00:00welcome to the a16z podcast I'm Michael
00:02Copeland and I am here at the
00:04headquarters of Tanium with Orion
00:07Hindawi, CTO Orion thanks for coming or
00:09actually I'm visiting you so thanks for
00:11having me pleasure either way I just saw
00:14literally I was coming up in the
00:15elevator I just saw that WikiLeaks had
00:17posted hundreds of thousands of emails
00:18and more data from the Sony hack it
00:20seems to have been a pretty bad year I
00:23mean it's a tough year if you've been a
00:24security person and 2013 was certainly a
00:27tough year and you know a couple of
00:29years before that is it getting worse so
00:32there are a couple factors there so the
00:33first factor really is that we're
00:35getting better at detecting that we've
00:37been attacked and so I think a lot of
00:39customers have invested in detective
00:42mechanisms so that they can see that bad
00:44things are happening and I think we're
00:45actually surfacing a lot of stuff that
00:47used to happen and we just didn't even
00:49know it was happening
00:50and we're detecting it faster now and
00:52we've got better telemetry on what's
00:53happening and I think that's factoring
00:56into this I think another thing that
00:57we're seeing that definitely is getting
01:00worse is that companies are keeping more
01:03and more of their data online they've
01:05got more and more of this data
01:06accessible to the internet because
01:08they're using it for customer facing
01:10activity and that opens up surface area
01:13of vulnerability and I think the
01:14attackers are actually getting a lot
01:15better we're definitely seeing the
01:18sophistication of the attacks that we're
01:20looking at increasing and I think the
01:23volume of data that they can go after
01:24and the accessibility of that data
01:26driven by business use and driven by the
01:29business that our customers are in and
01:31how having that customer data accessible
01:33to the internet enables that business is
01:36giving them more to attack rates of
01:38doctors sister there's more out there
01:40it's more valuable so I'm a hacker I'm
01:44going to go after it but there's this
01:45tension then between all these systems
01:48that we want online all this data that
01:49we want to put on like online that as
01:51you say is part of doing business so
01:54what are the gaps then if we're gonna
01:57live in this world of you know
01:58everything's connected I can work from
02:00anywhere I can bring in third-party
02:01vendors vendors and they can access my
02:03system - what are the gaps then that are
02:06need to be filled and you know that are
02:08making us in some ways more vulnerable
02:10so you know the irony of security
02:13is we all pretty much know what we're
02:16supposed to be doing most of the time if
02:17you're a security expert and you've been
02:19doing this for a while we all know that
02:21they're just good hygiene things we've
02:22supposed to have done this whole time so
02:25patching your devices having disk
02:27encryption locally on devices that have
02:29data at rest having things like dual
02:32factor authentication and things like
02:34agents that are on endpoints like
02:35antivirus that are working the
02:38fundamental problem that I think we're
02:39seeing is that people aren't doing a lot
02:42of those things and I think the more
02:44that you integrate third-party vendors
02:46the more that you have data that's
02:48present that you can access from
02:51internet-facing devices the more
02:53important it is that this basic hygiene
02:55get followed if you look at the attacks
02:57that we've been seeing you know this
02:59kind of this thought that these
03:01nation-states with you know thousands of
03:03people are attacking every customer and
03:05that may be true in some specific cases
03:07but in many cases when you actually look
03:10at the actual tangible attacks that
03:12people are seeing they're exploiting
03:14known vulnerabilities they're exploiting
03:16customers not putting dual factor where
03:19they thought they would or disk
03:20encryption or they should have and this
03:22is just block-and-tackle hygiene issues
03:24they're not actually be super
03:25sophisticated you know James bond-style
03:27somebody's parachuting through a
03:29skylight in Jing and your data center
03:31it's it is this misconception that we
03:33can't defend against these attacks
03:34because we can't deal with the
03:36sophistication of the attackers it turns
03:38out we should just be doing the good
03:40hygiene we've all been trying to do for
03:42the last you know whatever it is 20
03:44years and in many cases our customers
03:46are just realizing that they've been
03:47failing for 20 years and now they're
03:50actually realizing the frequency that
03:52they're being attacked by relatively
03:55mundane attackers because they haven't
