Commvault CEO On Cyber Resilience, Rubrik IPO, Cohesity Buying Veritas Unit

‘I’ve been saying that data security and data protection are … coming together. And I would go as far as saying they are together. So folks who are looking at it differently are looking at it in an incomplete manner, to be honest with you. Where does data security end and data protection begin? We’ve pivoted, and we’re looking at it as resilience,’ says Sanjay Mirchandani, Commvault president and CEO.

The Changing World Of Data Protection

Commvault had a very good fourth fiscal quarter 2024. The Tinton Falls, N.J.-based company reported 10 percent growth in revenue over the same period last year, led by 68 percent growth in SaaS annualized recurring revenue.

That growth is being driven by a pivot from traditional data protection technology, exemplified by traditional data backup and recovery, toward data resiliency, which adds a strong security layer on top of storage both to prevent cyberattacks from impacting data and to ensure that data can be recovered in case of an attack, said Commvault President and CEO Sanjay Mirchandani.

Customers are now seeing data protection and data security as coming together and not as two things to be viewed separately, Mirchandani told CRN.

“Where does data security end and data protection begin?” he said. “We’ve pivoted, and we’re looking at it as resilience. So what customers need is resilience. Obviously, it’s around data, but they need resilience to come back to life whether an event was a classic data protection event like your fat finger or you make a mistake versus cyber. But the predominant attack vector, the predominant recovery vector, resilience vector, is cyber.”

Commvault has made a number of significant moves to make this happen, including the introduction of Cleanroom Recovery, which provides a cloud-based target where data can be sent to be “sanitized” in the event of an attack, and the acquisition of Appranix, which brings applications up in the cloud to run recovered data, Mirchandani said.

“We won’t just stop your resilience at the data,” he said. “We’ll take your resilience further into the cloud-native apps. We’re stretching capabilities and really giving customers a more complete offer.”

Mirchandani also discussed the IPO of rival Rubrik, which he said gives the industry a second public company against which data resiliency can be measured. He also played down rival Cohesity’s planned acquisition of Veritas’ data protection business as more of a financial exercise than a legitimate industry move.

Here is more from CRN’s interview with Mirchandani.

How does Commvault see the results of Rubrik’s IPO? What does that mean for the data protection and data security industry overall?

From my personal point of view, first of all, just having another player in the public markets is a good thing. We’ve been lonely for a long time, and so we became the benchmark for everything. Now, there’s a little bit of a slightly more apples-to-apples sort of conversation we can have around it. So it’s a good thing. And I know it’s a hard journey. Bipul [Sinha, Rubrik CEO] and I have been in touch, and I did congratulate him. And he’s a happy man.

Outside that, I think it underscores that, whether you call it data protection with cyber or you call it what we call it, cyber resilience, as a capability it’s absolutely paramount to customers. And the fact that there’s two of us in the public markets and a whole bunch of others in the private markets that attempt to do similar things underscores that we’re solving a hard problem for customers. It is a hard problem for customers. And I like to think that what we have is better than anyone else’s. But overall, I’d sum up the Rubrik IPO by saying it’s good for the industry. It’s good for all of us.

How about Cohesity’s planned acquisition of Veritas’ data protection business? That probably has more of a direct impact on what Commvault does.

That was a head-scratcher. It’s a little bit more of a financial engineering exercise, at least from the way I look at it. You’re talking a legacy company. I mean, everybody knows Veritas can call it what it wants, but it’s a legacy backup and recovery company, and you’re adding it to a company that’s been around for over a decade or so. And I’m not sure what you get.

It’s still going through its regulatory approvals, so we’ll wait and see. But I’ll tell you this: Customers have called us from the day the announcement happened. And all the way through, it’s becoming a very nice pipeline for us. Because it’s not an automatic choice that if I’m a Veritas customer I’m going to go to Cohesity. I don’t even understand what the path is. And frankly, what we offer them as a single platform with Commvault Cloud is far more attractive. It’s a single platform, SaaS and software. And so for us, it’s been actually a very, very good thing. We’re working with partners to really make a difference in that space for customers. To really help customers get over the hump because we know they don’t have to wait a year or two or three to figure out what those guys are going to do. We’re in there and solving for them today.

Cohesity CEO Sanjay Poonen told me that, when the acquisition closes, the combined company will be the largest data protection vendor in the industry. How important is that?

