Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Hello, everyone, and welcome to Cisco Security Virtual Summit with Secured to Build for the Future Webinar. I'm Mark Watts, your Webex producer today. In a moment, I'll turn the session over to Gio Tan, but first, I have a few housekeeping notes to cover. [Operator Instructions] With that, we are ready. So let's get started. In a few seconds, Gio, it shall yours.

[Operator Instructions]

Hi, everyone. Thank you for attending today's Cisco Security Virtual Summit Efficacy Above All. So this session has been pre-recorded ahead of time. So to ensure a good webinar experience. So in a few moments time, you'll hear from Cheuk Wong, CISO of Melbourne International Airport; Corien Vermaak, Director of Australia and New Zealand for Cybersecurity at Cisco; Bob Bragdon, CFO, Publisher Emeritus, former SVP and Managing Director, Worldwide for CSO; Frank Dickson, Group Vice President for Securities and Trust at IDC and Pam, who is the CISO adviser at Cisco. So this session has been recorded, so you can look forward to the recording post-event. And if you have any questions, please pop it in the Q&A tool. We will have people here to help respond to these questions as they come through. So Mark, if you can, could you just please play the playback.

Hello, everyone, and thank you for joining us today. I'm Bob Bragdon, publisher Emeritus of the CSO brand of Foundry. It's my great pleasure to be your guide as we dive into the issues around efficacy and information security environments today. As you'll learn, you're not alone if you have dozens, maybe even hundreds of security tools throughout your enterprise. We'll be discussing the challenges of managing that portfolio, from the risks that may be unknowingly exposing you to, to new ways to simplify your stack. But first, we'll set the stage by discussing what's top of mind for all security executives today, AI and GenAI. Frank Dickson from IDC is here with new research on how GenAI and AI impact the front landscape and also how they should be a part of your defense. Then we'll localize those trends by speaking with Cheuk Wong of Melbourne Airport. Finally, we'll discuss the complexity and efficacy issue in more detail with Cisco's, Pam Lindemoen, Frank Dickson and myself. So let's get started with Frank Dickson, Group Vice President for Security and Trusted research firm IDC to explore the threat and opportunity of AI.

