Skip to main content

Perspectives Home / LEADERSHIP

Want To Lead Cross-Functional Teams? Rethink the Concept of "Digital Resilience"

Preventing both observability and security incidents require holistic thinking, cross-functional teams and cultural changes. Splunk's Matt Swann and Patrick Coughlin discuss with analysts Daniel Newman and Pat Moorhead.


The anatomy of a security incident and an observability incident may look different, but the end result is the same: downtime and impact on the business.

As security and observability converge, leaders are looking at ways to encourage security, IT, development and engineering teams to work toward the same goal. That means a renewed focus on two age-old problems: the difficulty of finding a trusted single pane of glass and ingrained cultural differences between departments.

Patrick Coughlin, Splunk’s SVP Global Technical Sales, and Splunk strategic advisor Matt Swann sit down with analysts Patrick Moorhead and Daniel Newman of The Six Five to discuss how to address these challenges, reduce the friction so leaders can make better decisions about their data, and rethink the concept of “digital resilience.”

Patrick Moorhead: Hi, this is Pat Moorhead and we are live here in Las Vegas at Splunk .conf2023. I am here with my incredible co-host, Daniel Newman. And it’s not 118 degrees inside here, is it?

Daniel Newman: Oh, no one would know. I’ve got this vest on.

Patrick Moorhead: I know. Got the coat.

Daniel Newman: I do have a reputation though. When I did have that event in Austin, it was 109 out and I still wore the vest.

Patrick Moorhead: I had one on too by The way.

Daniel Newman: There’s something about making sure that everyone knows you got style. I mean here at Splunk it’s probably a hoodie. I don’t know. But the security folks. I don’t know, maybe we’ll get lucky. We’ll have a guest with a hoodie, a guest with a sport coat, and then no one will quite know what to think.

Patrick Moorhead: Exactly. Dan, we’ve been talking a lot about digital resilience, and aka security along with your data. We talked a lot about AI and we’ve even talked about getting data from the edge and doing meaningful things through that. All pretty incredible topics and right into our research that we do day in, day out as our company. But let’s introduce our guests here. I’m excited to have a big conversation about digital resilience, Matt and Patrick. Patrick, my favorite name. Thank you for coming on the show. First time on the Six Five. Thank you for coming.

Patrick Coughlin: Thanks for having us.

Matt Swann: Thanks for having us.

Daniel Newman: It is great to have you both.

Patrick Moorhead: I love the two ends of it.

Daniel Newman: Pat, Pat and Matt.

Patrick Moorhead: Exactly.

Daniel Newman: Pat, Pat and Matt.

Patrick Moorhead: We have CTO and we have sales. I mean, come on. This is going to be fun. Let’s spice this up a little bit.

Daniel Newman: Now, Pat, if you know a little bit about this Pat.

Patrick Coughlin: Yeah, please tell me.

Daniel Newman: He likes you more. Because it’s not really about him, but it’s always.

Patrick Moorhead: It’s sometimes about me.

Daniel Newman: About him. You probably know which show that comes from.

Patrick Coughlin: Yes, I do. Yes.

Daniel Newman: Exactly.

Patrick Coughlin: Always about you.

Daniel Newman: Gentlemen, maybe a great starting point because we do have the counterpoints of IT and security. Quick introduction. Matt, start with you. Tell us a little bit about the work you do at Splunk.


Matt Swann: Yeah, sure. I mean, look, for the last 30 years I’ve spent probably the majority of my time focused on resilience. But through modernization. There’s been a never ending trail of how we modernize and get to e-commerce. How we think about modernize in getting to mobile, how we modernize and think about getting the cloud. How we think about modernize in getting some platforms like Splunk. This new AI revolution that we’re on the very cusp of. And so, I’ve had a lot of executive roles, C-level stuff at Booking, at regulated companies like Nubank, at Citibank. I spent about 15 years at Amazon. Wide variety of stuff. Happy to talk about any and all.


Daniel Newman: It’s great to have the practitioner lens too, working for the big corps, doing the stuff. And now working as the person selling the stuff or helping to sell this stuff. Pat.


Patrick Coughlin: Yeah. I lead our technical global go-to market teams here at Splunk, which includes security, IT and DevOps specialists, deep domain specialists who work with our account teams to really fuse that expertise into how we work with our customers. Before I joined Splunk, which was about two years ago, I was the co-founder and CEO of a company called TruSTAR, which cyber threat intelligence management platform, acquired by Splunk two years ago.


Daniel Newman: Congrats.


Patrick Moorhead: Congrats.


Patrick Coughlin: Thank you. Yes, great to be here. And my co-founder, Paul Kurtz is somewhere here walking around as well. I know you know Paul.


Daniel Newman: He was on the show.


Patrick Moorhead: Oh, he was great.


