A Zero Trust Leadership Podcast

Cybersecurity Has Hit a Brick Wall | Andrew Rubin
Season Four · Episode 7

Andrew Rubin, Founder & CEO of Illumio, joins The Segment for a candid conversation about the next phase of AI-driven cybersecurity risk.

Transcript

Tue, May 05, 2026 12:34PM • 49:18

Raghu N  00:00

Welcome back to another episode of The Segment, and we've been looking to tee this one up for a long time, and it looks like all the events came together a few weeks ago. So it's my absolute pleasure to have on The Segment for the first time, Illumio CEO and founder, Andrew Rubin. Andrew, welcome to The Segment.  

Andrew Rubin 00:22

Thanks so much for having me. Long overdue in both of our opinions.  

Raghu N  00:25

Absolutely, I should say it's, you know, it's nice when now and then our sponsors drop in to have a chat with us. So, so thanks for that. So we're going to discuss quite a few things and some highly topical things, but before that, you've been the CEO and founder of Illumio now going 13 years. And some might say that, like the reasons you founded the company, were all the reasons why the technology and what it delivers is so essential today. So why don't you take us on a sort of a bit of a background, the Illumio origin story, and how you determined that that was the right problem to look at solving.

Andrew Rubin  01:43

Yeah. I mean, for those that have been in and around the company for a long time, people have heard me say this many, many times, we've been segmenting networks for 40 or 50 years. There's actually nothing new about the idea of chopping up a network. The tooling that we used is where the open debate really occurs. In the beginning, we used subnet zones and VLANs on the network itself. Eventually, we figured out that firewalls were a tool that could be used to accomplish the job differently, but again, the same job. I think for us, the real inflection in the journey to segment a network started with virtualization, and obviously, you know, I bind cloud to that as well, originally private and eventually public. It wasn't so much that the problem of segmentation was new. It was the world that we had to segment changed so dramatically, and so taking, as many things did, taking the hardware and turning it into software, taking a concentrated problem and turning it into a distributed problem, there were all these thematics that seemed to be very appropriate, I'd say relevant architecturally. I think the two things that we probably had absolutely no understanding of, literally zero, and you could argue that as a result of that, we got them wrong, but it's more a lack of understanding than getting something right or wrong. I think the two things that we had no understanding of were, number one, how long it would take before the mainstream would recognize the need to do what we all now call segmentation. And number two, I think that we had no understanding of how much of a change in the entire operating model doing this in software would be from using what had been the network and the network controls for the 30 or 40 years prior. We thought it was just a different way of doing it, and it turns out it was a completely different operating model. And there's a lot to unpack there, but the origin story was not there's some new problem. It was there's a new world in which this problem exists, and somebody needs to rethink from a blank piece of paper, how should we go about solving the problem in a new world.

Raghu N  04:01

So you've spoken there about, like, as you were kind of on that journey, discovering that it wasn't, I mean, it wasn't a new problem that needed to be solved, but really, some of the things that sort of maybe got in the way of rapid adoption early on were the fundamental change in operating model that it was forcing, a rethink that it was forcing. So, given that you are in front of customers so often, what were some of those initial aha moments that you got with initial conversations with prospects, customers, potential partners that made you sort of rethink how you approach this?

Andrew Rubin  04:38

Yeah, I mean, I think the biggest one was really around, and now it seems so obvious, fast forward a decade later, but I think the biggest one was really around, getting out of thinking of everything as IP addresses and using these labels and this natural language taxonomy to write policy to be able to say, I want to separate development from production or IT from OT and not having to actually think about all of the IP addresses and the network tromboning that goes on underneath the covers to make that happen, getting people to think about writing the policy that they actually want their environment to behave in accordance with, and not having to think about or worry about how to write the individual IP-based rules underneath it. I mean, now you say this, and it just seems so stunningly obvious, and quite frankly, it seems almost normal. But when we first started talking to prospects, I can't call them customers, because we didn't even have a product yet. You know, a couple of years before we started shipping, we would go in and spend hours, in some cases, days, talking about this concept of a label and describing an application using its name, as opposed to the constituent members, the servers that made it up and the IP addresses that they talk to and over and so much of the early life of the company was just around that. And I guess maybe in hindsight, we should have recognized that that was going to force this enormous change in operating model. But in the beginning, we just said, but it seems so obvious and logical that this is the right way to do it. And you know, I think a lot of times what happens is, and this is not an Illumio comment specifically, it certainly is relevant. You know, the new vendor comes up with a new way to think about the problem, maybe even the bigger picture. 
And then there is that reconciliation of what might actually be a better answer, but with the actual real world that that better answer now has to enter and live in, and that reconciliation can be very hard. If you're talking about a world that's existed for decades and has been run a very specific way that long, even if it turns out the answer is the right one going forward, even if it turns out it's better, faster, cheaper, it can check every box, but it still has to reconcile itself to the real world.

