Hi, everybody. It's great to be here today. I am quite honored that I was invited to speak here on some of the trends that we're seeing as a VC. So a bit about me. I actually used to be part of the analyst world. I covered security at Forrester Research, mainly focused on zero trust, security, vulnerability management, and content security. I made a leap over to the venture capital world and started working at a firm called Work-Bench.
We focus on early-stage enterprise investing in enterprise technology, and we're based out of New York City. Core tenets for us are just working with the large concentration of Fortune 500 that call New York City home. We find that if we speak to a lot of these professionals, from CIOs, CTOs and corporate technology executives, that we can get insight into what some of the biggest priorities and pain points are within the enterprise and invest in the best technologies that are transforming the enterprise technology stack.
Our motto goes: great things happen at the intersection of suits and hoodies. So two things to take away from this: one, I'm American, so I like American cheese, but two is that I'm a millennial.
So please, please feel free to take pictures, share this on Twitter. I'd love to share some of the ideas that I'm working on. So some fast facts on cybersecurity. As you probably all know, there's a lot of money in security from the venture capital side. Over 5.3 billion was put into cybersecurity startups in 2018 alone, as found by Strategic Cyber Ventures.
It makes sense because a lot of InfoSec professionals are investing in cybersecurity to the tune of 124 billion forecasted in 2019 by Gartner. And the reason why they're doing this is because threats are on the horizon.
1.4 billion records were compromised in 2018, from only nine breaches. These include Marriott, Facebook, Quora amongst others. And because this is a security talk, it wouldn't be complete without a couple of looks at the threats that are happening in our landscape. And thankfully not a lot of people have gone through them earlier today, but what do these five things have in common?
Well, they were all hit by ransomware. Most notably, the city of Atlanta in the US was hit by ransomware, the SamSam ransomware, and was asked for $51,000 in payment in Bitcoin.
Now, instead of paying that $51,000, the city of Atlanta was taken offline.
And a lot of the residents were forced to use paper-based processes for things like paying bills, as well as paying parking tickets, and even things like police dash cam footage and security footage was permanently deleted. Now in the end Atlanta, instead of paying $51,000, estimated that it'll cost 9 million to come back from this incident. But the SamSam malware was opportunistic in the sense that it was done by ransomware actors that knew that Atlanta's security was notoriously bad.
But if you take things like WannaCry, pictured here, or NotPetya, these things are operating on a much different level. NotPetya, as an example, which hit places like Deutsche Bahn, Merck and Maersk amongst others, was actually said to be a political attack by Russia used to destabilize the Ukraine, and all those folks from Deutsche Bahn, Merck and Maersk were really all just folks caught in the crossfire.
And we're seeing this cyber warfare bleed into the physical world at a quick pace.
I mean, the first example of this was Stuxnet back in 2010, but subsequently we've had things like CrashOverride or Industroyer, which took down the Ukraine power grid, or Trisis and Triton, which was found to be compromising the safety systems of industrial control equipment from Schneider Electric. And as you can see here, each time this happens Wired writes an article and calls it unprecedented. But also, privacy pays.
And in this sense, we're seeing people like Google and Facebook have to pay huge fines for improper use of customer data or just data breaches in general. And while 57 million and 5 billion are a drop in the bucket for major players like Google and Facebook, it's good to see that European data protection firms and things like the US Federal Trade Commission are willing to punish these types of, in this case, bad actors. And we're also facing the threats that aren't real as well.
Things like generative adversarial networks can be used to spoof things like videos and images. In this case, putting Steve Buscemi's face on top of Jennifer Lawrence as she was making a speech. But the threat can actually be malicious as well. Israeli researchers showed that cancer images were able to be doctored and actual doctors were unable to tell whether or not the cancer was real or not.
So it comes to the question of who can we trust, right?
And the bigger question becomes, well, can you trust any of these vendors? Now, this is a landscape put together every year by Momentum Cyber. And it's a really good way of seeing that the security world is very, very crowded. And then for us as a VC, how can we be spending our time investing in new technologies, just to add to this board? Well, I wanna flip this conversation to a different one. It doesn't all have to be doom and gloom.
