A logo with accompanying text "Listen on Spotify"A logo with accompanying text "Listen on Apple Podcasts"
A Quantitative Approach to Innovation
Season One
· Episode
6

A Quantitative Approach to Innovation

In this episode, host Raghu Nandakumara sits down with Illumio Co-Founder and Advisor PJ Kirner to discuss Illumio’s founding story, taking a data-driven approach to innovation and market validation, and what RSA attendees should be thinking about as they gear up for this year’s conference.

Transcript

00:02 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today I'm joined by Illumio CTO and Co-founder PJ Kirner. With 20 years of experience in engineering and with a focus on addressing the complexities of data center networking and security, PJ is responsible for leading Illumio's technology, vision and platform architecture. Prior to Illumio, PJ was CTO at Cymtec and also held several roles at Juniper Networks. PJ, so wonderful to have you on The Segment. Thank you for joining us today.

00:39 PJ Kirner: Thanks for having me, Raghu.

00:41 Raghu Nandakumara: Take us on your journey up to the point of coming up with the idea of Illumio.

00:47 PJ Kirner: So I've always been in the security software space and I've done lots of things. There's a lot of crypto stuff I did. I did, distributed... Some distributed systems, and I was in the CTO office at Juniper Networks. There's routers and switches, and then there was all the layer 7 security, firewalls and WAN acceleration. And we were doing some conversations about, what does cloud mean? And some of the observations were kind of obvious in that compute was getting more dynamic. And whether that be like VMware coming and now I can automatically get VMs, I don't have to actually wait to get a server installed. But AWS was accelerating that with, I have a credit card and now I can get sort of VM. So VM making compute more dynamic. The other thing we saw was applications were being re-architected. And way back then you were sort of maybe calling it service-oriented architecture. Today we kind of call it the API economy and microservices and all those things. More and more things are just talking to each other.

01:55 PJ Kirner: And because there was all this kind of east-west bandwidth needed, I was at a networking company and there was more bandwidth needed to sort of, that drove this change in application behavior. People wanted to start putting firewalls there. Why? Because they saw the risk of lateral movement in these environments and they wanted to control it. So these trends, these three trends of computing becoming more and more dynamic, applications becoming more distributed and connected, and this security risk of lateral movement being a problem in these larger flat, data center environments and wanting to be able to control that to control risk, were the three trends that we saw. And Illumio came out of what does a security solution need to be and look like in this dynamic distributed world where lateral movement risk is something you want to prevent. And that's how Illumio got started.

02:56 Raghu Nandakumara: We'll talk about the Illumio story in a bit, but I'm curious, you've been involved in a number of different sort of technologies and areas of interest. Why was it that sort of the essentially the scenario and the problem segment you described the one that you said, “that's the one I'm most interested in solving”?

03:14 PJ Kirner: As a technologist, one thing I think about is, like all the time, is what is the new technology that's out there? What are the trends that are happening? And then what are the challenges that that technology brings... There was a need, a business need that we identified, because of the change in this technology space in those trends. So I kind of like where technology meets business, and so why then, to answer your question, it was because I saw that happening and an opportunity there and I wanted to take advantage of it.

03:49 Raghu Nandakumara: What was the external validation that you performed to get reaffirmation, confirmation, that this idea had legs?

03:58 PJ Kirner: So external validation is something that you get continuously. Like you have to get feedback. There wasn't a, “we talked to these three customers and all of a sudden we knew everything.” You talk to each customer and you put one more piece of the puzzle together. And at some point, especially when you're doing a startup, you have only a subset of the pieces and you have to make that leap. But I'll say one story is, one of the early story is, we talked with a large, still a customer of ours, but was a large financial service provider. And I was so amazed by the level of automation that they had. They were in a very traditional data center, servers and all that, but they applied all of the cloud properties to that environment. And I was like, well I didn't expect the problem to be so bad, but automation and all this dynamic nature of things was like, a complexity of putting a lateral movement control in place, to explode. And until you sort of talk with customers about a problem, until you have a potential solution, it's hard to get that validation. But once you do, people's eyes start lighting up and people say they've thought about these things, but... and you give them your insights and light bulbs start turning on for customers or they, at that point they were potential customers. But it's about just talking to people, like talking to more and more people and you get more and more insights along the way.