03:57been doing all the things that they
03:59thought they should have done this whole
04:00time and they just didn't notice it but
04:02so are you something that the psychology
04:04is today among some folks that look we
04:08can't win anyway so why bother or is it
04:11that well it wasn't a problem in the
04:13past so I don't need to check all the
04:16boxes and do what I should I think it's
04:18more of people are realizing that they
04:21been doing all the things they've been
04:22told to do for so long that they don't
04:25believe it's possible to do them so I
04:27mean I'll make an analogy right I mean
04:30if I told you that every day you had to
04:33go and exercise three hours a day and
04:36eat perfectly and you know live an
04:39extremely healthy life with you yeah
04:43most people would fail right yeah if you
04:47knew that you were going to die this
04:49year because you weren't doing that
04:51stuff you'd probably make a really good
04:53effort most of our customers have gotten
04:55to the point where they don't believe
04:57it's possible to do all the things
04:59they've been told to do so they're
05:01resigned basically to dying every year
05:03they're resigned to getting attacked
05:04constantly because they don't think it's
05:07possible to patch all their devices
05:08because they don't think that it's
05:09possible for them to get all of the
05:12antivirus and HIPS and disk encryption
05:14working the way that they were supposed
05:16to password policies kicking off
05:18machines off their network that weren't
05:20supposed to be there in the first place
05:21I mean these are all the problems our
05:22industry has been basically tackling for
05:24the last 20 years and now people have
05:26been trying because they don't think
05:28it's possible to do those things to find
05:31a silver bullet so you know I'm not
05:32gonna name the names of vendors but when
05:34you start looking at them you'll start
05:36seeing some of these guys touting that
05:37if you install my agent on this end
05:39point everything automatically gets
05:40fixed right extend your exercise analogy
05:43just like just take this pill now for
05:45five minutes a day and like boom you're
05:47done even not that right I mean ideas
05:49just exercise once in your life and then
05:52it'll all carry over for the rest of
05:53your life and unfortunately in security
05:55that's never been true I mean if you
05:57look back at the last thirty years of
05:58security there's been a vendor every
06:00year that's come up with a new theory on
06:02how if you just do one thing everything
06:04will be fine and truth of security is
06:06it's never been that way and it'll never
06:08be that way you have to do you know
06:10eating healthy and exercising every day
06:12if you actually want to keep secure and
06:14there's no way to be a hundred percent
06:15secure but the truth of the matter is if
06:18you look across the 10 biggest attacks
06:20us here all of them tied back to pretty
06:23mundane things that the organization
06:25knew they were supposed to do that they
06:27didn't do and really our emphasis from a
06:30security posture standpoint is it's
06:32great that we're looking for
06:33sophisticated inside
06:34threat from geniuses we should be doing
06:36that too but before you get there
06:38or nation-state attack prevention which
06:41is almost impossible let's just do the
06:44basic stuff if I'm in charge of security
06:47or if I'm running a company period and
06:50those that have kind of made that shift
06:52where they're not looking for a magic
06:53bullet but they're doing the sort of
06:54good hygiene blocking and tackling what
06:57if you can describe that mindset and
06:59that sort of environment that allows for
07:03that what what does that look like and
07:05feel like okay so one of the biggest
07:07things that has to happen is the
07:09security and operations teams need to
07:10actually become friends so if you think
07:13about what I've been talking about here
07:15a lot of it is detected by security so
07:17flaws in the environment that aren't
07:19really up to the compliance standard
07:21that the organization's setting and the
07:22operations team is often responsible for
07:24fixing it so we've been talking about
07:26patches or antivirus updates or being
07:29able to do things like disk encryption
07:30those have to involve operations and one
07:33of the biggest problems that we see in
07:34enterprises that we work in is that
07:37those two teams are not a hundred
07:39percent in sync right the operations
07:41team is really worried about some
07:42problems the security team is worried
07:44about a completely different set of
07:45problems and until those two teams
07:47really get on the same page it's not
07:49going to work because there's gonna be a
07:51huge gap between what security wants to
07:53happen and what operations is actually