Raghu N  07:04

Yeah, so just about reconciling to the real world. I'm sure there were times through that journey that you and the team thought, "Hey, folks, I think we've finally cracked it," and then said, "Oh, there's this one other thing we need to fix." And then again and again and again. Just any particular sort of memorable situations where that happened, where you thought you were just at that point where it's all clicked, and you figure out some other problem that you haven't solved yet?

Andrew Rubin  07:33

So first of all, to be clear, we had that moment like every third day, and none of them were real. You know, we would always come back from some meeting with a big bank in New York or London and go, Okay, we finally got it right, and then three days later, we'd say, No, we're just as lost as we were, you know, four days ago. I mean, I don't know if that's abnormal, but I can tell you that it happens all the time. I do think that, you know. And I remember we used to describe it as we're turning a set of knobs in front of us. And the problem that we were having was we would turn one knob and get it to a place where we thought it was right, and maybe that would unlock the entire answer. But it turns out that there were 100 other knobs in front of us, and we had turned three of them and thought that got all 101 in alignment, but it turns out, no, it just got two out of the three, and then it knocked another 30 of them out of alignment. And if you could sort of picture that visual, that's how it felt all the time, and it felt that way for years. It's not to say that you're not making progress. It's not to say one step forward, three steps back every time. But there were a lot of one step forward, three step back days. I think the biggest thing if there was, it wasn't a moment, but if there was sort of a realization. And again, it's one of those things that, in hindsight, it seems so sort of stunningly obvious. We all know the old expression that the enemy of a good or great plan is a perfect plan.

Andrew Rubin  09:02

In other words, the two things that are 100% certain about a perfect plan are, number one, you'll never develop it, and number two, you'll never achieve it, because perfect doesn't exist. And I do think that early on and for probably too long, we tried to espouse perfection, and customers believed that perfection and segmentation was the right security answer. And eventually everybody sort of got to a place where we recognize this is about risk reduction. So if I have a wide open, completely flat network, and all I do is separate development and production, break apart a few environments, close some very risky ports, shut off some services that don't need to be there and are pervasively open on thousands or tens of thousands of servers, it may not be perfect segmentation, but I have a lot less risk after doing those things than I did before. And once that started to become the mantra, I think it unlocked a lot of good outcomes that everybody had avoided in search of perfection. That's probably the biggest aha that has happened over the entire time.

Raghu N  10:12

Essentially, on one side, you had a vendor that was Illumio looking to deliver a perfect solution, and on the other side, you've essentially got the self-fulfilling prophecy, where you've got the customer expecting that a perfect solution exists, that it sort of just drives itself to sort of getting sucked into this vacuum of perfection. So what do you think? And I'm sure it's not just about the product or that realization about what the best operating model is. There have been market forces that have also essentially started to create tailwinds. What are some of the key defining moments, from a market forces perspective, that you feel have really created that shift in demand?

