 The Cube is back at VeeamON 2022. It's happy to be live. Dave Vellante, Dave Nicholson, and Dave Russell. Three Dave's. Dave is the Vice President of Enterprise Strategy at Veeam. Great to see you again, my friend. Thanks for coming on. It's always a pleasure. And Dave, I can remember your name. I can remember your name as well. So wow, how many years has it been now? I mean, that on COVID is four years now? Yeah, well, three. Three. Solid three, yeah. Last year, Miami. Little secret, we're going to go there again next year. OK, so you joined Veeam three. Oh, me four. Yeah, yeah, yeah. There's four, right, OK. Wow. I'm flies, man. Interesting, your background, former analyst. Analyze your time at Veeam and the market and the changes in the customer base. What have you seen? What are the big takeaways, learnings? Yeah, you know what's amazing to me is we've done a lot more research now ourselves. So things that we intuitively thought, things that we experienced by talking to customers and, of course, our partners, we can now actually prove. So what I love is that we take the exact same product. We go down market, up market, we go across geographies, we go different verticals, and we can sell that same exact product to all constituencies because the differences between them are not that great. If it was the three Dave company or the three M company, what you're looking for is reliable recovery, ease of use, those things just transcend. And I think there used to be a time when we thought enterprise means something very different than mid-market, than does SMB. And it's certainly your go-to-market plans are that way, but not the product plans. So the ransomware study, and we had Jay Buff on earlier. We were talking about it, and we just barely scratched the surface. But how were you able to get people to converse with you in such detail? Was it using phone surveys? Are you doing web surveys? Are you doing a combination? Deep dives? Yeah, so it was web-based, and it was anonymous on both ends, meaning no one knew of him was asking the questions. And also, we made the promise that none of your data is ever going to get out, not even to say a large petroleum company. Everything is completely anonymized. And we were able to screen people out very effectively. A lot of screener questions to make sure we're dealing with the right person. And then we did some data integrity checking on the back end. But it's amazing if you give people an opportunity. They're actually very willing to tell you about their experience, as long as there's no sort of ramification about putting the company or themselves at risk. So when I was at IDC, we did a lot of surveys, tons of surveys. I'm sure you did a lot of surveys at Gartner. And we would look at vendor surveys like, well, the questions are rigged, or it's really self-serving. I don't sense that in your surveys. You've still got that independent analyst gene. Is that, I mean, is it by design? Does it just happen that ransomware is a topic that just lends itself to that? Maybe you could talk about your philosophy there. Yeah, well, two-part answer, really, because it's definitely by design. We really want the information. I mean, we're using this to fuel or inform our understanding of the market, what we should build next, what we should message next. So we really want the right data. So we've got to ask the right question. So Jason, our colleague Julie, and myself, we work really hard on trying to make sure we're not leading the witness down a certain path. We're not trying to prove our own thesis. We're trying to understand what the market really is thinking. And when it comes to ransomware, we want to know what we don't know, meaning we've found a few surprises along the way. A lot of it was conformational, but that's OK, too, as long as you can back that up. Because then it's not just a vendor's opinion. Of course, a vendor that says that they can help you do something has data that says they think you and you have a problem with this. But now we can actually point to it and have a more interesting kind of partnership conversation about if you are like 1,000 other enterprises globally, this may be what you're seeing. And there are no wrong answers there, meaning even if they say that is absolutely not what we're seeing, great, let's have that conversation that's specific to you. But if you're not sure where to start, we've got a whole pool of data to help guide that conversation. Yeah, shout out to Julie Webb. She does a great job. She's a real pro and really makes sure that, like you say, you want the real answer. So what were some of the things that you were excited about or to learn about in the survey? Again, we just barely touched on it in 15 minutes with Jason. But what's your take? Well, two that I would love to point out. I mean, unfortunately, and Jason probably mentioned this one, only 19% answered when we said, did you pay the ransom? And only 19% said, no, I didn't pay the ransom. And I was 100% successful in my recovery. We're in Vegas, but one out of five odds. That's not good, right? That's a go out of business strategy. That's not the kind of 80, 20 you want to hear. That's not exactly, exactly. Now, more concerning to me is 5% said, no ransom was asked for. And