07:55doing and so the most successful
07:57organizations that we're seeing and we
08:00would encourage all of our customers to
08:01move in this direction you've got
08:03security and operations really
08:04joined-at-the-hip both understanding
08:06this is an existential threat to their
08:08organization if they don't do it well
08:10and really coordinating on finding and
08:13then fixing very quickly any gaps that
08:15exist in the work is is that
08:17relationship you know as operations
08:19worried that their ability to function
08:22gets hampered by security or is it more
08:24that security sort of doesn't know the
08:26ins and outs of and vice-versa ins and
08:29outs of what operations does and and you
08:31know and and doesn't therefore know how
08:33to attend to it so I mean there are a
08:36few things so one of them is operations
08:38is really responsible for keeping the
08:40organization working and the more change
08:43you make and the faster you make it the
08:45more likely it is that you're going to
08:47security always super urgent when it
08:50comes to you know we've got a flaw we
08:52think it might be exploitable we
08:53absolutely need to fix it and operations
08:55typically is going to look at it as you
08:57know how do we make sure that we're
08:58implementing the change at a rate where
09:01we're not dooming the org to having a
09:03huge business knowledge because we
09:04changed something and it broke something
09:06and so there's a natural tension there
09:08what's really important is that security
09:10actually understand why operations wants
09:12to be deliberate and conversely
09:14operations needs to understand why
09:16security is so urgent and you know the
09:19reality is you really can do something
09:21in an hour across the largest
09:23environments in the world if everybody
09:25gets together you've got the right tools
09:27and you're pushing as hard as possible
09:29and I know that sounds hyperbolic to a
09:31lot of people because many people are
09:32gonna listen to this and say you know if
09:34I'm running the largest enterprises in
09:35the world I've never done anything in
09:37less than weeks right and the reality is
09:39you can do it in minutes if the tool set
09:43is upgraded to allow you to do it and if
09:45everybody understands the urgency and
09:47the requirements to make sure that the
09:49operational focus of the environment is
09:52and it's urgency not in the sense of
09:54like okay let's all freak out now it's
09:55urgency like okay we have a plan you
09:58know it's DEFCON 5 push the button let's
10:01go it's urgency in the sense that if you
10:04look at every one of the attacks that we
10:06saw somebody in that org knew something
10:09was wrong before it happened they just
10:12didn't have the latitude to escalate it
10:15they didn't have the ability and the
10:17organization to effect change they
10:19weren't actually screaming from the
10:21parapets we need to fix this and having
10:23anybody listen and what you see in the
10:26best-run environments is the security
10:28has a seat at the highest table and
10:30they're able to really raise a flag and
10:33as soon as they raise it people take it
10:35very seriously and they understand the
10:38requirements in the organization not to
10:40blow the organization up because we're
10:42moving too quickly so urgency doesn't
10:44mean let's run with our hair on fire
10:46around and try and fix every issue
10:47without thinking about it urgency means
10:49that we can't afford to just forget
10:52about these things and bring them up
10:53three weeks later and then probably
10:55forget about them then and bring them up
10:56three weeks later which in all honesty
10:58and a lot of security organizations
11:00have vulnerabilities they detected years
11:02ago that are still not being fixed right
11:03if that's the level of urgency in the
11:06organization to respond the security
11:07need this is a very high likelihood that
11:09they're being attacked successfully
11:11right and it's you know shame on them
11:14and it gets back to this this notion of
11:17like you need an environment where again
11:19people understand both sides like I can
11:21imagine that you don't want to raise the
11:23alarm if that's gonna you are worried
11:26that it's gonna slow down the business
11:27and or there's been this kind of you
11:30know message from the top that look what
11:33we do is build the business and we grow
11:34grow grow and we go fast fast fast it's
11:37hard to put on the brakes if you see
11:39something in that sort of environment so
11:41let me just say I mean you were asking
11:43about the biggest change in the last
11:44year the biggest change we're seeing is
11:47that there's board level acknowledgment
11:49that this is an existential threat to
11:51the business so it used to be that
11:53security was annoying and often it was