Andrew Rubin  10:55

Yeah, well, first of all, and there's, there's obviously, I think any question like that, there is sort of a pre-Mythos and a post-Mythos answer. Because I just think the last six weeks, so many people are now rethinking what cyber really means and what it's going to mean going forward. But let's talk about the pre answer, because that was really the world that we were living in as that all played out. I think number one, there was a realization that the technology should not be looked at through the lens of what is it capable of doing. It should be looked at through the lens of what is the value of deploying it. And I think that that's probably a generically true answer. Most tech has a set of capabilities that may go beyond what the real world is capable of absorbing. And if you look at it through the lens of what is every possible outcome the software can deliver, versus what are the problems I'm trying to solve, the value I'm trying to derive, the outcomes that I'm trying to get to, you actually look at it through a completely different lens. So ours was very simple. Our job is to reduce the risk of a catastrophic breach. We're going to have small breaches. We've had them forever. We're going to have them forever, and we're going to probably have a lot more of them, and that's before we talk about this sort of model driven world. Many of those breaches end up becoming catastrophes unnecessarily, because there's overexposed lateral movement, because once something's inside, it can move around a lot more freely and a lot wider than it otherwise should be able to. So once we focused on the outcome, which is reducing the risk of a catastrophic breach, the questions became super obvious from there. How do you do that? Reduce excessive lateral movement. Okay, does it matter which lateral movement? Well, it matters, but there is easy lateral movement to remove and there's hard lateral movement to remove.
So focus on the easy wins and the low hanging fruit first, and get that out of the way. And the playbooks that were developed against realizing that this was the right conversation. I think those playbooks, it's not an Illumio or any segmentation vendor that caused that. I think you're right. The market realized we need outcomes. We need to reduce risk. There was some helpful tailwind in the form of things like regulation with DORA over in Europe, and I think that the focus started to become much more on those outcomes. The clarity around why people do this became much clearer, and the need to deliver those outcomes faster. The pressure ratcheted up, and those market forces obviously have been increasing now for a few years. Things like DORA coming out, taking effect in January of last year, in '25, all that does is ratchet up the pressure to deliver real outcomes. And I personally believe it's incredibly healthy that all of this has happened. I think that getting people out of the art of the possible, as opposed to the reality of delivering and delivering real outcomes and risk reduction, it probably took way too long to get there for segmentation, and along the way, it probably inherited a bit of a bad reputation, because it was too hard and the outcomes took too long. But I think that narrative is changing, and has already started to change materially, and is changing quickly and aggressively in real time, and that's the market forcing it to happen. And then the question becomes, can the vendors and the customers actually respond to those forces and really refocus on the right set of deliverables with the right playbooks to get there faster.

Raghu N  14:46

So I like how you said, like, that often things can get derailed because you spend essentially too much time on a science experiment, the art of the possible. What could I do? It'd be great if I had x, y, z, for something that I may never end up using. You spoke about how the conversation turned into outcome focused, right, being able to truly measure and demonstrate value. Now, from my perspective, security in general has done, does a pretty poor job of quantitatively demonstrating value. There is a lot of talk around, oh, we'll improve your security in this way. We'll reduce the chance of attack, etc. Again, right, in your experience, how are you able to more positively communicate the value of what Illumio does, or maybe experience from customers about how they've really built in very accurate, quantitative measurements of value that allows them to then further accelerate the program?

Andrew Rubin  15:48

So there's a lot there. So let's start with the biggest picture and then narrow in. First of all, I would say that I agree, although I'd probably say it much more strongly. Security in general, has done an atrocious job of quantifying value. I mean, this is not an opinion. I'm a very big believer in math and data and analysis of that data to reach conclusions. We obviously all mix our gut and our experience into that analysis. But let's be clear, for the last decade, year over year, we have invested more in cybersecurity companies that would be the investment in starting companies and growing companies. We have, as a community, spent more building products, deploying products. Customers have bought more in number of tools and dollars spent, and the only numbers that grow faster than all of that investment are the number of breaches, the size of the breaches, the number of places they happen, and the total cost and economic impact of the destruction. So we can make an argument. Does that mean that every single thing we're doing is wrong? And the answer to that would be silly, of course, it's not, but it does mean that we're investing more and more money to get worse and worse outcomes, but we literally keep doing the exact same thing over and over again, and so it's not throw away the whole model. Everything we do is wrong and everything we do is bad. It's over a decade. That's a long enough horizon that we should be saying something we're doing isn't working and the problem is getting worse. So we either need to do one of three things, throw away the whole model. That probably seems like an overreaction, add something new to the model, because what we were doing in the past was necessary and sufficient, but is now still necessary but insufficient, or we need to somehow change the model itself. And I think it's probably a blend of number two and number three. 
Some of the things that we've been doing for a long time are probably no longer relevant in today's world, but we keep doing them just because we keep doing that, and then there are some things that we were never doing in the past that we probably need to now start doing. I think the focus on resilience is a perfect example. We've had a cyber construct that's been predicated on stopping threats for 50 years. We do stop threats, a lot of them. We don't stop all of them, but when we miss, the cost of missing now is dramatically higher than it was 10 years ago. So we should probably focus on what happens when we miss, and I think things like DORA are starting to call that out. So I do think that it's more nuanced than just does a security control work, yes or no. There's the amount that it works or the efficacy of it as well, and we don't measure that. I think that we're moving into a world where the cost of missing and the frequency with which we miss is going up faster than we can get away with no longer measuring outcomes. So I do think that things that are easier to measure, like when we have a breach, how much economic impact does it have? How long are we down? How much does it cost us to recover from that breach? You think about, you know, somebody in your neighborhood, like M&S last year, where they quantified it all the way down to the impact that it had on their earnings for the year. It's hard to deny, if you project to the stock market, that you're going to earn 350 million pounds in profit, and then at the end of the year you report 3 million pounds in profit, somebody's going to ask the question, where did the 347 million pounds of profit go? And the answer is that's what happens when you're offline for months instead of hours. And so my point is that we're going to have to quantify these things, because we're going to get forced into it. And again, I think it's painful.
I think the numbers are going to show a lot of pain that somehow hasn't been exposed up until now. But ultimately, I think it's healthy, because this is a business risk. This is a cost of doing business in a highly connected, 100% technology driven world. So to ignore it and not deal with it is sort of at your own peril, and I think that's where we're moving to, and we're already seeing that happen.

