On this episode of The Six Five – Insider Edition, hosts Daniel Newman and Patrick Moorhead welcome Commvault’s Sanjay Mirchandani, President and CEO, for an inside look at Commvault’s announcement on the launch of Commvault Cloud, powered by Metallic AI and their upcoming virtual event, SHIFT: The Global Cyber Resilience Event, happening today at 10 am PT.
Their discussion covers:
- How the approach to cyber resilience differs from what others in the industry offer, and how Commvault is delivering AI innovation
- What is driving Commvault’s partnership ecosystem
- Why cyber resilience is so critical and how involved CEOs and Boards should be in assessing a company’s overall risk posture
- What the future holds for Commvault, and more details on today’s virtual event SHIFT: The Global Cyber Resilience Event
Learn more about SHIFT: The Global Cyber Resilience Event here and register today.
Be sure to subscribe to The Six Five Webcast, so you never miss an episode.
You can watch the full video here:
Or Listen to the full audio here:
Patrick Moorhead: The Six Five is back, and we are virtually at Commvault SHIFT here talking some amazing data technologies. Daniel, it’s great to see you, my friend.
Daniel Newman: It is good to be back. And yeah, I mean data, cyber resiliency, security. So much going on, Pat. Of course, all wrapped around a 2023 theme that has been relentlessly centered around AI. It’s another opportunity here to have a conversation with someone that I don’t think we’ve ever had on the show before.
Patrick Moorhead: No, we haven’t. A first-timer I’d like to introduce, our esteemed guest. Sanjay, great to have you on The Six Five, and we hope that… We’re excited about the first one, but hope to see you on again.
Sanjay Mirchandani: Great to be here, guys. Thank you.
Daniel Newman: It is great when we can time travel around, we can be anywhere and everywhere, and that was one of probably the best outcomes of the difficult years we’ve just gotten through. It’s also very exhausting, Sanjay, so you can see all of us in different places at once, but we’re here together. Pat and I have been following the company for some time, Sanjay, and you’re known as a leading data protection company. But here at the event, at least to us, it sounds like you’re really changing, you’re moving much more broadly, you’re moving into cyber resiliency. Talk to us about how you’re thinking about the market, how you’re approaching it. What do these announcements mean for what’s next for Commvault?
Sanjay Mirchandani: That’s exactly it. Commvault’s been in the business for 27 years, and what we’ve done over these years is protect our customers’ mission-critical data. We’ve kept ourselves very true to our purpose, and protection of data over the years has meant different things. Today it’s all about cyber threats, but we still have data centers getting flooded, or getting wiped out in a hurricane, or bad things happening in natural ways, or insider issues and threats. The old stuff doesn’t necessarily go away, but there are new vectors that keep evolving; and cyber has become a key vector that we have to protect data against, because that’s what the bad actors want. What we’re doing here at SHIFT is really I think turning the industry on its head, disrupting from within, and saying the world of data protection, as we’ve come to know it, and the world of data security as we have come to know it, are becoming one; and when they become one, the real purpose behind what you’re trying to do is give your business resilience. And so today, we’re talking about cyber resilience, and that encapsulates a few factors around data protection, security, AI, you mentioned AI, and Bulletproof Recovery. That’s the gist of what it’s all about.
Patrick Moorhead: Yeah. I mean Commvault’s a reflection of the market and what the market needs. We’ve matured over the years. We had this notion years back that perimeter-based security, “We’re going to keep everybody out. Okay? Don’t even ask us about what happens when somebody gets in to get them out,” and then the industry realized that, “Okay, people are going to get in, and now how do we get them out?” Then we’re in this third stage which is, “Okay, they’re going to get in, we have to get them out, but they’re going to do some damage while they’re here, and they might stay. Heck, they might be latent and sit there for a while,” and then that’s where ransomware protection, and things like that, came in. But I do have to ask, with this leaning into cyber resiliency, does it mean that data protection isn’t important anymore?
