The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

6. Prakash Darji, General Manager of Digital Experience at Pure Storage: The Next Frontier of Storage and Security

Welcome to the Security Podcast of Silicon Valley. I'm here today with a special guest from Pure Storage, Prakash Darji, the General Manager of Digital Experience there at Pure Storage. Thank you so much for joining me. John, thanks for having me.

Just to give our listeners a little bit of background, before Pure Storage, you had spent some time with SAP as their SVP and General Manager of Platform as a Service, and at SAP as a Senior Director of Product Management Business Object Planning and Consolidations, as a Senior Architect, coming up through the engineering ranks, I see, and lots of senior roles and consulting before that, and you studied computer science at University of Illinois. Very nice. Yeah, so look, I had a pretty fun background, but I tend to like to think that, you know, I worked my way from kind of applications to, you know, technology to cloud platforms. That's kind of how, and now I'm in infrastructure, right?

So I worked kind of my way down stack, not up stack. And the challenges in each one of those things are very, very different. So, you know, when we were building a cloud platform, for example, and someone's got their back office ERP system and they want to build a mobile application for order approval. Well, you probably want to use cloud application development techniques or platform as a service techniques, but all the data is sitting on-prem.

So, you know, I think I've always had this view of hybrid not being location-centric, but being application and data-centric, right? So, and there are a lot of security challenges that kind of come from those, that view of the world saying, you know what, residency comes from data and applications, not from, am I hosting it on Amazon or Azure? So what have been some of the biggest data security challenges that you've seen? Well, the first thing is how you have to approach the real estate.

So in an application development world, if you've got 10 applications or 50 data sets on-premise and you want to build like a consumer application or a consumer front-end in the cloud, right? Point to point is shitty. Why would you do that? You know what I mean?

Like you need one gateway on-premise where you can have your trusted certificates, bi-directional connections, you know, you need to streamline the connection ports because in an enterprise, things are complicated, right? So how do you deal with network security? How do you deal with certificate management? How do you deal with role-based access controls?

How do you deal with that in this distributed environment where you have lots of applications, lots of data, but one app on the front end that's consumer-centric, right? For example, what if I wanted to build an application called the sales rep application? And think about everything a sales rep needs to do their job. That could be create an opportunity in a Salesforce system, but it could be log a vacation request in Workday, right?

It could be, let me check my compensation in my NetSuite billing system, right? Or my SAP ERP system. Yep, yep. But do you want to have the mobile app sprawl where you have the sales rep have 50 different apps on their phone to do their job?

Or would you just like a, you know, as a sales rep, would you just like a sales rep app, like app? And you could do all your tasks, organize, you got one place to go, dude. The problem with these phones is you've got so many different fricking apps. I spent just a ton of time scrolling.

It's like the crappiest experience. Yeah. Then think about securing that landscape, right? It's just nuts the way the world works today.

Well, I mean, at least on a device, we have the separation between, you know, the apps are not talking to each other unless they're explicitly like collaborating, but the isolation. For example, if that isolation makes for a shitty user experience. Does it? I mean, I'm with you that the shitty user experience, you have to swipe, swipe, swipe, and you have to look at, look through everything and like, oh, where did that app just go?

I just searched for these apps. I don't know. But honestly, like, let's say you have a customer meeting in your Salesforce CRM system and you want to be your Workday app and log the vacation. Wouldn't it be nice if those apps could collaborate and actually change your meetings?

That would be nice. In fact, that drives me crazy. But mobile app isolation creates a worse experience for the sales rep, right? Security here is being used to destroy productivity, right?

Well, I mean, if you get the right integrations and you know what calendar you want to use, like you could, you could bake that in, but you're right. That takes work and takes effort and then it's not going to work across all of the different calendar apps that everyone might be using. Well, so again, that's when you think about these persona-based applications, right? The world hasn't moved there yet.

This is more of a future thing. Applications aren't persona-centric yet. They're horizontal or they're vertical. It's like, here's your genomics app.

