KubeCon 2023: Not Your Father’s Tenable
2023-12-12 08:40:07 Author: securityboulevard.com

This is Techstrong TV.

Alan Shimel: Hey, we’re back here live, wrapping up our last day of coverage of KubeCon. Hope you’ve enjoyed the last two days. Mitchell, Ashley, and I have probably interviewed 30, 35 people in the last two days, and it’s a lot of people, but I think it was some great stuff, some great content, and we hope we’ve given you a flavor of what’s going on here on the show floor this year.

My next guest is John Tomello?

John Tonello: Tonello.

Alan Shimel: Tonello. John is with Tenable. Is it still called Tenable Network Security?

John Tonello: No, we’re just Tenable.

Alan Shimel: Just Tenable.

John Tonello: But that’s in our roots, so there’s a lot of people that still say that.

Alan Shimel: I still do, but it’s Tenable. And look, full disclosure, I’ve been working with Tenable for 20… since I think Ron Gula and Renaud started Tenable.

John Tonello: Founders.

Alan Shimel: That’d be around 2001, maybe, I’m going to guess because that’s when I had started my security company. But of course, today’s Tenable is very different, John, than just the Nessus company of 25 years ago. Tenable has kind of a soup to nuts type of security offering that a lot of people may not be familiar with out here, right? They may still think of Tenable as scanning or whatever, but there’s a huge cloud security component. There’s a full range of Tenable.

John Tonello: Right.

Alan Shimel: So I mean, not to put you on the spot, but tell them.

John Tonello: Right. We get a lot of people that come up to us at conferences like this, KubeCon. They’re like, “Oh, I used Nessus in college and I used Nessus in my first job, and now I’m doing things that are a lot different and have a lot different, longer titles and all that jazz.” But yeah, Tenable started over 20 years ago and it became a de facto standard. And it’s nice to see folks coming in like, “Oh, I know Tenable.” But a lot of people… it used to be an Oldsmobile commercial. It’s not your father’s Oldsmobile.

Alan Shimel: Right, exactly.

John Tonello: It’s not your father’s Tenable. We’ve moved well beyond just vulnerability management because the world has moved beyond vulnerability management. I used to work for a regional optical network in New York State, NYSERNet, and a big part of Internet2, that infrastructure. And we had wide open networks, and as an IT director at that time, you plug something into any one of our Ethernet ports in the office and it was on the raw internet, and you quickly learn that, “Wow, the internet is a very dirty place.” And then as people evolve from a data center to, “Okay, now we have devices on our factory floors. We’re using the cloud. Of course, we’re not using one cloud, we’re using multiple clouds. We have web apps that are primarily…” Tenable has evolved to not just chase that but lead it. And having 20 years of data that we’ve gathered from what has happened, that flows now up into Tenable. One, it gives customers really not just an isolated view of their risks, but across everything that they’re doing. Because like you were saying before, no one’s greenfield. What a beautiful thing to be able to say, “Hey, we’re a brand new company. Let’s put up a Kubernetes stack.”

Alan Shimel: Right. Let’s start with a blank slate here and give me my dream.

John Tonello: Right? That’s equivalent to candy and no beets and spinach. So there’s an aspect of that. But security is hard and not getting any easier. A lot of the folks here at KubeCon are developers who’ve been tasked or told, “Hey, you have to worry about security.” You have operations guys and gals that are having their roles shift, and they are looking for ways to consolidate the tools, simplify the tools, just have a faster, easier way to solve the problems, get rid of the noise, not have to write scripts or queries to get there. And that’s what’s exciting about our acquisition of Ermetic this year.

Alan Shimel: Well, okay. Let’s mention that. So the acquisition was announced, what [inaudible 00:04:35] about a month and a half?

John Tonello: Yeah, October 2nd, I want to say.

Alan Shimel: [inaudible 00:04:39] a month and a week, something like that. So let’s start with this. Our audience is somewhat diverse. We might have DevOps people, security people, cloud native, but we also have people who are into digital transformation and at a higher level. And of course, everything’s AI today.

John Tonello: Right.

Alan Shimel: But they may not be familiar with Ermetic is the point.

John Tonello: Ermetic, a Tel Aviv-based company in the security space with some really great expertise, particularly in CNAPP. So you’re looking at cloud native application protection and all the acronyms that fall under CNAPP, but I think what Ermetic really nailed, not only from an understanding of the security challenges, but how people want to interact with that, which is in an easy interface that gives you a lot of power that focuses on identity. And because we know that entitlements and identity are where bad people get into your systems.

Alan Shimel: Sure.

John Tonello: So looking at that and the [inaudible 00:05:54] offering. That’s part of what Ermetic brings to the table. It’s really great. It enhances what we already have, not just our vulnerability management, but working with infrastructure’s code. Tenable acquired Accurics a couple of years ago infrastructures [inaudible 00:06:13].

Alan Shimel: Sure did. Actually, the Accurics CEO was here yes… former founder. He was here yesterday.