Sanjay Mirchandani: No. Resiliency is a superset. Data protection is still at the heart of it. You described the left side of that continuum, which is about defending, and identifying, and hoping that you can block them from coming in. And then assuming that they come in, which is what I like to give my peer group as advice, which is, “Please assume they’re going to get in. If that’s going to happen, how are you going to ready yourself for it, and how you’re going to recover yourself from that?”
Patrick Moorhead: Right.
Sanjay Mirchandani: And so data protection is still at the very heart of resilience, but we’re bolting on a ton of data security, we’re bolting on a ton of AI. And really we’ve spent, in the past 10 years, over a billion dollars in R&D, and a lot of R&D is about recovery.
Patrick Moorhead: Yes.
Sanjay Mirchandani: Okay? And really making sure that, if something bad happens, and recent studies show that bad things… 60-odd-percent of the folks we interview assume in the next 12 months something bad… It’s highly likely that there’ll be an infiltration within their defenses. If that’s the assumption, be ready. Cyber resilience becomes very important.
Daniel Newman: You’re building, you’re expanding, you’re platformizing in many ways; that’s been the theme of tech companies looking for scale. It’s not just a product, certainly not just a feature. It’s about building a platform that is extensible, and customers can do more of what’s important to them, and that’s what I’m sensing. You have a platform called Commvault Cloud powered by Metallic AI. I always make sure I get those right.
Sanjay Mirchandani: You got it right.
Daniel Newman: Great. Break those down, though. Because I think a lot of times what happens is companies launch platforms, people are like, “Product platform. Platform product,” they’re trying to untangle what’s marketecture, what’s real. Break these apart really quickly. Explain how it’s a platform, how it relates to SaaS, and what the vision is of platformizing the Commvault portfolio.
Sanjay Mirchandani: Your question is, “What makes it a platform? What happened to Metallic, the SaaS capabilities? How do these things come together?” and that’s a great question. I’m going to detangle it by starting with Metallic. We disrupted ourselves four years ago by building Metallic. We said, “We know how to do data protection. We’re the leaders in it. Can we do it better? And the world is moving to SaaS. Can we build a great new capability and a great new experience?” We almost created a startup inside of the company; funded it, ran it like a startup, and we got Metallic. For the past four years, Metallic has been at the forefront of customers moving their workloads to hybrid cloud. It was written ground-up. It was a brand new SaaS platform. We’ve taken that and put it in the forefront of security. So our security capabilities, your immutability, your copies of your data that you want in a catastrophic situation, are protected and served up by Metallic, and we’ve learned so much.
Being a SaaS platform in the past four years as customers, we have over 4000 customers. It’s one of the fastest growing infrastructure products in the history of infrastructure products. We just crossed 130 million in ARR. We took everything we’ve learned over the past four years, all the customer feedback, their interactions with the technology and infused it with AI, which we were doing anyway because we really saw AI playing a key part. Now we’ve had AI in different ways, older generations of AI capabilities of AI in the product. But now we’ve really infused it with all the new technology, the new AI. And we were able to take what we’ve built ground up and make it the platform for all delivery. And as we’ve infused it with security, as we put AI into it, as we put new workflows into it and we took our old design principles of no workload left behind, and we’ve been able to bring it into a platform completely extensible, API based.
In fact, we’ve got a new AI capability. We call it Arli. Everybody names their AI these days. So ours is Arli. It’s about autonomous resilience. That’s the moniker. And what Arli can do for you is spit out code that you can use to integrate into your environment. It can give you analytics on where you have vulnerabilities, it can do threat scanning for you and tell you, “Hey, this data looks like it’s compromised.” So we brought all that into a platform and we said, “Why should a customer have to choose unnaturally between software or SaaS?” And so we’ve been able to engineer the control plane of this technology in such a way that it insulates itself from having to make those unnatural choices. So it brings it all together as a new platform. It’s called Commvault Cloud, and it’s powered by Metallic AI. So that’s the genesis.
