Episode Transcript
[00:00:16] Speaker A: Welcome to K beyond the go. This week I'm on the ground at NetApp Insight 2024 conference at the MGM grand in the heart of Las Vegas. For this bonus series, we've been lucky enough to have lined up conversations with the selection of NetApp executives and other guests exploring the future of data. And stay tuned for the Insight track from some of the world's leading authorities, presenting at Insight 2024 as KBI Media brings you all of the highlights.
Joining me now in person is Kristin Vanderami, vice president, global government relations at Netapp. And today we're discussing the importance of government relations and public affairs. So, Kristen, thanks for joining and welcome.
[00:00:58] Speaker B: My pleasure. Thanks for having me.
[00:01:00] Speaker A: So, Krista, I'm aware that you represent NetApp in front of Congress and executive branch agencies, as well as government bodies around the world, et cetera. You were just talking to me about before we jumped on to record to support NetApp's policy and position. So talk us through what does all of that look like? It may make a little bit more sense to your role.
[00:01:19] Speaker B: Sure. So my job is to represent NetApp in front of governments around the world. In some cases, that's supporting corporate policy.
We have corporate values that we actually do live by, which is very refreshing. And so there are a lot of programs that we support around the world, including on diversity, where governments design specific programs. We participate, we provide advice and guidance. So we do a lot of participation with governments to support things at the corporate level.
In addition, I work a lot with our public sector teams around the world to support and build their long term pipelines.
So in a lot of cases where NetApp sales field people work with the technology folks within government agencies, I come in at a bit higher level to talk about the larger government programs, the larger government missions, and how we can support at the strategic level in addition to simply the tech world, if that makes sense. So, for example, a company has an AI strategy, build out AI across their government, digitalize their government. We've done that with governments around the world. So we offer our advice and support for figuring out how to do it right in the first place. We know we're not worried about getting business out of it. Then we know we're going to compete and do fine when they eventually do what they're going to do, because we're in the mix. It's sharing that global expertise and that deep experience with digitalization and kind of that tech infrastructure.
[00:02:50] Speaker A: You spoke before about larger government missions.
What is your version of a larger government mission?
[00:02:58] Speaker B: So I'll give you an example where we have a really good sweet spot with a government mission. So for me, I think of Netapp's sweet spot as being what I call the Magic five.
Any situation where an agency has to use a lot of data in their mission, where it needs to be shared across traditional stovepipes that existed, where it needs to be done really quickly and securely.
And typically, governments don't want to rip out all their kit. They want to be able to get something that's interoperable. So in those types of missions, that's really where NetApp can really shine. One of those, to answer your question, is Space Force. Okay. The us public sector organization, we support the new service, if you will, called Space Force, stood up under the Trump administration.
So space Force collects a ton of data through satellites all around the world, some of it surveillance data, where we're watching what's happening around the world, feeding it into our intelligence community, our defense mission. Some of it is simply tracking things in space so that we don't run into it and ruin our equipment. It has tracking tons of data, not just data within the space force, the Department of Defense itself, but also uniquely to space force, the commercial industry.
The government gets a lot of data from commercial industries, SpaceX, and those types of organizations now. So the traditional stovepipes are not just within the government, but also without. In that instance, if you're going to track garbage that's floating around space, it has to be done real time, so you prevent that real time collision. If you're going to be helping a service member who's in the field with medical help, that needs to be mission critical, time sensitive. It's also personal information. So national security reasons, personal information for medical security or medical situations, all of it has to be done quickly, securely, and real time. And that's our sweet spot. So that would be a government mission that we would support.
[00:04:48] Speaker A: And in terms of how do you interact with the government, in terms of the relation side of it, what does that actually look like?
[00:04:57] Speaker B: Well, it depends if we're supporting a mission. For example, I'll use the VA as another example. The Veterans Administration, 12% of NetApps employee population is veterans. So it's an area that we actually personally care very much about.