Here's your health app. Here's your banking app. Or it's like, here's your HR app. Here's your Salesforce app.

It's horizontal or vertical. There is going to be a new economy of persona-based applications in the future. Once application development, platforms as a service, are making application development cheap enough where you should be able to get a Prakash app. And if you could build it based on data science and discovery of the apps I use, like, you know, if you really solve the security challenges in the right way, where you could discover my thing and the machine generate the Prakash app and secure the pathways in terms of how you're discovering it, what the personally identifiable information is, what the kind of connections are, and work that back, right?

Like right now, we think about single sign-on as great, but every time I get that pop-up to renew my token, I get irritated. So irritated, right? I agree 100%. Like interruptions to the flow to my day are not welcome.

I know that they mean well, that it's there for a security check, make sure, oh, let's see if Prakash is still in control of the device or the phone or whatever. Maybe there's some compliance reason. Someone had a SOC 2 report, SOC 2 Type 2 that had to be pushed through and you needed to have another check every three days or every seven days or whatever it is. Yes, but like, look, are there smarter ways to do it, right?

Are there smart, like, for example, like, you know, let's switch gears a little bit. You talk about ransomware, right? Ransomware is the thing that's happening in the industry. Everyone knows it.

Ransomware is scary. Yep, it's very scary. It's scary, right? You see it and like, it's amazing still how many people aren't even paying attention to it, but it's happening in spades.

Now it's happening for one reason, because we've made black money really easy. The whole crypto industry has made black money really easy. So the easiest way to solve ransomware, right, like prior to crypto, you needed to be really smart with your paper trail to have the offshore bank account in the Cayman Islands and cover your trail. And there's a whole cottage industry that made it not available to the masses.

Now crypto has made it so easy to hide black money, which is allowing for ransomware. Well, I mean, maybe, maybe you could make the case that we should actually be solving the security holes that are allowing for the ransomware to happen, not blame the economics that, or. . .

Well, look, we can look at it from two sides, right? You can either secure yourself and protect yourself by shutting down black money, right? And this is the China answer. Kill crypto, right?

We don't take crypto in this country because you don't take crypto, you don't, and like, if you just demolish crypto. If you want crypto, if you're using crypto, you're up to no good, huh? Yeah, that's it. You're evil if you're using crypto, right?

That's the China answer, right? Now, the good news is we have a case study on how that worked, right? India did that. And it wasn't crypto, it was pre-crypto.

But the case study was India said, there's so much black money with counterfeit bills that we're going to completely eliminate all the bills. So they sent an email overnight, not an email, a notification, went to public radio, public broadcast, saying all your money is no good. You have 30 days to trade it into the bank. Wow.

And it was a shit show. Like a colossal collapse of the economy, right? People were standing in lines. My money is no good.

Like the whole thing, right? They devalued paper, right? And so we have a case study that just attacking it that way didn't work. So then back to your point, you probably need to have a stronger security profile, right?

Right. Exactly. Exactly. And Pure Storage has a very strong security profile in that regard, right?

Like when you talk to storage folks about, you know, what does data security mean? Oftentimes they think about availability, backups, recoverability, access, these sorts of things, right? Well, so what's fascinating is how sophisticated some of the attacks have been. So historically, the thing was, okay, we created this new capability saying, let's have immutable data, right?

We have created safe modes here. Data is immutable. Right. So on your storage system, you can say, you know, you can set up policies saying your data is immutable for 30 days.

You can't delete it. Root access can't delete it. We're going to keep a copy of it, all of that good, right? So pay a little bit of a capacity penalty to keep some extra data around, but we do that very, very efficiently.

But then what if you have time, like now the attacks have gotten more sophisticated with time bound, right? Like time delayed. So if you introduce a time delayed attack where you start encrypting things slowly and you wait till 30 days. These are patches.

Sure. Right? Now you've completely messed up based on the retention policies of 30 days. Right.