Patrick Moorhead: Yeah, I’m really glad to hear you talk like that. What I mean by specifically is I’m pretty sure all enterprises have embraced the hybrid multi-cloud. And that’s not that they don’t want to do the public cloud, and it doesn’t mean that they don’t want to do on-prem. The reality is, is that 75% of all the enterprise data is still on-prem or the edge, okay? And that’s after 14 years of the public cloud. Doesn’t mean that there’s something wrong with the public cloud or wrong with on-prem, but it’s just the reality and the complexity. And what enterprise they’re looking for, one thing they’re looking for is they want a single way to control and manage that data and protect that data, whether it’s in the public cloud or on premises. So I applaud the approach.
And to increase efficiency by layering on an AI assistant is obviously important. I think Dan and I have spent 75% of our time in the last nine months as analysts in our companies fielding ways for enterprises to better field generative AI. So you’re hitting on a lot of things there. I want to ask a very point-blank question here. There’s a lot of cyber resilience companies out there. How is what you brought out different?
Sanjay Mirchandani: That’s a great question. So part of the approach that we take, and I’m going to boil it down as much as I can, is no workload left behind. A lot of companies chase the new workloads, chase the shiny new toys in the cloud saying, “Oh, we’re going to protect the cloud native stuff.” What about the 75%, to your point, that runs the enterprise today? You can’t just say, “We’re not going to touch that, or we’re not going to upgrade that, or we don’t really like that. It’s not cool.” Our philosophy is no workload left behind, Patrick. And when I say no workload left behind, if I need to have some dinosaur system protecting this and some state-of-the-art system protecting this and something in between here and this workload, I’m not even sure it’s protected.
Patrick Moorhead: Right.
Sanjay Mirchandani: When the light gets through that landscape, that fleet of technology, generational technology, the bad guys use those as vectors to get in. So first thing that they’re different with is, no workload left behind, okay?
Patrick Moorhead: Right.
Sanjay Mirchandani: The second is no unnatural choices. Why do you have to choose between SaaS and software? Just because I only have SaaS or I only have software? No, I’m going to give you both and I’m going to give it to you in a singular unified control plane, okay? Number three, policy engines. Let me tell you why our policy engine is so powerful. It cuts across any workload. So here, let’s boil that down. If my policy engine supports 80% and not the 20%, this human intervention, that’s a flawed strategy. We have a singular policy engine and now completely powered by Metallic AI. So those are just three of the top areas. Outside of that, we don’t sprinkle things. I don’t do storage one day and something else another day. I protect data, and with tons of security, tons of AI and all about recovery. That’s what makes us different.
Patrick Moorhead: Thank you.
Daniel Newman: Tons of AI.
Sanjay Mirchandani: Tons of AI, yeah.
Daniel Newman: You just opened up a new qualifying metric.
Patrick Moorhead: You said it.
Daniel Newman: The Futurum performance lab is going to be measuring metric tons of AI.
Sanjay Mirchandani: Let me give you a little thing that might get you to understand why I use expressions like that. When we were naming Metallic, people go, “Well, Metallic sounds like it sounds heavy, and this is a SaaS product.” I said, “Metallic is also strong. It protects, it’s hard to penetrate.” And so for me, I tend to use weight-based monikers for products and descriptors.
Daniel Newman: No, I thought that was actually pretty good and I just couldn’t miss the opportunity to transition so nicely into AI. So I appreciate you doing that. Let’s go there, Sanjay, because you said tons of AI, a lot of AI, a metallic volume of AI. Tell us a little bit about the AI story because right now what I would say is after something like a hundred events here to date, not to mention thousands of virtuals and endless conversations, media questions, everyone’s got an AI story. What’s yours? What is the Commvault “We are different. We’re doing this” story?