Patrick Coughlin: He’s fantastic. You’ve already got to know him a bit. But before that, before TruSTAR, I led security, analyst and security operations teams all throughout the Middle East. Spent a lot of time in places like Afghanistan, Iraq, Abu Dhabi, Syria, Yemen. But also working with multinational corporations in Europe, Middle East, Africa to build out security operations capabilities. I guess I’m a security analyst and security practitioner by trade who now leads field tech teams here at Splunk.


Patrick Moorhead: No, I love that. And both of you have an incredible amount of experience with this. Great. And by the way, experience matters in doing these things. Or at least, that’s what I say because I have experience too. But one of the fascinating things that I’ve seen over the past, I would say five years, is we used to separate observability and security. And you were actually one of the first companies that aligned observability and security and security with observability. But I’m curious, what are your points of view? How do you look at those two coming together? And Patrick, we’ll start with you.


Patrick Coughlin: Yeah. Absolutely. I mean, I think there’s two parts of it for me. I guess on the personal experience side, one of the things that I was so excited about when coming to Splunk. And it’s tough to part with your baby, with your startup and Splunk acquired TruSTAR. But what I was excited about is the way that Splunk was positioning observability as a security practitioner. Because I was seeing from our shared customers these different groups and teams that were starting to knock on the door of the proverbial SOC and say, “Hey, we’ve got this data. Should we be looking at this together? Should we be collaborating more?” And then I was seeing literature like NIST put out a paper about two years ago around developing cyber resilience systems that basically glues together observability incidents and security incidents. Saying, “Hey, at the end of the day it all rolls up to downtime. It all rolls up to downtime.” And that’s how it impacts the business. Whether it comes from an adverse condition, like a malicious compromise or whether it comes from an outage in your infrastructure or a performance degradation and application. The impact to the business at the bottom line level is the same. And so we need to start thinking about our resources and our investments together.


Patrick Moorhead: So security became a data problem. And observability was a way to solve that. And two wonder powers combining to get you to that digital resilience. Matt, how do you look at the combination of these two coming together?


Matt Swann: Well, I think in a lot of ways, very similarly. I mean I view it very much as a data problem. I don’t view these. I think historically we looked at these as separate cost centers and entities. We made different investments about how we felt about one or the other. And the reality of it is the common denominator is data and what you do with it. And the insights that you derive, whether it’s operational, whether it’s security and things of that nature. And so, I think what you’ve seen with a lot of the advances, not just in open source but also in platforms like Splunk and other things, when you can bring that together, harness the power of that data with a very clear strategy, you win on both sides.


Patrick Moorhead: That’s right. And it’s only gotten harder. I mean, I like to look at 30 years ago. And you were looking at gigantic in-memory systems. The applications were there, the operating system where there. The infrastructure is all in one place. And now we have the fractalization, we have infrastructure everywhere. We have applications that are no more monolithic, they’re based on APIs. The security problem as we fractalized everything out there has just gotten extraordinary and quite frankly, impressive.


Daniel Newman: Yes. It’s pretty interesting though that we still see from a budget, from a decision making, from a board level that security does get somewhat siloed. It’s CISOs and CIOs working in different silos some of the times not actually marching down the same path. Like I said, boards have long weighed the difference of spending just enough to not get breached, which means they’re going to get breached if that’s the approach. It’s not over investing, even though there’s a double-digit percent valuation loss that comes with a significant cybersecurity incident. There’s a lot of consternation at the C-level. Matt, you were a C title. Maybe I’ll check with you first. CTO in the field, probably working closely with a lot of CISO, CTO, CIOs of clients. Talk a little bit about this very thing. And how should these folks that are actually being pushed by the board, pushed by the customer to make sure data is secure, resilient, how should they be thinking about this right now?


Matt Swann: Well, I think, look, the mileage merit, it varies by company. Some groups are very functionally organized, where there’s a great distance between product and engineering and security and other roles. You’ve got other organizations that have built cross-functional teams where their architecture more closely aligns with the kinds of things that they build and own. I firmly believe as someone who’s owned a lot of product and technology, you want those cross-functional teams. You want to have end-to-end ownership. And what that means is, they think about it, not just the go to market of the customer. Did I get a new customer? Did it make me money? Did it save me money? Am I retaining that customer? But all the way down through that service and how it operates and is it secure in the risk and impact of a breach. And so therefore, when I met the CEO of that domain or business, I want them to think through and have it be part of their plan and their investment. They need to worry about those things, not security off to the side and the business systems kind of manager. But there’s a level of that that also needs to be provided, but it needs to be ingrained in the culture and it needs to be ingrained in the thinking of the product.


Patrick Moorhead: A lot of people at this show in particular probably understand why visibility is so critical to IT operations and things like security. But Pat, I’d like to hear from you first. Can you explain maybe in simplistic terms for maybe people who aren’t fully understanding or maybe people who aren’t customers, why visibility is so important to this?