Thanks, Bob, and thanks to everyone at Cisco for including me in this particular program. I want to talk to you a little bit today about AI. We'll talk about generative AI, we'll talk about predictive AI, and we'll talk about what all that means to CISO. I think it's important before we start. Let's define what we're talking about here a little bit in terms of artificial intelligence. As we and IDC look at artificial intelligence, we're looking at this as comprising a group of machine-based technologies that perceive and synthesize data to infer information and insight and create systems that learn, reason, adapt and its self-correct. I think it's important to define that as we look at this, artificial intelligence is not new. I realize GenAI is a really [indiscernible] want to talk about it. But we've been building upon this for a long time [Technical Difficulty]. We ask people thinking about your levels of investment AI. [Technical Difficulty] How are you going to invest these dollars? We've seen pretty a lot of things. 30% are looking to invest in generative AI. 33% are doing interpretive AI, the other 37% are doing predictive AI. So it's not like we're doing one thing, this mix is important. If you look at this sample globally. In fact, in the North America, we're much, much heavily more heavily focused on predictive AI, right? The one [indiscernible] requires an analyst, like let's face it. One of your big core challenges that you're all focused on is the people crisis. You can't find the people, you can't hire people, you can't keep them trained. And once you train and you can't pay them enough to keep them, right? Like generative AI puts that scarce resource right in the center. So a lot of folks, especially in North America, are focusing on needing more and more predictive AI. Now as we look at generative AI, we'll hit the topic of the day, what's your organization's approach? And sometimes, I think as we look at this and you as the CISOs have to deal with this, a lot of times as a result of the generative AI, we're very much ready-shoot-aim, right? Because if we look at what's going on, 25% aren't doing anything. Almost half are looking at some initial exploratory use cases and some are investing significantly. And of course, those numbers vary drastically. It seems like North America, we're the leaders. But as we look at AI, let's talk about some of the concerns, especially as it relates to generative AI. Jennifer Glenn, who is my data security analyst looked at this and asked, "How will data security impact your generative AI initiatives?" Once again, we hit this ready-shoot-aim kind of scenario. 5% says it's on an optical, 10% say they had it in the vicinity. 25% say we provide a little informal guidance. When we realistically look at it, 30% have published guidelines and are proactively enforcing compliance. This is a real threat vector. And why should we be concerned if we don't have enough guidelines. Why should we be concerned if we're not proactively enforcing things. Well, holy cow, this is the world of generative AI. It's chaos in terms of the number of new factors. There's a lot of folks looking to add value. And so as we look at this particular marketplace, we see the rush is firstly emphasizing on creating value. But we didn't necessarily focus on the security. So in all of these hundreds of vendors, if you look plain out there and lower corner, you'll see, oh there's exactly 5 cybersecurity managers, right? And so it's clearly an area where we're focused on adding value first and then looking at securing it later. But this is definitely a topic that you need to consider in having policies to make sure that we're implementing this thing properly and deliberately. But I can say, with great power comes great responsibility, right? Now you can either say Frank Dickson said that or maybe you can say Frank Dickson is quoting Spiderman. Whatever you want to do, both work. And so I think the first thing we've got to worry about it is kind of the hallucinations. Generative AI will draw conclusions. It doesn't mean they always draw the best conclusions, right? And it's noted when there's data missing, sometimes they'll fill in the missing with something that may not be necessarily true. And so that creating value requires context. And so we're seeing a lot of differentiation happening as it relates to the role of the analysts or as we're training these large language models, AI and ML will not now or likely ever be fully trustworthy. We can't always say, hey, like we know what the conclusions are going to be here, right? Additionally, on top of that, we talk about data security and privacy risks. Where does our data go? If I have a, let's say, a generative AI model and it's on premises, and that it's all within my boundaries, I know where that data goes. If I take my corporate data, put it in ChatGPT on a public internet site, like where did it go? And as we look at privacy risks, yes, the generative AI can create privacy risks by shared PII. And sometimes it can create risks. Like for example, if we take several pictures and put them together and then we use AI to create a biometric face mask that we use for authentication. Well, that's great. Except the state of Illinois says that having those 3 facial mask biometrics and you can't do that on miners. We've actually seen a court case that was brought that a company was in violation because they created unforeseen privacy risks. Input. Content aviation bias, AI is only as good at the data that was used to be trained on. If there's a bias in your core data, there's going to be a bias in your future set. We talk about the efficacy or the value of the seed set, like if the data in the seed set is not good. The model is not going to be good. And then sometimes we talk about what we call spoiling the milk, which is if we use AI to create conclusions, and we put those conclusions in our data models and then those conclusions become incorrect. Then we go, "Oh, oh. We just spoiled our data set, we spoiled the milk." And so as we look at this idea of getting value from AI, where do we go? Well, in my opinion, first of all, we need context. First context is we have to think artificial intelligence, it's not really particularly smart. Machine learning is great at illuminating patterns and AI is great at taking those learn patterns and applying patterns. But AI just leverages existing knowledge, but it can't create new constructs, doesn't think, right? It's simply automates. So as we think about artificial intelligence, I'd encourage you to view it as as not thinking but automating what people have already thought. And so as we narrow this to the use case, we define artificial intelligence and cybersecurity as providing advisory, enhanced service and [indiscernible] cybersecurity defence functionality based on the range of structured and unstructured data, including logs, device telemetry, network packet headers and other available information. But here's the goal. It's to create analytics platforms that capture, replicate the tactics of you, a cybersecurity professional. Then we take those best and brightest, the finest security professionals, we look to democratize that traditionally unstructured part detection and response