Cohesity CEO Sanjay Poonen: Storage And Security Are Now A ‘Blended Conversation’

‘Once you’ve protected the perimeter network, endpoint and identities, you’re getting to the last line of defense, which is typically a backup. And if the bad guys could take out not just those perimeters but also your last line of defense, you’re very vulnerable,’ Cohesity CEO Sanjay Poonen tells CRN.

Interconnected: Storage And Security

Sanjay Poonen, VMware’s former COO who took over as CEO of Cohesity, recently celebrated his first 100 days at the helm of the San Jose, Calif.-based storage vendor. It has been a busy time for Poonen, who has held meetings with the company’s 2,500 employees and most of its top solution providers while preparing for Cohesity ReConnect, which was held this month.

Cohesity, known as a provider of data management technology, has like many in the storage industry made security a core part of its offerings. However, the company and its new CEO are moving swiftly to bring data security front and center. Cohesity just introduced new data vaulting and other capabilities for protecting data from ransomware attacks. More importantly, it has unveiled a new alliance with some of the top vendors in security and has built a security advisory board that includes security executives from Google, Facebook and most recently Microsoft.

Storage and security today have become a blended conversation.

“Once you’ve protected the perimeter network, endpoint and identities, you’re getting to the last line of defense, which is typically a backup, and if the bad guys could take out not just those perimeters and also your last line of defense, you’re very vulnerable,” he said. “So as a result, CISOs and CEOs and CIOs are talking about topics like immutable backups, air-gapped solutions, cyber resilience, cyber vaults, being able to be able to recover really fast from a black swan event and how to plan for it effectively.”

“It’s an infrastructure discussion on data, which does have relevant people under the CTO and folks who own storage that will come to the discussion,” he said. “But the discussion often also has people who are from the security team, the SOC [Security Operations Center] or the CISO.”

Here is what Poonen had to say about the ties between storage and security and the big changes Cohesity is implementing to bring the two technologies together.

You’ve passed your first 100 days as CEO of Cohesity. What have you learned?

I’ve always believed that great companies that create sustainable shareholder value start with engaged employees. I know I’ve not met all 2,500 employees, but I’ve certainly had a chance to interact with all of them in many town hall meetings and met a large number of them. And in innovation, I’d always respected Cohesity as having the best platform in this category while I was at VMware. Many of us at VMware felt that way because many of our largest customers were picking Cohesity. As I’ve talked to both the engineers who are building the road map of where we are going and my own sitting with the geniuses behind this platform brainstorming where it could go, it’s iron sharpening iron. So I’m very excited about the employees and the product innovation and the current road map.

I’m super excited about the customer base and our go-to-market teams. We have about 3,500 customers, including 40 percent-plus of the Fortune 100 companies, four of the top 10 banks and 300-plus global financial services companies. And the government sector, federal agencies, civilian and military, and health-care organizations, retail, just some really good brands.

And then the ecosystem. I’m very excited about having server, storage and networking vendors like HPE, Cisco and Pure Storage. HPE and Cisco are investors in Cohesity, and Pure is a strong partner. We started working with NetApp and Dell. They should also partner with us. We will do more with them. In many cases, our integration with NetApp with things like [NetApp] SnapDiff is better than that of any of our competitors. And Dell, even with overlap with some with their data protection, I really want to partner with Dell everywhere I can. Many of our customers run with Dell servers and storage.

And in the cloud world, AWS is an investor in this company. We’ve done more with them. I talk to them very frequently. I was just recently with [Amazon CEO] Andy Jassy. We talk frequently with them, and there’s more you’ll see us doing with them.

During the first 100 days, did you have a chance to get out and meet with Cohesity’s channel partners yet?

When I started off, I made a list of the top 10 [channel partners] by revenue traction in U.S. and EMEA. With many of them, companies like WWT and Insight and SHI, I know the CEOs, and scheduled Zoom meetings with all of them. I had a very simple message to them: I want to be your best partner in data security and data management. ‘Best’ meaning in terms of how you see our innovation, our product, the revenue that we’re doing with you, and the growth. … I just wanted them [to know] that I am committed to them from the CEO level down. And those are very good calls. Some of them I’ve also had a chance to meet in person.

We had a Partner Advisory Council a few weeks ago in Utah where some of them actually came to the event, not necessarily the CEOs, but the people who are working with us. And those meetings were very profitable and fruitful. They gave us feedback on what we’re doing well and what we need to improve. And I asked them a very simple question: ‘Where are we in your stack ranking of how you think about us relative to others you work with in our space?’ And they gave us an honest assessment where we’re No. 1, No. 2 or No. 3. And I said we want to be No. 1. So I have to work extra hard to make sure that’s happening. But they know that our goal is to be tenacious at seeking to earn their confidence.

Storage vendors have been emphasizing security. Traditionally, security is more of a separate issue than related to storage. So what’s going on?

Eighteen years ago, I was at Veritas when it merged with Symantec. The joke was, ‘What’s in common between storage and security? They both start with the letter “s.”’ I don’t know at that time whether Veritas and Symantec clearly figured out the commonality between those topics. That led to them splitting apart.

But back in 2004, when I was there, and it all happened, web-scale architectures didn’t exist. One of the reasons Cohesity has been enormously successful replacing legacy vendors, whoever they are, most of them born in the 1990s or early 2000s, is our web-scale architecture, which means we can just do things simply faster. When I asked my largest customers what was your before and after ROI or TCO, it’s like a weight loss commercial: ‘It used to take 45 minutes, and now it takes four minutes. It used to need expensive hardware storage and labor, and now I don’t need as much, either on-prem or in the cloud.’ So web-scale architecture gives us a significant advantage.