05:34 Raghu Nandakumara: And just about the problem, because you often hear, you look at some new technologies and you hear, “oh, that's a technology that's looking for a problem to solve.” Versus a very clear problem that then has a technical solution. Did you find in these conversations with sort of those potential customers or organizations that you're bouncing these ideas off, that they had identified that this was a real problem but just didn't have a good way of solving it? Was that the state they were in?

06:00 PJ Kirner: I mean, firewalls do segmentation. Firewalls, like boxes that you could put in there and most of the time people, you know, you could obviously you do that at the perimeter. The biggest segment is the external world and the internal world. And then people started to put firewalls to zone off — yeah, I mean you could have a DMZ firewall, there's another classic example that a lot of people have — but then you put some other internal East-West firewalls in certain places and... So people knew there was a problem. People tried to use the tools at hand to solve it.

06:38 PJ Kirner: But we sort of solved it at a different level of granularity as well. Because you could have any level of granularity you want with what we were proposing at that point, that hooked onto an existing problem and reduced the complexity, gave them the flexibility, allowed them to work in those dynamic environments. Allowed them to go faster because the firewalls were moving slowly, there's a lot of time to make firewall rule changes. They're boxes. I got to wire stuff up. So they wanted to move faster and oh, here was a solution that did some of those same things but could move as fast as they wanted to be.

07:11 Raghu Nandakumara: Just listening to that, as we build this out, it feels okay: problem. You identified sort of factors that you're observing in the market that required a solution. You validated that problem was a real problem. And you're kind of touching on then design decisions that you made. Can you talk about some of the key design decisions, architectural decisions that you made when building the first iteration of the product?

07:36 PJ Kirner: So, one, we needed to have a distributed set of control points. That... And we had to move the control point, the segmentation control point as close to the workload as possible. And so that was kind of number one in terms of architectural elements and what this did was it both allowed us to create any level of, I'll say a software defined segment.

08:04 PJ Kirner: You could define it with a policy and then secondly, moving it closer to the workload meant you had more context. When you're far away from the workload, it's like well, I don't know what it — what operating system is that. So there like, being able to have this distributed set of control points was number one. Number two really was around, again, having a dynamic policy. And very early on we got feedback from, customers that was okay, I want to do, I want to do this — what we today call this label based policy — and I want to be able to write policy for this workload or for this group of workloads, this application or microservice, whatever you want to call it.

08:45 PJ Kirner: Oh, maybe I want to write it for my environment that I'm in. Maybe it's a PCI environment, maybe it's not prod or non-prod. Maybe I want to write location based, whatever those dimensions of policy, you wanted to be able to write that. And why I say dynamic is because as workloads come on or offline, whether it is a simple as a AWS auto scale group or a Kubernetes cluster or you're just, you're just putting a new VM in that environment to age, and whatnot, you don't want to mess with policy. You want all that automation to be handled dynamically.

09:18 Raghu Nandakumara: Both in terms of the number of customers from 0 to 1 to 10 to 100 and so on. But also in terms of the scale of your customers, what were the key learnings that kept cropping up that you had to absorb and adapt. And adopt as well?

09:36 PJ Kirner: So scale was always built in. And we've thought about it from an architectural point of view since day one. I mean, fundamentally how we do our data processing, how we do our data pipeline, how we do our, how we build our distributed system. In fact, all those decisions along the way, had to keep the scale of our customers — well scale and dynamic nature. I think that's the large scale static is actually a very different problem than even kind of medium scale dynamic. Because as things can come and go, how do you build a system that accommodates for that? So those two things, I think are really, really important and our... Our customers were telling us they wanted to be more dynamic. They wanted to move faster. That's the direction they wanted to be able to do. So, can you keep up?

10:34 Raghu Nandakumara: And, I suppose that what they mean by dynamic is not minutes or hours, it literally is in the seconds. That as that compute instance comes up, or as that container environment comes up and applications deploy there, they want the security to follow it and be ready to secure those applications at the time those applications go live. That's the expectation.

10:57 PJ Kirner: Right. And that's where there can be no human in the mix. And that's where it's not just software, that's where the policy model that we came up with, which is an important construct, how can that policy model allow people to describe a policy and be as dynamic in real time to deal with those change in environments, as you said, in seconds.

11:19 Raghu Nandakumara: Awesome. So thank you. I think that's a great sort of overview about how that origination and the development of Illumio's core products. So now I kind of want to shift gears a bit. We're here to talk about Zero Trust, so I will ask a lot of the other guests this, can you share with us your favorite Zero Trust analogy?

