Data Protection and Governance

With the growth of consumer and enterprise data, the need for transparency and data protection has increased dramatically. Watch industry analyst and CXOTalk host, Michael Krigsman, explore this crucial topic with Mike Palmer, the Executive Vice President and Chief Product Officer at Veritas.


Jul 27, 2018

As Chief Product Officer, Mike is responsible for driving Veritas’ $2.5 billion products organization, which includes the Veritas Information Availability, Information Management, Backup and Recovery and Appliances portfolios.

Prior to this role, Mike was Senior Vice President and General Manager of Veritas’ Solutions for Data Insight and Orchestration organization, where he drove the strategic vision for bringing Veritas Information Availability and Insight solutions to market.

He has extensive leadership experience across diverse roles and technology areas, with companies ranging from startups to the Fortune 20. Mike joined Veritas from Seagate Technologies, where his responsibilities as Senior Vice President and General Manager (GM) of the Cloud Services business unit included engineering, product management, sales and marketing, service and operations and profit and loss management.


Michael Krigsman: Every consumer and every business person cares about privacy and the impact of privacy breaches are considerable on all of us. Today, on Episode #298 of CXOTalk, that is our topic. I'm Michael Krigsman. I'm an industry analyst and the host of CXOTalk.

Now, before we begin, subscribe on YouTube. I want you to tell your friends. Call them up. Invite them. Invite your family. Subscribe on YouTube.

Without further ado, I'm very thrilled to welcome our guest today. Mike Palmer is the executive vice president and chief product officer of Veritas. Hey, Mike. How are you? Thanks for being here.

Mike Palmer: It's my pleasure, and I am doing great sitting here in Madrid, Spain, actually, enjoying a bunch of client visits.

Michael Krigsman: Madrid is a lovely city, and lucky you to be there this summer.

Mike Palmer: I agree wholeheartedly.

Michael Krigsman: Mike, tell us about Veritas.

Mike Palmer: Veritas has been around for a few decades. We are the leading market provider of data protection and storage, software-defined storage services. We're about a $2 billion company. We are global. We service customers across the world and have been enjoying working in that industry for 30-plus years.

Michael Krigsman: Mike, you're chief product officer. What does that mean you do?

Mike Palmer: I have a few different responsibilities here. Foremost among them is setting the product roadmap, understanding where customers' needs are going and, obviously, keeping a pulse on industry trends, as I know you do as well. I also have responsibility for our engineering teams, pricing, and product marketing.

Michael Krigsman: You're responsible for the product roadmap, you spend a lot of time with customers, and you're responsible for engineering. Presumably, bringing these pieces together shortens the pathway between what the customers want and the products that you're ultimately building.

Mike Palmer: It certainly is our intent to make that so. One of the beauties, working in software, is it's one of the best industries to really incorporate customer feedback quickly and try to get value to them in ever faster release cycles. Being able to work that from the product marketing angle all the way through the engineering delivery is a real privilege.

Michael Krigsman: Now, Mike, we're talking about data privacy. I think, on the surface, it's, "Okay, well, just don't give away your information," right?

Mike Palmer: Right.

Michael Krigsman: It's fairly trivial. Yet, it's actually a very complex problem, and so maybe you can share with us what are the components of data privacy. Where do some of these complexities arise from?

Mike Palmer: Yeah. Data has been a topic for many, many years. Many of our customers, at times, confuse or often speak of security and data governance in the same sentences. For the most part, they're very different topics. Where security started was from a very preventative mindset in terms of keeping the bad guys out, so to speak. We got very good at things like networking, firewalling, and policy controls for access.

When we think about data governance, we have a much more complicated problem. We have to understand the data that we're storing, the type of data that it is, its use patterns, a very evolving landscape in the regulatory market, if you will, with data privacy laws covering certain countries or certain industries. Those laws are proliferating. Trying to get into the data itself and find almost what looks to be like a needle in the haystack, and then creating policy for managing data on that basis is very difficult for most businesses.

Michael Krigsman: The issue of data privacy then, ultimately, is one of governance?

Mike Palmer: I believe it's one of governance. Obviously, that is an easy thing to say and a very hard thing to do because governance starts with visibility. Many companies struggle to even understand what they're storing. They've struggled with that for many years, but it often came from more about cost management point of view rather than really trying to understand the depths of the information or data that is being stored.

Now, you have significant growth in what's called unstructured data. This is data that wasn't easily organized into tables with rows, columns, and headers to make it very clear to the user what data is there.