my phrase on that is that's an arson event, it's not an extortion event, right? I just came to do harm. That's really troubling. Now, there was a huge percentage there that said, we paid the ransom, about 24% said we paid the ransom and we still couldn't restore the data. So if you add up that 24 and that five, that 29%, that was really scary to me. Yeah, so you had the 19%, okay, that's scary enough, but then you had the wrecking ball. Right. Oh, we're just gonna, it's like the mayhem commercial. Yes. Let's see ya, right? Okay, so that's wild. So we've heard a lot about ransomware. The thing that interests me is, and we've had a big dose of ransomware as analysts in these last 12, 18 months and more, but it's really escalated. Yeah. Seems like, and by the way, you're sharing this data, which is amazing, right? So I actually want to dig in and steal some of the data. I think that's cool, right? You gave us a URL this morning. So, but your philosophy is to share the data so everybody sees it. Your customers, your prospects, your competitors, but your philosophy is to why? Why are you sharing that data? Why don't you just keep it to yourself and do it quietly with customers? Yeah, you know, I think this is such a significant event. No one vendor's gonna solve it all. Realistically, we may be tied for number one in market share, statistically speaking, but we have 12 and a half percent, right? So we're not gonna be able to do greater good if we're keeping that to ourselves. And it's really a notion of this awareness level, this having the conversation and having that more open, even if it's not us, you think it's gonna be beneficial. It speaks to the value of backup and why backup is still relevant to stay in age. I don't know if you're comfortable answering this, but I'll ask anyway, when you were a Gartner analyst, did you get asked about ransomware a lot? No. Very rarely or never? Almost never. Yeah, and that was four years ago. Literally like seven years. It was a thing back then, right? I mean, it wasn't as prominent, but it was, I guess it wasn't that. 2016, 2017, you know, it's interesting because at a couple of levels, you have the willingness of participants to share their stories, which is a classic example of people coming together to fight a common foe, right? In the best of times, that's what happens. And now you're sharing that information out. One of the reasons why some would argue we've gotten to this place is because day zero exploits have been stockpiled and they haven't been shared. So you go through the lineage that gets you to not pet ya as an example and where did it come from? Hey, it was something that we knew about, but we didn't share it. We waited until it happened because maybe we thought we could use it in some way. It's an interesting philosophical question. I don't know where, if that's the third one. The third rail you don't wanna touch, but basically I guess we're just left to sort through whatever we have to sort through in that regard. But it is interesting, left to industries own devices, it's sharing an openness. Yeah, I also think it's like open source code, right? I mean, the promise there is together we can all do something better. And I think that's true with this ransomware research and the rest of the research we do too. We freely put it out there. I mean, you can download the link, no problem, right? And go see the report. We're fine with that. We think it actually is very beneficial. I remember a long time ago, it was actually Sam Adams that said, hey, there's a lot of craft brewers out there and now, are you as a craft brewery now successful? Are you worried about that? No, we want every craft brewery to be successful because it creates a better awareness while in the availability market. It's a really Boston reference whip. Another Boston reference, yes, thank you. Boston and what? So I feel like we've seen these milestone watershed events in security. I mean, Stuxnet sort of informed us what's possible with nation states, even though it's highly likely that US and Israel were behind that. The SolarWinds hack, people are still worried about, OK, what's next? Even something now, and so everybody's now on high alert, even I don't know how close you guys followed it, but the octa breach, which was a fairly benign incident and technically, it was very, very limited and very narrow. Let's go, but CISOs that I talked to were like, we're really paranoid that there's another shoot-a-drop. What do we do? So the awareness is way, way off the charts. It begs the question, what's next? Can you envision? Can you stay ahead? It's so hard to stay ahead of the bad guys, but how are you thinking about that? This isn't the end of it from your standpoint. No, it's not. And unfortunately, it's because there's money to be made. And the barrier to entry is relatively low. It's like hiring a hitman. You don't actually have to even carry out the bad act yourself and get your own hands dirty. And so it's not going to end, but it's really, security is everyone's responsibility. Veeam is not really a full-time security company, but we play a role in that whole ecosystem. And even if you're not in the data center, as an employee of a company, you have a role to play in security. Don't