Episode Transcript
[00:00:16] Speaker A: Welcome to K beyond the go. This week I'm on the ground at NetApp Insight 2024 conference at the MGM grand in the heart of Las Vegas. For this bonus series, we've been lucky enough to have lined up conversations with the selection of NetApp executives and other guests exploring the future of Dataendental. Stay tuned for the Insight track from some of the world's leading authorities, presenting at Insight 2024 as KBI Media brings you all of the highlights.
Joining me now in person is Mignana Kote, global chief security officer at Netapp. And today we're discussing the intersection of AI and security. So, Mignana, thanks for joining and welcome.
[00:00:56] Speaker B: I'm delighted to be here. Thank you for taking time with me.
[00:01:00] Speaker A: So you just mentioned before we started recording, you've got three decades of experience in the space. So perhaps let's start there around, maybe tell us a little bit more about what you've seen over the last three decades and change.
[00:01:15] Speaker B: Well, a lot of complexity, a lot of change, and a lot of difference in the way we approach things. But then there's a couple of common elements. And so let's talk about the change and the difference. When we look at threats today, there are threats like, really? This happened? And I was like, really? This happened? Because we believe we have everything under control because we follow the basic principles. But the threat actors today now know what the basic principles are, too. They know what our technologies are to protect ourselves. And so they are very, very smart, and they're creating ways to bypass those. That's what it's like. It's intriguing because they've bypass it, but it's frustrating because, like, why didn't I think of this first? So that's what I'm seeing is, you know, why didn't I think of this first? The basic table states. I was just, you know, was talking on another meeting about security by design. With that, we're all signing in the Us to make sure we're protected. The environments like making sure we use MFA, we're not using default passwords. These are basic table states.
That is still the same, and we still have to use complex passwords. We still have phishing problems. In addition to that, I read the statistics. 80% of the hackers are still getting in with bad passwords. It's like, how did that happen? I almost want to take it on myself as being in the industry for 30 years. Why didn't I, you know, why are we not evangelizing it and, you know, getting this stuff fixed, but you get new players, you get new people, and the world is moving so fast, if you look at the pace of how development is happening, how quickly you gotta get code out, that accidents happen or even people don't know. And so with that, we've got a larger, complex world, but the basics are still allowing the threat actors in.
[00:03:01] Speaker A: Just a quick note on that before you flip over to sort of the ransomware side of things. People on my show often speak about cyber security basics. But to your point, like the basics, not that basic. We've been talking about patch management 20 years. People still can't do it effectively. Do you think we'll get to the stage where the basics do become basic because we're still not there yet?
[00:03:22] Speaker B: I'm gonna say no. That sounds kind of very controversial, but I'm gonna put it in my dental practices. I had to have a tooth extracted. The basics are to brush your teeth. Now I have to put this gel in my mouth to kill bacteria. And the other night I skipped it. And so that's kind of, you know, an illustration of the basics. We know if we don't brush our teeth, you know, rigorously, all of the time, three times a day, something's going to happen. So, having said that, I think we've got to shift to making it easier so it's transparent, so they don't feel like they need to patch every day. Prior to coming to NetApp, I worked at Amazon Web Services, and one of the things that really intrigued me was that the companies that would rebuild their environments every single day, they do the rebuild and build it with a new image that didn't have vulnerabilities in it. I, which was the most patched version. So we've got to get to the world of which we don't have to think about it and think about it as an activity. Think about it. In your life, are there things that sometimes you just don't do? Like, do you really make your bed every single morning? And so it kind of, you know, just put it into simple terms and let's make it easier and transparent so that then we don't have to think about doing it.
[00:04:36] Speaker A: So the question is, Mignana, how do we get to that point where it's like, every day I'm going to make my bed or brush my teeth religiously? Are we going to get to that point in security, would you say, with your experience?
[00:04:46] Speaker B: Well, if you had a mother like mine, maybe, but.
[00:04:48] Speaker A: So how do we get that mother like yours in security?
[00:04:51] Speaker B: Then it has to be automated. It has to let's say, okay, so if you look at a new system, it's getting deployed.
That person deploying the system cannot be able to get to a system that doesn't have the most current thing. So it's got to be something so easy, just push a button and automatically builds their system with the most recent patched versions. And so when the person doesn't have to think about it, then they'll do it.