I mean, if you're dwell time. How long does it stop? What if there's a five-year time delay? Right?

Like, where's the industry going in terms of sophistication in these things? Right? So the only way to start doing it is not just saying, I'm going to have this immutable protection, but you now need to start discovering when your data is encrypted, the encryption change rate, the data reduction change rate. Like, there's a lot of things built into the system that allow you to get smarter on the time-delayed approach.

And then when customers now have these ability to set policies, how do you change those policies? Right? Because part of your security posture is always changing what you do. It's constantly changing.

It's like you're changing your password. You leave it the same long enough, you know something's going to happen. The same thing applies with your protection policies. Right.

And then who can change them because someone could spoof changes. And if they could spoof changes and spoof users and do that, is it okay to say, hey, you need, you know, the nuclear reactor with two keys, right? You need this person to approve and then the other person to do it because then they can spoof two people. So then you've got to start getting into rotating random, you know, who could do it in the approval chain.

Right. Start eliminating the spoofing attacks, right? So we're just at the beginning of this ransomware journey and the hierarchy of how people need to think about it is a cost and a protect. There's a cost for your insurance.

So you should never say, am I secure? You should always say, how secure am I? Am I at level zero security, level one, level two, level three, level four? Like this is DEFCON security levels, right?

Like what level? And every level has an incremental cost in time or software or, you know, people or whatever, right? Experience. All of the above.

Yeah. Right. And what's the ROI on it? When's it worth it?

When's it not worth it is the question, right? So as I think about the security space, we're at the beginnings of the maturity level here, right? People are talking about, am I secure or not? Like it's so immature in terms of the maturity curve.

But my prediction is over the next 10 years, given where the world's going, this is going to be a very rapidly growing, very maturing market. Yeah, absolutely. I agree 100%. Every time I hear that question, am I secure?

Like the first thing that pops into my mind is, well, probably not. But, you know, the more sophisticated answer and the better answer is to make it specific. You have to ask the question, are you secure against who or what? Not just am I secure?

It's just like you're pissing in the wind if you ask that question. 100%. But how does an executive think about it, right? As an executive, I'm an executive, right?

I sign off on liability and risk on things I ship at Pure Storage. Yep. And for me, the way I think about that problem is I'm like, okay, how secure am I? And then am I willing to deal with the risk and the cost profile?

Like that's how I approach every problem. It's like how I buy an insurance policy for myself at home, right? I got two kids. Like they got to go to college.

Do I need term? Do I need universal? Like it's a very similar thought process, right? Sometimes there's financial mitigation.

Sometimes there's technical mitigation, right? Yep, or a bit of both. A bit of both. A bit of both.

But I can tell you, increasingly, the financial mitigation is becoming less important and the technology mitigation is becoming more important over time. Why is that? Like why is that shift? Because very successful companies, I would imagine, have like buckets of money that they can use to mitigate.

As you get bigger, right, and as your surface attack grows, your insurance premiums get too high. An ounce of prevention is worth a pound of remediation, right? Like it's. .

. I know exactly where that phrase is coming from. The CISO Andrew. Yeah, exactly.

You know, so that is the world that I think things are going to, right? So, I don't know. It's interesting. How about you, though, man?

Like you've been doing a bunch of different things. What's your prediction in terms of where the world's going? That is a great question. I think you're spot on in that we're very early on in this journey.

I look at data security in general out there on the internet and the conceptual model that I see out there that's operated is finders keepers. If it's in my cloud, it's mine. If it's on my device, it's mine. And people get a little bit weird when the data moves around and moves across different systems.

And we're starting to see the implications of that now with like Facebook and advertising and Google knowing pretty much everything. So there is a big question is like, can we change that basic conceptual model that's operating underneath the hood? Can you make it. .

. What about the whole Apple-Facebook thing? What's your prediction in terms of what's going on there and why? Like Apple versus Facebook?

I mean, it's. . . Like the whole Apple locking things down to screw Facebook's ad advertisers.