process or we look to complete a range of near-term automated detection response techniques that theoretically can't be replicated by a security professional, it would just take too long. Theoretically, security professionals could look at 1,000 samples, might take 40 decades, but hey, AI can do it at scale. It's the application of applied statistic to solve security problems. But before we move into how we create value, I do want to emphasize. So AI ain't that smart. Then the differentiation isn't in the smart. It's in the data. Data is the enabling infrastructure for AI. So as you're going out talking to vendors and looking to vendors to help you solve your cybersecurity problems, as you're looking to challenge them to create benefit in your environment I ask you to focus on the data. And so there's 3 key attributes associated with data. First of it is data structures. If we're going to apply analytics, first, we have to have frameworks, right? AI needs structure to be able to data scale. Let's face it, the MITRE ATT&K Framework was a fabulous innovation, right? Because it allowed us to start taking tactics and things and all of a sudden, let's start putting them together in what we call that attack chain. So I could start seeing where it goes, right? It's that framework that allows us to now apply analytics at scale because it allows us to look at things on an organized fashion, right? Self-driving cars first need maps of roads to be able to figure out where they're going. Those data framework structures of those maps. Second, data management like, these got weight. These got gravity. So as we look at that data, how we use that data, how we manage that data becomes a differentiating tool because we just can't take and put all the data everywhere, right? It will cost us a fortune. So the ability of having unique data and managing the data becomes a very, very differentiated tool. And then finally, data curation. Curating heterogeneous data sets to create homogeneity to enable analysis is a big inhibitor. If you have data sets from 4 different sources and all those sources have different architecture, different frameworks. They're like, well, Brad, how do I create standardization? Because before I can compare data, I have to have my homogeneity and that creating that homogeneity takes time as close. So having your vendors solve that problem for you proactively is great. That's why we talked about the use of standards, stakes, Taxi, OCSF, these are standards that create value. And if you don't believe me, [indiscernible] Frank and they're like, that's great, but I don't really believe you. Why don't you listen to really, really smart people. This is the CEO of Moderna. And I couldn't help but I reading an article about his approach to generative AI. He said this quote, "And I grabbed it, verbatim. He said, "We got the ChatGPT for Moderna called [indiscernible] because we don't want to teach the rest of the plan, things we are learning with our data. We're using it for contract writing. We're loading it up with all of our sense data. The data has value. And for me, what Jonas not only does it create value, what about the tax service like but what would you like that like all of [indiscernible] sense of data? That's valuable, right? And so protecting that data becomes important. And so as we look at this, some of our survey data reflects that. This comes from Dr. Grace Trinidad and Michelle Ibrahim. They asked, "Which of these are significant challenges to maximize the value of the organization's AI/ML initiatives?" Insufficient tools becomes an issue, right? Issue with durability and quality. Number two. Lack of trust in the data. Number three, right? And that's within size of the business. And when we look at the different line of business in IT, IT number 1, issue availability and data quality. These are important. So as we look at trying to get value from not that smart, artificial intelligence, how should we approach this? And I think as we approach this, there's kind of 2 things we want to focus on. So the first one is automation, right? We want to focus on things that do things on a regular basis, right? That repeatability. So we call this automating the mundane. If we can predict it and we can see it, let's do it at scale. The second thing we might want to look at is how do we up level that security professional, it's hard to have the expertise and be an expert. How do we take an average person, how do we take someone like Frank and make Frank a cybersecurity professional. Up-level our security professions. And so as we think about this continuum of looking at automating mundane and up-leveling security professionals, let's take a map that, I guess, what we do in cybersecurity, right? They're proactive and they're reactive. And so as we look at this, let's start with the proactive and automating the mundane, how about some of these like tasks that drive us nuts, patching, modifying SBOMs, clearing up anomalous configurations. Hey, how about on a Cisco use case, how about firewall policy rationalization, how many folks out there have got firewalls and network protections from previous acquisitions. And you're like, I've got hundreds of firewall policies across 3 different unique sets of policy. I don't want to condense us down. How do I do that? That's something that automation can do at scale because, oh my gosh, no one is going to be job satisfaction and trying to rationalize those one at a time. As we look at this, I'm making the mundane is reactive, they're not reporting. We had an incident. We want to tell our senior manager with do, won't it to be great to push a button and just have a PowerPoint that goes up and send it to our boss, so that we don't have to spend 4 or 5 hours writing that. All the data is there, we're going to many and collect it. Let's automte that. Alert correlation, or step-up NFA requests, talk about a reactive automated use case is perfect. As you talk about uploading that security professional in a reactive playbooks, we've identified a problem. We see what it is. Let's hit the button, let's win the playbook. Let me move on to the next day. Automated detected rules, explaining complex work spent alerts, complex query assistance. That would be great. And then finally, as we talked about that proactiveness, how about predictive threat modeling or guided remediation or our threat hunting. So if you don't believe all these use cases you're kind of like, wow, is this just a framing. Well, let me give you some data. Once again, we survey people. Can we ask? Thinking about your organization with your work, which IT area do you think generative AI will have the greatest impact in the next 18 months? 19%, say, cybersecurity. Number one. And as we look at moving forward and we generative AI and what are we going to do -- well, who's going to help us with this? We asked that as well. It's the type of vendors you're likely most strategic and you're gear technology partners in the next 12 months. Your cloud providers is number one. IT consulting partner [Technical Difficulty] digital infrastructure providers like Cisco, third. So you're seeing as we reach out cloud provider consulting partners, digital infrastructure providers who can provide help.?