We're seeing a proliferation in use cases like the Internet of Things, obviously, file servers that are dating back many years. You have companies trying to move to the cloud but, at the same time, being caught in regulatory frameworks that they don't understand. In many cases, having to look at data that's been sitting stale for many years as well.

Governance is starting with a very basic visibility problem. Of course, from there, it goes to even harder problems like classification and policy management, at a time when companies are trying to cut costs and really trying to automate a lot of this process.

Michael Krigsman: There's a very detailed chain that must be in place from beginning to end in order to ultimately ensure that data privacy is maintained.

Mike Palmer: That chain often starts with some of the first links that were put onto it. When you think back to what archiving data has meant for so many years has been taking active data, pushing it off to tape somewhere, allowing a truck to cart it off to some storage facility and, more or less, forgetting about it at that point. That data has now come into question in terms of the regulatory frameworks impacting it, whether there's personally identifiable information there. Regulators are increasingly interested in understanding how that's being managed and controlled.

Of course, at the same time, you have a lot of opportunity with that data. The chains now extend all the way to the use of data, so we're looking at more and more companies that are trying to amass this data and do better analytics with it. They're no longer looking for general trends. They're trying to, for example, find targeted marketing opportunities, which means not generalizing the data, but often looking at the specific abnormal parts of the data, if you will, or the abnormalities in the data. The chain goes from decades-old tapes all the way through very modern data analytics techniques and everything in between.

Michael Krigsman: The obvious question then is, what should companies be doing about this? How do you grapple with the problem?

Mike Palmer: This is something that we all struggle with, to be very frank. There are very few customers that have figured this out, and there are very few suppliers that have an end-to-end answer. What we talk most about with the customers that we deal with is that visibility as the starting point. Typically, for customers, that often means the challenge of very heterogeneous architectures. They're working storage and applications that have been in the data center for decades, all the way through applications they're deploying to SaaS providers or buying from SaaS providers deploying in cloud.

How do these customers start with the idea of creating some sort of orchestration framework that gives them visibility into data across all of these systems? And, not just visibility, but in-depth visibility? Not that they have data and that particular user touches it but, rather, what's in that file? Is there financial information? Is there a social security number, an email address?

Then, of course, you have to figure out how to do that at scale. It's not just about the heterogeneity. It's petabytes worth of data at a time when data, the creation of data, is still accelerating. Visibility really is kind of the first step for many of at least our customers in the process of getting to data governance.

Michael Krigsman: Given the importance of visibility, can you elaborate on what you mean by visibility? Make that more specific for us.

Mike Palmer: I'll start with our CIO friends out there. One of the challenges that CIOs have just to understand what's in the storage architecture, typically, is a process of going to a storage engineer and asking them to produce a reasonable summary, typically given to you in some sort of CSV file that tells you on this line I've got this amount of data. It's been there for a certain amount of time, and I think it's associated with these applications. Then they have to follow the chain back to the application owner, figure out what it is that that application did and how critical is that data, often then going to some sort of, let's say, governance institution, let's say at a bank, and understanding, well, what kind of regulatory framework applies to that data?

This challenge just makes it very difficult to create an opportunity to make quick decisions. Many of the customers that I talked to struggle with a very basic question of delete. What data can I delete? There are so many people involved in that decision-making chain to go back to that metaphor that most companies have just sort of abandoned it over time and decided that storage prices are dropping, so I'm just going to keep everything. Of course, that's changing now with the laws changing.

But, that basic challenge from a CIO of just understanding I'd rather be able to look at, let's say, just a basic graphical Web interface. I'd like to be able to see not what a LUN is because maybe I don't even know what that is anymore. I'd just like to understand my applications, the users, the data on them. If it's personal information, what kind of personal information is it? Maybe getting sophisticated in understanding what countries it's stored in and what are the laws associated with that data so that you can start to see the basis of policy execution and policy enforcement.

I think Veritas, along with a number of other companies, are really trying to expose the data that are inside of these systems, try to make it more real and, when I say "real," more understandable to the end user of an application rather than simply to an infrastructure provider inside the application's supply chain.

Michael Krigsman: All right, so you've got now greater visibility. You know where your data is being stored. You have a better sense of the type of data that's being stored, but even just getting to that point seems extremely nontrivial to me.

Mike Palmer: I actually think it's the hardest part. The history of providers that have not necessarily been the most forthcoming with open standards in terms of access protocols, for example. It's a lot of work to stitch together the pieces that are in the data center and, often now, not in the data center.