11:56kind of we'll accept this risk the
11:59likelihood that it's gonna actually
12:00cause massive damage is pretty low if it
12:02is we can probably contain it we
12:03probably don't have to disclose it there
12:05were a lot of these kind of
12:07rationalizations around security and I
12:09think the watershed moment was the
12:11Target breach where the CEO got fired
12:13the board got sued the whole stack and
12:15IT got replaced and you know potentially
12:18billions of dollars of damage were
12:20caused and when you take a step back and
12:22think about that now I was talking to a
12:24CEO recently and he told me and you know
12:27and this is now a quote I've repeated a
12:29number of times but that you know he's
12:31got three existential threats to his
12:33business nuclear weapons meteors and
12:35cybersecurity right right he never would
12:38have said that five years ago and he
12:39admits that he says you know five years
12:41ago I was worried about regulation and
12:43my China strategy and my competition and
12:45now I'm worried about three things only
12:47one of which I actually have any control
12:50over right and so that change drives
12:53behavior across the organization you
12:55look at a lot of these big companies
12:56they're spending literally ten times
12:58more on security than they were five
13:00years ago and the reason is there's a
13:03realization at the top level of the
13:05organization that we can't kick the can
13:06down the road anymore and that having
13:09operations come back and say well this
13:10is annoying is not a good enough reason
13:13to do it five years ago it wasn't true
13:15you talked to a lot of large companies
13:17who are grappling with this how is the
13:20conversation talking how it happens at
13:21the board level now and had the highest
13:23levels of the company yeah if I'm a
13:25company that hasn't been hacked is the
13:28conversation is something much different
13:30than a company that just has gone
13:31through a breach yeah so there's this
13:35concept in our industry that it's good
13:37for security companies when their
13:40customers get breached it's actually not
13:42true and the reason it's not true is
13:44that often what you see in companies
13:47that have been attacked is a very
13:50neurotic behavior pattern for three or
13:52four months after the attack where they
13:54will pay anything for somebody to walk
13:56in and tell them that everything's fine
13:58which is actually not our business right
14:00I mean we don't really want to come in
14:01and tell you everything's fine or that
14:02we'll handle it and if it's really
14:04systemic change that needs to happen in
14:06the org for them to be fine and we can't
14:08affect that change they have to but you
14:11end up with people who are getting fired
14:13people who are constantly in meetings
14:15trying to defend themselves instead of
14:16actually make change and I'm just saying
14:18you know generalizing across the
14:20hundreds of customers who we've seen but
14:22it's actually not a very fertile
14:24environment for a good decision making
14:26right and so you know we will often get
14:30business out of those situations but
14:33it's not the kind of business that I
14:35actually prefer my preference is a
14:37deliberate decision by the board or the
14:40CEO or the management chain and IT that
14:42they have to really reprioritize around
14:44security typically because they saw
14:45their peer get attacked right and then
14:48they want to actually build a strategy
14:50so there's no real strategic thinking
14:52that we typically see in the two months
14:54after an attack typically we see hair on
14:56fire behavior right people are getting
14:58fired you want to cover your you know
15:00your job yeah and those are not the kind
15:04of scenarios where we typically see
15:06thoughtful work now I will say this we
15:09have some customers I think Target is a
15:11great example of one of them that are
15:13extremely thoughtful in the
15:17aftermath of the breach they spent a lot of
15:19time building a real lasting structure
15:22and I think they've done one of the best
15:23jobs we've seen in building a security
15:26organization they should be extremely
15:27proud but unfortunately they're the
15:29exception not the rule
15:30in post breach situations and how has
15:34the culture sort of shifted at Target
15:36I mean clearly you go through something
15:38like this everybody in the organization
15:40knows what happened and you know the
15:43consequences but then there's probably a
15:45tendency to sort of try and get past it
15:48and get on with business as usual
15:50so not at Target what we're seeing
15:52there is actually a continual
15:54realization that security is a permanent
15:57thing they need to be really careful
15:59with so I mean that org suffered