Raghu N  20:17

So you describe sort of a model that needs maybe two or three areas where it needs to be fundamentally fixed. So I just noticed your background that you've got. So would you say cybersecurity has hit a brick wall, or would you say cybersecurity is fundamentally broken and is actually moving backwards in terms of our state versus where we need to be?

Andrew Rubin  20:38

Well, so the brick wall is super appropriate, because you could probably interpret it in a few ways. One is, we've hit a brick wall. You can't keep spending more and more money every year and have the cost of the problem that you claim to be solving go up more and more every year faster than the amount of money you're investing. That is the definition of insanity in the most perfect form, doing the same thing over and over again and expecting a different or better outcome. So yes, I'd argue we hit a brick wall. The second way to look at the brick wall is, the brick wall is not really a brick wall. There's actually lots of holes in the brick wall, which is why we think building brick walls keeps the problem out. But obviously it doesn't. We have the data to prove it. The third one you could argue is that we believe that we've had this brick wall in place, but it's obvious even before a model driven world that we have figured out how to hop over the brick wall, how to go around the brick wall, how to find the holes in the brick wall. And then we could talk about what happens when you put all this in the hands of a model instead of a bunch of human attackers, and how much more efficiently and how much faster the models are going to make the brick wall totally irrelevant.

Raghu N  21:50

I like where you took the brick wall analogy. I didn't think you'd expand it that much. But nice one. We're going to talk about sort of what you're alluding to in a second. So, um, at RSAC this year, you hosted this fantastic panel, the hard truths panel, with some real luminaries from across the industry. So and this particular aspect that I want to talk about, but what was your kind of key takeaway from that panel? And by the way, we'll put the YouTube link in the show notes. Everyone should go and check it out. So what was your key takeaway, Andrew?

Andrew Rubin  22:26

Yeah, two things. The first one, in all seriousness, was of the panelists, two of them I know well, and two of them I had only recently met, and having them up on stage together, my first takeaway was I was blown away by the depth of experience and the diversity of experience amongst the four of them. And if you watch even five minutes of the video and don't focus on me or anything I said, they are four remarkable individuals who have a very interesting set of experiences. And so for me, sitting up there, in all honesty, that was my first takeaway. I was like, wow, CIO of the White House and the CISO who had to live through SolarWinds, side by side, you're talking about some really interesting perspectives. That was really, honestly, my first takeaway. My second takeaway was the consistency of concern that all four of them had about the world that we're about to enter, and I know that we'll get to sort of Mythos/models, so I'm not trying to drag us there prematurely, but that was my second takeaway, was we are about to break the entirety of the operating model of how we've existed for the last 40 or 50 years. And to say it bluntly, we're ill-prepared for it. I think that we recognize that we've been kicking a can that has gotten bigger and bigger down a road that has gotten way too long, and not to drag the brick wall back in, but that can is about to hit a giant brick wall, and I think that the panelists all recognize, from different perspectives, that we are not ready for what is about to happen to us. And unfortunately, time is not on our side. The historical operating model and the DNA of the cybersecurity industry is not on our side, and we're not going to have a choice. We're going to have to reconcile all this and probably do it faster than we're prepared for. And so I just thought that that was sort of woven into everything that we talked about for the entire hour that we were up there.