I'm excited to bring the challenges of security strategy in complex secure environment, home to you through this interview with Cheuk Wong of Melbourne Airport. He'll be sharing the impact of AI and the challenges of his broad security purview and the complexity it involves across the airports facilities.

Thank you very much, Bob. I am tremendously excited to host today's session. And with me on today's session, I have Cheuk Wong. Now Cheuk, I don't really think your title will do any justice. But as ultimately the person that is responsible for security in one of Australia's largest international airports. And welcome to our afternoon session today. Cheuk, when we look at an airport, it goes without saying that it's no longer just a building where aircraft pull up. It really has become this commercial hub for people. And your role and your team's role in securing that commercial bustling hub, with all these cars and people transversing it every day is critical. Do you want to tell me a little bit about what you do and what is your team's role at Melbourne Airport?

Yes. Look, I've been with Melbourne Airport for 5 years now. I am the head of cybersecurity and responsible for cybersecurity at the airport. Over the years, I've been able to build a team of nine security professionals, along with a number of third-party vendors that help us secure the airport from a cybersecurity perspective. Things are ever changing. As you know, airport, there's always construction going on. So it's an interesting, exciting and very dynamic place to be.

When we look at an airport, physical security is front of mind for most of us. But you and your team is ultimately responsible for the digital security element of that. Now what would you say is one of your biggest challenges when it comes to securing such a large piece of infrastructure like an international airport?

Yes. Physical security is separate from cybersecurity, that is a separate team, and we work very closely with them, right? Because they rely on IT, OT systems that operate the airport. So we work very closely with them to assure that those systems have appropriate security in place. And they're actually part of our cyber Information Security Committee, which meets on a regular basis. We talked about the activities at the airport, their risk, and they help ship our cyber program. One of the biggest challenges I have at the airport is really not having enough visibility, right? If you don't know about it how are you going to secure it, right? You can protect something that you don't know. You can probably protect it to a certain degree if you have enough systems in place, but are you really sure, right? So taking that visibility is important to me and my team, which then helps us import business, what potential risks there are, and then we're able to then discuss what mitigations, what security controls, all we need to do to actually secure those components within the airport.

Cheuk, that's a really well-rounded view on some of the challenges. But I think we could really get to help in getting our audience to understand the real complexities within an airport. You guys have, I guess, a lot of cars on site every day, a lot of people in the building every day and a lot of luggage. And all of this must be supported by systems. So do you want to tell us a little bit more about what are some of the digitization that happens in an airport facility and how that poses different challenges to a security team.

Sure. 2 good things next. We are the second largest airport in Australia today, approximately 30 million passengers go through our airport on annual basis, which translates to about 100,000-plus passengers per day. In terms of car parks, yes, we have one of the probably the largest car parks for an airport, roughly 15,000, 20,000 car park space and roughly about 15,000 cars come in airport on a daily basis. We process roughly about 30, 35,000 bags on a daily basis as well. And all of those are supported by different systems. So we at cybersecurity help understand what those systems do and making sure we understand where those potential threats are and then help protect them, right? So we also review the systems on a regular basis with the business and then ensure that we have appropriate controls in place, right? So your endpoint security, your network security and making sure that we have all the security in place to protect those assets and ensure that we have 24/7 access to those systems because we are a 24/7 airport.

Cheuk, when I talk to a security professional like yourself, it makes most other security leaders, problems seem much smaller. 100,000 people in a single location during a single day is a staggering amount of people. And if we look at how a transfer and transport has changed over years, there's a high reliance on connectivity and buildings. I know for myself, I travel quite a bit. And I almost expect there to be some kind of a connectivity so that you can do things and get things done while you're are in transit. And I'm almost certain that's the same for a lot of passengers going through your airport every day. Is this a unique challenge? And does this kind of service that you give passengers become a unique vulnerability or threat vector in your eyes?

Well, we feed information from the airlines, from the flights back into the baggage claim systems, we feed information to what we call our Flight Information Displays, our FIDs, which inform individuals, where the planes are located, which gates they can be flying out of, those are all talking to each other, right? So we need to ensure that not only the -- I guess, our primary systems are protected, but all those other systems that interconnect, which makes it an interesting challenge, right? And then if they were disconnected, you can imagine if, for some reason, our system is not talking to the value selling system. How are the bags going to to the airplanes. So then the bag that we're making and therefore, people can arrive at the destination and they don't have bags. That's going to be interesting for the individuals. It makes it very challenging for them, so we need to ensure that all these systems are talking to you, all these systems up and running. And yes, we have 24/7 availability on those systems, right? And the network interconnects everything for us, right?

Again, you've mentioned some of the complexities that an international airport needs to deliver from a technology point of view, but you've also mentioned the high reliance on visibility. So what does that mean for your portfolio? And what is your security portfolio actually look like?