We've talked for a long time in the post-mainframe world of the complexity of managing client-server, network, SAN, and NAS environments. But, of course, that's nothing compared to what we're now engaging with where a lot of the data is stored with third-party providers. Some of those providers have robust governance. Some of them less so.

Now, that's just simply being added to the history. Very few customers that I know have abandoned client server. They've got a history of physical. They've got virtual. They've now got cloud and SaaS. They've got mobile. They have IoT endpoints.

Visibility is a simple thing to say. It's probably the very hardest thing to do. But, it's the most important one because it is the basis for decision-making thereafter.

Michael Krigsman: All right. Now, let's wave our magic wand, and we have a reasonable level of visibility. At least we're trying.

Mike Palmer: Mm-hmm.

Michael Krigsman: What does that now do for us because, okay, we're aware that we have this data, but how does that actually help us protect the privacy of users?

Mike Palmer: We talked about visibility as just being awareness, as I think it's a great word. There's a much deeper level problem out there. And, as I mentioned earlier in the conversation where we're seeing such a significant growth rate in unstructured data, all the tools that visibility would have been augmented by in terms of being able to understand, what's in the database and querying that database? Those are not there in the unstructured world.

We're amassing large amounts of data, increasingly collecting consumer information, employee information where, embedded inside of this unstructured data file, are going to be all kinds of nuggets. They're nuggets from an analytics point of view when you want to understand where your consumers' buying habits are, where they're living, what their credit card information might be, so you can store that and use it for future, better user experiences. But, at the same time, if you're collecting it and you're not classifying this unstructured data, you're inevitably storing it and, by default, at risk of not being compliant with the laws surrounding it.

If you were one of those European institutions or American institutions operating in Europe that are being told that you have to be forthcoming with your consumers and your employees about how your data is being treated, we're often having to show them, upon request, how it is being treated and potentially having to dispose of it. You have to reach into this massive, unstructured data and, as I said earlier, start to find those needles in the haystack.

We talk a lot about classifying data when it hits storage so that you keep an index and that you can query that index without having to troll through petabytes of data to go find those needles. Classification is kind of the close cousin to visibility and a necessary one if you're going to create some form of software-driven automation in terms of policy enforcement.

Michael Krigsman: Okay. Actually, we think that we've got a handle on the visibility of the data, and then we start to realize that, wait a second; this onion is more complicated than we thought because we've got all of these additional data sources and data coming at us from directions that, say, we in IT were not even aware of.

Mike Palmer: That's right. I use an example regularly with customers of ours who are looking to replace the tape, for example, with object store style technologies where they feel like they're getting much better scale in terms of cost. They're getting reasonable access patterns for applications that want to query and interact with the object store.

One of the complications, and this is a complication I speak about often with our cloud service provider partners as well, is that when I start putting things into these object stores, what I'm getting back is something often as nebulous as an object ID. I'm not getting information about what the content is. I'm not getting information about what application it came from. In many respects, I'm getting less information back than I used to have.

When we think about this peeling of the onion, even some of the newer technologies are finding the need to incorporate things like content classification into their otherwise storage driven software purposes so that we don't make the problem worse over time. We start recognizing that the storage isn't storage. It's more used now.

There are very few customers that I speak to that really just want to store data and never touch it again. Increasingly, they want to provide open access. For that, they need to be able to provide information. They need to be able to understand what types of users can or cannot use it, or where they can give them or cannot give them access.

It is a very, very difficult process. With, as you said earlier, this growth of data and these multiple data sources, it's not a process that we can put a people-driven solution in place for.

Michael Krigsman: The solution, then, has to ultimately involve a combination of technology to manage it on the front-end. But, you spoke earlier about policy, decision-making, and regulatory compliance, and so where do these layers come into play?

Mike Palmer: These are difficult layers to incorporate, obviously. One of the things that customers talk a lot to us about and, I think, we've seen the trend over the past 20 years, as well in the industry, is open standards, the ability to take data and information, as well as the technology standards basis, and be able to really extend that through an API, through a query-able index, through something that can be shared with an external entity.

A lot of the technology world needs to sort of step up with these open standards efforts so that they can help. Really, that's the starting point. Let me help you by understanding what's there in the first place.

Where we're seeing a lot of collaboration between public cloud providers and traditional data center providers along the lines of adoption of things like the S3 protocols, for example, so data can then move easily back and forth. We have efforts on the cloud provider part of creating indices for their storage so that that can be query-able, again, by customers that are probably sitting also with a private data center. These are all kind of piece parts, some of which are mature, some of which are really more of a challenge to integrate, but that's where a lot of the technology effort is going these days.