Raghu N  24:38

Yeah, absolutely. In fact, regarding sort of Mythos, we're going to come to that. There's a great quote from Sherrod DeGrippo, who was one of the panelists, that kind of, in a way, almost predicts that. But we'll come on to that in a second. So you mentioned Tim Brown, CISO, SolarWinds, and this is the quote from listening in on the panel that I really picked up on, that he shared. And this is, of course, relating to the compromise of SolarWinds and their entire CI/CD pipeline: "Was the risk raised to the board as an extinction level event? Yes. Was I prepared for a nation-state attack? No, and that was known from a business perspective, we were spending appropriately for the business we thought we were protecting." So in there, the likelihood of being targeted was, their perspective was, zero, even though the potential impact was significant, and they hadn't really planned for it. Like, how did you react when you heard that?

Andrew Rubin  25:34

So I agree the quote was very, very profound in terms of getting a real insight into what it was like to be sitting in that chair. I thought about it a little bit differently, not in terms of having a different interpretation of the problem space, but in terms of how he and the board were processing the risk. What he said, in my mind, was that they knew the risk to the business of an extinction level event. They understood that something terrible could happen. Their risk assessment was it would require something like a nation state attack in order for that event to take place, and they had no reason to assume that they would be the target of that type of attack. So it wasn't a lack of understanding of what could happen. It was actually a risk cost analysis of it would require a nation state. We understand that if a nation state attacks us with that level of sophistication, it could be an extinction level event, but we have no reason to assume that a nation state would ever attack us, and we can debate whether that analysis was right or wrong at the time, but history proves that it was wrong, in other words, that they were attacked because of their connectivity and the estate that they allowed a sophisticated attacker to then move through. And so the question then becomes, are we living in a world where the analysis that we've all done about our risk is no longer valid, and that is an unbelievably difficult question to answer, because Tim was right that to spend at the level that it would have required to defend continuously against what obviously would be deemed tail risk, right up until the moment that unfortunately it's not tail risk, the spend would have been considered obscene, except and until you believe that that existential risk is now real, and the question is whether or not we all have to rerate our entire playbook.
And I don't have a good answer for that, for the SolarWinds board, any better than I would for anybody else, but we now know that that event that you discount to zero is really not discountable to zero any longer.

Raghu N  28:21

So just bringing that home to sort of Illumio, if we're able to talk about this, that with Illumio protecting some of the world's largest and most important organizations, how do you think about Illumio as part of that wider supply chain for your customers, for our customers?