click that link. Lock the door behind you, that type of thing. So how do you stay ahead of it? I think you just continually keep putting a focus on it. It's like performance. You're never going to be done. There's always something to tune and to work on. But that can be overwhelming. So the positive I try to tell someone is, to your point, Dave, look, a lot of these vulnerabilities were known for quite some time. If you were just current on your patch levels, this could have been prevented. You could have closed that window. So the thing that I often say is, if you can't do everything and probably none of us can, do something. And then repeat, do it again. Try to get a little bit better every period of time, whether that's every day, every quarter, what case may be. Do what you can. Yeah, so ransomware, obviously, very lucrative. So your job is to increase the denominator so the ROI is lower. That's a constant game, right? Absolutely. It is a crime of opportunity. It's indiscriminate and oftentimes non-targeted. Now there are state-sponsored events, to your point. But largely, it's like the fishermen casting the net out into the ocean. No idea with certainty what's going to come back. So I'm just going to keep trying and trying and trying. Our goal is to basically, you want to be the house on the neighborhood that looks the least inviting. We've talked about this. I mean, anyone can be a ransomware, has to go on the dark web. Ransomware is a service. I can put a stick into a server and away I go and I get some Bitcoin for it. So organizations really have to take this seriously. I don't think they are. Well, you tell me. I mean, in your discussions with customers. It's changed. I would say 18 months ago, there was a subset of customers out there saying, vendors crying wolf, you're trying to scare us into making a purchase decision or move off of something that we're working with now. I think that's almost inverted. Now what we see is people are saying, look, my boss, or my boss's boss's boss, and the security team are knocking on my door asking, what are we going to do? What's our response? How prepared are we? What kind of things do we have in place? What does our backup practice do to support ransomware? The good news, though, going back to the awareness side is I feel like we're evangelizing this a little less as an industry, meaning the security team is well aware of the role that proper backup and availability can play. That was not true a handful of years ago. Well, that's the other thing, too. Your study showed the closer the practitioner was to the problem, the more problems there were. That's an awareness thing. That's not, oh, just those guys had visibility. I want to ask you, because you understand from an application view, there's only so much Veeam can do, and then the customer has to have processes in place that go beyond just the backup and recovery technology. So from an application perspective, what are you advising customers where you leave off and they really have to take over? This notion of shared responsibility is really extending beyond cloud security. Yeah, the model that I like is, interestingly enough, what we see with Kasten in the Kubernetes space is there we're selling into two different constituencies potentially. It's the infrastructure team that they're worried about disaster recovery, they're worried about backup, but it's the app dev dev ops team, hey, we're worried about creating the application. So we're spending a lot of focus with the Kasten group to say, great, go after that shift left crowd. Talk to them about data availability, disaster recovery. By the way, you get data movement or migration for free with that. So migration, maybe what you're first interested in on day one, but by doing that, by having this kind of capability, you're actually protecting yourself from day two issues as well. Yeah, so let's see. What haven't we hit on in this study? There was so much data in there. Is that URL? Is that some private thing that you guys shared? No, absolutely. Can you share the URL? Yeah, absolutely. It's VEE, so V2E's period AM. So Veeam with the period between the E and the A, forward slash RW22. So ransomware 22 is the research project. So go there, you download the zip file, you get all the graphics. I'm going to dig into it. Maybe as early as this Friday or this weekend, I'd like to sort of expose that. You guys obviously want this. I think you're right. Awareness needs to go up. To solve this problem, I don't know if it's ever solvable, but the only approach is to collaborate. So I don't think you're going to collaborate with your head-to-head competitors, but you're certainly happy to share the data. I've seen, Dave, some competitors have pivoted from data protection or even data management to security. Yes. I wonder if I could run a premise by it. I see that as an adjacency to your business, but not sort of throwing you into the security bucket. What are your thoughts on that? Yeah, it certainly respects everything other competitors are doing. And some are making some good noise and getting picked up on that. However, we're unapologetically a backup company. We're a backup company first. We're worried about security. We're worried about data reuse and supporting