 Welcome back to San Francisco, everybody. We're here at Moscone West in broadcast row. The Cube's continuous coverage, this is day two of our four day coverage of RSA 2023. Remember, RSA in 2020 was the very last conference really before the lockdown and it's back. It's back big, north and south are packed wall to wall. I heard several thousand exhibitors here. We're really pleased to have one of our big contributors and supporters of the Cube Palo Alto Networks. Eric Trexler is here as the Senior Vice President of Public Sector for Palo Alto. Eric, thanks for coming on the Cube. Thanks for having me, Dave. It's like the old days again. It really is. I mean, this is kind of back to 2019. It really feels like that show. Obviously, AI is the big theme in the show halls, but it's great. You know what's interesting is, and you know this, there are more events. They're smaller, like you guys as well. You know, everybody's sort of consolidating the events, going to where the customers are because it's maybe less travel, but these events like RSA, Mobile World Congress or MWC, they're exploding. People want to get these industry events, you know, are really attracting a lot of people. And I think it's because they're just sort of open. People can share best practice, get new ideas. You know, it's not just sort of a myopic focus. It's one that's really more collaborative and that's kind of relevant for this industry, isn't it? And it's a fast-moving dynamic industry, right? We were just talking before, there are three to 4,000 vendors at minimum in the industry. You were saying there are almost 3,000 vendors in the halls. That's crazy to me. So you have to get together to really understand the industry, understand what's happening, the dynamics. There's so much innovation happening in cybersecurity. So you guys obviously have a big theme. We covered Ignite last December, and you know, I listen, of course, to the earnings calls and your strategy, I think, is right on, you know, you guys talk about the fact that, I guess with the exception of Microsoft, and it's hard to tell what market share they have, but no vendor, and you guys are the leader, has more than a single digit, low single digit market share. That's correct. Pick your number, if the market's, you know, a hundred, you know, billion, maybe you're five, six percent, you know, whatever number you want to pick. But it's low single digit. Two questions, why is that? And can you do anything about that in terms of consolidating the industry? Yeah, so I think incentives are the big thing. We're focused on many of the wrong targets, right? Technology is great. We've got 3,000 vendors in the halls right behind us, and there's a hall to our other side too, right? Where we're talking, we're talking about innovation and incredible capabilities, but there's a signal to noise problem. There are so many vendors with so many ideas and so many problems to solve, you've got to take a different approach, and that's what we're doing is, as we look to try to consolidate in the industry, to bring some semblance of control to the chaos, some structure. So we're bringing the platform approach. It works in IT, we're bringing it to cybersecurity. You can deploy a platform that works today and tomorrow as the adversaries, the attack vectors change, as the threats change. So really looking at keeping those efficacy rates really high over a period of time and bringing capabilities and technologies to bear in the platform that years ago, they were companies. I mean, look at the sandboxing industry, it's a capability today. 12 years ago at this show, it was the hype. Like that was what everybody was talking about, sandboxing. We don't talk about sandboxing at all, it's a feature. So that's the power of the platform and with our size and scale, with our R&D budgets that are more than double the next closest competitor. And as you said, I'm not going to talk about all of them, I can't talk about the big M. But that's where we have the ability to scale and increase the velocity, and it better help our customers with their true security problems. So it was interesting, I had near Zook, we had a founder in January called SuperCloud, it was sort of our metaphor for cross-cloud, multi-cloud. And I was asking near like, what's the right architecture for cross-cloud? Because architecture and security oftentimes don't go hand in hand, but the point that he made, I asked him about IoT, he said, the last thing you need is an IoT bespoke security tool. You don't need that. What you need, it has to be part of a, to your point, a platform. So my question, Eric, is how much can you do? What's real in terms of consolidation in terms of capabilities? What are you seeing with your customers? We can do a lot, right? So there's massive technical debt in the industry. The average customer, depending on the survey, has somewhere between 10 and 100 plus security vendors. Imagine if that was your 401k, how would you manage that? Imagine if you had to walk across the hall with me right now, and we had to pick the top 10 security vendors and what they do and just remember that as our task from this assignment, from RSA. It's chaos. That signal to noise problem is a real problem. So our traditional foundation is in the network. We sit on the network, we see everything that transits the network. That's a lot of data. We've got endpoint capability. As we look to automate the SOC, you now see the network, you can correlate it with the endpoint, and the brains in the SOC, automation and driving that capability using machine learning and artificial intelligence. And some of the incredible things that technology brings to bear in 2023 allows us to deal with the workforce problem too. Right, so that consolidation. But the problem Dave is, if you've got 100 vendors in your ecosystem and you're trying to be the integrator, I have yet to see a customer do integration well. And the government customers definitely cannot do integration well. When you say workforce problem, you mean the lack of talent. Lack of talent in the US, depending on who you look at. Right, cyberseak.org says we have somewhere around 600 to 700,000 jobs in cybersecurity today, unfilled. If you look at cybersecurity ventures, they're saying there are over 3 million jobs by 2025 in cybersecurity, unfilled. We don't have enough people. We're not going to hire enough people. You've got to bring