16:01tremendously during that breach and I
16:04think you know there's more public on
16:06this then I can repeat here that you
16:07know gives context but they hired a
16:11great CISO he hired a great set of
16:13lieutenants all new into the org and
16:16what he did that I thought was really
16:18nice was he looked at the premier
16:20security executives from across the
16:24community he hired a bunch of people
16:25from the Mandiant FireEye crowd he hired
16:27a bunch of people from other places like
16:29General Electric that were super
16:31competent people and he built an org
16:33from the ground up and he had the
16:35latitude to do that because the
16:36organization at the top level of Target
16:38the CEO and the board
16:40mandated that they do a world-class job
16:43and you know when you look at some of
16:46the people he hired especially some of
16:47the Mandiant people they're exceptional
16:49people and I think he's built a kernel
16:52in that organization that's going to
16:53insist on an excellent org and that's a
16:56sea change from where they were two
16:57years ago you know let's say I'm not
16:59Target I don't have thousands of
17:01employees and you know thousands of
17:03stores for that matter how then on the
17:06spectrum do I want to view security you
17:08know as a smaller company but then also
17:12take us up to a big company in and I
17:15also want to circle back on your view of
17:19this personally like how it seems so
17:22sort of forbidding but maybe it
17:24shouldn't be so I'll say kind of a
17:29general thing first and then I'll go
17:30through the spectrum security is scary
17:34because it can cause massive damage the
17:36same way that you know a lot of things
17:39in our lives are scary cars are scary
17:41because people die in them every day and
17:43most people aren't scared of cars they
17:45just realize they have to drive
17:47carefully right security should be
17:49treated the same way you should just be
17:52cautious about the fact that if you have
17:55vulnerabilities you should be fixing
17:57them if you have users who are being
17:59added you should make sure that there's
18:00multi-factor enabled on them they're
18:03just kind of these good habits that
18:05everybody knows they're supposed to
18:07follow and a lot of organizations look
18:10like they're driving 120 miles an hour
18:12drunk right they're not doing any of the
18:15things that they should be doing and as
18:16a result of the fact that they're not
18:18doing those things they are really prone
18:20to accidents right there are rules in
18:23security and in operations in general
18:25you should be going and monitoring your
18:28network traffic in specific ways you
18:29should be implementing firewall policies
18:32you should be patching your assets you
18:34should be figuring out what data is
18:36from the endpoint so that you can
18:38actually see it you should see where
18:39your critical data is and data leak
18:41protect it there are things you should
18:42be doing and that's exactly analogous to
18:45driving 65 miles an hour on the freeway
18:48sober and paying attention to the people
18:50around you right so when I hear people
18:53who are kind of terrified generally
18:55about security and feel like it's an
18:56out-of-control situation those tend to
18:59be the people where from the analogy
19:01they're not driving anywhere near the
19:03speed limit and they don't seem to care
19:05and they just want to get wherever
19:06they're trying to get as quickly as
19:07possible and they're getting in
19:08accidents every day and there's a direct
19:10correlation between their behavior and
19:12the results so my assertion would be
19:15this good hygiene that you should be
19:16practicing in security and operations
19:19everyone knows what it is let's just do
19:21it it turns out that if you do it you
19:24feel a lot better and the results are a
19:26lot better it's exactly like exercise or
19:28like driving safely it's you know let's
19:30take it to really basic things that
19:32everybody knows they're supposed to be
19:33doing so that's the first thing I'd say
19:36the second thing I'd say is Tanium is
19:38focused primarily on Global 2000
19:40companies for a reason which is
19:42there is not the capacity in small
19:44companies to do the same work that our
19:46biggest customers are doing it's not
19:49that they shouldn't be doing it it's if
19:50they don't have security personnel on
19:52staff who have been three years of
19:54training and have years of experience in
19:55ferreting out advanced threat they may
19:58be attacked in some cases we're seeing
20:00stores where they've got a thousand
20:02employees and ten stores and they're
20:04being attacked yeah and the reason is
20:06they've got credit card data and credit
20:08card data is valuable I don't know that
20:10they have the wherewithal or that they