[00:05:17] Speaker A: Automated. I want to go down that a little bit more, because speaking to people with what I do, the word automated, people seem to feel like they lose control a little bit. So what are you sort of seeing when you say the word automated? Let's automate these things. People start to feel like, oh, I'm losing control. From a security perspective, you know what security people are like. What are your thoughts then on that?
[00:05:38] Speaker B: Well, my thoughts are, I'm kind of thinking, we say, you know, Alexa, turn the lights on, it's convenient. So we make it where it's convenient. The messaging is that it's convenient. You don't have to think about it. You don't have to do this very horrible thing. So always, you know, the worst things that we like to, well, we don't like to do are things dealing with house maintenance. You don't want to clean the refrigerator. Can you imagine? You had an automated self cleaning refrigerator. So just make security automated and selfdevelop fulfilling. And so what we're building is, I call it an immutable cloud environment, where actually what that does is that when the cloud environment is launched up, it's already launched in a secure state based on the code that's in it. And then should someone go in and make a mistake and open up a configuration or a change that would make it make a hole in it, then we have it self healing. Then you've got to build in those mechanisms to remove, I will call it friction, so make it a frictionless environment.
[00:06:32] Speaker A: So ransomware attacks are becoming more sophisticated and frequent, as you know, I want to talk a little bit more, and I've heard it a little bit earlier today with some of your other executives around NetApp's intelligent data infrastructure. So talk to us a little bit more on how this is designed to help organizations defend against ransomware. And then additional to that, what are some of the unique features does it offer for detection and recovery?
[00:06:57] Speaker B: Okay, so first of all, we do have the ransomware guarantee. I'm very sure you've heard about that. So we're the first storage company to have that. And we've learned through our surveys that 87% of the c level executives actually are concerned about ransomware. So what have we done? So we have the, I'll say several tools or several mechanisms in place. So the first one that I'm most excited about is the protection or the detection before something happens. So we have cloud insights that looks at the traffic as it goes towards that data. If the traffic has, or the movement of transactions towards that data has something odd in it, then it captures it and it can stop it should the threat actor get to the actual data. Now, what we have, the autonomous anti ransomware, is that we can actually, now, look if a file or any piece of data has been actually tampered with. So we get those two to detect things. But additionally, when that's detected, we have an automatic image of that data taken, and it's taken on intervals of whatever setting you put like two to 3 seconds. So that should an actual ransomware attack happen, then it's recoverable. And so it's a combination of all of these that actually allow us to protect against anti ransomware. Now, the thing is, we hope we don't have to get to that point. We look at the other controls that we've talked about, like patch environments, the table stakes. How do we make sure that we don't get to that point? But if we do get to that point, we can all rest assured that we can recover the data and be able to continue business.
[00:08:42] Speaker A: Okay, this is interesting. Would you, in your three decades experience, you've obviously seen people that haven't backed up and they've been in a real severe issue where they've had a ransomware attack. And it's like, well, we don't really, we don't have anything. Talk to me a little bit more about the emotion side of things, because I've spoken to a lot of people on this show that have dealt with customers like that, and just what they've had to go through to remediate that is, is pretty extreme, perhaps, yes.
[00:09:11] Speaker B: So I'm thinking of a couple of cases that my industry colleagues have experience with ransomware, and it is a very big toll. I mean, they want to quit. Security people and technology people, when you get, you go through so much because you go through the technical part of recoverability, but then if it's a larger scale and multiple sites have to be recovered, but then you also go through the component of the communications, the aspect where you've got to file a claim and all the media that goes through it as well. So recoverability if you do not have that protection in place, you, first of all, you got to make the decision, do you pay it or do you not? I saw a stat the other day that showed 8% of the people who pay actually get their data back. And I thought, well, that's kind of bad. They pay that money, they still don't get it. Then they learn a term from the insurance people that you have good hackers who will pay you. And I think that's also kind of interesting. That's an outage. So you have an outage, you have your data, you gotta be concerned if it's gonna be published publicly, how do you recover? How do you resume and get the business back up to operations? So, yes, the people I know that have gone through that has been highly, highly tense. I know one person that she had an attack, and I called her and she wouldn't answer her phone, but then she called me back from her husband's phone because all her lives were being monitored. So there's a lot of oversight that's put on when you go through those, because you don't know if the hackers in your environment still, just because they did a ransomware doesn't mean they're not in your environment doing other things as well. So there's so many other implications involved.