We work with all different parts of the agency on their suicide prevention mission. Okay. It's an AI based mission. The more data they collect, the more accurate they're going to be, and the more former service members they can help. Again, it has to be done real time. Pretty darn important to save people's lives. It's across a lot of stovepipes. So my job is to figure out, okay, who within the VA is in charge of different parts of that mission, and then helping the company develop relationships at that level and supporting them to whatever degree we can, whether it's from a technological standpoint, a strategic standpoint, or even mission based through our veteran internal, veteran community.
[00:05:52] Speaker A: And when you say develop relationships at that level, what does that look like in terms of specifics or day to day sort of outcomes?
[00:06:00] Speaker B: So, working through the network that we've established through our government relations world, getting in to meet with the government official in charge of the program, volunteering our services to help them with strategic planning, and then following on with their staff, or whoever's doing that, to have those conversations. So, starting out usually at the mission level, saying, hey, we have that expertise that can help you do your mission better, and then working with them to whatever degree they want over time, builds those relationships, and then for the next project, the next mission they have, they know who we are, they know they can turn to us as a trusted partner.
[00:06:33] Speaker A: So, with that in mind, Kristin, how does that type of work shake net up? But then, if you want to zoom out, like our society, for example.
[00:06:41] Speaker B: Well, veteran suicide, right? We have a lot of veterans in this world that are struggling with a lot of problems. Finding and identifying that they need help as early as possible is a mission that we gladly support. As I said, 12% of our employee population is veterans. So it's an area that's really important to us in general.
[00:07:00] Speaker A: Okay, I wanna flip over now to you being quite instrumental in building up the c cell secure by design pledge one. So maybe tell us more about this.
[00:07:12] Speaker B: Sure. So about a year, I'm gonna guess, two and a half years ago. Now, director Easterly, who she's the director of the cybersecurity and Infrastructure Security Agency, or CISA, sits within the Department of Homeland Security, came up with a framework called Secure by design. And the point of this was to encourage manufacturers of products to ensure that their products were secure upon manufacturer before they're given to the end user, as opposed to spending the money in development on bells and whistles and extra fun things for tech, and having the end user have to worry about security. So it kind of flips the mindset, putting the responsibility on the creators of tech as opposed to the end users. So that program has been built out probably over the last two and a half years, as I said, working with industry. I chair the industry advisory group at CIsA. Called the IT Sector Coordinating Council. And we work with CISA to figure out, okay, where's the government mission? What do they want to achieve in this? And what can we as a tech community actually do? Whether it's for technological reasons, balancing our own financial resources and investment, lining it up to find that win win, so that in the end, we all want the country to be safer. We all want government and critical infrastructure to be better and safer. As you and I have talked about before, we have to work together to get there. If the government just says, go do these things, and we really can't, then nobody gets anywhere. But if we work together to figure out how we actually can achieve those goals, then that's what we do. So that was the program secured by dead sign that was stood up earlier last year or earlier this year, CiSA came to us, the industry advisor group, and asked us to work on a pledge that industry could sign where they commit to these principles in seven specific goals, cybersecurity areas. We worked with them to craft the language so that the industry could sign up to it. The earlier drafts, no one would have signed up for it, but we made it in a language that we could live with. From a legal standpoint, as you're putting yourself out there with other industry players, the public, and also the tech, the seven goals to make sure we were on board with, those are the right goals. We did. We aligned it. And at RSA last May, we signed on, as did about 85 other companies.
Now it's up to over 200 signatories for the secure redesign pledge.
[00:09:30] Speaker A: So when you said before, language that companies can understand, do you mean in terms of removing a lot of that legal jargon that when you're signing up to, like, t's and c's on, like a social media platform, for example, is a lot of quite convoluted in how.
[00:09:43] Speaker B: It'S written, sort of. It's same idea. Right. Our lawyers don't want us to sign up to something that can get us into trouble later.