Patrick Coughlin: Sure. Yeah, yeah. I mean look, with every major technology wave that rolls through the enterprise, what happens is you see this evolution and often expansion of the attack surface area. The move to desktop, into mobile created this whole new attack surface area around devices that didn’t really exist in the past. Then you have to move to the cloud. And that changes. I mean, if you think about what incident response looks like back when I was doing it 15 years ago compared to what it looks like now with cloud assets, I don’t even know if I’d be able to keep up. It’s a totally different world today. And now you think about artificial intelligence. And how does that change the attack surface area? Well, does it bring new critical assets like training data sets that hold very important IP now for enterprises. We weren’t talking about protecting these critical assets two years ago. Those weren’t even in the attack surface area. And so, part of the challenge of security operations and security leaders is this never ending rat race to keep up with the ever expanding attack surface area. And that’s where you need tools that bring you visibility. And so, as a pure security operator, I hear observability and I think visibility into my cloud native assets that I really need more and more of overtime.


Patrick Moorhead: Yeah. Matt, well, you add something if you’d like, please.


Matt Swann: I would love to build on it. I 100% agree with what you’re saying. And I think look, visibility in this information, in simplest terms, it helps companies make more informed decisions. If you don’t have that visibility, you’re flying blind, you’re prone to errors and mistakes, your time to respond, your time to think is longer in that. And I think what you’re going to see right now is that we hear a lot about the AI hype and both good and bad in one way, shape or form. And I think what you’re going to see is a lot of it on the cusp is trained on public data. There’s a lot of stuff out there that can help with that from a security or other perspective. But I think when you take your own internal platforms like a Splunk, you take your data, you train on it, you open it up to incorporate and work your other models through it, now you have the power to accelerate. Your mission hasn’t changed. I still need it to be up and secure. These tools allow me to actually work much faster and better when I develop and hone those things.


Patrick Moorhead: Alright. Look, I talked to, I characterized the fractalization of IT. And it’s funny, we think, oh gosh, where else could this go? Heck, you guys made an announcement today that put an actual device in areas where there isn’t a lot of digital data. And if you look at, we like to call fancy things, Web 4.0. It’s really digitizing the warehouses, the factories. By the way, every car that’s on the road and we have wireless technologies today, even like 5G and Massive MIMO that is going to put a data producing element, tens of millions if not billions of them, it’s going to make smartphones look like child’s play. I think this challenge and this issue is only going to exasperate once we light up. I mean it’s a big number. I joke when you get into the hundreds of billions of endpoints, it gets ridiculous and it’s a lot. This is just going to continue and it’s super exciting I think.


Patrick Coughlin: Yeah. I would just say I completely agree with that. I think what’s exciting about this concept of digital resilience, just in listening to customers over the last couple of days is what’s the next frontier of digital resilience? We talk a lot about the consolidation of engineering, IT and security and shared data. But if you go and talk to a retail customer today where they’ve had a massive shift of their business from physical brick and mortar stores to e-commerce. They’re talking about the next frontier for them with digital resilience is really about fraud. And then if you go talk to a manufacturing customer, they’re talking about the next frontier of where they really need to move is OT environments. I’m excited to see how this concept of digital resilience continues to be a unifying banner, a rallying cry that brings together the necessary resources inside the enterprise to hopefully drive better outcomes in resilience.


Patrick Moorhead: Yeah. And by the way, every one of those new endpoints that has a CPU, a mini operating system and connectivity is a potential breach point. We have more of those out there. And it’s with that much more data coming in, visibility again, more paramount, I think we’re all going to be in business and have a gainfully employed for a long time here.


Daniel Newman: Let me spark a little bit of a debate. It’s great that we’re all in. There’s a big lovefest here.


Patrick Moorhead: Slapping each other on the back.


Daniel Newman: Everybody agrees about everything. I’m good.


Patrick Moorhead: Pat, Pat.


Daniel Newman: I got this.


Patrick Moorhead: You can do that too. Okay.


Daniel Newman: But no, I mean serious, I’ve asked you on the edge of role playing a little bit. Clearly you both have security and IT backgrounds. But where’s there some disagreement in the security and IT? Is it about going fast versus being really safe along the way? Because obviously, these companies are under pressure to grow, they’re under pressure to do. It can’t all be kumbaya. There has to be some disagreement.


Patrick Moorhead: Where’s the friction?


Daniel Newman: Don’t be so nice about it. Just go.


Patrick Coughlin: I’m sorry. Yeah, you go. I’m kidding.