20:11should be trying to build that expertise
20:13to deal with the same attacks that a
20:15Target or a Walmart are trying to deal
20:16with now that said you know again there
20:20are some good hygiene things they can do
20:22there are endpoint solutions that are
20:23designed to be heuristically kind of
20:26preventative so you think about
20:27antivirus is kind of the most simple one
20:29and you look at things like you know
20:32host IPS or some of the other solutions
20:34that are being released on the endpoint
20:36that are really heuristic you set them
20:38and forget them if you want to think
20:41you should probably deploy some of those
20:43but I'll be honest that's not our area
20:45of expertise where we start playing is
20:47when we've got a five or ten thousand
20:49seat org they've got enough data at this
20:51point where it potentially could be a
20:53huge disclosure issue if they actually
20:54get attacked and they typically have a
20:57security set of personnel in the
20:59environment because they can't afford
21:00not to right I mean it's again a risk
21:02reward the risk benefit if you want to
21:05think about it that way in the end of
21:07the day if they don't have these people
21:08then they stand to have huge risk and so
21:11they'll expend the cost to actually
21:13build a practice within the org that
21:15allows them to kind of understand their
21:17security posture when you get to that
21:20point there are a few hundred things you
21:23should just be doing and you know this
21:25is kind of a theme of the discussion
21:27right is yet you know we should start
21:29making sure that all those 200 things
21:31are done so password policies domain
21:34presence being able to have good ideas
21:37of what's connected to the network and
21:39being able to see whether devices are
21:41unmanaged and bring them under
21:42management making sure that managed
21:44devices are being patched correctly and
21:46that the applications that are on them
21:47are actually the intended applications
21:49that they're being upgraded
21:49appropriately you know just kind of
21:53and assuming that that's done then you
21:55start getting to the next level so we
21:57have many of our customers we're
21:59starting to do outlier analysis
22:00heuristic analysis to determine whether
22:02behavior patterns are changing looking
22:04at things like the insider threat I'll
22:06say though I mean when we walk into
22:08companies we've now deployed this thing
22:10in hundreds of companies and we've seen
22:12a cross-section of the Global 2000 that
22:14you know it's a pretty interesting
22:15cross-section I think maybe one or two
22:17percent of the companies that we've
22:19walked into really should have started
22:21talking about insider threat when we got
22:23there right the other 98 99 percent they
22:27weren't through the just block and
22:30tackle stuff and it's so fun to talk
22:33about insider threat nation-states and
22:35you know cloak-and-dagger it's just a
22:38waste of company resources unless you've
22:40got the framework built correctly to
22:42even approach that kind of attack if you
22:44haven't dealt with your patches you
22:46should be worried about kids that have
22:48access to Google not nation-states that
22:50want to attack you right that's kind of
22:52the point I'm making is that you know
22:54there there are thousands of people that
22:56are professional attackers that are
22:58nation state level or criminal attackers
23:00who can get into most companies there
23:03are millions of kids with Google who can
23:05figure out how to exploit known
23:07vulnerabilities that aren't patched
23:08right in some ways the nation-state is
23:11the meteor that hits you not the sort of
23:13you know security breach that happens to
23:15a lot of folks guy I mean I think
23:16serious people in security have realized
23:19a long time ago that given infinite time
23:22and infinite money a nation-state will
23:24come at you and will succeed the
23:26reality of the situation is very few
23:29companies very few are equipped to
23:32actually deal with that threat in any
23:35way I don't even want to use the city of
23:38the word prevent because I don't think
23:39it's possible but even deal with it I
23:41think you look at our intelligence
23:43community they're fighting a war with
23:45other intelligence communities and
23:47nation-state actors outside they are
23:49probably more equipped but the truth of
23:51the matter is this is a bloody conflict
23:53it's not a clean we keep everybody out
23:56everything's perfect we go to sleep at
23:58night and everyone feels good even for
23:59them well and so as a company I go
24:04through the 200 things that I need to do
24:07I might even look at insider threat sort
24:08of risk and then then I just need to
24:12keep it up I just need to keep this sort
24:14of regime going and stay fit and stay