[00:09:50] Speaker A: Right.
[00:09:50] Speaker B: So the original language of the pledge was, we will for sure go do all of these things.
[00:09:55] Speaker A: Right.
[00:09:56] Speaker B: If we as a company, or any company comes out and says that to the public, and then something should happen down the road, we can get in trouble with the SEC, the FTC customers can sue us. So we really didn't want to have any kind of firm commitment like that. That would not be appropriate. So the language we agreed on was that we would work, we would in good faith work toward these goals, which means good faith means you have to actually have a plan. You have to do something. But some of these goals are ones that we can never necessarily ever cross off our list. One of them is eliminating entire classes of vulnerabilities, which I know you know all about.
Insider threat, phishing. We're never going to be able to get rid of all of those things. That's not going to happen. But as long as we have a plan to mitigate them to the best we can, that's what CiSA was looking for, and that's what we could sign up for. So finding that language where it actually meets what we can actually do and what we're okay from a legal standpoint, signing up to publicly.
[00:10:52] Speaker A: So going back to your earlier point around companies perhaps focusing too much on the bells and whistles, going back to secure by design. Why do you think companies are so focused on bells and whistles?
[00:11:02] Speaker B: Because they want to sell stuff, and that's what customers look for, is bells and whistles. They don't actually sit there and say, hmm, is this secure enough?
[00:11:09] Speaker A: Didn't you buy your skinny question?
[00:11:11] Speaker B: I think they're starting to. But when you buy your laptop, is the first thing you do look for, oh, what security protections are on this laptop? No, you probably say, well, what, the version of the software I'm getting, right, what's the level of the operating system? You're not checking the security stuff. You're buying it for what we call the bells and whistles. But we're trying to flip that so that even if you buy something because of bells and whistles, it's going to be secure anyway. That's the goal.
[00:11:36] Speaker A: Well, the example I'm thinking when you're speaking, what's coming in my mind is like a motor, wireless motor. So it's like, they will get manufactured, and then, of course, telcos, they're not regulated to be like, hey, we need to buy the most secure manufacturing device.
[00:11:50] Speaker B: Right.
[00:11:50] Speaker A: And then when you have to, you know, manually change the settings in terms of the SSID, that's a manual configuration.
[00:12:00] Speaker B: And there's the password. Right. They put a default password out there.
[00:12:02] Speaker A: Correct.
[00:12:03] Speaker B: And you really need to change that.
[00:12:04] Speaker A: Commerce, cyber criminals already know in terms of the syntax. Right?
[00:12:07] Speaker B: Yeah.
[00:12:07] Speaker A: So is that going to change? If I just focus on telcos maps for a moment, is that going to start changing?
[00:12:14] Speaker B: Well, it's interesting you say that, because now that we've done a secure by design pledge for software manufacturer, we are now working on a secure by design pledge for OT IoT devices. So, same idea. So when you get that modem, is it going to automatically force you to switch the password? It should. Right. Those types of things that, by default, make it more secure before you even start using it.
[00:12:36] Speaker A: Because when I start to talk to people about that, they're like, what? Never even heard of that.
[00:12:40] Speaker B: Yeah.
[00:12:40] Speaker A: So if we start to embed that from even that manufacturing level, we could resolve a lot more problems.
[00:12:46] Speaker B: 100%.
[00:12:46] Speaker A: But then the problem is, Kristin, that's not as profitable for companies because just that arbitrary costs $5 to make the unsecure modem, but then it's going to charge an extra $10 on top of that. Table. Secure modem companies aren't going to like that. So how do you think the pushback going to go?
[00:13:04] Speaker B: I think it depends on the company, and I think depends on their overall sales platforms. So I've always said security should be a market differentiator. It's something that really matters. Does it matter that your refrigerator is super smart and secure? Maybe not. But if you're serving government or critical infrastructure, those are missions that actually require security. So it's in fact, Cisa's hope that we will advertise that. We signed onto this pledge, and we're doing these things to get our customers to buy our products. They think that actually will matter, and I think in some instances it does.