technology to bear. You just can't bring 100 distinct different technologies to there and then expect them to work together and drive automation and expect to apply artificial intelligence of the future against those problem sets. Artificial intelligence models have to be tuned. And to tune them, you have to understand the data. So you're saying the formula, definitely a step is consolidation. Are you seeing, you've mentioned technical debt before. Sure. Eric, are you seeing people actually, I call it GRS. Are they actually getting rid of stuff, something that we don't often do in IT? Have you seen that inside of your government clients? They are. So I want to talk about any specific initiatives we're working on, but you could look at something like DISA, the Defense Information Systems Agency, where they're taking the joint regional security stacks. These are stacks, 40 U stacks of hardware that are deployed and they're looking at moving workloads to the cloud with a program called ThunderDome. They're bringing SASE to market. They're significantly reducing costs. They're increasing the user experience and efficacy rates at the exact same time. And the other benefit is, regardless of where the user is in the world, my son's in the military. He uses those military systems when he's deployed wherever he is. They've got to work for him. So the commercial technologies, this is bringing to the market for the service member supporting the mission. Programs like that are incredible and they're going to move the needle while allowing us to remove that technical debt and reduce costs. You're on the ground in the Beltway. I want to ask you about sort of overall demand. Everybody likes to talk about the macro. When we entered 2023, CISOs and CIOs were expecting, you know, five and a half, 6% budget growth according to our friends at ETR, their survey data. It's now down to sort of mid threes, but there's two sectors of the market that are still up in the 6% range. There's small business and government. Are you seeing that? Is the spending continuing generally in the government sector and specifically in cyber within the government? So I can't speak specifically to the small business, but I can speak to state, local education, and I can speak to the federal space. And we're absolutely seeing that. Our business is growing at high double digits. We are seeing the spend. And the reason is national security, cybersecurity is national security, right? It matters. If we're not protecting America's assets, and that's in the commercial world and the government world, we have a real problem. On the state and local side, ransomware is absolutely the big hot target that they're trying to address. These are impacting hometown America, these ransomware events. They're costly, they're impacting schools, hospitals. Imagine if your kid can't go to school because of some of the attacks we've seen, your school gets hit. On the national security side, we've got the conflict in Ukraine. We've got the tensions in Asia, in Indo-Pakom AOR. The government is addressing that and looking to spend to address those problems in the future. Where do you land on the situation right now with the public and private partnership? I mean, I've sort of been outspoken about, hey, I wish the government would be more business friendly. But at the same time, the government's got some of the smartest people in the world doing amazing things with cyber. Obviously there's a lot of data sharing going on. What's the state of that public-private partnership in your view and where does it need to be? So it's growing and it's going well. We are nowhere near where any of us want it to be. But compared to 10, 15 years ago, when you look at the JCDC with CISA, when you look at the cybersecurity review board, we are collaborating, we have the mechanisms in place, we have the contracts, there's some work I can't talk about that we're doing, but we are working very well. And I'll tell you, one of the problems I dealt with over a decade ago was the government, the federal government knew an attack was happening or they had tipping and queuing on something. And there was no mechanism to protect commercial America. Today, with us and other companies out there or other organizations, we're able to share information, we're able to update signatures, heuristics, cloud behaviors, we're able to do a lot to protect America in no real time. Really, it's the entire world we're able to protect. And our global customer base with over 90,000 customers get the benefits of that industry agency partnership that we work on every single day. As you mentioned ransomware earlier, I was talking to somebody who was a lawyer the other day and he was saying it's not necessarily illegal to pay the ransom, but it's illegal to pay certain countries, you can't pay North Korea. So that actually makes it illegal. So I know you're going to tell me the best defense is to have a good cyber strategy and whether or not to pay the ransom, we don't have to talk about that. But my question's around zero trust, okay? So we entered, in 2019, I felt like zero trust was kind of a buzzword. And now I see so I talk to you and say, we're moving forward with a zero trust initiative. It's an enabler for our business. We are still driving digital transformation. If we can, if we have a zero trust architecture, it goes faster, which is kind of an interesting side light. But so what are you seeing with zero trust? Can you actually achieve that without consolidation? So I think they go hand in hand, right? As you're rolling out zero trust architectures, you're probably consolidating legacy technical debt. You're probably taking legacy systems offline as you employ new capabilities. Obviously you're not going to do a rip and replace for the entire agency organization or a company, right? But you're going to make strides. You've got to get identity down. Then there are things like ZTNA, Zero Trust Network Access, which are really good first steps to provide user benefits and heightened security. We saw the benefits of this with work from anywhere, work from home during the COVID window, as workers left the office and went to wherever they were going to work, usually home or somewhere else. VPN tunnels were overwhelmed. Everybody was home running their traffic back to the agency and then out to an Amazon or a Microsoft, a cloud service provider or wherever their