[00:10:48] Speaker A: The interesting part that I want to focus on is the continuity side of it. So we've seen in recent times, the outage thing that happened on how much of an impact that had on just our whole society for less than 24 hours. So if you focus on a business being out of business for 24, 48, if they're a manufacturing company, like how much of a long tail impact that would have. Do you think people are really aware of that?
[00:11:09] Speaker B: Perhaps in your experience, the highly regulated industries are aware. So I spent nine years at a large financial institution, and we tested, and we had to, because we had the regulators making sure that we were able to recover within a certain period of time so that people could get their money, because it does impact lives of people. And you think of outages. Let's look at Covid.
I worked on a case with COVID to help a state department be able to give refunds or give payouts to people because they didn't have money to be able to buy food. So you learn to do rapid deployments in order to make sure businesses operate. Now you have, let's break away from the highly regulated companies, the companies that have never had to deal with these things. No, they don't. They don't know how they've never tested their backups. They've never tested to see if they can recover. And so it's like, how do we operate? And it becomes a state of flux. And you've got to have someone that comes in and said, let's look at step one, step two, step three. So likewise, you usually go to using paper or trying to figure out how to transact, transact business, or you just cannot. And then the consumer, whoever uses your services then aren't able to use it. They go to competitors, and then you just see the decline of that operation.
[00:12:23] Speaker A: So why wouldn't people test their backups? Is it just one of those things where people are so busy just trying to keep their head above the water? It's like, well, like we just got to do keep the lights on and we'll worry about backups later. But something happens. Well, we don't really have a plan. We don't have any BCP strategy, nothing.
[00:12:38] Speaker B: But I think why they don't do it goes back to what we're talking about, why they don't patch. This is kind of the basics. I don't think that it's any ill intent. It's a matter of a getting into the daily flow, their daily processes, because the backup actually is like pushing a button is a backup. And it's not like it's extra work or anything. It's just getting into the habits of what they do. Now, the testing of it does mean you have to take some time and do the recoverability and test it. So, you know, a good question to ask your friends, or do you, do you back up your iPhones or do you, you know, have you ever tested if those break? But the thing if you break your phone, you're like, oh, my gosh, I'm lost without it. So we're lost without that technology. We know what we need to do, but we just don't do it because we haven't put it in part of our daily routines.
[00:13:22] Speaker A: Do you think as well, it's sort of one of those things? It's like my analogy would be, it's like electricity. You just go and you flick on the light and then it just works. But when it's not working, you're in dire straits. You notice, and it's the same thing with backups. You don't have anything. You notice it. So how are we going to get people to that point where it becomes to your earlier statement around brushing your teeth multiple times a day? How would you sort of engender that into the people into people in security to be like, well, we need to start thinking about this.
[00:13:49] Speaker B: A couple of things come to mind. What you see in the regulated industry is the auditors. Auditors keep asking you a question and you have a consequence. If you don't answer the question, you get an audit issue, then you get a multiple set of audit issues. Your rating with a financial institution goes down. So there's a punishment. So we've got to have, you want to do like positive reinforcers, but you can't like, go give a smiley face every time someone does a backup. But the consequences. So the consequences maybe doing well, I'll change that instead. Maybe instead do scenario testing. Actually test it and have them not be able to recover. So you have an external party or your audit group or your security group or someone go and do scenario testing and say, hey, how are you going to recover? Let's walk through it. Let's actually recover. Now, I learned all this. I spent eight years of my life being an auditor, where it was easy to do an audit, say, hey, let's recover that data, and everyone freezes. If you go through that one time of having to do something and you can't do it, then you retain it. Kind of like touching a hot stove. You will never touch a hot stove because you know what happens.
[00:14:53] Speaker A: So what about for non regulated industries then? How are they sort of keeping their head above the water to make sure that they're not touching the hot stove?
[00:15:00] Speaker B: Actually, I think they're knocking on would they haven't had something bad happen.