Sanjay Mirchandani: Okay. So again, coming back to the company we are, when folks were ransomware watching stuff, we didn’t. We said, “At the end of the day, what you want to do is protect your data and you’re protecting it from cyber threat.” So we just built lots and lots and lots of protection capabilities into the technology. We’re the same with AI. People have made all kinds of announcements that you be the judge of how deep they are, how real they are, how much they work, or how available they are, but we didn’t. We waited. We were building that technology. We were excited about it because the way our architecture works, it’s not a bolter. I’m not bolting on AI on top of something and saying, “Hey, here’s a module that’s AI.” You’ll see some of my industry… It doesn’t make sense.
What we do, if you look at the lifecycle of what we do, you can drive true operational efficiency with AI in the product, all kinds of automation, all kinds of operational efficiency, all kinds of analytics. Because when I’m seeing tens of thousands of customers data coming in and signals, and when we’re talking to the ecosystem, we can really process that at scale and give that value back to our customers through their interactions with the product, the policy, the learnings, the detection, the threat analytics, all of that stuff, so the operational elements of it, the analytical elements of it, and the recovery elements of it. I mean, let me tell you the number one question I get from CIOs. “Sanj, I get it. I get the fact that you guys know how to recover. Where do I recover from?” Okay. Now, let’s double click that and I’ll give you a premium example for AI in our product that’s out with SHIFT, with this release.
Let’s say the bad guys, the bad actors, got it in June, you didn’t detect them at all, they were sleeping. They woke up, started moving, left to right, and got someplace in August. And they delivered the payload in November. Now, chaos hits. Where do you recover from? What’s the cleanest recovery point for you in that lifecycle of time? Our recovery modules that are now infused with AI will give you a very predictive date, time, recovery point, that says this is the cleanest place to go. Not only that, we’re using AI in the cloud to spin up a clean room, an absolute clean room environment in minutes, like this. At a fraction of the cost it would take you to do it with your own capabilities. And with AI, we will take everything, the lifecycle from the point that we tell you to recover from, all the way through recovery. At a cost point that I challenge anyone to beat. So, I’m giving you examples of AI being used operationally, used in an analytical way, and then most importantly, in my opinion, used for recovery and security. It’s all there in the product.
Patrick Moorhead: So, Sanjay, doing what you’ve done for so long, one thing I’ve noticed, and it’s funny, I go to so many trade shows, and invariably I’ll run across, at one of your partner’s trade shows, Commvault. You have anywhere from infrastructure providers, to CSPs, to solution providers, all over the gambit. And you’re re-upping with this announcement here at SHIFT, with partners. Can you talk about your integration strategy, partnership strategy, maybe in the context of the new offerings here with Commvault Cloud, with Metallic AI?
Sanjay Mirchandani: Absolutely. So, our philosophy has always been that you’re backing something up to someplace. It’s never that I’m just operating on my own. And because of our decoupled architecture, we can run on a multitude of servers. We can back up a multitude of workloads, and we can write to everything. So, if I’m backing up an Oracle application, I need to understand the Oracle application so I can bring back state when I restore it. And so, for us to partner, we have to first engineer very deeply, and that means we have to sit together and make sure that we are building a better integration, a real integration, with real edge, so that when customers deploy our technology, all they do is tweak it to their environment, they don’t have to go build the technology. That’s our responsibility. And we’ve always… I think we’ve done well because of that. A big part of it is because of that.
And now, with Commvault Cloud, if you take that same philosophy and you say, the continuum that you brought up earlier, Patrick, which says, you go from identifying and defending and all of that lifecycle, all the way to recovery, and if we think those worlds are coming together, I don’t do those things, that’s not what I do. But I talk to those things, and they talk to us, and it’s important for us to make sure that the source sees something. We bring it into our analytics and we make sure that, is that data that we’re backing up clean? Not clean? Quarantinable? What should we be doing with this? And so, the integrations now are in the world of security. You’ll see a ton of… I’m using that word again. You’re going to see a lot of security based integrations, that are real, that are very important, AI based, so that really, you’re doing more with data, for example, with Databricks, we’re doing some really, really cool things.