apps are. ZTNA as part of Zero Trust really eliminates a lot of those bottlenecks and provides for that better user experience while providing security, any place, any time for any user, any device, right? So now I'm using my iPad and I'm using my work laptop in the same manner. I might even use this home laptop that my son is using for school. What's the situation, Eric, with back to work, physically at Fed? Is it kind of like it is in commercial? Is it more of a hybrid model? Is it sort of a permanent remote? What do you see? So we're seeing a more liberal approach to the business. DoD and intelligence are really actually, they're absolutely back to work because of the classified nature of their work. On the civilian side, we saw before COVID, we saw a lot of work from home with agencies like the Veterans Administration. They have a very liberal open work from wherever policy. We've seen a lot of other agencies adopt those policies and they're working two or three days a week in the office where they need to collaborate to work on projects and then they're working from home when they need to. That is changing and the government is looking at what is that right mix from our perspective? We're back in the office, we're in customer meetings, we're working with them, really driving technology solutions to solve their hard business problems. So on a quick question to follow up on that, so you know how pre-cloud you would over provision, so you had enough capacity, Black Friday was always the best example. You'd have so much capacity, but you needed it for Black Friday and the cloud to a great extent changed that. We could sort of optimize. Are you seeing a similar over provisioning for the unpredictability of remote versus back to office and how are you helping your customers deal with that unpredictability? So in some cases we are, we see a mindset where we have to provision for a worst case. But the beauty of the cloud service providers is our technologies, we can scale them up and down with the workloads based on where you are in the world, if the workload shifts, based on what's happening in the world. The CSPs allow us that infinite scale and that's one of the reasons we built the backbone of many of our technologies on those cloud service providers. We get the 99.99x uptime and we get the extensibility and scalability that our customers demand. You know I want to come back to the skills gap, you mentioned a 500,000, 600,000, 700,000, I mean it's a huge number. Whatever it is, it's too much. It's way too much. What's the answer to that? Is it automation? Is it AI? Is it education? Is it... All of the above. What's the, is there a light at the end of the tunnel? Why are you an optimist? I'm an optimist because we're making progress against the problem. I see in automation the strides we've made. I'm highly encouraged from what I'm hearing from our teams on artificial intelligence and how we're bringing it to the technology to solve business problems for the customers. I'm highly encouraged from the programs we're running and others in the industry on bringing more diversity into the workforce. Women, minorities, you name it. There's a lot of investment there. At this point, the latest surveys I saw were up to 25% women in the cybersecurity field, right? I don't know what the margin of error is on that. It's too low. But we're making strides compared to a decade ago. We're investing heavily there as an industry. There are jobs, and the message I would say is, there are jobs. If you're a young person trying to figure out what you want to do in the world, you don't have to be a comp-side major. You don't have to be a doubly. You don't have to have a mathematical degree. Some of the best cybersecurity professionals I've seen are musicians, artists, you name it. There are jobs in this industry. There are programs to train you both before you enter and while you're in, and they pay well. There's a lot of opportunity. But so couple that with automation, couple that with artificial intelligence. Hopefully we see additional consolidation to a platform-based approach. Stop some of this chaos, take some of the, you know, get some of the signal out of, take some of the noise away, maybe, is the best way to put it. I am an optimist. That's interesting. You're talking about, I mean, actually, what skill sets would you say are sort of most interesting to expand that base? It's not, you're saying, you know, double E necessarily, you want those. But what kind of skill sets do you look for? What kind of characteristics? Is it curiosity? Is it creativity? What are the, what are the characteristics? Some of the best reverse engineers, they're artists, they're musicians. They have that creative mindset, right? If you have a computer programmer, it's a very linear, very framework-based approach many times. The adversary doesn't have any restrictions. Why are we putting restrictions on ourselves? We see some of the most creative capabilities come out of our creatives' people. So, and that is an area where diversity gets me so excited in this industry because it takes all of us to be better to address the nation-state attacks, to address the things that are hitting hometown America today. Now, I mean, 25%, wow, if this industry's at 25%, that's impressive. First of all, it's got a bad rap because I think, you know, it's often criticized for not having enough representation and diversity, women specifically. I would say tech in general is below 20%. I would say it's 15 to 17%, it's probably the average there. You know, I'm excited, I'm really pleased to have Wendy Whitmore coming on later. She is amazing. She is an unbelievable rock star and somebody we reached out to early on as part of our editorial program. Eric, thanks so much for coming on. But the jobs are there. Yeah, the jobs are there, so. But I think people are intimidated by Sire. Don't be, we're here, we need you. But, you know, right? Because there's so many acronyms and it's so complicated and it's, you know, this sort of dark web type of thing but there's a bright side is what you're saying. There absolutely is, Dave. Eric, great to see you. Thanks so much for coming on. I appreciate the time. All right, our pleasure. All right, keep it right there. This is Dave Vellante, John Furrier's also in the house, The Cube's continuous coverage from RSA 2023 at Moscone. We'll be right back after this short break.