11:39 PJ Kirner: So I love the submarine analogy. And so, how submarines are built is first they're built with redundancy in mind. They have, everything has, there's two systems or maybe even more systems that that where one can fail and the sub as a whole can survive. So it's also built with compartments. And when there is a breach. A which a torpedo or something breaching the hull, they can close off one of those compartments and yes, you might have had damage there, you might have lost that compartment, but the submarine doesn't sink. You still have resiliency. So, that's how I think about, cyber resiliency is the same, same metaphors. Segmentation are maybe the, the compartments and thinking about, all of that together I think is, is one of the, you know, is a good metaphor for, and how small you made him, how small you made him make the compartments. How much redundancy do you need, all are in service of cyber resiliency.

12:44 Raghu Nandakumara: When you think about Zero Trust as a concept and then as a strategy that organizations are putting into practice, what is your view on the relevance of it?

12:55 PJ Kirner: Some of this is, we have done. Least privilege for example, which is one element of Zero Trust is a well known concept. I think, the, having a Zero Trust strategy helps you think more holistically about the problem and apply some of those principles. I mean, having everything be dynamic and context driven. That's a little bit more of a recent view. You could even say, way back when, like layer seven firewalls. What was the layer seven firewalls were about context. Well, am I running, am I actually running FTP over port 21 or whatever. And so they had context of things. So everything being context driven and dynamic, I mean, I was in the NAC space for a little while, And so one of the things that was there, which was maybe some early kind of things around that were similar to Zero Trust, was you had conditional and dynamic access control.

13:49 PJ Kirner: So not only did you to have run an antivirus before you were allowed on the network, it's that sometimes you had to re-authenticate. And you had to prove that your machine was still healthy, not just at the initial access. So, and again, that was not continuous in the way we're sort of talking about it now and the way we can do it now, but way back then it was still kind of in the right direction of being context driven and being dynamic. So I think a lot of good principles made their way and, you know, Zero Trust is a good way to sort of talk about those and, reinforce these things. I do think we fell off the bandwagon when, with all this implicit trust in the environment, And, people could say, oh yeah, I'm doing good security. But like all these things that were just allowed to talk to each other implicitly, no one ever thought about, let's turn this into explicit trust? That's a place where I think we, definitely needed Zero Trust to help us along that journey.

14:53 Raghu Nandakumara: [You] bring up implicit trust. How do we think we let that creep in? Where do you think this whole implicit trust and essentially just the expanse of implicit trust, like what was the trigger for that?

15:06 PJ Kirner: A lot of security problems, come from [when] the business and the technology move ahead of where the security is. And while we do talk about, security shift left and we're trying to push security kind of, deeper into organization, which does seem to be working, right, but there still is always the, business comes first and security comes second. So there's a gap there. And, again, no matter how much I wish it was different, but there is a gap there. And so you ask a good question, how did we let the gap get so big? I don't know. I mean, I think maybe partially we had — sometimes one of the challenges is when you have a security, well, you have to make compromises in security all the time. And when you have a half step, I think sometimes what happens at least psychologically is you cross that off your list. Like yes, I've done something, I've reduced it partially, and you cross off your list and you go work at something else. And I think sometimes half steps come back and bite you.

16:14 Raghu Nandakumara: Yeah.

16:14 PJ Kirner: And I think this was a case of that.

16:16 Raghu Nandakumara: To flip that question over, what was the turning point to say, okay, too much implicit trust it’s out of control. We need to essentially take back control. And Zero Trust really provides the strategy by which we can achieve that. What was the tipping point to now come back this way?

16:32 PJ Kirner: I don't know if it was a tipping point. Again, I think there were a few things that were influencing it. One was, and I'll say this more from our... some of our SaaS customers. Some of their customers were kind of upping their security. The questions they provided the SaaS customers and the expectations of the SaaS customers. Even there was some standardization around those things. And that kind of forced a realization, but well, to do business, I need to do these security things. And these become the industry best practices. But, it was influenced by a business outcome at the end of the day. And so that was one place where I think people needed to do more. The other place I think is ransomware.