Like, is that a security thing? Is that a politics thing? Is that a marketing thing? That's privacy.

No, that's privacy, right? Like Apple exists. I mean, Apple's business model is very straightforward. They exist to sell devices and everything that they do is geared towards selling more devices.

And they occupy the space in the market that protects our privacy as consumers because we're the ones buying these devices. So as consumers, they want to speak to our values and privacy is absolutely a value. And so Facebook wanted to track everything and link everything together. And this gets back to your question earlier of like, could there just be a precaution?

And could that have everything that precaution would ever want to do, like with an app? Like, would it be able to log into Facebook? And then if Facebook has access to all of these other things, they're just going to take that data and use it to advertise to you. Literally modify your behavior.

They're going to try their damnedest to get you to buy that new pair of sneakers that will help you with the next round of deadlifts or whatever. Yeah, it's funny. What I found, I got two children, right? 11-year-old and an 8-year-old right now.

And it's amazing that we listen to YouTube a lot and they know a lot of the songs and the jingles and the targeted YouTube advertisements that come, right? And the other day, like, you know, I was like, my back hurt. My son's like, you should consider blah, blah, blah. That will help with your back, right?

Like, I'm like, how do you know that? He's like, I heard it in a commercial. So kids are super like, you know, he ignored the part where with all the side effects that they say super fast at the end, right? But like, what's fascinating is I had to explain to him that the entire concept of advertising is meant to brainwash you and is not fact-based.

Right, absolutely. So I'm like, how do you desensitize and educate yourself and desensitize yourself to marketing, right? This is like the only way to deal. Is that possible?

Is it possible? I think it is, right? Like I'm educating my children, like, is it fake news? It's an informative.

It's very informative. I'm educating them that, you know, not everything you see on TV or read on the internet is real. This is good. I think every parent should do this.

And you sound like a very good dad. Yeah, so some, and but part of it is this then, how do you get information in the modern era and how do you know it's accurate? Well, Google is certainly helping with that, but there's alternatives, right, to Google. There's DuckDuckGo, preserving our privacy.

And now there's all of these browsers that are coming out that are helping us enjoy the benefits of the internet without all of the trackers, like, sneaking up behind us. And so there's Brave out there. There's Puma browser, which is a newer one. Depending on which way it swings, would you rather have software for free that is tracking you and keep a close eye on you, or would you rather just pay for your piece of hardware and then enjoy a stronger sense of privacy?

We all get to make that choice. And when we buy an Apple phone versus a Google phone, we're actually voting with our money, like, which direction the future is going to go, right? It'll be super interesting, but either way, you need storage in the backend, like all of those security problems of once you have the data in the cloud, you're going to have to secure it. We're all going to have to solve those.

And even if you're running stuff in the cloud, you know, that's eventually going to hit some piece of hardware. You never escape that. Yeah, so the way, the way we think about it is you need layers, right? Like any security, right?

You have levels of layers. You need to protect the data kind of on array. You need to encrypt data in flight. You need protection policies to make duplicate copies.

You need, you know, ways to do that in a time bound. You need lower cost tiers for, you know, archival purposes. All of those things that are standard exist. But then there's the network security portion.

But if you wanted to SaaSify it, right, one of the things we're trying to do right now is SaaSify storage. So if you're as a service, let us run and operate it for you based on a cloud SaaS control plane called Tier 1, right? That's kind of one of our business initiatives. Yep.

So that means that we're going to be reaching into the walled garden of where your data sits and working on it. And, you know, that's a different security threat model. When you're doing threat modeling in there, right? It's a different game, right?

And that, that's the new trajectory that we're embarking on as a company. And so do you. . .

Find the certifications like SOC 2, Type 2, or FIPS, or Common Criteria. Do any of these things help melt away the security blockers that show up when you're trying to close large deals or large accounts on your new SaaS platform? You know, what's fascinating is having certifications doesn't mean you're secure, right? That's very true.