[00:15:05] Speaker A: They may have to touch the hot stove first before they not leave the house.
[00:15:07] Speaker B: They have to touch the hot stove or pay attention to the news. But let's look at early startup companies. Early startup companies, they haven't gone through the process, I mean, been through major outages, so they're not aware that it can happen. So we have to educate them. We have to educate others on, hey, here's what can happen. But then again, to educate, you gotta spend time to listen and pay attention. It is unfortunately, just like when we have a security incident, it's after the incident when we learned the most of what we could have done. Kind of like we get a speeding ticket the rest of your life. When you drive down that highway, you will not go over the speed limit again, which is unfortunate that we learn that way. But I spend a lot of time studying how adults learn, and we either learn through a positive reinforcer or a negative reinforcer. And so typically on these type of controls, it's when something bad happens, that does the reinforcement.
[00:16:01] Speaker A: So what you're saying is companies will have to be hit with something to perhaps change their behaviour.
[00:16:06] Speaker B: Would you say that's when most of the behaviors change? Now, they certainly, they know they're given the checklist, they know that they need to do these controls. Each company has their own policy and procedures. And in there, it's the standard basic controls. Are you backing up your data? We have from the auditing firms that audit us, there's what's called the general controls. And in the general controls are also. Are you backing up your data so they aren't told and they do a test that they are doing it. But then when you actually check out, see if it really works, that part is not getting done, or if it's getting done, it's not getting done thoroughly enough to make sure it really recovers the company.
[00:16:47] Speaker A: So, Mignon, I want to sort of flip over now to talk a little bit more about AI. So obviously, as you know, everyone's remote AI, cyber security, we're trying to, you know, cyber criminals are attacking us with AI, we're defending with AI, etcetera. But maybe let's get a little bit more about NetApp sort of viewpoint then, on how is NetApp sort of integrating AI with, with what you're doing in terms of, like, cyber resiliency, et cetera. Do you have any thoughts on that?
[00:17:10] Speaker B: So we are implementing AI in our solutions. And so when I talked about the file being able to get down to the file level, we're able to get to the file level to see any form of transaction with 99% recoverability, rate and precision of that data coming back. So we're using AI to help us, I'm gonna say, find ways to tune the controls to bring a stronger precision on the execution or the intent of the control. And that lines up with the whole efficiency that AI can bring to you. Now, from a security person, you didn't ask the question, but from a security person, we always are looking at the positives on how we can detect things. So that control is a detection control, and also it can, you know, the recoverability helps you sustain your operating environment. But also we want to make sure that we do stay aware that while we're doing really great things with AI, the threat actors are also doing what they consider great things on ways to break in the environment. And because of AI, it's now become much simpler for them to actually break into the environments. And they don't have to be as sophisticated as a threat actor. To try to break into the environment.
[00:18:26] Speaker A: So just to recap, you said 99%. So what happens to the other 1% in terms of recovery?
[00:18:32] Speaker B: Well, we've got all the other controls we talked about, so we've got the snapshots where we do the recovery, and we've got the detection capabilities, and so we've got a whole array of controls of which we can actually help recover.
[00:18:51] Speaker A: Joining me now in person is Matt Watts, chief technology evangelist at Natup. And today we're discussing technology, evangelism and strategic guidance. So, Matt, thanks for joining and welcome.
[00:19:00] Speaker C: It's a pleasure. Thank you for having me.
[00:19:02] Speaker A: I want to start with perhaps, what's your definition of evangelism?
[00:19:05] Speaker C: So it's an interesting question. I think my job is really about bridging the technology that we have within our portfolio to the outcomes, the kind of capabilities that customers are looking for. I think a big part of that is also looking to the horizon. An evangelist for me isn't somebody who's talking about what a specific product can do today. It's looking towards the trends and technologies that are coming and then helping companies understand how they need to start thinking about those things and preparing themselves for those things in the future.
[00:19:33] Speaker A: So you said bridging the gap with what customers are looking for. So in your experience with your role, what are customers looking for?