17:21 PJ Kirner: And when I look at the “CIA triangle”, confidentiality, availability, integrity, there were places where people lost databases of customers, and those were impactful. But I think what ransomware did was ransomware changed it from confidentiality or purely confidentiality to availability. And when the CEO comes in on Monday and you can't run your business. Like we had talked about the Maersk attack, which was, quite a while ago. But like, I can't ship things. Like my shipping company where it's sort of, doing transport logistics and I can't do that job. Well, that's a serious impact. So the availability problem that ransomware sort of, caused to happen, changed some of the dynamics. And that's always where good things come out of when there is business and security alignment. And that was one of those.

18:25 Raghu Nandakumara: I just really love how you framed that, the implicit trust, like how did it get like this? And you said, again, it's a business driver. The business wanted to move fast and we essentially we made compromises. But then when asked about, okay, what was the tipping point to adopt Zero Trust, it was essentially... It was then again, a business driver because it was the business saying, I need better assurance that my counterparties have adequate security, or I'm now fed up of losing, going offline to yet another ransomware attack, and hence I want to build resilience and hence I need to remove that implicit trust. So I kind of love how it's all almost come full circle. I had to ask you, maybe it's a bit of a loaded question. Do you think that Zero Trust, a Zero Trust strategy, is the security approach that best aligns to deliver or support business transformation?

19:16 PJ Kirner: I think so. I mean, when — one thing, when you were talking about coming full circle, I was thinking slightly differently. But, similarly in that like the problems occur when business and security are kind of misaligned or get too far apart, and then when they get aligned again, action can come out of that. Right? And I do think taking the idea of trust. Right? Because business’s need to be trusted by their customers. Customers trust a business with their data, they trust them to deliver a service. Trust is a great word to use that is highly aligned with business outcomes. So like hooking onto that is important. And when you're doing business transformation or when you're going to do a digital transformation, you're trying to become more agile.

20:07 PJ Kirner: And I do think built into the whole Zero Trust principles are, the ability to be dynamic and adaptive and continuously monitor and provide feedback to other systems, I think those two things are highly aligned. So a strategy that aligns to being more agile and dynamic and a business transformation, which requires an organization to be more agile and dynamic, when those two line up, that's a nice thing to see.

20:36 Raghu Nandakumara: So I now want to go back to tying Zero Trust to Illumio. You talk about, Illumio, the Zero Trust Segmentation company. So the obvious question I have is that what came first, Illumio or Zero Trust?

20:49 PJ Kirner: I mean, these base principles that we had, that we started the company on are fully entwined with the Zero Trust principle. So it's a good, chicken and egg problem. I don't have the answer, but we definitely started off with the same principles that Zero Trust is espousing. And I will say that maybe it's people like John Kindervag who started this were seeing similar things in the market that we were seeing. And him pushing, creating the idea of Zero Trust and pushing the principles and pushing that forward.

21:28 PJ Kirner: And then, Chase pushed that forward at, further forward at Forrester. Like those things that were happening and we were sort of taking a different approach. Being a startup and having some technology. Those two things were highly aligned.

21:44 Raghu Nandakumara: I love it. Sort of many paths that sort of lead to the same destination. I'd like to ask you as a technologist and a security practitioner, can any security product be configured in such a way that it's enforcing a Zero Trust security posture? Or do you need products that specifically have been designed with Zero Trust in mind to achieve that?

22:11 PJ Kirner: Well, let me tell you a little story for a second about Illumio. One of the things that happened early on, Matt Glenn was kind of one of the early product managers, the early product manager. And one thing he identified is we didn't have what we now call Illumination. We didn't have the visibility necessary to sort of accomplish some of those goals. And I'll say that was one of his very early important insights and contributions to the company and the product. And we built both a policy model and a visibility platform together hand in hand.

22:51 PJ Kirner: And I've watched other vendors like bolt on visibility things, after the fact, and they don't work as well. Like, they're clunky. You realize they're not like the same, maybe the same person, maybe the same company didn't build them. Maybe they acquired it. Right? And they don't all work together.

23:12 Raghu Nandakumara: Yeah.

23:12 PJ Kirner: And there's a lot of friction and there's an impedance mismatch there. So, to answer your question about Zero Trust, I can't say... I can't make a blanket statement about, no, you can't put it on after the fact. But I do believe that if it's built in from the beginning, from the get go, you have a much more smoother experience for the customer, you can achieve better outcomes, you can actually achieve maybe more outcomes from, the needs of the customers and you can sort of play in the ecosystem better. So I think having it in mind from first principles is clearly the way to succeed.