Matt Swann: I’ll throw one piece. I think we are on a continuum between what I would call supervised and unsupervised learning when it comes to intelligence. And where humans are involved, supervision is involved. And it’s because when you think about the amount of data that’s out there and the importance of severity, when you talk about security incidents and the need to be right or financials, people’s money, you need to be right.And so, sometimes at this stage, we can’t fully trust yet, the computer to be unsupervised and do 100% of those things. And so, I think we will actively debate the bias, the accuracy, the maturity, the need for supervision, the need for some of those things. By the way, we should pursue all of it carefully and aggressively and test our way into it. But I think those are some of where you’re going to start to see potential regulators get all kinds of opinions get thrown in the mix.


Patrick Coughlin: Yeah. And I mean agree with that. But in the interest of being a little controversial, I would say we still have different cultures. If you look at security and DevOps or security and engineering. Engineering, software development, move fast and break stuff. Security, skepticism, trust, but verify, go slow, be thoughtful.And so, I think that kind of friction still exists at the people level and culturally sometimes in organizations, especially large ones. But if you allow me to be a little positive about it, what I think is really fascinating is as these teams are coming together, I think security operations can learn a lot from DevOps. I think we can learn a lot from the movements around toil and the way SREs talk about reducing toil. And what does that mean in the SOC and how do we leverage automation in our workflows the same way the SREs are? I think we’re going to learn more from each other and that will help us come closer together.


Daniel Newman: As we come to close here, and thanks for playing the game. When we get offstage, they can all hug it out. I digress. But observability has become really in vogue. It’s a combination of a little bit of a marketecture and a really important technology at the same time the way it’s being talked about. What are you seeing in terms of how observability is sort of driving home and helping solve this speed? Because it seems like the biggest problem for most companies is they’re not catching things fast enough. It’s very reactive. Observability is one of the keys to getting proactive, isn’t it? Getting on the front foot. Talk a little bit about how observability really drives faster incident reaction response to be able to be more proactive on the security front? And Pat, I’ll have you take that.


Patrick Coughlin: Yeah, I mean I’ll go quick and jump in. But we’re seeing more and more that an incident, is an incident, is an incident. It’s often difficult to tell whether it was an outage in your infrastructure or some sort of misconfiguration in an application or whether it was a DDoS attack. And companies are often smoke jumping incident responders into it before you know actually whether it’s a security IT or an engineering issue. And so, because of that, I think visibility becomes critical regardless of whether it is a malicious compromise or an adverse condition. And visibility into infrastructure services and applications, regardless of whether it was a malicious compromise or it was a misconfigured app or whatever. That’s really driving the proactivity is you can’t get proactive if you can’t see it.


Matt Swann: Yeah, I can’t agree more. And what I’d say is the challenge that I see with a lot of companies is when you stitch together, there’s a lot of beauty and open source and a lot of different things. But the more of these solutions you stick together to get to finite solutions, it gets more difficult to get to a clear, trusted single pane of glass that you can bring the right people together to diagnose and run through those things. Because you need to be able to trust and be informed to make better decisions about those things. I think the other thing I’d say is people are going to move further up the stack. Meaning it’s not only the logs are logs. And logs are incredibly valuable and we get a lot of information out of that. I think increasingly over time, in the same way you’re going to see people moving further up into the code to try and detect those things earlier with the use of AI, with the use of other capabilities.


Patrick Moorhead: Gentlemen, really appreciate your time. Good conversation about digital resiliency, rethinking it a bit. Looking into the future, but also keeping grounded in the present. And it was great to see from a CTO point of view. Matt, thank you. And from a go-to-market, sales point of view, Patrick, I appreciate that. Thanks coming on the show. We’d love to do a check-in in a few months as well.


Patrick Coughlin: Absolutely. Lots of fun, guys. Thanks.


Matt Swann: Sounds good. Thanks a lot.


Patrick Moorhead: Thanks for tuning in to the Six Five On the Road at Splunk .conf here in Las Vegas. Hang in there, tune in there. We’re doing about eight different videos and interviews. And hit that subscribe button if you like what you heard. Thanks a lot.

Read more Perspectives by Splunk

A racing vehicle at a pit stop surrounded by a pit crew.

August 22, 2023  •  7 Minute Read

4 Surprising Lessons Technical Leaders Can Learn From Pit Crews

Discover how the high-octane strategies of Formula 1 pit crews can fuel your technical teams’ performance, rev up precision and drive collaboration.

exec orders

JULY 11, 2023  •  5 Minute Read

Strategic Investments CISOs Should Make for Long-term Success

Philadelphia’s new deputy CISO shares tips on cyber hygiene, training the next generation of security leaders and more.


JULY 11, 2023  •  7 Minute Read

The Executive Imperative To Innovate With Resilience

IT and security leaders are in a balancing act. Mandates say everything must be cutting edge, but secure. If apps don’t have AI, you’re fired — but also, don’t let AI undermine business. What’s a CxO to do?

Get more perspectives from security, IT and engineering leaders delivered straight to your inbox.