[00:19:40] Speaker C: So a really good example would be, if I go back four or five years ago, one of the things that I started to really see was coming to the forefront was sustainability. And there isn't sort of a specific thing that kind of points you to something happening. There's a whole bunch of different things that sort of come together. So sustainability was one of those areas where I thought, this is going to be important, it's going to be important for our customers equally. It's going to be important for us as well. My role then is to bring that topic, that trend back into NetApp and incubate it inside the business. It's about getting different product groups excited and starting to think about how their roadmap should look based on these trends that we're spotting.
[00:20:19] Speaker A: Okay, I do want to get into that, but before we go into that a little bit more, I want to talk about, you wrote a book, published it earlier this year. I know that you were down at Camp Cloud presenting it to people in the camp site about your book, the fourth wave. So maybe tell us a little bit more about it.
[00:20:34] Speaker C: Yeah, sorry. I mean, I won't kind of go through the whole thing because I will be here for forever. But I started writing a lot of. I've always written a lot of LinkedIn posts and blog posts and things like that. And probably two or three years ago, I just had a load of stuff in my head that I wanted to get out. And I started writing all these things down.
And I didn't really know what they were going to be for. I didn't know whether they would just be blog posts or LinkedIn posts. But the more of them that I wrote, the more I started to see a pattern. And I kind of realized that we'd been through these three waves of technology. The first one being the sort of the modularization of technology, the second one being virtualization and the third one being cloud. And it just suddenly realized that a lot of these stories that I'd been writing naturally kind of fit into one of those three areas. So the book was originally the third wave, and we never published it. It was just an internal thing that we used. And then the fourth wave happened, and that was pretty much because of chat. GPT. That was the moment of democratization of AI. So I decided that was a good time for us to update the book, create the sort of the fourth wave section, add in a few things like sustainability. And we decided, what the hell, let's publish it. So we stuck it onto Amazon, and I can call myself an authorization.
[00:21:45] Speaker A: Well, congratulations. I know that's a big job to write a book. So maybe let's talk about that a little bit more in terms of how does NetApp sort of embody this sort of shift in terms of data driven innovation and sustainability, which is the fourth wave that you've spoken about.
[00:22:01] Speaker C: Yeah. So sustainability is sort of part of. To be honest, it's part of all of the waves. It's just become much more into the public sort of psyche down. What's been interesting for me was that as I started to look at the waves of NetApp has always been very good at leaning into things that other people might say would be detrimental to their success. The first wave was different. The first wave, as we moved from monolithic systems to modular, mid range, netapp kind of created that wave. We came into a market of these big monolithic systems and said, this is great, but it's not the way things will be done in the future. So we sort of introduced this idea of modularization for virtualization. I remember people saying at the time, this will be the end of companies like NetApp. And the reality was, it wasn't. In fact, virtualization drove a need for shared storage, whereas others maybe resisted it. We lent in and I think that really helped with our growth. And then with cloud again, a lot of people looked at cloud, traditional vendors looked at cloud as being a threat. And NetApp once again lent in and said, no, it's not. It's going to be, it's going to augment what people currently do. In fact, it's going to expand the size of the it opportunity. Data has been consistent through all of this. In fact, the one thing you absolutely know is that data will continue to get bigger and bigger and bigger. So how do you protect, store, manage, replicate, make that more efficient? Particularly as we start thinking about sustainability becomes essential things that we have to deal with. And NetApps really sits at the forefront of that.
[00:23:30] Speaker A: And is that what you mean by the detrimental side of things? Like everyone's saying, oh, well, NetApp's going to be displaced because of cloud, et cetera, but NetApp land into that?
[00:23:40] Speaker C: Yeah, exactly that. It sort of feels counterintuitive because obviously when you put data into the cloud, people would say, well, that's data that isn't stored on your storage race means it's not something you're storing. But what we did was lean in and say, well, but what if we could put our technology into the cloud? So it just becomes another way of people consuming what we do. So, yeah, I think what NetApp's been very good at is looking at something that is a market disruptor, that is a wave, and really looking at how do we embrace that? How do we put ourselves onto that wave such that we can benefit from the growth that it brings?
[00:24:15] Speaker A: So I want to flip over now to sustainability. I'm a journalist, we're a media company. We're starting to see the sustainability conversation really come into the forefront. I did an interview recently with a guy, he's an australian guy. He used to run all the sustainability globally for Amazon. And he was talking to me a lot about, it's like the UN global impact sort of scoring system.