Andrew Rubin  28:39

Well, first of all, I think that every single vendor has to also think about that new risk analysis the same way that SolarWinds obviously did the day after the event took place. We've seen a number of vendors obviously deal with their own breaches, which impacts both the organization. So you think about SolarWinds. We think about Collins in the aerospace industry. We think about F5, obviously, in the network and network security industry. These vendors have dealt with their own breaches, and obviously there's then the impact on their customers because of the products that they build and supply and sell. So there's no doubt about it that the cybersecurity and technology industry is not only not off the hook on this, we're squarely in the center of it, and the more critical you are to your customer base, the more strategic your technology, or your security technology is, the more you should realize that the target on your back is as big or bigger than the target on everybody else's back. There's just no getting out from that anymore. So obviously, at Illumio, like I'm sure, all of the vendors, we're thinking about this every day, and we're thinking about it more now than we were a week ago, a month ago, and certainly we're thinking about what all this means in a model driven world, as opposed to a human-only driven world. So I think we have to acknowledge that we're not going to have perfect answers. And I don't mean Illumio, I mean the industry as a whole. Anybody who thinks that the cybersecurity vendors by definition are somehow going to have a better set of answers than everybody else. We're certainly going to be more in tune to it than many other industries. We're certainly going to be more paranoid about it than many other industries. But we're not going to have some magic wand that other industries don't have. We're going to have to work to defend ourselves.
We're going to have to work to figure out how to use our own products and our, I'll say, industry products in order to defend ourselves, and therefore the things that we build and sell to our customers. So yes, we're more in tune to it. No, we don't have any magic wands. I think we have to start by acknowledging that. I do think that one of the things that is now coming up more and more, and I think that recognizing it is important, I'm not sure that we necessarily have a good set of answers for it yet, is the amount of inherited risk and the amount of connected risk and derivative risk in the world is far more than most people have thought about, let alone contemplated what to do about it. The truth of the matter is that SolarWinds as an example, and Tim said this on stage, the reason that they didn't think about the level of attack that they ended up sustaining was because as a singular company, it's hard to imagine that they would be perceived as important enough. But when you immediately understand the connectivity they had and who they had it to, it actually becomes stunningly obvious why they would be a target. The truth of the matter is that was not a SolarWinds only problem. Almost everybody operates in a fully connected, highly SaaS driven, highly connected way, and it's only going up every single day, and we have so much connected, inherited derivative risk in the world, untangling how all that daisy chains together is almost impossible. And the truth is, we can build as many brick walls as we want, but we have to create so many holes in so many of those walls that the walls look more like Swiss cheese than they do brick walls. And so I just think that acknowledging that is going to be part of the go forward model.

Raghu N  32:42

Yeah, absolutely, absolutely. Okay. You've kind of dropped in, like, AI models, Mythos, et cetera, a few times in the conversation. So here's a quote from Sherrod DeGrippo, GM of global threat intelligence at Microsoft, again, from the panel. And this was a few weeks before the whole Anthropic Mythos announcement: "I believe we will see the advent very soon of the unicorn threat actor, an apex level threat actor that has incredible capability, incredible reach, incredible automation and persistence with one human." React.

Andrew Rubin  33:15

Yeah, so agree with the quote entirely. That's my initial reaction, and I'll frame it the way that I think about it and I think my frame and that quote will be perfectly aligned. So cyber security life to date has been really a math equation, and we all know that there's this famous quote that every cyber practitioner loves to use. CISOs, everybody, doesn't matter what your role is. Everybody in cyber, all practitioners love to talk about this quote, use this quote. The attacker only has to be right once; the defender has to be right 100% of the time. 100% versus once. So if that's a math equation, you would make the argument that those odds are obviously horrifically bad for the defender community by definition, if we have to be right 100% of the time, and the attacker only has to find one hole and get it right one time. Those are, from a mathematical perspective, horrifically bad odds for the defender. So there is sort of a really super obvious question that's buried inside of that, which is, why has the world not come to an end multiple times already? And the answer is, because, even though the odds stink, the fight has actually been a relatively fair fight over the last 40 or 50 years. Vulnerabilities are found by human attackers. Vulnerabilities are exploited by human attackers. Exploitation is actually harder than it sounds. Humans have to build the tools to exploit. They have to hide those tools. They have to get inside and move around, and they have to do it in a human-driven model. And the defenders have their own tools that are human driven and human utilized, but it's been person against person, and generally speaking, the playing field has been relatively level. That's sort of cyber life to date. But Chong, over time, on both sides, got better, but it's still a person sitting there driving the defense and a person sitting there driving the attack. What does the model do?
Whether it's Mythos or whatever the model is, six hours, six days, six months, six years down the road, the point is not the name of the model or the frontier model company driving it. The point is that the model does something that's never been done before. It finds the vulnerabilities at machine speed and at a scale that no human driven motion could ever find. And we know that already. That's the reason why Mythos both exists and why it hasn't been released, because the risk of the model being out in the wild. And this is not my perspective, Illumio’s perspective, this is what we're reading every day. The decision and the determination has been made that the risk of the model being out in the wild is so steep and severe that they can't release. So we know that the model is going to find not a few more vulnerabilities, not a few really old vulnerabilities, but some version of every vulnerability. And whether it's literally every vulnerability or not, doesn't matter. The number is going to be so much, dramatically higher, bigger and more scaled than anything we've ever been able to do in the last 50 years, that we literally can't release the model. So when we change the math and we make the world asymmetric, which is now, we don't have to worry about a few holes in the wall. We have to worry about thousands, tens of thousands, hundreds of thousands of holes, and we have to worry about all of them being exposed at once, at machine speed. We do not have an equivalent operating model to defend in that asymmetric world. And I want to point out something that is incredibly important. Somebody said to me last week, yeah, no argument there, because the data tells that story. If the model wasn't such a big problem, it would be released. But the same model that's going to find all these vulnerabilities and likely can create the exploits to take advantage of them, it should absolutely be able to build the patches that will plug all these new holes.
And when I heard that, I realized that there's an enormous problem that people, for some reason, don't recognize. Why I say that this is now asymmetric. So I'm going to use an analogy that I've been using now for literally about a week to try and remind everybody why developing a patch doesn't actually solve the problem. Because I think too many people are walking around with this very misconceived notion that when you develop a patch, the problem is now solved. So here's one that I think will hit home, and you don't need to understand anything about software, operating systems or cybersecurity to understand why. In March of 2020, we all woke up and we were told that we have a very big problem that the world had not had in about 100 years, and for most of us, we've never had this problem before. The problem was called COVID. And from that moment, the only question that all of us asked was, how fast can they develop an effective vaccine that would allow us to first get this problem under control, and secondly, to solve the problem? I want to remind everybody, whether you believe in the efficacy of the vaccines or which one was good and bad, don't focus on that just for a moment. Remember that we all decided that at some level we needed to control the problem, and the decision was made that a vaccine was going to be part of that answer for many people, developing the vaccine was super difficult, and we went faster than we ever did, but the day that we decided that a vaccine was now available, that wasn't the end of the problem. We then had to figure out how to manufacture a few billion doses and how to distribute the vaccine. Please, remember that developing a patch is the equivalent of coming up with the vaccine. You then have to go patch the billions of things that run everything on planet Earth. And by the way, some of those things you can't patch without rebooting, and some of those things, you can't reboot. The problem here is that the math goes asymmetric.
Not because we can't figure out how to come up with patches. It's because we then have to figure out how to patch every hole on every system on planet Earth. And the size and scale of that problem is unlike anything that we've ever confronted. That's the thing that I think most people are starting to realize very quickly, it becomes an asymmetric math equation unlike anything we've ever thought about.