Michael Krigsman: I see. Where does regulatory compliance then intersect with all of this?

Mike Palmer: We're seeing more and more tools and, of course, Veritas being one of these providers. They're building regulatory frameworks directly into their storage and archiving products so that you'd be able to do something as simple as check a box inside of a storage device or inside of an archived product and say, "I need to be MiFID compliant because I'm a European bank and, as such, here are four opportunities to analyze data and look for a risk profile." These software products can go through data sets and help you understand whether you have certain types of customer information that might likely sit inside of them, can highlight the files that have that information, so you can go back and look manually if you feel like you want to add a greater level of oversight.

This is what I said earlier. Storage is really kind of moving away from being storage, and it's more this concept of use, which makes them a higher order set of products and tools that can literally embed frameworks directly into them.

Michael Krigsman: What about GDPR?

Mike Palmer: GDPR just being one of those frameworks. We, in the industry, talk a lot about GDPR because it was fairly novel when it was promulgated as a law. Of course, it's just come into force this year in May.

But, if you look at the law, it really doesn't ask you to do much more than a well-governed company should have been doing anyway. It does add some complexity. Of course, this idea of a subject access request where an individual, private citizen can call your company up and ask to understand how their data is being treated or potentially be deleted adds a significant level of complexity for many, many companies who would have gladly given that ability to a marketeer working for the company if they had had it, are now having to rethink how they store data, how they can search across their data silos. They're having to think a lot more about cloud adoption and where cloud data might be replicated or should not be replicated to. These are all kind of concepts embedded into GDPR that are impacting the technology industry.

We think that customers are starting to really act more this year on some sort of execution around GDPR. We'll say that it wasn't as much last year as we thought it would have been. But, at the same time, I believe, like many laws, there was a lack of clarity in what enforcement was going to look like, what were the standards really going to be and, dare I say, there are many companies out there waiting for the first victim, if you will, at some level, of a regulatory enforcement action to understand what the boundaries are going to look like.

Michael Krigsman: GDPR also creates a tremendous amount of business complexity. Let me just give you an example. We do business with a major company in Germany, and we have for many years. We had to sign a lengthy GDPR contract, basically an audit. It had to be signed, and we had to physically send the document back to them.

Now, every time we do a project, in addition to all the SOW and all of the standard contract stuff, there's now this GDPR component. It's intrusive, it slows things down, and it's just a real pain.

Mike Palmer: I agree with you. Like so many new laws or, frankly, to be fair to the law, so many new activities, behaviors, or policies, the first 100 days, 300 days are often rife with inefficiencies in terms of how to execute the process. We have an industry that is trying to digitize and, at the same time, we have a new law that maybe isn't as friendly when it comes to the standards of enforcement. Like you said, you have paper going back and forth, signatures, and a bunch of things that really should have been embedded into the actual software itself and often provide the opportunity for more automated reporting and auditing.

But, I do believe, as we look at the next one, two, and three years, a lot of these ideas are simply going to fade into the background as they become part of the new norm. They're going to be embedded into the application process. They will be embedded even into the very data fabric that enforces data movement or prevents data movement. I think, in particular, as cloud providers realize that there is a part to be played as infrastructure providers in helping customers understand what's being stored there, collaborating with companies like ours as well, that the tools will come into place for enterprises to enforce this more readily.

Michael Krigsman: Essentially, GDPR will become standard or the pieces of GDPR will become standard operating procedure, and companies will sort of grapple with it in just an easier way, I guess, is the way to put it.

Mike Palmer: Like all things, I think they'll get better at it over time. One of the challenges for many of these companies is that it's not going to stop with GDPR. I wonder a little bit, sometimes, whether we'll even be talking about GDPR in two years because there will be many more data privacy laws passed. They will be amended. Companies will constantly be responding to them.

We saw California pass a law that's not dissimilar to GDPR. In fact, many believe is a more strict enforcement standard than GDPR even brought into effect. You have countries in Asia that are looking at GDPR as a model but, inevitably, will pass a law that is similar, but different.

What's, I think, going to come out of all of this is that enterprises will end up having to take the lead on what data governance is. That the law will be the foundational aspect of it. They'll get better than what the law requires mostly because they will really want to use this data more effectively, not just because they're afraid of the enforcement action.

I think GDPR might fade into the background. We'll see other laws in the meantime. But, the importance of data as kind of the new currency for businesses to thrive is going to ultimately drive a very different set of behaviors anyway. Technology will rise to the occasion, as it's done over the past decades for us. It'll just be the new norm.