Having certifications gives someone comfort that you've tested, right? Like it's a process. A certification is a validation of your processes, exactly, right? It's not a validation that you're secure.

So it's operationally, you know, together. Yeah, exactly, right? You can pass a certification as long as you have strong operational processes. Right.

The way you need to secure is, you know, threat modeling. So you need to do threat modeling. You need to have people hack and try to find the goals. Do you know what I mean?

That's the only way. And the securest posture doesn't come from OS patching and like critical vulnerabilities and the way people think about the thing. It comes from reducing your surface real estate. That's right.

The number one way you can secure your product is reduce the surface real estate of your product. After that, you can deal with bugs and fixes and all of those things. It's a second order problem. The first order problem is just attack surface area.

The bigger your surface area, the more vulnerability you will have, right? So, and how do you think about this in a SaaS world? Well, you have to expose the smallest external surface area, right? For a pack.

And that means the way you think about the communication paths and the security has to use that lens first. And that's the approach that we're taking. No, that sounds spectacular. And it doesn't surprise me at all because Pure Storage is full of world-class engineers.

And so that it just so happens to be the case that that's how you would come up with the simplest possible system that fits the bill, right? We're talking about simplicity here. Yeah, 100%. Simple systems tend to have less bugs.

They tend to have less security vulnerabilities associated with them. They're easier to pass the certifications because there's less to test, right? All of that sounds like top-notch goals. That's the approach.

So every once in a while, though, you must bump into a customer or a potential customer and a deal is being drafted. And then you interact with the security team and that other company. And they ask for X, Y, and Z. Like, how do you know whether to, you know, prioritize X, Y, and Z or pass on it?

Do you just leave it up to the engineering teams and the sales teams to figure it out? Or as a GM, do you find that you have to make tough calls sometimes on situations like that? Well, look, I find that there are sophisticated environments and unsophisticated environments. And 98% of the time, people aren't as sophisticated as they seem to be.

So if you do the certifications and you produce documentation, right? You do the thing. Here's my 400-page SOC report. Here's my common criteria report.

Here's my FIPS report. You just bury the RFPs in a pound of paper. 98% of people go away and say you're secure. It has nothing to do with real security, right?

That's the unsophisticated human being. But most of the world is unsophisticated. So it's just covering liability. Yes, we did our due diligence.

Yes, they have the certifications. 100%. Check the boxes. Move forward.

So the challenge is, you know, the needle in the haystack problem. How do you find the sophisticated buyer? And the answer, like, when you find the 2%, you should welcome it because it's like, wow, this person might be smart enough to find a vulnerability in our project. Instead of paying hacker rank or, like, you know, paying people for pen testing and other things, you've now got someone who's going to do it for you for free.

Yep. That's brilliant. Like, as a GM, I'm like, this is the customer I want. Like, I'd be happy to have that because they're actually going to find things.

Like, there's no way to secure a product without real-world scenarios. And I love putting yourself in a position of learning from the customer and always striving to make the product better. Yeah. And to find it, you know, valuable to bump into the customer that actually cares and asks those sophisticated questions.

I love that. Yeah. So you recently acquired Portworx as a company. Pure Storage bought Portworx for, what, $370 million?

So Portworx was a company that was focused on storage as a service in the container space. I think they had, they brought with them a bunch of customers, a team of What, about 100 people, 120, in that neighborhood? Yeah, about that. So here they are.

They're now part of Pure Storage. When you go through an acquisition, there is some sense where you want them to keep their own autonomy. They've just been pouring their blood, sweat, and tears into this product and solving this one very specific problem. And they're being welcomed into this bigger group at Pure Storage.

But in terms of security, oftentimes, smaller companies will not have the operational effectiveness or maturity, as we were talking about earlier. Sometimes security gets thrown into that bucket. Has there been smooth sailing in that department with the, you know, balancing, let them keep their autonomy, but also bring them up in terms of the maturity level? Or maybe they came in already pretty operationally mature?