Raghu N  40:54

Yeah, absolutely. I think that that analogy, analogy is right, right on point. And the thing I'd add is, is that again, coming out of RSAC, what I, what I heard consistently, is coupled with the excitement about the use of AI to improve and enhance security products, there was also the general consensus that the majority of organizations wanted to keep a human in that decision making loop. Now when I, when I think about that, even all this promise about automated patching, etc., if you want to keep the human in the loop, you are never addressing the asymmetry. So like, as you said, all of these things, developing the patch is just the first step. Actually operationalizing it, rolling out at scale, etc., is kind of really where what is the hard problem. So how do we, over time, reduce that asymmetry, if at all?

Andrew Rubin  41:46

Listen, Raghu, we're five or six weeks out since the world learned that this capability exists. I think I can say many of us feel like, fortunately, we're not yet in a world where this problem yet exists because I don't believe that we're ready, and I think the question you asked is the right one, and I don't think that anybody necessarily has an answer yet. You know, somebody said to me, and I think that it's being recognized as maybe a closer equivalent, but, but nonetheless, another very valid answer. We spent three years getting ready for one problem and patching one hole, and that one hole was called Y2K. 26 years ago, we spent three years essentially getting ready for one hole, and it still took three years, and most people will say we kind of barely made it. Right now, fortunately, it turns out that that hole wasn't as severe as we all imagined it might be, but we didn't know that, so we had to treat it as the potential, sort of shut off the light scenario, and we had years to get ready for it. And think about the scramble that went on inside of places like these large banks and these government agencies, where really critical infrastructure that truly makes the world go round runs every day. What happens if tomorrow we have to patch hundreds of thousands of holes? And it's not about the rollers going to 00, it's about people who want to do harm and bad taking advantage of those holes. So I think the answer is, we all know that something pretty big has got to change, because the math is going to be asymmetric. But I also think we learned about this five or six weeks ago, and the answer is, we don't have an operating model redeveloped yet.
You know, I was talking to the CISO of a very large, what's called G-SIB, globally systemically important bank yesterday, and we were sort of joking, you know, trying to bring a little bit of levity to this, that the days of 12-month RFPs and 12-month POCs are likely going to have to come to an end when the CISO realizes they've got a giant hole in their estate somewhere, and they've got a day to figure out how to plug it. You're not going to have two years to run a paper RFP exercise and a POC and a layout. So when I say that this is sort of a reconciliation that is going to force us to rethink a lot more than just what are the bricks in the wall, I think that we are probably going to have to rethink the way that we operate top to bottom. And so I don't think anybody has that playbook developed yet, and I'm not surprised. But I also think that as the world is moving faster and faster, we're going to have to be comfortable being uncomfortable a lot faster than we have been in the past.