So I'd like to answer the question by taking a step back a little bit, right? So when I first joined the airport, we had different security systems, different spar solutions, which had their needs and their and had a function, right? To protect the environment. So we had endpoint security. We had DNN security, we have network security, but those systems were not always talking to each other. With limited budget, with limited resources, it was decided that we take a platform type of solution, and we reached out to Cisco to and partner up business to implement their entire security suite of solutions to help us mature very quickly in that space and also being able to help interconnect or integrate systems together very quickly, being able to give us better view over environment and then being able to carry out investigations bit quicker and being able to respond like quicker, whereas before the [indiscernible] we're not necessarily talking each other. Doing investigations could take some time.

Cheuk, that is very, very forward view on a security stack. And it's very nice to hear that you use Cisco end-to-end because, to your point, it really gives you that opportunity to integrate things that are natively designed to communicate with each other. And that really takes a bit of strain off your team. Now Cheuk, maybe a last question before we start logging off. What has been one of your biggest wins since really going on this journey and creating this road map for what you want to deliver with your security team.

I come back to the example we're speaking about responding quickly, right? So if I had a malware on a device, and we weren't sure  if it was going to infect the other machines, we have very limited view across the environment because, again, those systems were not connected together. With the Cisco solution, I can -- from the Cisco console type in, the malware signature or the IOCs, et cetera. And then just presenter, and I very quickly, I can see if any of those other security tools have seen those IOCs or have seen the malware environment, therefore, allowing us to take faster action. That was not possible years ago. And what the automation has built into some solutions, we can very quickly actually respond and isolate devices very quickly off the environment containing it within the environment. So therefore, campaigning for potential outbaseof threats.

That's tremendous. As technologists, our mean time to respond and our mean time to remediate is probably one of the oldest measures and service levels that we hold out is by. And it's really refreshing to hear that you are able to respond quicker and remediate faster by having this kind of visibility. Now Cheuk, you've been in the security industry for many years. And as our audience have now heard, you are at the helm of a very, very complex technology stack and you've secured it with the help of Cisco. What would be your advice to somebody in your shoes or possibly somebody aspiring to be the Head of Security or Information Secures Officer?

Per benefit still. Security is very dynamic opportunity is ever increasing. With the introduction of AI we very recently, that actually increases our challenges in terms of how we actually look at cyber threats, cyber risk and how we need to protect against it. So my advice is to never stand still, always look forward, move forward and look for the next solution, right, because your solution today may be out for what you're doing today. But with all those new challenges, it may not be accurate. So you need to continue to evolve your own security space to ensure that you have the appropriate measures to protect whatever you're protecting.

Cheuk, I think that's a tremendous piece of advice. Even when I speak to people that are young in Korea in cybersecurity, I always invite them to stay curious and that's exactly what you are saying. Ever-changing, stay ahead of the game, keep learning. That's the way that we are continuously hopefully, be able to protect our organizations. Now Cheuk, thank you very much for your candid sharing this afternoon. Thank you very much for all your effort. And what you do within your role, thank you for the afternoon. And Bob, it's back to you.

Now we're going to dive headfirst into the efficacy issue and the challenges of a complex security environment. Joining us first is Pam Lindemoen, Chief Information Security Officer Adviser at Cisco. Pam's a global cybersecurity and IT executive leader with more than 20 years of experience evaluating and minimizing operational risks, analyzing business priorities and maximizing technology capabilities. She spent more than 16 years in the health field of Anthem and now in addition to her role at Cisco, sits at a couple of boards, including the National Cybersecurity Alliance. Following her talk, Frank Dickson and I will join for a wider discussion of the efficacy issue. Pam, the stage is yours.