I'm really happy to say that NetApp has a fantastic security portfolio. I'm very comfortable chairing the ITSCC and representing security because we really put our money where our mouth is. Ontap, our main flagship product, has so many security bells and whistles, to use our term, again, already built in, already turned on for customers, that we're already so far down the road from where a lot of other companies are. So it makes me very happy and comfortable to be able to talk about things like, yes, it should be built in, because we have already built it in, but it depends on the company. Right. What is their own cost benefit analysis? What do they want to be known for with customers and that sort of thing?
[00:14:19] Speaker A: So just to extend on this a little bit more. So I'm aware with, you know, that the securewide design pledge one is aligning with the White House national cybersecurity strategy. So how do you see this evolving now over time?
[00:14:32] Speaker B: Well, what Cisa has tried to do is put a little bit more meat behind the pledge. Meaning, okay, you've got these seven very generic goals. What do you mean by that? So getting rid of entire classes of vulnerabilities, what do you actually mean? What are the classes of vulnerabilities, what are they? What are the best practices out there that maybe bigger companies can share with the smaller ones who signed up for the pledge? And then looking at the rest of the ecosystem, we started with software. Moving on to Iot. What about the supply chain? There's a lot of work the government has done to require a secure supply chain in order to sell to the us government. That is going to make its way into commercial requirements as well. So it just becomes more additive and more additive and additive as they put more meat to expand. What do those seven principles mean?
[00:15:25] Speaker A: Joining me now in person is Michelle Woodnicke, president, us public sector at Natup. And today we're discussing leadership in the us public sector. So, Michelle, thanks for joining and welcome.
[00:15:35] Speaker C: Thank you for having me.
[00:15:36] Speaker A: Okay, so, Michelle, can you share a little bit more about leadership in the us public sector? I know you've got quite a strong background in the space, so perhaps tell us a little bit more about your role now at NetApp.
[00:15:47] Speaker C: Okay, so my role at NetApp is quite interesting, right? Because at NetApp, first of all, we are involved with data. That is really the foundation of what we do. And I have worked with public sector customers largely on the federal side, but I, across our state and local governments, healthcare as well. And so working with those types of customers, data is of the utmost important to them. Right. It is everything that they need to support the missions, whether those missions are supporting social services to get citizens what they need or something, supporting a DoD mission or a police mission or something like that. So it's really interesting being at NetApp, being able to work with this segment of customers. And from our customer standpoint, what I love about public sector, working with public sector customers is they are 100% about their mission. So different than people who work for companies where it's like, okay, ultimately, we're all trying to make a profit or things like that. Are the leaders in public sector looking to do something to make a difference in people's lives? So it's very rewarding from that standpoint. And it's a little bit different in terms of the leadership that you work with on the customer side.
[00:17:00] Speaker A: And on that note, Michelle, would you say people who are driven by mission, as you just described, do you think it gives people that bigger purpose? Perhaps on knowing that you're on a mission, this is what we're doing, you can sort of start to see that impact, perhaps even if it doesn't feel like that immediate impact, but you're starting to sort of move towards that greater impact. Have you noticed that then working in the public sector?
[00:17:20] Speaker C: So I think, you know, what you find is a lot of people are public sector for their, whether you're in sales or, or services, you tend to support public sector customers because that, because you almost take on the mission of your customer as opposed to, you know, people who do a career working with commercial companies. Right. And every industry has its unique characteristics, but it really is for public sector people stay in it because of the mission.
[00:17:46] Speaker B: Right.
[00:17:46] Speaker A: And just focusing now on you as an individual and on the mission, what drives you then on that front or what has historically driven you in terms of what you bring into this role at Netapp?