Raghu N  44:47

And what do you see as Illumio's role in this new playbook, in this new architecture that organizations may be looking to adopt?  

Andrew Rubin  44:56

So I think the number one thing that is going to change is that the focus on resilience is going to go through the roof, because, again, I'm a very big believer in math and data as the primary starter of a conversation. You blend in your gut, your experience, your history, you blend all these other things in as you learn more over time. But you can't use your gut to override what the data and the math are telling you. If mathematically, we're going to have more discovered vulnerabilities, tools that allow us to have more powerful and faster exploitation of them, it is a mathematical certainty that we're going to have more breaches. It just the math says that. The history already tells us that, and this is just all those things going up at scale faster. So one of the things that you have to assume is, if you don't believe that this is the end of the world, and I don't, and I hope nobody else does, what you do have to believe is that we're going to have more incidents. We're going to have more breaches, and therefore recovering from them smaller and faster is going to become part of that playbook. That's how we break this insane cycle of just spend more to stop everything, but miss more and have it cost more to have it happen. And I think that where Illumio plays in, it's literally the mission of the company, the tagline of the company. And I would argue, even outside of Illumio, it's the mission of the technology that we developed. Segmentation is all about finding breaches, slowing down the spread of them, containing them to smaller pockets of the environment and therefore increasing resiliency. That's the purpose of the technology, that's our mission. And I think that the model driven world just makes that value proposition much higher and the need for that control a heck of a lot more important.

Raghu N  46:45

Awesome. No, I think, like, yeah, I think a perfect encapsulation. Okay, to wrap up a quick, rapid-fire round. So I've done this with, in fact, many of CISOs who are your customers, so let's see what you say. All right, best, in your opinion, the best technical lever for risk reduction.

Andrew Rubin  47:10

One.

Raghu N  47:11

Just one, yeah.

Andrew Rubin  47:14

Better understanding and observability of the network.

Raghu N  47:18

Okay, most overrated security promise.

Andrew Rubin  47:23

That ranking vulnerabilities in the model driven world is somehow going to allow us to feel safe, because we already know that daisy chaining is a capability that's coming at us, and you can take a bunch of low level vulnerabilities and string them together and turn them into an incredibly severe vulnerability. Ranking of vulnerabilities is going to become almost utterly useless.

Raghu N  47:46

The most underrated capability in a modern security program.

Andrew Rubin  47:51

Segmentation. And you can argue that I'm saying it because of Illumio, but I actually believe that the network in a model driven world is going to become one of the few reliable backstops, and we need to chop them up one way or another, so use Illumio or use other tooling but chop the network up so you're less exposed.

Raghu N  48:12

Awesome. Last question, maybe this is something for your own team. One thing you'd ban from vendor security PowerPoint, forever?

Andrew Rubin  48:25

That's a really good one. The promise that you can be safe all the time. Any version of that comment, that slide, I would strike it out immediately. I think that there was a long time where you gained credibility from having it in your deck. I think it's the number one way to lose credibility in front of a customer or prospect in 2026 and whatever the number is after the credibility goes to zero. When it gets worse, that's where it's going in a model driven world.

Raghu N  48:59

Well, Andrew, thank you so much. I can't believe it's taken us till season four to get you on the podcast, but we have to wait for the right moment. I think this is absolutely it. Thank you so much for your time, and again, thank you for the sponsorship of The Segment.

Andrew Rubin  49:12

Pleasure to be here. Thanks for having me.

Raghu N  49:14

Thank you, Andrew.