Thanks, Bob. Hey, everyone. Thanks for joining me today. I want to talk to you about a big issue that every information security organization faces, the efficacy issue. Effectiveness and efficiency. It's what every information security organization aspires to demonstrate. In a traditional approach to security, we often end up with a patchwork of different products and solutions, each addressing a specific aspect of security. While these tools may individually serve their purpose, the lack of integration and coordination can lead to gaps in a defense and depth program. It becomes difficult to gain a comprehensive view of the entire security landscape, making it harder to detect and respond to threats effectively, especially in our ever-changing digital world. In any organization where sensitive data and critical infrastructure are at stake, the consequences of any security breach can be severe. The potential impact on customers, employees and the company's reputation is tremendous. It's why I took my time to look for a new place to call home after 15 years. I came to Cisco because they are working to simplify the solution. The mission of connect, secure and automate that spoke volumes to me. We need an approach that cuts through the complexity, streamlines our security operations and ensures that we have a unified integrated defense strategy. By doing so, we can enhance our ability to detect and respond to threats, minimize the attack surface and ultimately protect our organization and its stakeholders. Speaking of AI and ML to achieve efficacy, we must also focus on detecting and responding to the most sophisticated threats. Not only do we have a rapidly evolving threat landscape, organization faced the challenge of combing through the vast amounts of data to identify the right risks. This requires correlated cross-domain telemetry and leveraging AI, ML driven enrichment. It's not new that Cisco furnaces, the power of AI and ML, but also we follow responsible AI principles to provide comprehensive and ethical security solutions. We recognize the importance of maintaining transparency, fairies and accountability. In addition of the expertise and continuous monitoring of Cisco Talos enable organizations to stay ahead of emerging threats. Their team of security efforts and researchers analyze global threat data, identify trends and develop effective security measures to combat the most advanced threats. We've even automated the recovery process. As we've discussed today, Cisco is working towards a unified approach to security, which is built on a Zero Trust principles using AI innovation across the portfolio, but above all, never losing track of the outcomes our customers need to achieve better efficacy, better experiences and a better ROI. Cisco has a long history and deep expertise in security. We see over 550 billion security events and 2.8 million new samples of malware per day. We also discovered 200 vulnerabilities per year. To put that in perspective, that's more than one vulnerability for every working day. We find vulnerabilities and help get them fixed before they are exploited. With the launch of the security suites at Cisco, we're delivering on the promise to improve protection and simplify how organizations can use and procure security technology. If you haven't already, I encourage you to visit our security page and learn more about our innovation and the release of the new Cisco Security suite. We're happy to partner with you throughout your security journey.

Pam, what you said about that was so interesting. We've been talking about complexity and inefficiency. I think you've seen and you mentioned it is that companies have dozens to hundreds of security solutions, right? How did we end up here?

I ask myself that daily. Bob, it's interesting. I think it's just the nature of the base, right? And security while it's not been -- we've not been around that long. And so I think we've just been trying to solve these point problems, right? With point solutions. So obviously, we've ended up here in a way in which we have to kind of look at the portfolio in a different perspective and analyze all of the data at work speed, it's just so difficult to do. So I think it's just the nature of our business as it's grown, as the threat actors have changed their tactics and their patterns, we've had to adopt different methodologies. So couple that with the pivot of technology over time and us keeping up with that. So it's kind of like a cat and mouse game, if you will.

Frank, what are your thoughts on that?

Yes, I see...

Everyone begins this one with a sigh.

It's -- because there was a very positive spin on it. I think the issue with complexity is that the complexity is created by individuals, right? We -- human beings are extremely flawed. And as you look at that issue of complexity, 2 things create that complexity. One is Pam's exactly correct. Things have been attacking us so fast, so long. For some reason, we don't really plan pragmatically. We're just trying to get through Christmas. And then after Christmas everything will magically be all right. But like we get this set of new attacks next year and this is failure can really start, okay not to sound negative, but look at the [Technical Difficulty]. So let's plan so that we can migrate our infrastructure because switching and consolidating tools, that's not like a, hey, I'm going to get that done by the end of the year. Sometimes that takes planning between maybe a year or 2 years or 3 years. I mean I made this assertion one time to a CISO at a Fortune probably 10 organization. And she looked at me and she goes, "Frank. You know what, this is ridiculous. There's no way we can consolidate all these tools. We are the product of acquisition." And I go, "Well, maybe you can't do it by the year, but if I gave you 3 years, do you think you could reduce the number of vendors by half?" And then all of a sudden her laughter would be quiet, right? Because I was exactly right.

Pam besides the complexity, there's the inefficiency power, too, right? I mean, some of the issues that arise from best-of-breed approach are actually quite serious. Do you want to talk a little bit about maybe what some of those are?

Yes. I think about some of the advantages that solutions bring, but it also introduces risk and challenges that you have to consider. And if you think about limited visibility and silo data in this in those multiple CLM solutions also result in the data silos where you are operating independently from each other, and you're not taking the value of what that holistic visibility could offer you to more increased operational overhead. So I talked to a CISO today and he said, I run the tools that the security team picks. And I thought... I mean, if you have this operational overhead that you're managing for multiple systems, think about increased costs for additional staff, training and infrastructure. That's what I looked for is how do we reduce that operational overhead look very popular but it was something that you had to think about as a leader. And then something else, I would want people to take away and to think about with adopting best-of-breed, the complexity in vendor management. So managing those relationships, coordinating support activities and surely timely updates for all those patches across those solutions, that's time consuming and resource intensive. And just think about third-party risk on top of that. So that's where my head goes when I think about best of breed, not that I didn't look at best of breed myself. I think that, that's one data point. I just think you've got to look at the total operational costs in every aspect of what we're managing is leaders.