Michael Krigsman: Mike, you mentioned earlier that GDPR is really the way a well-managed business should be running anyway. Can you elaborate on that?

Mike Palmer: Well, I guess there's the old expression, right? Reputation is the hardest thing to earn and the easiest thing to lose. The most precious thing that most companies base their reputation on is their stewardship over their customer data. They're asking for more of it than they ever have before.

They're collecting information not just on the traditional transactions and not just using that data more effectively and more comprehensively than in the past, they're also collecting it in more places. They're collecting it in places often where customers don't realize, whether that's in the background of a mobile app or it's the physical understanding that a consumer has entered into a store and that their mobile ID has been picked up by a local wi-fi router.

They're looking at ways to understand customers. They're collecting more of this data that's increased the need for better stewardship. As such, if they're going to be thriving brands, that ultimate goodwill aspect of any company's valuation, they're going to have to defend the knowledge and the right as to what they're doing with this data.

They're going to have to, anyway, be able to respond to users that do have concerns and show that they are good stewards because they can respond quickly, that they can provide a level of confidence, that they're not subject to some of the numbers not just of breaches, but just uses of the data that make consumers uncomfortable. This is just going to be part of good business practice.

Michael Krigsman: As data proliferates, the issues grow, and companies will deal with it. Now, I know you did a survey recently of consumers, and so it might be interesting to hear about that because it draws the link between the infrastructure of data and governance that you were describing earlier with the ultimate business impact.

Mike Palmer: Well, we know that consumers are more concerned than ever about how their data is being treated. They understand that they want some tradeoff between the benefit of having given their data over to a company and the benefit they're going to receive in response to it. They are increasingly going to hold these enterprises accountable almost in a transaction like way where they've understood and the transparency of understanding that their data is being collected and used is there for them. And, under those conditions, there seems to be a great willingness for consumers to give data to enterprise. But, like any other good businessperson would do, this consumer is also understanding that there is a benefit conferred back to them, whether that benefit is a service. Like so many other free services have offered to them, at times it will be basically in the form of payment, which is something that I don't think any of us should be surprised to see in the future that there will be some sort of transaction offered for the better and appropriate use of consumer data.

By the way, I think this issue exists on the other side as well. One of the more, for me, fascinating ideas of company valuation comes down to an understanding of a balance sheet. We have talked to a lot of customers who really understand this metaphor where companies are valued by the assets that they have, their income statements, the profits that they generate. But, a lot of the companies that are the most valuable ones in the world now, if you ask somebody, "What's the most valuable thing they have?" and I'm thinking the Facebook and the Google of the world, there isn't one person that wouldn't say that data is the most valuable thing that this company has.

But, as an investor, there is no way to actually value that data. You can't go to the balance sheet. They don't report on the volume of data they've collected. They don't even report on how much it costs to keep it or the risk it creates to have it.

This idea on the enterprise side very well could evolve to be some form of accounting standard where companies that base their business models on the appropriate and the effective use of data will have to find a way to defend its value, to defend how they're ensured that that data is well taken care of, insured against the risks of having data, and we've seen many of the not just risks, but the actual events that come to fruition in the security world. This idea is also a very interesting one and it's the enterprise side of the value of data that complement the consumer's idea of the value of their own data.

Michael Krigsman: Yeah, it's a very, very interesting point because also we've seen, for example, I mean look at Facebook being dragged in front of Congress.

Mike Palmer: Yep.

Michael Krigsman: In politics, right? It's the Russians? It's all about data. But, that's another level, right, because you have the care and feeding of the data on the one side, which is, I think, what you were talking about earlier. Now, on the other side, how are corporations using that data that is, theoretically, entrusted to them?

Mike Palmer: This is right. There are still even basic problems in the data industry, and one that most financial institutions and, frankly, most large institutions will be familiar with. It's just discoverability. There are difficulties that large enterprises have even understanding email and where email is being stored.

You have users that have had, for many years, the ability to copy email files to various places inside of their company. Of course, a lawsuit comes around and, all of a sudden, this institution has email risk where it thought it had none because an email file that they thought they had deleted at one time, in fact, had been copied to another place and now is a discoverable item. That in and of itself could change the whole outlook for a legal case for them. That's what we would have considered to be basic management.