24:17sober is that so here's what I would say
24:19there's an almost infinite amount of
24:22optimization that you can do in security
24:24when you've got hundreds of thousands of
24:25assets everything that could be going
24:28wrong is going wrong somewhere right now
24:30right you'll never get perfect and the
24:33goal is to reduce the surface area as
24:35much as possible by tamping down the
24:37obvious stuff and most obvious and then
24:39moving up to the slightly more obvious
24:41or less obvious and then moving up to
24:42slightly less obvious and so forth until
24:44you get to really esoteric kind of
24:46vulnerability most of our customers are
24:50at the first level of that when we walk
24:52in our goal is to ratchet them up a
24:54couple levels of less obvious
24:55vulnerability and give them the tools to
24:58keep going but the reality is given the
25:01flux of environments given the
25:02virtualization and cloud computing
25:04that's happening given the mobility and
25:06BYOD and all the other things that are
25:08happening the you know perimeter being
25:10dissolved in many companies in reality
25:13even if they don't want to admit it it's
25:15a never-ending process and unfortunately
25:18it's two steps forward one step back in
25:20many companies because as soon as you've
25:22stepped forward two steps of security
25:24org somebody from you know one of your
25:26business units comes back in and it has
25:27an awful idea that they want to do
25:29something and as soon as you hear you
25:31choked a little bit because you realize
25:33that this is going to obviate a lot of
25:34what you just did and you're gonna have
25:35to figure out how to deal with it so the
25:37other point that I would make is we
25:40can't build the security house for our
25:42customers what we can do is give them
25:44really effective tools that they can use
25:46to build the house and when somebody
25:47wants another bedroom added or a wall
25:49knocked down to make that as easy as
25:51possible and to confirm that you did it
25:53right right I mean you know to take the
25:56house analogy a little further you know
25:58many of our customers are constantly
26:00knocking down walls and they don't even
26:01know which walls are load-bearing and
26:03then the house crumbles right you need
26:06to actually have a good view of what you
26:07have you need to understand how it works
26:09and again you know I've said this many
26:11times before but many of our customers
26:13don't even know how many computers they
26:15have so when you start with that
26:17of lack of knowledge you can't knock
26:20down walls in the house you can't make
26:21any change and have any confidence it's
26:23going to work because you don't even
26:24know what you have you don't know what
26:26it's supposed to be doing once you know
26:28that then you can start planning well
26:31what's the deficiency between what I
26:32have and where I want to be somebody
26:34comes in and asks me for a change
26:36house I can affect what I have today how
26:38do I want to pivot so that I can
26:40minimize the security impact of that
26:42change or actually maybe allow that
26:44change to drive more security posture
26:46for the work but the first step is just
26:48figuring out how many bedrooms are there
26:50in the house where does the house you
26:53can sit what does the foundation look
26:54like and many of our customers before we
26:57walk in there don't have any idea they
26:59don't know how many subnets they have
27:00they don't know how many computers they
27:02have they don't know what's running on
27:03those computers they don't know where
27:04their data is security is impossible if
27:07you don't know those things right it's
27:09not hard it's impossible so we would
27:13assert that you have to solve those
27:14problems first get the hygiene in place
27:16then let's go worry about everything
27:19Orion thanks so much for the
27:21conversation you haven't scared me
27:22you've actually made it seem like this
27:24is something that's doable
27:25absolutely doable we're seeing our
27:27customers make progress on this
27:28constantly you just need good tools and
27:32you need to have the discipline to use
27:33them it's that simple and I do think
27:35people are getting better at this I
27:36don't think this is hopeless in any
27:38way I think you know kind of the fear
27:40mongering aspect that people are so
27:42exhausted by in security is an admission
27:45that if you don't do this stuff first
27:47you don't know how to do it right that
27:49doesn't mean that it's hopeless that
27:51means you just need to do this stuff
27:52first and then you actually have some
27:54hope so I think this is actually a very
27:56helpful message and I think people
27:57should see it that way
27:58well it's work and so I guess we have to
28:00get to it right on thank you yep