In fact, security itself can be an enabler. There's many amazing things happening within the enterprise, specifically within cloud, which I'll talk through in a bit, but security can actually help shepherd in these new emerging technologies, and doesn't just have to be a hindrance to the business and add to the balance sheet.
So three things that I wanna share with you today are: first, multi-cloud is near; complexity follows multi-cloud due to the different types of technologies that are being used; and that security can and will be a champion in making sure a lot of this happens.
To begin, public cloud spend is reaching big numbers, in this case reported by RightScale: 1.2 million are being deployed by enterprises, by half of enterprises globally. At the same time, AWS has been around for a while. AWS EC2 debuted in 2006. Just last quarter, it posted revenues of $7 billion. And we don't expect this to stop. On the SaaS and cloud application side, those are also growing. A report, not featured here, but one report by Okta found that other customers over the past three years, they're deploying on average, a hundred, 163 applications.
Now I have to ask the group, do you know how many applications that you're currently running?
And if not, I'm sure a lot of these vendors can help you figure that out.
Now, the benefits of cloud go beyond just cost and scalability, which are often talked about by most folks. One of the main reasons that we're talking with folks and talking about cloud is that it actually helps their security model for CSOs and security leaders. And I put an asterisk here because cloud introduces new problems, but for security leaders, it's hard to hire the right amount of talent to manage that security infrastructure, or just infrastructure that your business is using in general.
So as you abstract and change ownership to the cloud, you're able to focus your limited resources on things like the operating system and application rather than the physical server network. The second piece is developer productivity. Developers are very much used to using these cloud environments and they like ownership over their processes and software that they use.
So give developers the tools that they want to be the best at their job. And the last piece is talent.
When it comes to hiring talent, nothing says we want you to work at our business more than adopting cloud technology so that you can have that second point of developer productivity. Now, multi-cloud is real: 84% of enterprises have a multi-cloud strategy. And 58% of those, when we say multi-cloud, are rooted in hybrid. Now, hybrid makes sense for Fortune 500 companies. You've invested a lot of time and effort into your mainframes and on-prem databases that it doesn't make sense to move everything to the cloud.
So you'll wanna deploy some, maybe greenfield, brownfield applications in the cloud and have 'em link on premise, but there are folks, 17% of that multi-cloud strategy, that are planning on using multiple public clouds. And we're seeing this play out in a couple of ways.
So first is just the mono cloud usage, and people like Capital One and Barclays were some of the first to just adopt this model because Amazon offers a bevy of different products that everybody from large enterprises to startups can start using and build some significant applications.
But on the second point are folks that are using the price broker model. And in these cases, they'll run workloads wherever it is cheapest. Plus they wanna make sure that they're not locked into a vendor. And in this case, things like Kubernetes and containers can help make this a reality for them. The last piece are the function brokers, and these folks pick and choose their cloud based on different capabilities. Some folks might want to use SageMaker or Redshift in AWS, some folks might want to use AutoML or some other tools out of Google.
So whatever you use, utilizing whatever products is best is what these folks are looking for. And we're also seeing this because IT doesn't only buy technology, people across the business do, but IT helps set that strategy and understand the budget.
Now, while AWS leads, we're seeing Azure close on its tail. We've seen Azure grow to 52% adoption within the large Fortune 500, which is based off of, if we look at the mega clouds, as we like to call 'em, different strengths and weaknesses that they have. I talked a little bit about this before, but AWS is what we would consider enterprise wholesale.
They can provide a lot of different products like Costco can, but they're not always at the same quality or thought through. Many folks that we talk to are often having to put in more work just based off of how half baked AWS's products are, and consider the bevy of security products like RedLock and others that are just focused on cloud security because the standard configurations AWS comes out with are not suitable for a working environment.
But another thing that AWS is good at is just releasing products at speed and scale.
So one thing that we're always tracking as a VC is, come re:Invent in the fall, what new features are they going to be releasing within their product catalog that is gonna be displacing a lot of vendors and startups? The cons are a proprietary path and, as I mentioned, jack of all trades. But this is where Azure steps in. Azure has heritage. It's been in the enterprise for a while.