[00:24:35] Speaker C: Yeah.
[00:24:36] Speaker A: But also I was sort of saying to him, I think people generally think sustainability is about reusable coffee cups. Right. But Neil, I want to get your lens on the technology component because I think that's the part that people don't get about it. So I want to hear your thoughts first.
[00:24:51] Speaker C: So let me just try and give you just a really sort of a simple way to think about this, maybe for the audience as well. We don't think about sustainability and technology or a lot of people don't think about it because it's kind of invisible. You know, you can point at a car and you can look into the sky for airplanes going over, and it's very obvious that they're creating emissions. Every single time you pick up your phone and send an email, you are creating a small amount of emissions. How many for a typical email? Probably one or 2 grams. But if you think that we're sending billions of emails every single day, because that email has to travel across networks, which are being powered by, in many cases, fossil fuel created energy. It lands in data centers, which in many cases are being powered by fossil fuel created energy. So everything that we do online, everything creates some level of emissions. The way we look at it from a netapp point of view, is there is a vast amount of data in the world. In fact, the rate that we're progressing at the moment, the global data sphere. So everything that can be created by everything will be a yottabyte by 2031. Yottabyte. So a yottabyte for people who don't know, it's a trillion terabytes. That is the equivalent of every single human being on the planet carrying 500 iPhones.
So it's vast. Now, we can't directly influence that, because that's everything. But if you bring that down to data centers, data centers currently consume about 2% of the world's electricity. Forecasts are that it will grow to 8%. In Ireland, it's now 21% of their entire electricity supply goes to data centers. That's more than the entire urban population consume. Of that, about 20% is storage. So 20% of that amount is simply the power that is going to storage devices. And 68% of the data that we store is a gigantic land full of garbage that we do nothing with after it's been created, is that the data.
[00:26:43] Speaker A: Waste side of things?
[00:26:44] Speaker C: Data waste, absolutely.
[00:26:45] Speaker A: Tell me more about that. What does that mean?
[00:26:47] Speaker C: So, I mean, we call it dark data, data waste. Single use data, I think, is quite another sort of interesting term for it. There is a huge amount of what we create that is important at the point of creation, but then we never ever go back to it. So 68% is the sort of industry average, is just data that was created for a purpose, for a one off purpose, and no one has gone back to do anything with that data subsequently.
[00:27:13] Speaker A: And it's just stored there, but it's.
[00:27:14] Speaker C: Still sat on storage that is consuming power.
[00:27:17] Speaker A: Why aren't people going back to it?
[00:27:19] Speaker C: So there's many different reasons. I think one of the reasons is most people don't have a great idea as to exactly what the data is that they're storing. So a lot of this data kind of gets created, used once, and then no one thinks, is there value in that data? If we could subsequently look into it or do something with it, and I think AI large language models might open up a little bit of a door for companies to look back to, sort of talk to some of this older data to see if there's value within.
[00:27:47] Speaker A: It, by simply asking, what am I storing in the last five years and what hasn't been looked at again, perhaps.
[00:27:55] Speaker C: So we can tell them that we've got a capability called blue XP classification, and that will allow people to build that sort of landscape of what is the data? When was it last accessed? Who owns it? We can do those sorts of things. What I think it's interesting is when you look at regenerative, if you look at rag, for example, as a part of Genai, what if I could take that data you're not using, vectorize it, and then allow you to basically interact with it, to ask it questions through a gen AI capability, what might you be able to learn from it? So I think that's something we have to look at. But companies will need to be much, much more serious about how we deal with data waste, because it's consuming not just vast amounts of electricity, creating a lot of CO2 emissions, it's costing me a huge amount of money. So I think that's something that the world will start to get a better handle on.
[00:28:45] Speaker A: So do you think this is what's going to drive enterprises now? Because, yes, of course, the things you mentioned before, but subsequently how much it's costing, do you think people aware on how much it's costing?