[00:17:57] Speaker C: So what's driven me is working with our customers. They really are all about their mission and making a difference in people's lives, whether it's to develop the latest and greatest in technologies and get that infused going across everywhere or what they have to do for cybersecurity. So if you look at an organization in the us government like CISA, their mission is to improve the cybersecurity portfolio of the nation, not just the government, but of the nation in working with companies to make sure that the concepts and that there's a framework there available for companies to participate in. So being able to be a participant in some of those kinds of initiatives is really what does drive me and what's made me stay with public sector for this long.
[00:18:45] Speaker A: And in terms of how do you navigate all of that, in terms of managing leadership within NetApp, but then also driving that into the us public sector, what would be your sort of strategy to that?
[00:18:57] Speaker C: When I look at what I do and we all look at our calendars and you say, okay, how much time do I spend on different things? I think for me, I look at the industry and it's a matter of participating in some of the industry organizations that are helping our public sector customers to move forward or doing relationship building between technology companies in the government, as well as what I have to do in order to run our business on a day to day basis. Right. Driving sales teams, making sure that we're supporting customers, we've got the right set of customer success managers and the like. So it allows me to do a variety of different things, but also do it in conjunction with our, with our public sector customers.
[00:19:41] Speaker A: Okay, so I want to sort of switch gears now a little bit and talk more about distributed and diverse data, perhaps. Let me frame it as public sector agencies manage increasing amounts of distributed and diverse data, or data, as you would say, so what role does sort of NetApp's intelligent data infrastructure play then, in terms of enhancing the data security? You've sort of touched on that slightly, but then also the governance side of things.
[00:20:05] Speaker C: Yeah. So, you know, as technology has evolved, as the technology landscape has evolved, so have our government clients. And NetApp has been a partner with the government for over 30 years now. And so we worked with agencies to help them to implement the infrastructure that they need to traditionally support customers that being on Prem. As their landscapes have evolved, we've helped them to move into, like, hybrid but cloud environments because we know the government, like all customers, have initiatives to move to cloud. So our intelligent data infrastructure really helps them to build out so that they can, they can aggregate their data, whether they're doing it on Prem, on Prem, in a couple of different places in the cloud or wherever they need to, where it's really starting to help them is they need to take. The government has a lot of information.
If any of you have ever gone, you fill out a form with one department, it's like, okay, I just went to the motor vehicles department. I fill out all this information, and yet, okay, now I want a permit, and now I go to the next department, I fill out all the same. So being able to aggregate that and be able to take advantage of the data that they have in different systems to be able to serve citizens better is where you see them kind of moving and migrating.
[00:21:26] Speaker A: That leads me to my next question around migrating to the cloud. So I saw George Kurian, CEO of NetApp, speak earlier, as well as your chief product officer. So perhaps I want to sort of follow this talk track a little bit more around many public sector organizations in the process of migrating to the cloud. However, we want to balance that with security requirements. So how does NetApp, in your view, support these agencies in making that sort of transition happen?
[00:21:53] Speaker C: Yeah. And so I'll again go to the foundations. Right. We've worked to ensure that we've got the most secure products in our on prem environment. So we've done testing and certification testing around ISO standards, DoD standards, around common criteria. In fact, we are the only storage vendor to have the NSA certification for commercial products, commercial solutions for secure programs. And so it's, CSFC is the short name of it. And so that certification was done so that anybody, whether it's a private customer or anybody in the government, knows this data. And the systems have been tested to support top secret information. So it's got a set of criteria that it's already met. So now, as they're taking that. We carry a lot of those characteristics and certifications along with us. But as you move into cloud, we need to get additional certifications, and we've done that through the work and the partnerships that we have with hyperscalers. So if you look at some of the certifications that they need for cloud and the federal government, it's things like Bedramp, which the civilian agencies use, and impact level certifications that DoD uses. So Microsoft and Azure and Google, they all get those certifications. And our products that are their first party products get those certifications along with it. So now the government can take advantage of the on prem security that they have and connect to secure clouds that are made for their purposes.