But the other thing that didn’t exist 10 or 15 years ago were the threat vectors of ransomware in security discussions. Because once you’ve protected the perimeter network, endpoint and identities, you’re getting to the last line of defense, which is typically a backup. And if the bad guys could take out not just those perimeters but also your last line of defense, you’re very vulnerable. So as a result, CISOs and CEOs and CIOs are talking about topics like immutable backups, air-gapped solutions, cyber resilience, cyber vaults, being able to be able to recover really fast from a black swan event and how to plan for it effectively. Just like you are doing COVID testing, you need to be threat hunting for data to understand sleeper cells in your stuff.

So do you call it a storage conversation or security conversation?

It’s a blended conversation. It’s an infrastructure and security discussion. I wouldn’t say it’s storage. This is sort of like hyperconvergence. Is hyperconvergence a storage discussion or a storage and compute discussion? It’s the same. It’s an infrastructure discussion on data, which does have relevant people under the CTO and folks who own storage that will come to the discussion. But the discussion often also has people who are from the security team, the SOC or the CISO. And the budgets for many of these projects like cyber vaulting and a bunch of things we’re doing come from the CISO, even if they’re being implemented by an infrastructure team. When you go to the cloud, many of these teams are blended. You can’t say it’s a cloud storage team. It’s a cloud team dealing with many aspects of infrastructure. It’s compute, storage, networking, databases. It’s a blended team. You don’t want to have tunnel vision on where the world is. I encourage people to think more broadly of infrastructure if you were traditionally a storage person. You need to be very aware of what’s happening in the security world. And vice versa: For security people looking at topics of infrastructure, you can’t have a CISO without a strong collaborative relationship with the CTO and infrastructure leaders.

Cohesity recently used its Cohesity ReConnect conference to introduce some new capabilities including Cohesity DataHawk. What is that?

DataHawk has multiple capabilities. It has a cyber vault. We released our cyber vault earlier as a stand-alone product called Fort Knox. But we’re now bringing together a much broader platform. DataHawk will have cyber vaulting. It will have threat detection capabilities that we built both natively into the platform and which also gets the best threat hunting capabilities from the best vendors out there or people who want to write their own ‘YARA’ rules to access hunting capabilities from companies like CrowdStrike, Palo Alto [Networks] or Tenable. [YARA, or “yet another ridiculous acronym,” refers to a rules-based approach to describing malware families.]

The third is intelligent data classification. We’re building this in such a way that a lot of it can be classified with AI and machine learning capability so you can be better prepared before or after a ransomware attack. And the fourth is we’re building real strong integration into other companies’ product lines so we don’t have to be the center of gravity for a security operations control center. We want that control center to be what customers decide to use, maybe it’s Palo Alto [Networks] or Splunk or CrowdStrike. They send feeds to us, and when we see malware, we would send feeds to them. … Once that capability is in place, we’ve got what we believe is the best threat scanner for live data. And we will constantly be updating the intelligence to that feed.

What was the second big news from the conference?

We announced the Data Security Alliance. We want to move the industry forward with a set of the best partners that are coming to our tent to support our vision for a safer world. This is a $100 billion market cap worth of companies: BigID, Cisco, CrowdStrike, CyberArk, Okta, Palo Alto Networks, Securonix, Splunk and Tenable, along with Mandiant and PwC. And it’s just a starting point. [Those companies] have different relative strengths of their best products, for example, Palo Alto and network security, or CrowdStrike and endpoint security. But they’re all going to have natural integrations, some of which exist today and some which will be built in the foreseeable future, so that we can bring the best security products to this alliance. And we’re going to keep this alliance open even to competitors. We want this to be a broad industry initiative. We think it takes a village to protect organizations and firms and governments from the bad guys. This is a first time in the industry an alliance of such big players has embraced any one player. And we think that’s a unique position showing our power in the industry, the power of our customers and the power of our ability to bring those folks together.

Have any competitors approached the Data Security Alliance yet to join?

It’s open. I mean, at the end of the day, it has to be. And remember, this is just a point in time. It’s one milestone. It will take many companies. And over time, it’ll become one of the best initiatives to make the world safer.

What was the third?

When I joined Cohesity, I felt we should add a person to our board with the best security mind in the world. And that’s Kevin Mandia, often considered the Sherlock Holmes of fighting cybercrime. [He joined our board of directors] a few weeks before Mandiant became part of Google. At the same time, we announced a security advisory council with very talented people: Alex Stamos, who was the former CISO of Facebook; Jason Chan, the former CISO of Netflix; Sheila Jordan from Honeywell; Marian Bailey, who was formerly with the NSA; and Laura Barrowman, who was with Credit Suisse. That group of six, under the leadership of Kevin, is the security advisory council that advises us and our customers on best practices and all kinds of ways to fight security, particularly ransomware. We’ve now added a seventh person to do that, [Corporate Vice President of Microsoft Security Services] Kelly Bissell. We felt having Microsoft security as part of this would really help. They’ve got a very strong security business. Kelly’s a person I’ve known for years. Microsoft Security Services has a fairly large lot of assets that customers really want some advice on. Their security portfolio now is extremely large. So Kelly agreed to join our advisory board.

Over time, we don’t intend to make this huge, but we’ll have seven to 10 key people. This group of seven are some of the most respected security names in the industry who are now working to help us internally as we build out our road map, but more importantly, helping customers and partners.