[00:28:54] Speaker C: So it's an interesting question, I think. I think people are, but it's a really difficult problem to solve. Right. This problem has been around for. Since I came into the industry. It's kind of, who owns the data? The people who create the data say, well, we don't own it, it owns it. And it say, we don't own it, we're just the custodians of it, they own it. And we never solve the problem. We just rely on the fact that technology will get faster, more dense and cheaper and will solve the problem for us. I think the reality is, when your 68% of data is never used and that doesn't take into account the AI data explosion, and now companies are having to report on emissions, I think there's a lot of reasons like that that will get people to take this more seriously.
[00:29:39] Speaker A: So do you start with your experience of being a technology evangelist? You'll start to see people taking this more seriously now and addressing that 68%?
[00:29:48] Speaker C: I think we will. I think in the past, money hasn't fixed the problem. People are just prepared to say, well, we'll just deal with it and we'll spend more money so that we don't have to try and deal with it. But I think because of regulations that are starting to come through CSRD, the corporate sustainability reporting directive, I think as companies now have to address their emissions scope, one, two, and three emissions, if we said 20% of data center power goes to storage, if 15% or 68% of that. So 1213 percent of the data center power is storing data you never use. We have to do something about that because that's emissions that we can't offset.
So I think we haven't had that dimension before. And I think the emissions, emissions reporting, I think, brings another level of urgency toward people needing to be able to deal with this.
[00:30:41] Speaker A: So you said before, Matt, people just don't want to address it. Why do you think that is? Just that they got other things to do from being bothered or we've got other, other things we need to solve rather than the storage problem.
[00:30:50] Speaker C: Yeah, I think it is. And it's really, really difficult because we have this data ownership problem. And I've spoken to companies before who've said, let's take a quantity of data that we don't currently use and let's do that analysis as to who owns it and how old is it and what is it, and then let's see if we can build a process that would enable us potentially to delete it. And it's so complicated to work out, you know, who is responsible for this stuff? Who's going to make that decision of, we don't need that data anymore? You know, if you think about all of us, I've still got the emails from my last job. That was 19 and a half years ago, but even I look at it and I go, I'd probably better not delete it because there might be something in there. And that's.
[00:31:34] Speaker A: So we're hoarding.
[00:31:35] Speaker C: We hoard. We love to hoard. Yes.
[00:31:38] Speaker A: Who once emailed 19 years ago?
[00:31:40] Speaker C: Apparently I do, because I still store them and I still award them. It's a data ownership problem. Who's going to be that person that's going to make that decision to get rid of a whole bunch of stuff?
[00:31:51] Speaker A: Because if you delete it, they're going to say, well, why did you delete it?
[00:31:53] Speaker C: Why did you delete it now you're fine. We needed it.
[00:31:55] Speaker A: Correct?
[00:31:56] Speaker C: Yeah.
[00:31:57] Speaker A: So I'm aware on NetApp's partnership with the Aston Martin F one team and its impact on sustainability, to your point earlier, you can obviously see a car driving around a track, which obviously has impact on our environment. So maybe talk to me a little bit more about the partnership for people who aren't aware.
[00:32:14] Speaker C: Yeah. So we had the partnership for. I think we're in the third year of the partnership now. I think that's what it is.
So, to begin with, what was really interesting for me was that Aston Martin are obviously a very new team.
They are. Of course, they come from, I think, Racing Point was what they used to be. But they're effectively a new team in Formula One. And when they came in and when Aston Martin decided they wanted to start a Formula One team, they built the first new factory that I think has been built in the history of Formula One for maybe the last ten or 15 years. And they took sustainability really seriously. The factory itself has sustainability embedded into it. And, of course, then when we had that opportunity to work with them, knowing that f one as a sport has to be net zero by 2030, that just felt like a really good challenge and opportunity for us. So you can look at it in many companies that sponsor Formula one teams. It's, you know, we're the quickest storage. We help do this. And look, the reality is they do need data. They need it quickly to make better decisions. But the more interesting angle for me was, I love Formula one. It's one of my passions. The opportunity for Netapp to be part of not just Formula one, but helping Formula one to become net zero by that 2030, that, for me, was just a phenomenal opportunity for us to kind of partner with Aston Martin around.
[00:33:41] Speaker A: And so with what you're doing now, how do you see other people sort of learning from your experience with NetApp to get to that point in 2030?