And while they do a great job of enabling a lot of enterprises to deploy hybrid applications, they do an amazing job of customer and account support, which enterprises require, something that Google, a little bit later to the scene, has historically been bad at. Even though they're some of the smartest people in the room, developing some quality software around data, infrastructure and security, they can't put in the right amount of support to garner the attention of enterprise buyers.
Everybody wants to be cloud native, and it's because of all the speed and velocity at which you can deploy products and delight your customers. And cloud native, to just put it into a definition, in this case defined by the Cloud Native Computing Foundation, uses an open source software stack to deploy applications as microservices, packaging each part into its own container and dynamically orchestrating those containers to optimize resource utilization. Now, I highlighted all those words because these are the main points that I want to share about how this is changing the enterprise.
Containers are multiplying. 19% of organizations are starting to have containers in use, whether that be in testing mode or actual production. And we're seeing this as well, because these enterprises, aside from just better application deployment, love the fact of their portability so that they can scale to multi-cloud, but also in general, there's the consistent operation and better overhead or less overhead.
And in this case, when it comes to managing all these containers, as you reach that scale, you need to make sure that you orchestrate them in the best possible way.
Kubernetes we're seeing emerge as the king, beating out by a large margin Docker Swarm and Mesos. And this is in large part because of the community and open source support that Kubernetes has received. Serverless: I'm sure a lot of folks have started to maybe think about it or try using it within their organization. But I love the way Kelsey Hightower puts it, because I'm a gamer myself. I'd rather not be building my own gaming PCs. I'd rather just use Xbox and play FIFA, right? And serverless is much like that.
These application developers would much rather just utilize the function rather than having to build the entire infrastructure itself. And if anything is more apparent of a thing, the Cloud Native Computing Foundation puts together these great landscapes for all of the different cloud native computing technologies from containers to serverless.
And you can see that the serverless landscape is starting to be filled out. For serverless itself, because the abstraction model changes to a level higher,
there are certain benefits and weaknesses, and then there's still some unknowns. For one, development costs go down, just given that we're utilizing functions, as well as the scaling costs, because you're only really paying for the things that you want to use rather than the pay-per-machine compute. And then there's better operational management, cuz there's less for you to manage.
But the bad part is that right now for a lot of enterprises, if you want to use functions from Azure or functions from AWS, they don't cross-mingle, and you, in essence, have to be locked into a single vendor, and then there's even less in your control. Now, the picture didn't come up for new security concerns, but it's the shrug emoji.
But in this case security, because it's abstracted, there's less to care about. But in this case, as functions begin to explode across your environment, the IAM policy to manage that will in essence also have to manage this.
And considering that folks can't already manage their own IAM policy, now we consider that this will be a problem that a lot of enterprises will have to juggle. We take containers, we take serverless and we wanna put them together. Cuz as said before, the modern application will be built into microservices. And here things like service mesh are gonna play a big part.
And what service mesh is, is an application layer infrastructure that helps route service-to-service traffic, helping out with things like encrypting the traffic as well as load balancing. Folks like Linkerd, Envoy and Istio are types of technologies that are ushering this in.
But the cloud in practice is best idealized by DevOps and DevOps for a lot of organizations is about enabling your business to use technologies and processes and to deploy these applications at scale and in a high velocity.
But the thing about DevOps is that it tends to be more abstract and concept-like: reduce organizational silos, accept failure as normal, and implement gradual change. I love this slide by Google.
This gentleman, Seth Vargo, created this amazing slide that says SRE, or site reliability, is a prescriptive way to do DevOps.
And what that means is, instead of just saying reduce organizational silos, let's share ownership. Let's have the development team and operations team both have responsibility over the reliability of the product, service level objectives and blameless postmortems. Instead of just accepting failure as normal, let's set the baseline for what failure is, and then what is the error budget that we're allowed to fail so that we can release features better, and so on.