23:49 Raghu Nandakumara: And, when you say “it,” what you mean is essentially continuous visibility, being able to write context-based, risk-based adaptive policies, being able to automate, orchestrate these key properties that are sort of required as through the, as for the sort of the modern definition of Zero Trust. Right?

24:07 PJ Kirner: Absolutely. You have to have them in mind at the beginning so that your architecture. And your architecture, the software that comes out of that, the products, the user interface, how you... Your data pipelines, all of those things need to be aligned with those principles.

24:26 Raghu Nandakumara: I know that you're big on validating sort of any ideas with data and you often say to your staff, bring me the evidence, convince me with the evidence. How have you approached this at Illumio? Whether it's validating like design decisions or validating the effectiveness of your product.

24:42 PJ Kirner: I do think I take the approach of like, there's lots of people with good ideas. And proving them out with data really helps you understand where maybe the idea breaks down after a little while. Maybe it breaks down at scale or maybe it breaks down at variability or maybe, sometimes you just are overly optimistic with your idea and the data just kind of, breaks it. I think, one thing we did with some early machine learning approaches is we did set goals for what we wanted to accomplish. And, people had plenty of ideas and we tried different things and a number of them didn't pass. And I do believe, when you do experiment with things, if you're succeeding every time at your experiments, you're not experimenting.

25:33 PJ Kirner: You have to like fail four out of the five times and you have to know how to fail things. So setting goals and then letting the data feed into an analysis, and, and proving that, proving that is important. So, one thing that our customer, one of some of our customers were asking us, even years ago was how do we understand the efficacy of this segmentation, deploying your product inside our environment. And, we discussed some things and we had some, different ideas. But one thing we, we settled on and you were a big driver of this as well, is we settled on doing some external security research. And so we partnered with Bishop Fox, who's one of the leaders in offensive security, and we came up with a few ideas that we were going to implement, and test out.

26:21 PJ Kirner: So one of the things we started was we, and this was our, one of our customers suggested was, time to target. Was the time for... if you dropped an attacker in an environment, how long does it take to get to the crown jewels? So we built an environment and we put servers in that environment. We found, put some crown jewels, we maybe sprinkled some vulnerabilities around. And we had an environment and we measured, time to target. And then we applied... So, we did that once and then we kind of randomized the environment so it was fresh and we put segmentation in place and we did very coarse-grain segmentation to start. And then we applied application ringfencing, and then we applied another layer of, tier-based ringfencing. And as we saw at each level, as you increase your segmentation, you would get risk reduction. But it's important that any level of segmentation got, slowed down attackers in that environment.

27:20 Raghu Nandakumara: So why is it important in your opinion, and as a sort of a CTO at a security vendor that you are able to prove the efficacy of your technology? Why is that so important?

27:34 PJ Kirner: I think it's even more important right now, like in these times. CEOs everywhere are under pressure to be more productive, be more efficient, be more cautious with the dollars. And that sort of trickles down to the security leaders. So every security leader is asking that same thing. Like I hear that at boards of directors, the boards of directors might not have asked this before, but they're now asking, what is the ROI on what I'm investing in security? And so that forces the security leaders to say, well, let me look at all my tools. Like what really is providing the most effective set of deterrence, protections aligned with my strategy, and understanding the efficacy and having a quantitative way — not just this guy likes this tool, or this lady like this other tool — have some quantitative way to sort of measure that. And that's also why I like the kind of the offensive security way of testing things. Like it's a real attacker in a real environment, not kind of some simulated metric that somebody comes up with. So that's why that research the way we did it, I thought was so ingenious. But, back to your point is all CISOs are going to be sort of looking at this and so it's very important now.

29:06 Raghu Nandakumara: You talked about ROI. Particularly now we need more than ever to be able to demonstrate that. And it's not just about the security benefit, but it's also about, “Okay, do I save money? Do I make things simpler? Do I make it operationally more efficient?” So that sort of that ties into some of the headwinds that we're potentially seeing in the market now. So when you look at it as a CTO and co-founder, what are the key sort of tailwinds and headwinds that you see that are swirling around in the market? And how do you see these impacting sort of the future of the cybersecurity sector?

