really integrate it into our public policy. We don't have a national privacy policy. We have five or six or seven states now that have different privacy laws and they're all slightly different. That's a pain in the ass for a company to try to keep track of. Yeah, I mean, I totally agree. I feel like the public-private partnership is failing right now. Not only an M&A, kind of ranted on that for a while where they're sort of changing the rules of what is an illegal monopoly. It's from one that demonstrates it to one that has the potential to be one. So that's kind of Lena Kahn's thing. Okay, that's a problem. But as you just pointed out, having so many different, like, is there a four or five now? As you said, the California kind of started it all, patterned after GDPR, and then they each have their own little twist. I don't think that's the right answer, but so coming back to the last two points I want to make here, the evening events, David, that link you sent me accounted up 131 events evening and morning. Various companies have breakfasts. And of course theCUBE is going to be there on broadcast row or at Moscone West in booth BA06. I don't know if the booth numbers matter, but going to Moscone West, it's kind of wide open. You'll see us there. And David, I'm super excited to meet you and have you on theCUBE. You're going to be reporting on the ground and we'll be there all week. We're really, really stoked. Same here. Thanks for having me, Dave. Yeah, you bet. And so I want to thank you for your time today. Your insights, really fantastic addition to the team. Of course, thanks to Alex Meyerson, who's on production and managed the podcast, Ken Schiffman as well. Kristen Martin and Cheryl Knight helped get the word out on social media. And in our newsletters and Rob Hoef is our editor-in-chief over at SiliconAngle.com helps with some great editing work. Remember, all these episodes are available as podcasts. Wherever you listen, just search breaking analysis podcast. Love for you to share that. Appreciate any comments and thumbs up, thumbs down even if you don't like it. Let us know how we can improve it. We publish each week on wikibon.com and siliconangle.com. All the videos are on the cube.net. That's where all the events are. You want to get in touch, email me directly david.volante at siliconangle.com or DM me at dvolante. Pitch me. If you've got something good, I'll respond. If not, don't take offense or comment on our LinkedIn posts and please do check out etr.ai. They've got great survey data in the enterprise tech business constantly looking to improve. This is Dave Vellante with the Cube Insights powered by ETR. Thanks for watching and we'll see you at RSA or next time on breaking analysis.