And we continue across the cloud providers, because at the end, the cloud is still a destination that’s going to be one, whether it’s been 14 years or more, it’s a destination, and folks are on the way. And so, the cloud providers, the integrators who actually get things done for our customers, AI partners now, and security. And so, we’re not trying to do everything, but the platform, like you said, is extensible and incorporates end-to-end capabilities for our customers, so they don’t have to do it.
Patrick Moorhead: Thanks.
Daniel Newman: So, Sanjay, I always think it’s the inside out perspective that can be somewhat of a limiting factor, and the outside in perspective, that really drives. Companies that have the outside view of greatness, meaning their customers, their partners, their ecosystem, tend to always strive more when it’s insular. So, as respective as CEOs of our company, it’s great when we tell people we’re good, it’s better when the customer does. And your customers are CIOs. And you’re a rare CEO because you work. And I say that because, Pat, we talked to dozens of CEOs in any given quarter, hundreds a year, I can’t think of another one off the top of my head, I’m sure there is, that actually rose to this position of leading a publicly trade company, through the technology or information role. Talk a little bit about that, and give us your own lens, because this is, in my opinion, going to be the lens of your peers, and the ones that are relying on Commvault. You looked at the tech, decided this was something you could lead, and be successful.
Sanjay Mirchandani: I’m my own CIO’s worst nightmare. But I’m blessed in that I had the opportunity to be a CIO, I wasn’t the career CIO, so I came at it as a business person thinking about the issues. And barely had I taken over, that RSA, at the time, RSA technologies, which we had just acquired, was breached. And back then a breach… was not something you talk about over a cocktail, in these days, where people say, oh yeah, we got breached last week, and this happened and that happened. It was unprecedented in many ways. It was… I could write a book on what happened. But what it taught us, what it taught me was that they will get in. And so fundamentally, that’s the philosophy that I always work with. I’m not trying to scare people. There was a recent situation that we were involved helping with where actually the damage was caused on the inside. Didn’t even have to jump over a wall or a moat. They were on the inside.
So if you assume they’re going to get in, let’s look at it from the lens of what has to happen. What happens when you find out that you’ve been breached is absolute chaos, even if you’ve been prepared. And you go back to basics, the war room, what have you got, when did they get in? You’re trying to do forensics, you’re trying to shut off the network. It is chaos. And when chaos rains… When I was CIO and then it happened, there was no outside world telling you that it happened today. The bad guys are publicizing it the minute it happens. So every second feels like an hour. I’ve been in these situations. We help customers every day to recover. So the lens I always wear is, first of all, they’re going to get in. Number two, it’s an absolute kick in the gut to the IT and security organization because they naturally feel they let their team down. And what you need at that point is not about finger pointing. What you need is technology that’s been tried, tested. You have a playbook and you can get on with it. You’ve tested it, you’ve been waiting for this moment.
And that is exactly what I try and… the questions I ask my product teams is from the viewpoint of A CIO, maybe an aging CIO, but a CIO all the same, and say, “What would happen? How would this help the CIO answer the questions? How does this accelerate the time to recovery? What cost is involved with this?” Because at the end of the day, CIOs have to work off an envelope, which gets smaller and smaller sometimes. So I think every one of those philosophies has found its way, slowly but surely, into Commvault cloud. And if you look at things like Cloudburst Recovery, this is where we spin up a clean room like that, in the cloud, to get on with the recovery and not have to figure out how to do that. Or the clean room itself, ready on a button. You hit a button and you get a clean room, whether you’re doing the simulation or you’re doing a recovery, a real recovery. Okay. Things like that. And for better or for worse, having been a CIO, I think I speak for CIOs.