29:42 PJ Kirner: If we go back to Zero Trust, there definitely is a, tailwind around that. I mean, we had the, I mean we had the Biden mandate a while back. More people are having a Zero Trust strategy. There's more Zero Trust strategy sessions, people are trying to figure out what their Zero Trust initiatives are. I think all that's good. Like we just hear more and more of that. So that's definitely a tailwind. Another interesting tailwind is I think... So during the COVID times, there was a lot of need for remote access. So, a lot of people who were working from home and there was a lot of remote access bandwidth that was needed. And to solve some of those remote access challenges, people did buy a bunch of ZTNA products. So Zero Trust Network Access. And that kind of put the focus on, because you needed them for remote access. People are saying, well, okay, that is part of my Zero Trust journeys, so I'm going to spend time out there. But I think people have spent a lot of time, they have finished those projects, they have completed that part of the journey. And there is now a focus returning to people's workloads. So what do we do inside our public cloud environments, our Kubernetes environments, our colo centers, and how do we do Zero Trust there? So there's this return after spending time on the remote access part. There's this return to focus on workload on the network and where that data is, and I think that's kind of exciting and interesting.

31:25 Raghu Nandakumara: What do you see as equally... You've talked about like macroeconomic conditions, but are there any other significant headwinds that you see that are inhibitors to new capabilities?

31:38 PJ Kirner: One challenge that, probably other people also will have mentioned, but it's worth repeating, is you don't buy Zero Trust. There's not like a, a single vendor that just you go buy it and you go check the checkbox. There is a journey that you're going on. That's what it is. It is strategy. It's a you have to discover what's out there. You have to sort of work through, understanding the users, understanding the workloads and devices and like there's multiple steps in that journey. So, one of the failing points is, thinking I'm just going to get it done quickly in one step and it'll be done. So that continues to be a headwind. And so if your management sort of thinks it's going to be like that, it can become a problem with adopting. But, I think where the counter to that is, A, know it's a journey.

32:39 PJ Kirner: Number two is find incremental progress along the way to be able to show management that I am reducing risk and I can continue to reduce risk with this same strategy. I just have to keep working on it. But showing concrete, demonstrable, risk reductions incrementally along the way is kind of really helpful to sort of reinforce. And that's what I, when I see a good Zero Trust strategy, they sort of communicate early on that they've accomplished some of these goals as they do work through... a longer journey.

33:12 Raghu Nandakumara: I'm glad you mentioned that because that's something that when we speak sort of to the Zero Trust experts. You've spoken about John Kindervag and Chase, but many, many others. We had sort of George Finney on the podcast a few weeks ago with his sort of Project Zero Trust book, and they essentially, they all echo exactly what you said about how'd you deliver a successful Zero Trust project. It's really about very tactical outcomes and measuring and iterating at every step. Given that that is the collective wisdom, why do organizations still try and do it as a one and done thing fail? Because it feels like there is enough knowledge there to say, "This is clearly the right way to do it. We just need to go and follow the same playbook." What is stopping that?

34:03 PJ Kirner: Well, I think it's sometimes hard to measure that. And I think that's where, whether there's frameworks or features and products that can help, I mean in the Illumio's product we're trying to do more dashboarding and more kind of visibility of some metrics to help people along this journey, for example. But it's sometimes hard to measure and again, why I really like the Bishop Fox research is it's against a real adversary. There's like, because sometimes you can decide a metric and people don't agree that the metric is valuable or a sign of success. But, an attacker, a real attacker not finding a crown jewel, well, okay, there's not, that's not debatable. But, and but it's harder to do those kind of engagements to set up a red blue team. You don't do that continuously. It's a little bit more expensive. So that's like maybe the gold standard, but you have to find other metrics that the organization agrees on. And there are proxies for some of those good things. And I think that's, that is one of the challenges, I think.

35:09 Raghu Nandakumara: So do you think it's really a case of essentially better awareness, better education around how to really, truly build and execute Zero Trust programs, but also it's an increased level of being clear as to what you are measuring in order to show progress. Those are two key things that are needed to make, reduce this headwind.

35:28 PJ Kirner: Yeah, and I think, I think we probably have the former. I think we have some of the education about why the journey's there. I think what's needed is the latter, the how to measure like the metric, the agreed upon metrics. And again, they could be different for different organizations. That's why it's not just a number that we can say I'm you know and you know, maybe there's a maturity model, there or some something. But I think that's what we, that's what that's could help accelerate some of these projects and avoid the trap of the everybody thinking it's just a one and done. I'd buy the product and all of a sudden I'm done with this and I can go think about something else.