When we get into more sophisticated use cases, you think about the advent of analytics and really optimizing, from the enterprise perspective; optimizing the use of time series data, understanding not just that you are a consumer, but much more detailed information about what exactly your behavior was and a time and place that you were, what the outcome of that situation was and, in some cases, it can even be data that's transmitted through a third party. Your data is now residing with a company where you had no direct relationship but is taking advantage through a third party provider or some sort of data-like relationship where they're using your data to enrich their data sets.

The world is changing quickly in this space. We do think that, as we've seen from our surveys, that consumers are a little bit more both wary, but also understanding, of the fact that the genie is a bit out of the bottle. But, that does give an opportunity to start to put some controls around it. This is where we go back to facing the complexities of looking into the part of practice and data management that really hadn't evolved all that much until a few years ago.

Michael Krigsman: Yeah. You know what's another interesting dimension of this is the way the challenge of data management influences business behavior. For example, there are many attorneys these days who basically don't use email.

Mike Palmer: Right.

Michael Krigsman: Except for, you know, scheduling a meeting. They say, "Okay, let's have a call Thursday," but they don't write it down.

Mike Palmer: That's right. But, at the same time, a lot of these folks are using tools that they don't think of as email-like formats but are absolutely just like email. We think about messaging tools, whether those range from the ones on your mobile device, but also in the form of collaboration tools that are almost built into most enterprise software today. They are also a record of your communication. They all of a sudden are both exposed to the legal discoverability process, but also are part of data that you want to mine for information about not just consumer, but even employee behavior and trying to understand the culture and practices of your own company.

While we move away from one tool because we thought it had risk, we often just move to another. I think what the industry at large has shown us over the last 20 years is that the demand for communication has increased over time. It has not decreased. The methods have proliferated, ranging from this video chat all the way down to the legacy emails.

We're not going to be able to run away from a particular process that we thought was more risky. We typically are running into many more. The problem with data management is going to have to evolve to accommodate those processes.

Michael Krigsman: Somebody said to me that he thinks that companies are, Mike, wanting employees who migrate into tools, collaboration tools like Slack because it makes the data discovery, ease of discoverability, easier for the enterprise because now, instead of being spread out among texts, emails, and whatever else, it's all consolidated in one place.

Mike Palmer: If my Microsoft colleagues were here, they would sort of protest that they have a product called Teams. Just like every other competitive industry, not everyone will coalesce onto a single platform even within a single company. While Slack is a great tool and, by the way, we're users of that here at Veritas as well, we also use a lot of email, and we use a lot of other sharing devices as well. As an agile development company, we have a lot of background tools where we share information, both with our customers and between our engineering teams.

Again, if we go back 40 years, we all used the telephone. We probably had, basically, that and letter writing. The means and mechanisms for talking with each other in whatever talking means these days are growing more numerous, not less. I don't think we're going to see platform consolidation any time soon.

Michael Krigsman: Okay. If we kind of net this out, then, is the ultimate the fact that the data exists in so many places? Is that oversimplifying?

Mike Palmer: I absolutely believe that is one of, if not the primary, challenge facing most CIOs today. Now, let's also talk about the opportunities because, with increased communication, it's just more information, better information, and more specific information that we can use to make decisions. We've seen the rise of the chief data officer, a role that didn't exist ten years ago. That person is now wearing this dual hat of, how do I help become compliant but, at the same time, maximize the use of my data.

We see this at Veritas. As I mentioned at the beginning, we're the world's largest data protection provider. Protecting data is core to this entire conversation. As a protection provider, we see one of the big challenges is, wow, the formats are changing; the tools are changing; where the data is being stored is changing. How can I go back to yesterday? Even if it's not just for the classic use case of data being deleted, what if it's for showing a regulator that I came to a particular conclusion with a certain data set using a certain tool, and now I have to go defend that. How do I go back to yesterday with my Hadoop cluster, with my Cassandra deployment?

We're seeing opportunity. We're seeing an evolution in the responsibility and the governance that goes along with that. But, certainly, a lot of that is being driven by the fact that data is everywhere now and we're increasing the opportunities to collect it. We're changing and increasing the number of places we store it, and that's forcing us all to evolve quickly.

Michael Krigsman: Okay. Again, just to make sure that I understand. You have the data infrastructure, and that data, the places the data is stored, the sources where this data is coming from, the specific technologies, the devices, and all of that is shifting over time because technology changes all the time.

Mike Palmer: That's right.

Michael Krigsman: You have that, and it's in flux. But then, on top of that, you have this data governance layer that then presumably -- and I'm not trying to put words in your mouth -- then manages that underlying changing infrastructure so that the people who are making decisions can be insulated from the changing sources and storage locations of that data.