John Tonello: Ex [inaudible 00:06:20]. And we still have the open source project of Terrascan, which here at KubeCon is very popular, right, because you can scan Helm charts, Terraform code, Docker code, and that idea of shifting left, it’s a tired term almost for a lot of folks, but it’s really the idea that the earlier you fix stuff, the earlier you have visibility into your problems, the better off you are. And for developers, folks that… it’s a big chunk of the audience here. It’s not everybody, certainly, but they want tools that match their IDE. It could be done in their IDE, that doesn’t add a whole new workflow for them. Both Ermetic and Tenable understand that, that the ability to give many different people within a company access to not only the tooling but the reporting without having to be what I would consider guru experts to do that stuff.

Alan Shimel: John, as I mentioned, I’ve been in security many years, did a lot of federal government work, and the federal government, when you go talk, especially DOD people, it’s about the mission. And when I hear you describe what Tenable’s doing, what Tenable today is about, to me, it’s really clear. Look, the mission has changed. It’s not enough to just scan your applications and fix vulnerabilities. The people who are carrying out the mission have changed. They’re not necessarily security professionals who live, breathe, and die CVEs and GDPR compliance, or these kinds of things.

John Tonello: Right.

Alan Shimel: Security is everyone’s responsibility, starting not even with the developers, starting before the developers. We call them platform engineers, but we’ve always had them. Before there was a thing called platform engineers, we always had people, architects and systems people, that were setting it up. Security’s their issue. Developers, it’s their issue. It’s the ops. It’s the DevOps.

John Tonello: Right.

Alan Shimel: It’s the SREs. Really, it’s everyone’s. And I think a lesson, though, that I’ve seen from where I sit and I have a good seat. I don’t have to do sales or sell a certain amount of security product.

John Tonello: Right.

Alan Shimel: But from where I sit, I think the biggest thing we’ve seen is that people are… they recognize that everybody needs security. I’m trying to think of the right way to say this. Everyone needs the security that they’re comfortable with. So in other words, the security professionals’ tool doesn’t suit me as the developer.

John Tonello: Exactly.

Alan Shimel: It doesn’t suit him as the ops person. Doesn’t mean I shouldn’t be involved in security, doesn’t mean I shouldn’t have a tool that helps me with security, but not that tool.

John Tonello: Right.

Alan Shimel: And I think today’s successful security companies recognize this and whether it’s the same nugget under the covers just with different interfaces or it’s truly separate things, but they work together, that’s what we need.

John Tonello: And the inverse is true too that the security guy and team doesn’t necessarily know the cloud. And if you know one cloud, doesn’t mean you know all the clouds and they’re all different. And they all have their own nomenclature and who can afford experts for every single task? You can’t.

Alan Shimel: Well, that’s something that hasn’t changed in security: we can’t, generally, most organizations. Maybe the Fortune 50 can. But most organizations cannot afford the security expertise across the whole spectrum that they would need, which is why, look, at my last company, we pivoted to become an MSSP, because I recognized that just selling them product, half of it never got installed, or got installed and never used, because they didn’t have it. They didn’t have the ability to run it even.

John Tonello: That’s the thing where Tenable has made a commitment long-term to its customers to be on that journey with them, to say, “Hey, you’re benefiting from what we’ve learned from all of our 40,000-plus customers in this space, so that when we are giving you best practices or tooling, it’s with that bigger picture in mind. We know where your challenges are, we know what threat actors are trying to do, and we’re giving you tooling that simplifies it.” But I always hesitate to say simplify because it can be misconstrued with being a broad but not deep solution. But [inaudible 00:11:33] back in the early web days, I used to say it’s easy to create a website that’s hard to use, hard to build a website that’s easy to use. Well, when those things come together, that ease of use, but power across a lot of domains like you’re describing and for a lot of different users, that becomes where the rubber hits the road.

Alan Shimel: Agreed. I agree with you, man. All right, so we covered a bunch of stuff here. I want to do a little bit of a recap and give some people some homework, okay? So we mentioned the recent acquisition and what that means for cloud native application security and so forth, CNAPP. It also brings a really great UI, right, to the whole Tenable thing. Where do people go to kind of see that in action and maybe kick it a little bit?

John Tonello: Of course, tenable.com is our main URL, and under there are the products. I’ve actually created quite a few videos on onboarding that give you a taste of that. You can get in touch with our sales folks to get even deeper dive demos on all that. Terrascan, our open source project, is tenable.com/terrascan. There’s a sandbox that’s freely downloadable.

Alan Shimel: Great.

John Tonello: And it’s a very popular tool, the number of forks and downloads that Terrascan gets, because you can integrate it into your CI/CD platform, on your workstation, do all those things. There’s runterrascan.io as its own site, and we’re always looking for contributors as well for that project. And you’ll see a lot on cloud security on tenable.com. You’ll also see some content on Ermetic, which is now branded, obviously, as a Tenable company. There’s a lot of resources out there.

Alan Shimel: Fantastic. John, thank you for coming on. I know this is your first time on Techstrong TV, but come back and visit us. It doesn’t have to be at one of these shows.

John Tonello: Be happy to.

Alan Shimel: Yeah, we do it via Zooms and remotes every day of the week, so it’s a pleasure.

John Tonello: Right. It’s a pleasure.

Alan Shimel: All, check out tenable.com here at KubeCon. Hey, we still have a few more interviews left to finish out the day. We’ll see you back here in just a moment. Wrapping up day three coverage. Stay tuned.

Source: https://securityboulevard.com/2023/12/kubecon-2023-not-your-fathers-tenable/