I adore that term, operational overhead, right? Because that's the problem. We look at best of breed. And by the way, I'm not against best in breed. Best of breed will solve a plant problem really well. But that's not our problem, right? The threat landscape is only one thing that a security team has to manage, right? So obviously, threats great, great. Best of breed will do that. But then also, we have to deal with the complexity put on to us by being digital first, right? Organizations are now driving revenue with their digital products. And so we have to manage that and that complexity comes downhill. They don't stop and say, "Hey, what are the security considerations. They drive revenue, and then they figure that out later. The other thing associated with that operational overhead is compliance, right? It's not just about being secure. Compliance is a massive oversight. And so when you have all these data silos and multiple tools that aren't connected, all seen, you're creating problems. And for me, this is just me, but the #1 asset or the #1 thing you need to do is maximize your people, right? We don't have enough people. We can't find enough people, we can't train enough people. It's a hard problem. And so as we think about this topic of operational overhead, complexity makes the management and training of our people, which is the hardest problem harder. And that's what we don't want to do. So best-of-breed might solve one thing. But essentially, it's rapid 3, right? You solve a lot problem, but you create 8 more. An operational overheads a beautiful term, I adore that term.

Yes. That's a good one. Pam, there's a couple of other issues there, too, right? Latency is a big issue across the board. I mean, we're stunstime, people being able to get actual intelligence out of those systems because they're all disconnected. There's also a complexity part of it too, which really speaks to how quickly an organization can update its security environment to prepare for new threats, and that introduces a whole another level of vulnerabilities. Is that something you've seen?

Yes. I used to -- when I was in operations, I used to say things like you've got to make sure we are getting our owned of food, like the security team should be a first group that is managing their own vulnerabilities, their own incidents and updates and that type of thing. And it so surprised me how the security teams were a little bit taken back by me asking those questions and I wanted to be the example. So any pilot we rolled out, certainly, the security organization was first to go and then all of IT and then the rest of the business kind of work out the heat. And I think the complexity that we introduced with all of these systems, it means that you're going to have delays making sure that your patches and your security updates are managed appropriately. And that exposes the organization to potential risk. So you're introducing vulnerabilities into the organization. And I just think that, that's something that we have to take a look at, first, take a look at yourself, make sure you're following your own policies and you're doing the patching and you understand what you're putting everybody else in the organization through. So certainly, it's a problem.

Frank, how much of a portfolio can you -- if people expect to be able to consolidate if they're moving to a suite like we were hearing about today.

It's interesting. I think it's less about the end and more about the journey, right, because the auto manufacturers have got a wonderful goal. And their goal is 0 fatalities and accidents. Now none of us think that, that's a realistic goal. And when I was talking to an executive, he at the time didn't think it was a realistic goal. But it's not necessarily about the endpoint. It's about the process there. If they can reduce fatalities by half -- that's a lot of lives. And the same thing with complexity. Do we want to be one vendor, one cloud vendor, one infrastructure vendor, one security, the more platforms and more consolidation we do, the less complexity and complexity creates this accidental impact on vulnerabilities. As Pam was talking about vulnerability. I was like, well, yes, if you have half as many tools you probably have quarters many vulnerabilities. But it's not about the endpoint, it's about the journey, right? Because if I can reduce -- let's I can reduce the number of vendors by 20% next year. Well, next year, I've got 20 % less complexity. And now all of a sudden, I'm saving time, I'm saving people and those people, I can now point towards either further reducing complexity or solving other problems. It's all for me, it's all about a people problem. So I wouldn't say, look, because if you look at trying to get to the endpoint by the end of calendar year 2024, to do like a few months. But you can simply say we're going to reduce the number, we're going to control complexity. I think it's more about the journey than the endpoint.

That's a good analogy. Pam, how much of the efficacy from Cisco suite of products comes from AI versus tighter integration?

I think it's both. One of the things about Cisco that really appeals to me and why I'm still here, quite frankly, is the ability for them to listen to their customers and to adapt to what they hear. And that's part of my role here at Cisco is to meet with security executives and really translate what their priorities are inside of our organization, whether it's best practices that we employ when you think about the AI principles that we leverage to the transparency that we have that type of thing and how we share that with the world. If you think about our threat intelligence, how we share those tactics and techniques with the world, I think it's like a handshake with our customers. A lot of people don't understand that about Cisco, and that's -- I believe that's why I exist. But I think we take both into consideration. And what's really impressed me is the fact that our product side is listening and they understand that we have to -- a little bit about what Frank said, meet people where they are on this journey and that can be different for every customer that we have, which is -- can be exhausting and expensive for us, but it's certainly a part of our DNA to listen to our customers and really build things that matter to them and to integrate with our competitors, like we have deals with our competitors with our new XDR platform that is incredible, and it's really taking that what I call an ecosystem, leveraging the best technology of the day in a very responsible way, ethical way and marrying that all together to solve this problem. I mean we're a software company, and we're selling some of the most complicated security problems in the world, right? And we're seeing them with our red intelligence behind those products.