If you're not familiar with site reliability engineering, it is a term or a concept that was created actually out of Google in 2003. And the reason why is that, in operations,
well, an engineer was tasked with staffing the production operations team, and what he did was staff it the way that an engineer would. In this case, core to their principles is the fact that they, as engineers, should spend less time doing manual toil and should automate and just use software to the best of their ability.
Now, taking in a lot of these core principles as engineers, when things aren't readily handy, they're able to build a lot of the software and then create these level of objectives so that they can operate with the development team in a way that is beneficial to the business, as well as embracing that risk so that they can deploy more features at a faster clip.
In this case, SRE toolkit is really just your infrastructure logs and metrics.
This isn't an exhaustive list, but alerting and service management and a lot of those pieces, it's incumbent upon these engineers in the SRE role to understand, hey, here are metrics about what's running in our infrastructure environment. Here's what we're getting paged on. And then here's how we can shift the duties so that we can address these problems correctly. What's important here is that we can all be like Google thanks to a standardized tool set
like the one I showed earlier. As well as platforms being standardized, teams can get deeper into site reliability engineering, especially in incident response. Things like postmortems, deployment tracking, communication are things that, with the standardized toolkit, we can utilize something like Slack so that we can talk to a broader business better. We can do deployment tracking,
so we know where the problems occurred, and we can use postmortems to do detailed review on any major service incident so that it doesn't happen in the future.
There's also chaos engineering and stress testing. This is something developed out of Netflix: for something like Chaos Monkey, which they developed, they want to make sure that within their environment, if any production incident occurs, whether that's a failed instance for content streaming, they're able to recover appropriately, and that if it happened in real life, they could adjust to it. Security can do the exact same thing and usher in new tech. CSOs are already evolving to be more like CIOs instead of just being gatekeepers and owning technology.
What they're doing is reporting to the C-level and board, telling them about their cyber risk profile, what they're doing as an organization, or at worst about a bad security incident.
But what's really great is that they're not just understanding risk, but that they're embracing risks so that they can take on the features and requests that the rest of the organization has. Part of this is security engineering emerging.
And this is a shared group of engineers across infrastructure and application that can help usher in these new changes, because as SRE transformed the role of system administrators, security engineering can build the tools and processes themselves so that they can build resilient and secure distributed systems. Here is a mix of open source technology that is amazing to see, because these are the types of tools and tech that engineers want to use. They're contributed by folks like Google, Facebook, Ws, oh two, HashiCorp, Sysdig. And as I said, dev first: they want to be using these tools.
So let's give 'em the opportunity to do so and help automate a lot of these processes quickly.
I just wanna say zero trust. I know a lot of you are working on it, but how do you apply it to this environment? And this is where things like identity professionals are getting more and more excitement around their role, because in this new world of microservices, applications no longer have that network security IP model. It's all about what identities can we provide to a container, to a serverless function, to a VM, and then have it operate uniformly across all of them.
Here are some promising projects: SPIFFE, SPIRE, Open Policy Agent and ORY Oathkeeper. We're keeping a big eye on this. I think everybody else should be looking at it as well. Some considerations going forward: the dev first role means, one, for employers, you know, focus on that developer experience so that they can have the tools necessary to do their job, but also see what you can build internally leveraging the application development resources, and then also for vendors, build a lot of your tools as open source and then sell 'em to the developer community.
Second, say yes to the cloud; you can help usher this in. Third is incidents will occur, so utilize these SRE best practices so that you can reduce that mean time to resolution. So with that, I'll be around all conference. I'd love to speak with anybody. So thanks again for having me.
Thank you, Kelly, but maybe thank you.
Maybe one question, short answer, a very concise answer. Where do you spend the money? So what would be the number one thing to spend the money? Probably it's not Google, it's not as a VC multi-cloud, which was hype a couple of years ago. So where do you spend the money?
So where we're spending a lot of our... concise, yeah. Where we're spending our time is the idea that it shouldn't be built-on security. You shouldn't have to build a new firewall in order to secure containers, right? It should be built-in security.
So things like Syal, HashiCorp, Banyan Ops are these types of tools that are building security into the infrastructure itself.
Okay.
Thank you, Kelly.
Thank you.
And with that, we are.