36:13 Raghu Nandakumara: Yeah, yeah, absolutely. So just now, like pairing that off with RSAC is just around the corner and hoping that it's going to be back to full strength. After a few years impacted by the pandemic, what would you love to see on the show floor or on the various presentation theaters?

36:31 PJ Kirner: That's a really hard question.

36:34 Raghu Nandakumara: Not what you expect to see. What would you love to see? I want to make it very clear what I'm asking.

36:42 PJ Kirner: I'll say back to exploring the AI thing for a second. I do think there's going to be some novel ways that security is going to be impacted by this. So I'll give you one example. I mean, you got to imagine with all this code, AI code generation, okay? There's going to be a way to exploit that somehow. And then like if you're a developer like who is really accountable? Like, oh yeah, the AI wrote half my code, the AI introduced a bug, the AI introduced a security flaw. Is that my fault that I did that, or somebody else's fault. Because obviously when you generate code as a developer, like you are accountable for the code you write, it came from, you know, it well a human intelligence made it and that human intelligence is accountable. Well, how can the generative intelligence be hacked.

37:44 PJ Kirner: Because, and then like who is accountable at the end of the day? So both those two things are kind of really interesting ways to do this. I mean, we see open source packages, like simple things like this. We've seen people inserting software supply chain by just, like a JavaScript package that says, "Include this InnocentProject.whatever," right? And then you call InnocentProject.run and oh man, it steals your things or it becomes a Bitcoin miner or whatever. That's how things get injected and like in the real world, pre-AI. And so what can AI do to sort of increase the, well, augment the human intelligence of those bad actors out in the world. They're going to get powered by that. Hey, there's a go, there's another, there's another presentation: "How AI improved my ransomware program by..." Obviously someone who would never be able to show up there or present that, but that would be an awesome conversation.

38:52 Raghu Nandakumara: I'll be shocked if at least 40% of the presentations at RSA didn't have some reference to AI at some point in them. And actually that brings me onto another correlated question. What advice would you have to attendees of the event about questions they should go and ask at vendor booths, to be able to separate the wheat from the chaff?

39:19 PJ Kirner: I know this is hard to ask because you got to really put yourself... If you're a buyer of something and you really understand the problem, I think the really interesting thing is, "Vendor, how do you help me with the day two problem," right? Because there's a lot of what people show, especially even in a sales presentation, it's all about like the day one problem. "We'll help you with the day one problem." But I think a lot of the cost of adopting a product is the day two problem. After you've done the initial implementation, how do you maintain that implementation? Who does it? How does it work in the organization? And when somebody wants to make a change to it, or you could even ask a question about, well if my... Well, my organization like made this change in the past year, how would that be handled if we had it deployed out?

40:11 PJ Kirner: So I think those are some more challenging questions to ask folks. And I think the folks who have thought through what... because everybody's thought through the day one problem. Those who have thought through the day two problem and can answer that day two question, I think those are the ones you should listen to more because they're trying to, not optimize just to get you onto their platform, but to sort of keep you happy in the platform over your entire journey. And I think that's a great way to... A, a great way do business, but a great way to test people out there and how they do.

40:46 Raghu Nandakumara: I love that as a sort of a leaving insight for listeners who are going to be attending RSA or other sort of vendor events or, and conference type events, is really think about can that vendor help solve your day two problems? Or are you just going to be essentially have a problem in your hands that has just solves that first problem but is unusable after that? PJ, it's been such a pleasure to have this conversation with you, so thank you so much. And everyone, PJ is not just a guest on our podcast. He himself is the host of his own podcast, the CTO Function podcast, which I encourage you all to check out. It's available on all your favorite podcasting platforms and in that you have a seasoned CTO who chats to a collection of other seasoned CTOs from across industries and they collectively share their insights on all the challenges that they've faced and lessons they've learned throughout their careers. So go ahead, check that out and thank you again so much, PJ, for joining us on The Segment.

41:44 PJ Kirner: Thank you, Raghu.

41:45 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com or visit us at RSAC in San Francisco, between the 24th and 27th of April. You can find us in the North Hall at Booth 5778. In the meantime, be sure to check out our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.