Yeah, you know, what I found is, the good news is we didn't get them too early in the cycle where, you know, they were the leader in their market segment with a fairly mature product, right? Excellent. Which is great. That's a great place to be in, right?

So the Portworx product provides that. There are things that are better together as a company. So one of the things we've prioritized was, you know, we have world-class support. You're famous for your world-class support.

Right? We've done it based on, you know, our usage in Pure One. So one of the things we've prioritized and, you know, now are shipping in Q2 is our container monitoring in Pure One, right? Based on Portworx, right?

So we've brought that together so you can get the same kind of troubleshooting, remediation, root cause, all the things that you need to look at in a container storage world the same way you put on a flash array or flash blade. So that allows us to bring the power of our support to bear without a lot of overhead on continuing to develop out, you know, the application development and container storage ecosystem. Right. Right?

So those types of things are things where you find a fairly good win-win. What's fascinating is this, right? It's not about the security posture of Portworx per se. Portworx actually is very, very mature.

But on the curve of surface area and real estate, when you take a look at Kubernetes and the open source ecosystem and the distributions and the projects that exist across that wide ecosystem, like, holy crap, is that a large surface area of source code and repositories and plugins to, like, secure. It's incredible. Yes. It's incredible.

Like the amount of work. Overwhelming, perhaps, even. There's going to be entire companies that come up in the industry around, you know, Kubernetes security just because it's a large surface area, right? And it's like any early stage open source project.

It's got all the trappings and the makings. Like, Linux was like that in the early days of, like, what's in the package? What's going into the consolidated open source ecosystem? What's not?

Like, it's so distributed right now and it's developing at such a fast pace that the surface area is very large. Awesome. Well, I have no doubt that we're going to see some companies pop up around Kubernetes security. I'm sure that they're already starting to come into existence.

Yeah, I've seen a few startups that are doing, actually, interestingly enough, they're using observability for security. They're like, look, the easiest way to secure it is build, like, a polygraph model based on data science of identifying things. They're like, you can't secure this real estate. It's impossible.

So they're like, let me go ahead and identify where, like, what the highest priority things to attack are, right? And they're building kind of threat models and different things with polygraph, more polymorphic graphic models, right, in a very data science-oriented way based on observability. So that's one. I've seen a set of companies start doing that in container security.

Nice. I imagine that we'll see more and more of that. Yeah. In terms of the target market, though, with Portworx now in the mix there at Pure Storage, is your long-term vision for Pure Storage to go after the SMB market or maybe you see that as already saturated or you want to go more enterprise, go after the bigger fish, close less deals, but more stickiness and more money per deal?

Look, I think it would be unfortunate if Pure Storage did anything but disrupt the entire industry and go for all of it. Go for all of it. Yeah, like, you know what I mean? Like, my viewpoint is, like, all of the stuff that I see from our competitors out there is terrible.

And we have this innovation, you know, like, Pure's major value as a company stems from the evergreen architecture where if you buy 500 terabytes of data, you're never paying for that ever again. That's not a financial program. That's not data migrations. That's like the major innovation.

So we're the only company that has reduced the GDP spend in storage. Right? You're eating your own market. 100%.

Self-cannibalism happening 100%. So with that, and no one else is doing that, with that, if you can't take the whole market, all price spans, all segments everywhere, we've got a problem, right? Like, I think it's strong enough as a value prop to go for world domination. Now, storage is sticky.

It's hard. It takes time. People don't like moving data. Containers are new.

There's a bunch of variables, but when you just boil it down to first principles, like this company has got a trajectory that's fairly large in a large market that you can go after, right? Now, if you follow cost curves of what's going on in storage, I think Wikibon said in about 2026, your cost model for per terabyte raw on SSDs will be cheaper than this. Okay? If you take a look at the disk market today, you get 18 and 20 terabyte disks.

And you know, it's kind of at the end of Moore's law. You might get to 24 to 30. This year, we've got a 24 terabyte and a 48 terabyte direct flash drive, like single SSD drive on QLC. And you could probably get to 144, right?