Patrick Moorhead: Listen, I a hundred percent buy into the do something first and have empathy for your potential clients. I spent over 20 years in products, product management, product marketing, corporate strategy, and my job as an analyst and the way that I run my company is exactly the same. So obviously I agree with that. So as a former CIO and CEO of a tech company, governance is part of the board process and part of the overall process. We’ve seen boards be held accountable for the degree of cyber resiliency. We saw a recent CISO get charged recently as well. I’d love to get your take on boards assuming this risk, overall risk posture.
Sanjay Mirchandani: Sure. Private or public at some level, doesn’t matter. If you’re serving customers and shareholders of whatever kind, this is a risk. This is not a looming risk. It’s a real risk. It’s not something that may happen, most likely will happen. So if it’s that dominant out there today, it behooves us all in the positions that we have as CEO to really look into it. Even if you’re not an expert, get an expert. Get somebody who can advise the board on what needs to happen. There are a lot of folks that are smart and can do that, and get smart on it. Just like you are smarter on supply chain today than you were three years ago. Because you have to deal with it. Everybody dealt with it. My point of view is whether the SEC mandates it or your own board mandates it, have a board member that’s a lead on cyber issues. Make sure you’re holding the management team accountable for cyber issues. Look at their test plans, look at their run books, and look at technology like ours to say, how much automation do you have? How much AI are you using to make it foolproof? These questions need to be asked. And you don’t have to be an expert, but you have to have that lens of governance and making sure that you’re asking the hard questions of the team to make sure they’re thinking it through.
Patrick Moorhead: Makes it a board discussion, doesn’t it?
Sanjay Mirchandani: A hundred percent.
Daniel Newman: Yeah. I’ve been saying this for a while. The conversations have gone across the continuum, Sanjay, over some period of time, with some companies trying to figure out at the board CEO level, how do we minimize IT expense? How do we do as little as possible and then get away with it. And I’m saying we’re seeing it shift. And obviously, with the attention that breaches have gotten with the attention of transformation and now AI, boards have become straight up technological machines. They realize that these companies cannot compete and we cannot govern if they don’t lead on technology and they don’t keep customers data safe, private, and secure. You’ve touched on a lot of that here. We’ve only got about a minute left. I just want to make an observation and maybe get a comment from you. It seems to me like the Commvault that most people, it feels like this is not your mother’s Commvault moment. It’s not your father’s. Are you kind of ushering in a new era and looking to be seen in a new look? Because it just feels very different. And by the way, as an analyst, this is a moment where I say different and good synonymously.
Sanjay Mirchandani: Oh, thank you for noticing. We’ve been hard at work. I inherited a great team and great technology that we’ve shaped into some really good product. We’ve got over 1,350 patents in the field that we operate in. We’ve spent over a billion dollars and 10 years in R&D where we engineer. And what we’ve done over the past, at least the last five years, is really focus on the customer experience and making sure that we’re delivering to the customer best-of-breed technology in a consumable way. And we’re not afraid to disrupt ourselves. We did it with Metallic, and we’re doing it again. We’re doing it again with Commvault Cloud. And the need of the moment is resilience. We all should be worrying about making sure our businesses can withstand things from the outside in. And right now the outside end is cyber, and we need to get really good at it, and we think what we’re bringing to the world is disruptive and solid. So it is definitely not Commvault of five years ago or 10 years ago. For sure.
Daniel Newman: Sanjay, I want to thank you so much for joining Patrick and I here on the Six Five Insider Edition, right from SHIFT. It’s been great to talk about your announcements. I’m excited to continue to follow. I think I could say this on behalf of both Patrick and myself. We’d love to see innovation. We’d love to see how it creates more competition. More competition then brings more innovation. And as analysts, that’s really all we can hope for. But best of luck. Best of luck with the event. Keep going, and we look forward to having you back again soon.
Sanjay Mirchandani: Thank you both. Thank you both.
Daniel Newman: All right, everybody hit that subscribe button. Join Patrick and I for all our coverage here on The Six Five. For this episode, it’s time to say goodbye. We’ll see you all later.