shift-left types of things, but we're not going to apologize for being in the backup availability business, not at all. However, there's a role that we can play. Having said that, we're a role. We're a component. If you're in the secondary storage market, like backup or archiving, and you're trying to imply that you're going to help prevent or even head off issues on the primary storage side, that might be a little bit of a stretch. Now, hopefully that can happen that we can get better as an industry on that, but fundamentally, we're about ensuring that you're recoverable with reliability and speed when you need it, no matter what the issue is, because we like to say ransomware is a disaster. Unfortunately, there's other kind of disasters that happen as well. Power failure still happened, as you still occur, et cetera. So all these things have to be accounted for. One of our survey data points basically said, all the things that take down a server that you didn't plan on, it's basically humans at the top. Human error, someone accidentally deleted something, and then malicious humans, someone actually came after you, but there's a dozen other things that happen too. So you've got to prepare for all of that. So I guess what I would end up with saying is, you remember back in the centralized data centers, especially the mainframe days, people would say, we're worried about the smoking hole or the smoking crater event. The probability of a plane crashing into your data bunker was relatively low. That was what got all the discussion, though. What was happening every single day is somebody accidentally deleted a file. And so you need to account on both ends of the spectrum, but we don't want to over rotate, and we also, we don't want to signal to 450,000 beam customers around the world that we're abandoning you that we're not about backup. That's still our core effort. You know, it's pretty straightforward. You're just telling people to back up in a way that gives them a certain amount of mitigation or protection in the event that something happens. And no, I don't remember anything about mainframe. Key does, though. Much older than me. DFSMS. So I even know what it stands for. Count key data, don't even get me started. So, and it wasn't, thank you for that answer. I didn't mean to sort of set up question, but it was more of a strategy question and I wish I could put on your analyst hat because I feel, I'll just say it, I feel as though it's a move to try to get a tailwind. Maybe it's a valuation play, I don't know, but it resonated with me three years ago when everybody was talking data management and nobody knew what that meant. Data management, I'm like, Oracle? Right. And now it's starting to become a little bit more clear, but Danny Allen sort of said, it's all about the backup. I think that was one of his key note messages. So that really resonated with me because I said, yeah, it starts with backup and recovery and that's what matters most to these customers. So it really was a strategy question. Now, maybe it does have a valuation impact. Maybe there's a big market there that can be consolidated. This morning in the analyst session we heard about your new CEO's objectives of grabbing more market share. So that's an adjacency. So it's gonna be interesting to see how that plays out. Far too many security vendors as we know. The backup and recovery space is getting more crowded and that is maybe causing people to sort of shift, I don't know, whatever, right or left. I guess shift right, I'm not sure. But that's gonna be really interesting to watch because this has now become a really hot space after some really interesting momentum in certain pockets, but now it's everywhere. It's kind of ubiquitous. So I'll give you the last word, Dave, on day one, Veeamon 2022. Yeah, well, boy, so many things I can say to kind of land the plane on, but we're just glad to be back in person. It's been three years since we've had a live event. In those three years, we've gone from 300,000 customers to 450,000 customers. The release cadence even in the pandemic has been the greatest in the company's history in 2020-2021. There's only about three dozen software-only companies that have hit a billion dollars and we're one of them. And that mission is why it hasn't changed and that's why we wanna stay consistent. One of the things Danny always likes to say is, we keep telling the same story because we're not wanting to deviate off of that story. And there's more work to be done. And to Anna's point, you know, hey, if you have ambitious goals, you're gonna have to look at spreading your wings out a little bit wider, but we're never gonna abandon being a backup. It's clear to me, Dave, Anna was not brought in to keep you steady at a billion. I think he's got a site set on five and then who knows what's next. Dave Russell, thanks so much for coming back in theCUBE. Great to see you. Always a pleasure, thank you. All right, that's a wrap for day one, Dave Vellante and Dave Nicholson. We'll be back tomorrow with a full day of coverage. Check out siliconangle.com for all the news, youtube.com slash siliconangle. You can get these videos, they're all flying up wikibon.com for some of the research in this space. We'll see you tomorrow.