When PLC comes out, you might even be able to get to like a 1. 5 petabyte drive, like SSD drive. Like we're at the beginning of the technology curve, right? Now think about storing that much data on a single drive.

Like, and the cost per terabyte will be so low. Think about the amount of data you could store and access. That's going to happen in the next decade. That will be important for a lot of industries.

I'm thinking the AI industry, which is entirely data-based. Yes, today, more data gets generated and thrown away than stored. And it's only going to get stored when it's cost-effective enough to store it, right? Now, if you play that out and that happens, and let's say you have 1.

5 petabyte drives in the future, and you've got, you know, I don't know, 100 petabyte or, you know, 1, 000 petabyte systems. Yep. And based on your network bandwidth, you know, storage systems with a dual controller architecture, what, you get 10 to 50 gigabytes bandwidth, right? Like without the bandwidth, you could spend five to 10 years doing a data migration if you don't have a technology like Evergreen, right?

That's completely not viable. What's going to happen in the industry when the density goes that hard and network, like think networking bandwidth might go to one gig, 10 gig, whatever, but you're still bounded by your controller architectures and storage systems. Yep. It's not about the network, right?

So at that point, it all becomes about bandwidth to do data migrations on that size of data. Data is going to get so big you can't afford data migrations. And when that happens, you're going to have to rely on something like Evergreen. And who else has that?

That's the question. Well, I love that Pure Storage is continuing, you know, this disruptive and very aggressive approach to revolutionizing storage, right? Because Pure Storage was the first company to come up with essentially enterprise-grade flash storage, like all flash storage devices way back in the day. That's kind of what they were famous for and continuing this trend with under your leadership with that vision to enable a new generation of data and services based on that data.

Just maybe we won't have to throw away all that other data. That's the goal, right? You want to put data to work. Performance density and cost, man.

It comes down to that. That uncompromising ambition is just part of the culture there at Pure Storage, isn't it? Yep. Do you think that that culture, it plays a role in how Pure Storage also positions itself in terms of the intersection of culture and security?

You know, it's something I've been given a lot of thought to. What I would state is the security folks that you meet, there's kind of two or three types of people, right? It's a weird personality breed. There's the optimist.

I would characterize you as the optimist, right? You see the world through an optimistic lens, right? There's the pessimist that says that the world is falling and everyone's attacking everyone and everything, right? Very, very scary.

And then I think there's the person that kind of just looks at security as something that is mysterious, right? It's like one of those things. It's like, how do you define security? What does it smell like?

What does it look like? What are its attributes? I don't know, that's kind of a nebulous thing. It's like, what is the cloud?

What does it smell like? I love that. You know, I mean, like, what is the cloud? I don't know.

Is it a location? Is it a puffy thing? Is it a, like, you know, what is it? Like, you know what I mean?

Like, security is one of those topics that, like, most people kind of look at it like the mysterious thing. And it's like, it's kind of that black box over there. Someone's telling me I need to patch some bugs, so I do it. You know what I mean?

Like, there's no real clear definition of security. So it's hard to say what is the culture intersection of security because it's so mysterious. Like, most technologists don't understand it. I think most find it at least mildly amusing, if nothing else.

But yeah, they treat it as perhaps a black box. You get a bump into every once in a while. It can be interesting and fun and exciting. Yep.

And then you get folks like me who have built careers around it, hanging around with that black box. Yeah, that's why you're a unicorn, man. I appreciate that, Prakash. Well, hey, this has been a most entertaining and delightful discussion.

Thank you so much for coming on the Security Podcast of Silicon Valley. As Pure Storage progresses, and we'll have to bring you back on. Cool. Thanks.

Great talking. No, thank you.

‹ 7. Michael Brooks, vCISO and Director of Cyber Risk Services at Trava

5. Leigh Honeywell, Founder and CEO of Tall Poppy, The Human Side of Privacy and Security: Online Harassment and Abuse ›