Mike Palmer: I think you've said that well. One of the clear trends in technology over the last 30 years has been the development of what is, I think, in a trendy sort of way, referred to as platforms. But, if you think about what the underlying driver always was for a platform, it was proliferation in technology.

When we all put our data onto a mainframe, we knew where it was. The compute was there. We all logged into the same box. You didn't need platforms. There was one platform, and it was the mainframe.

When we moved in the client-server, and we saw a proliferation of hardware vendors, we needed operating systems. We needed to create some sort of commonality to help us adopt the hardware vendor that we wanted to. When we saw Java rise, we had the same issue with development platforms. We saw the J2EE platforms help us scale and abstract development from operating systems and, slowly, those faded into the background.

The question we can ask ourselves now is, if the most valuable thing and, for that matter, the thing for which we have the most responsibility, and maybe the only thing we even own as enterprises now--by the way, with regulatory, we don't even own it anymore. We are custodians of it--is data. What's the data platform? As you describe this overlay architecture, I think that is exactly the right way to think about the evolution of a platform in which you can abstract data in terms of your use of it, in terms of your policy enforcement for it, from all of the technology decisions that you're not only making today but, as all of my enterprise colleagues also understand, is that you didn't change. You just added because you still have all of those technology choices that you've made over the 30 years typically still sitting in the same data center.

You're now having to manage all of that together, so you're rarely going to get a solution from a particular silo. You need to get a platform solution that spans across those silos, and we think that's where combining rock-solid data protection with a very good understanding of visibility, embedding classification in there, and then creating the workflow policy enforcement tools on top frees customers to make the best technology choices possible, but also gives them the ability to manage data abstracted from those technology choices.

Michael Krigsman: Mike, we have not spoken much about the decision-making, the policies and the training and, also, the cultural mindset of how employees in the enterprise relate to that data. Now, let's talk about the governance layer that we've just been discussing and the people who are making use of it that it is serving.

Mike Palmer: It's a super interesting part of the conversation. One of the things that keeps me sane is, I spend a lot of time thinking, "Where are we on the arc of the evolution of our industry?" I just mention that from a platform standpoint. But, if we took it from a people orientation, we've seen a lot of change there as well.

We had highly centralized technology teams 20 years ago. They've become extremely fragmented these days. You have teams often sitting in lines of business that are very, very technology focused. They're building their own applications on new technology architectures at the same time that we have very centralized functions at many organizations. Sometimes both exist at the same one.

That means that the culture and the mentality of the individual groups will be very different. If I'm sitting in a line of business and I'm trying to get my application out because I am part of the team to hit a sales target, I have a very specific type of mentality. If I'm sitting in an IT governance organization where I'm overseeing the behaviors and the practices of the entire organization, I'm going to have a very different one. I'm going to be a little bit more possibly conservative. I'm more focused on scale and supportability. I'm more risk averse, potentially. I don't want to do a disservice to my IT colleagues who are obviously very ambitious, aggressive partners to their business colleagues inside the enterprise as well.

But, those different groups are definitely going to bring some slant to the way that they think about these things.

We see this in cloud most recently. Independent development teams that are acquiring, in effect, hardware-based solutions in cloud at the same time having moved away from some of the support teams that not only supply them hardware but supply them with a lot of support and governance services in the process, all of a sudden aren't part of the process as much anymore. Now, we have cloud-based applications that may not have the level of protection that the enterprise is required. In some cases, the enterprise doesn't know that the applications are even there or, better said, that the people responsible for governing them don't know that they're there.

We're starting to see some fraying in the traditional fabrics that used to hold IT and business and governance together. Some of those cultural aspects are starting to be changed. But, as I mentioned earlier, we're not going to be able to do that with people. It's going to have to happen with software. It's going to have to happen in more of a software-defined data center way. Those tools are just coming to market now. It's going to be, I think, a very challenging few years for the technology users.

Now, at the same time, I think you mentioned something that's also important. There's a whole new user out there. There is a chief data officer. There's a risk manager. There are marketeers that are looking for more and more data than they were given in the past. They're looking for different types of data.

They've now become a user, and they want more direct access. They want more direct control. They're very savvy technology people. The whole idea of self-servicing data is now something that is a very significant conversation for a lot of our customers. They're adding a whole different point of view to the process.

They don't do any infrastructure. They don't do any applications, but they want a lot of say over how data is protected, where it's stored, how it's stored, how long it's retained for, and what information they can get about it. That's a very significant shift for most enterprises where, 20 years ago, they'd create a transaction, they'd store it, they'd put it off to tape, and they wouldn't have to think about it anymore.