In many ways, yes, I would agree with him, if a declining share of market is measured. If you take installed base revenue from whatever number of years, and you say, ‘I’m the biggest,’ sure. But are you gaining share or are you losing share? Are you actually growing the business or reducing the business? And for years we’ve been taking share from Veritas and winning against Cohesity all the time. Being the biggest doesn’t necessarily make you the best. I’ve lived through many acquisitions in my career. You’ve got the logical things like, what product lines do I rationalize? What do I do with the sales force? A million questions about that.

Now, quite frankly, this is the fourth home for Veritas. So big doesn’t necessarily make you best. So let’s see how time shakes it out. We're just heads-down competing with a great platform. You know, I’m OK with it.

How about the data protection industry as a whole? What do you see in terms of some of the key things impacting data protection as a whole?

I’ve been saying that data security and data protection are ‘munging’ [transforming from one form to another]. They’re coming together. And I would go as far as saying they are together. So folks who are looking at it differently are looking at it in an incomplete manner, to be honest with you. Where does data security end and data protection begin? We’ve pivoted, and we’re looking at it as resilience. So what customers need is resilience. Obviously, it’s around data, but they need resilience to come back to life whether an event was a classic data protection event like your fat finger or you make a mistake versus cyber. But the predominant attack vector, the predominant recovery vector, resilience vector, is cyber.

So we’ve pivoted a lot of security capabilities into our technology, and we’ve partnered for the rest, so anything that has to do with the perimeter and the defenses, we partner. We partner handsomely. And then anything to do with data that gets backed up and restored [needs] the ability to rehearse recovery, which is the most important. You don’t run a marathon without running it in bits or without doing the course before. So you have to be systematic and rehearsed and practiced about it. And what we’re doing is bringing back that level of muscle into recovery. Our take on cyber resilience is through the Commvault Cloud.

For good or bad reasons, the industry has segregated SaaS from software. We’ve democratized it. We said it doesn’t matter what your workload is, and it doesn’t matter where you want to take the workload from or where you want to write it to. You should reserve the right as a customer to be able to have that mobility. And so we’ve architected our platform to really do that. It’s all about data. And we talk about Cleanroom Recovery as a key pivotal capability inside of that. But we just took it one step further when we bought a company called Appranix. It’s a really cool cloud-native company with a cloud-native product that supports all the major clouds. And it essentially picks up where we left off.

In an average cyberattack breach, you take about a third of the time to get your data back if you’re using Commvault. We have good backups that have been tested, you know what to do, you can bring your data back in one-third of the time. Two-thirds of the time is rescuing your applications, bringing the applications back up in a way that utilizes the data that we’ve brought back and have checked off. So we bought Appranix, which in the cloud takes cloud-native applications and discovers all the assets that make up an application, which is actually quite cumbersome and difficult. In parallel, it backs them up using cloud-native capabilities in the customer’s cloud of choice, and then at the click of a button, literally a click of the button, will bring back all of it: data, app, state, dependencies, all of it.

And so we’re snapping that capability into our Cleanroom Recovery capabilities. But the beauty is we’re now giving customers the last-mile apps. We won’t just stop your resilience at the data. We’ll take your resilience further into the cloud-native apps. We’re stretching capabilities and really giving customers a more complete offer.

It’s interesting to hear you talk about data resiliency. For CRN’s Storage 100 project this year, we changed the name of the ‘data protection’ category to ‘data recovery/observability/resiliency.’ The term ‘data protection’ is not enough anymore.

Yes, that’s the right thing to do. As you have hypercloud assets all over the place, observability becomes super important. And then being able to do policy-based management of those assets in an automated way using AI and other capabilities becomes super important. All of this we’re obviously building into the technology we have. So you’re actually right. I wish everybody thought that way.

I was a CIO. I lived through one of the most infamous breaches in the history of breaches, the RSA breach. I was the incumbent CIO [of EMC, which owned RSA] at the time. And this was before breaches were a cocktail party conversation. They were unheard of. The attack vectors may have changed, but the implications they have on a business haven’t. The only thing that’s changed, even in the implications, is now the bad guys tell the world that you’ve been breached before you’ve been able to find out that you’ve been breached. So you no longer have cloud cover to figure out what the heck happened. You’re under the gun. So what we now believe, and believe me as an old war dog practitioner, is practice makes perfect. If you don’t practice, you could have a false sense of security about what you’re capable of doing in the moment of pressure. It’s like any sport where the mind matters, and the practice matters. You’ve got to make sure that you have a calm head, you’ve tested this thing, you know exactly where to go, you know exactly what to do. And then when you have to do it, you’re absolutely ready. So that becomes the underlying DNA for how we think about resilience. Outside this, can I do a good recovery? Can I scan the recovery?