So besides mitigating business risk through greater efficacy, let's talk about cost, right? Does it efficient security stack also lend, I guess, predictability and efficiency to that budgeting process that we all had to go through?

Well... I don't know if you've ever been in a large enterprise, and you've had to manage large sophisticated agreement. That is complicated. And I've spent -- actually was a large vendor for a long time and managed through SLAs, understood NCR, all of the infrastructure, the idle best practices ins and outs of that. And I have a great understanding of that. I have a great understanding of what it costs to build a software product. And now I understand the impact of security on top of that or security or privacy by design and I believe in that, so does Cisco. Absolutely, if you're managing multiple licensing agreements, you're streamlining your vendor management with less complexity in that stack, absolutely, it's going to give you an environment that can help you optimize your resource allocation, minimize redundancy and improve your overall cost effectiveness. So I mean that's my math right, Bob.

Yes. Yes. Yes, absolutely, Frank, if you say I mentioned you're seeing the same thing in the work you're doing in the field.

Yes. I think it's interesting as we look at -- as I listen to what Pam's saying, it seems like there's been this maturation over time. The problem is I've got too many gray hairs as you can see. So early on, we would do surveys about what's the most important thing to consider in buying a product. We have the best-of-breed or this or that. And I present the data well, of course, other than price, right? Because we only talk about price was #1 and then like all the other features because everything was about price. But over time, we've seen this maturation in the industry where one feature got more important price. And then another feature got more important price. And when we do surveys now, price has got to be somewhere around 6 or 7, right? Because when you look at this idea of cost management, we've started to associate the fact that there's 2 kinds of costs. There's the hard cost what  you pay vendors and then there's all the soft costs, right? The issues of installation and how do we get it up run, some of these tools like in the past, they would take 6, 8 months to install and monitor in configure before getting a value. That's all...

I want to add to that. You and I are on the same page. And I just want to say something like, I remember, years ago, I was forced every time I ask for a budget to complete an ROI 5 years out. And I think that, that's lost somewhere in technology these days. The ROI and getting the total cost value out of a product is something that when I'm talking to customers and when I hear people in the room talking about what Frank said, like here's the cost of it, and we can get it running tomorrow and I might pull on a second. You got to put yourself in the customer's shoes, about you can't just rip and replace everything the customer has. You've got to think about that. You've got to think about it methodically and carefully. They've got a large soft cost, as Frank described, but also like are you getting the total value of the product? And is it answering the call that you once had maybe 3 years ago? And I would offer that we need to get back into those routines if we're not today about the total cost of ownership in both product and what it needs to bear and the partnerships that you have. And that's something that I talk about a lot with customers that I'm engaged in is is how are you using our products? And are you getting the total value out of them. I think that's super important. And it's something that we take much proud in here at Cisco.

Yes. No, it makes great sense. Even our words have changed. It's like the whole industry is starting to get this maturation. Nobody uses the words PLC anymore, right? It's all POV, it's proof of value, right? Because like I say, if it takes 3 months to configure and get any value to our product like a body wants that, it's all about the proof of value and a lot of the work that we do here in IDC is really focused on illuminating the value created by not just a product, but the breaking down of silos Bob, you talked about, is it the AI? Does that create value? Or is it the interconnect? And that's like it's kind of a chicken and egg scenario. Security is an AI discipline. It has been for 10 years. But unless you connect the AI with the data,there's no value because as we've seen, again and again, with these discussions of GenAI, all said, you can have the best large language model in the world. You don't have to at the data to train it and you can't give that language model access to the data. You've cut it. I mean you heard me say that on stage last week.

Yes. Well, that's fantastic information. Pam, Frank, thank you both for joining us. First and foremost, we want to thank our wonderful presenters and our audience for participating in this event. We're delighted to share these insights and Cisco's exciting news with you.

We'd like to thank you all for attending the event. We hope you found it informative. A special thanks goes out to all the speakers today. And as a reminder, please take a moment to complete the confidential survey that has been posted in the chat panel. And it will also pop up in a browser as you exit. Thank you for joining, and have a great day.