[00:23:24] Speaker A: Do you think as well, in terms of the enemies that I conduct with cloud, people are becoming more accustomed to. Cloud's been around for a while, but there's still some people that are perhaps, like, hesitant about it. Are you seeing that from a government perspective, or do you think now it's becoming a little bit more ubiquitous and a bit more normal?
[00:23:40] Speaker C: So both because it really depends on what their applications are and what their missions are. Right. There are a lot of organizations where, look, some of the government agencies use commercial cloud because the level of the data, the sensitivity of the data that they have is, hey, we look at it. Clouds are centralized. They can keep up with the patching much greater than we can. So let's go into a cloud. At the same time, you have some missions that look at and say, okay, we want to be able to ring fence it, or they've got different secure networks that they need to exist on. Right. They can't exist on the Internet. So having private data or private clouds is what they need to. So it really has to do with what their mission is and what they need in order to accomplish that.
[00:24:26] Speaker A: And you mentioned before, Michelle, in terms of the NSA certification, perhaps for people who are not familiar exactly what that is. Can you explain that a little bit more?
[00:24:32] Speaker B: Yep.
[00:24:33] Speaker C: So one of the missions that NSA took on was trying to build a set of products or test a set of products that anybody, like I said, whether it's a commercial customer or whether it's another government agency, what they run is a testing program. So they run it through products, through a very thorough set of tests where they test a whole bunch of different criteria at the level. And the pass fail that they're using is to ensure that the products can maintain the security profile for top secret data they go through. And it was, I don't remember exactly how long it took us, but it was probably more than a year to get through the initial certification. And now, as we add new products than some of the parameters we can carry forward, but we keep adding to what we have sent through their testing process. Right. So once you've been through that, it's like we know that it has all the criteria that we need for top secret data, which probably should be pretty good for most people.
[00:25:41] Speaker A: And on that note, do you say in terms of top secret data giving customers assurance as well? Because obviously, people now with sensitive information, especially around government information, more specifically, people are now really looking for that extra layer of assurance.
[00:25:57] Speaker C: Yeah, well, and I will say, yeah, I think they are. And especially so our government customers, they're used to having requirements that they have to meet and they have to hit this standard, whether it's an ISO standard or a FIP standard.
But when we first announced this, the calls that I got were all from commercial customers, some banks, and some other regulated industries, and where it was our team and their customers were like, hey, tell me a little more about this, because we have needs to protect our data. So I think the program, NSA's program, is kind of doing what they had intended it to do was build a framework that could be used by them, but also by other customers as well.
[00:26:40] Speaker A: And just to sort of conclude our interview now, Michelle, I think the operative word that you've used today is definitely mission. So I want to maybe round it off with, from your perspective, with your experience, what do you sort of think? Leadership qualities, you know, essential in driving innovation and success in complex sort of mission environments, with what you do today with NetApp, but then also your background in the private sector as well.
[00:27:05] Speaker C: Yeah. So I think with, obviously, leadership characteristics transcend industries in a lot of ways, but sometimes you need a little more of something than other. And with public sector, I think it's an environment where you have a lot of different organizations, we have elected officials. You've got, everybody's got an opinion or a voice. Right. The money comes from taxpayers, so everybody feels like they've got a vested interest in the decisions that get made. So I think you need to be highly collaborative and you highly transparent are a couple of the things. And then I think you need a lot of grit because there is a lot of scrutiny, and it takes a lot to get through the network that I think exists in public sector, maybe a little bit different than in some other businesses, if you will.
[00:27:52] Speaker A: And what does grit mean to you?
[00:27:53] Speaker C: Grit means that don't give up. Right. You've got to keep going because there's going to be a lot of obstacles that you're going to have to overcome, so you're going to have to knock them down and then a new one might arise and just sticking with it until you get to the objective.
[00:28:13] Speaker A: And there you have it. This is KB on the go. Stay tuned for more.