Michael Krigsman: You raise a very interesting point about the cloud providers because, as you're outsourcing the movement of data to somebody else, we think of cloud as outsourcing the infrastructure. But, actually, you're outsourcing the control of data and so, in this GDPR world, how can companies manage that?

Mike Palmer: Let's talk about GDPR, but let's talk about the basics before that. Cloud providers will tell you they are not responsible for data protection at all. It's in your contract. They expect you, as the user of, in effect, their hardware service, of course, overlaid with other services, but you are the steward of your own data. You are the governing entity. While they'll do the best that they can to keep their service up and running, the reality is, in the end, you're the one that is responsible.

Challenge number one is, as we have, as you mentioned earlier, different users coming into the picture using these services, how do we train these users to think about the 360-degree view of what it means to be an IT provider? That starts with things like data protection, making sure you can recover data, making sure you understand the kind of data you're putting into any environment, not just a cloud environment, because that's not the primary mentality that you came to the job with. You often came more with a development mentality or a marketing mentality. That's job number one.

When we get into more sophisticated issues like GDPR where now we also have to think about not just, "Is my data protected? Can I restore it?" we have to think more specifically about what's in the data in the data. Right? It could be the 6, 9, 12 character string that is inside the data file they sent up there that happens to have a social security number in it. As such, I have very specific rules that my enterprise requires me to follow. Now, I have to embed that mentality into the process.

I think what we're starting to discover is, we'll start to see users that kind of went out there on their own a little bit because cloud enabled them a more ready access to infrastructure to build applications, and that definitely grew and is continuing to grow. We're starting to see an umbrella form over the larger data center, the one in which cloud and SaaS providers are part of the core premises-based data center, and that those software products, those standards, and even those roles are starting to have a light touch, but an important touch, into these new groups.

Michael Krigsman: Okay. We could go on and on, but there's a lot of complexity into this. As we finish up, what advice do you have for corporations who are just looking at this, daunted, and saying, "What do we do? How do we solve it?"

Mike Palmer: Well, I'm coming from a data protection perspective, so I always start the answer to that question there. That is, you can outsource hardware. You can outsource applications to SaaS providers. But, the number one thing that you will be held accountable to will be data.

You've collected the data. You use the data. Your reputation is built on the treatment of that data. The growth of your business is in how you use it. So, protecting data is your foremost responsibility, so know that you're doing that, and know that, regardless of how technology changes, the core responsibility has not changed. Whether things go to cloud where they get virtualized, or you put them into a container, or you have them running on a Hadoop platform, protecting data is something that you have to ask every one of your teams and make sure that that is well enforced.

Beyond that, going back to what we discussed earlier, do you have visibility at a business level into your data? That means going to your counterparts as a CIO, for example, in the chief data officer, in the chief regulatory officer, to your legal teams, and asking them, how well do they understand the data the enterprise has? If they don't, do you have an interface for them as non-technologists to be able to not only risk manage the profile of the business, but take advantage of the data that you're collecting as well, and you enable them to get that kind of access? That visibility and that classification is key.

The third is software enablement. If your new architectures are not foremost software-defined, you will not scale. Data is growing, as we said earlier. The places where it's stored and where it is collected, they're proliferating, and that is not going to stop. Software has been solving problems like that for many, many years. It's going to solve this problem as well. But, the software first mentality and the open software standards first mentality is going to have to be top of mind.

Then last, but not least, is employees. Policy execution through software that makes people better and that means allowing them to focus on their core job, primarily, and not make everything I've said up to this point an added significant complexity to their job, but more a plugin to it so that they can feel confident the data is protected, that it is classified, that the rules are followed in terms of its treatment while they do what they do best. It is ultimately the right long-term answer.

Michael Krigsman: Okay. Wow. Well, you have given us a real college-level course in data protection.

Mike Palmer: [Laughter]

Michael Krigsman: Mike, thank you so much for taking the time today to be with us.

Mike Palmer: Michael, it was my pleasure. Thanks for having the conversation with me.

Michael Krigsman: You have been watching Episode #298 of CXOTalk. We've been speaking about data, privacy, and how to make it better. [Laughter] I'm Michael Krigsman. I'm an industry analyst and the host of CXOTalk. Thanks so much, everybody. Don't forget to subscribe on YouTube and check out We will see you next time. Have a great day, everybody. Bye-bye.

Published Date: Jul 27, 2018

Author: Michael Krigsman

Episode ID: 533