[00:33:47] Speaker C: So I think there's a number of different things. I think people are looking beyond the greenwashing nowadays. I think we had an awful lot of that in the early days, which wasn't doing the vendors who were doing it. I mean, service. It wasn't doing our customers any service, and it certainly wasn't doing the industry any service. So I think we're starting to move beyond that now. And people are looking much more closely at, okay, well, where are there the real opportunities? So when NetApp talk about it we start by saying you need to look at your entire data center, because the wastage will be everywhere. It'll be in the servers, the network, the storage. It'll be across all of it. That's your starting point. You need to find the 68% of data that you're storing that you don't ever use. The opportunity, if you could do something with that becomes huge. Work with the cloud providers. One caveat.
Just be very, very careful that when you work with the cloud providers, they give you complete data that shows you what the sustainability is like. Some of them are playing a little bit with the truth and the reality of some of those things, but they can be a very good option. And then finally, the stuff you run in your data center should be the most sustainable technology you can get. I think that's where we're starting to get to now, is companies are becoming more aware and they're starting to look beyond the kind of the vendor greenwashing to find out, well, what's the big picture? How do we really address this rather than being sold on some piece of technology is going to solve the problem for them? Because it won't.
[00:35:13] Speaker A: From my understanding, being in this space, customers are now looking to organizations and vendors that have that sustainability component baked in. So do you sort of see this as a driving factor moving forward now? Getting closer to that 2030, perhaps, in terms of customers only want to work with vendors that have the sustainability baked into their process?
[00:35:33] Speaker C: Yes, in a nutshell. I mean, when I first started really working on this, which is about five or 6456 years ago, something like that, I was very clear when I was talking with all my colleagues and peers internally, I said, we've got to look at this across three pillars. The first pillar is, are we doing the right thing as a company? Because we can't go out and talk about the sustainability we can help people with if we're not doing the right things as an organization. Fortunately, Netapp was in a pretty good place. You know, our Wichita facility is kind of runs completely off renewable. We increased our renewable energy last year by up to about 144% over what we've been using before. We've got aggressive targets around scopes one, two, and three. So that was the first pillar. The second one was, how do we think about sustainability in the way that we design our products? So we have a lot of capabilities and technologies that we're building around. That one is simply giving people a dashboard that allows them to see exactly how much power the array is consuming and the emissions that are therefore being created. And then finally, that sort of third pillar was how do we show people that our technology, our solutions, could help them achieve more of their sustainability objectives? So for us, very much, we have to do all three of those things. What we are now seeing, to come back to your point, we're getting rfps now, particularly in EMEA and AIPAC, where 1015 20% of the Amarques that are being awarded to the RFP are related to sustainability. So we're now starting to see companies that if you do not have a good sustainability story, you will not win the RFP because you'll be 20 points behind before you even get to the solution.
[00:37:12] Speaker A: So can I ask you a rudimentary question? And going back to the greenwashing, I mean, if people are sort of saying, oh, we've got this cool sustainability story, what if it doesn't check out? How do you know if a vendor is doing what they say they're doing?
[00:37:24] Speaker C: Matt, that's where it's starting to get interesting now, because if you go back three, four years ago, there was no metrics, no one was checking this stuff, right? So you could, and we didn't, but others did. People were going out with the most outrageous claims, such as, oh, I mean, we've seen, you know, our storage arrays are create 90% less emissions than competitive storage arrays. I've seen that one, which is just ridiculous because we all use very similar components. The power consumption of storage devices is very similar across the board. So that was just outrageous. But no one fact checked. And the companies that were buying into this technology, there wasn't a CSRD, they weren't having to submit independently validated reports around what their net zero goals were, what their carbon emissions were. So there was an awful lot of companies that literally waved these flags and made these outrageous claims. And now what's interesting is you're starting to see some of them back off those things, because now the companies that they're selling those technologies into are having to submit independently validated CO2 emissions reports, and it's starting to expose some of the, I'm not going to call it lies, but some of the mistruths, let's say, about some of those early claims.
[00:38:39] Speaker A: So it's all going to come out.
[00:38:40] Speaker C: In the wash effectively, I think so. I think if you were a vendor that two, three years ago was making some of these pretty unsubstantiated claims, you should be a bit concerned now because the CMA in the UK are looking at this and they are going to be finding companies that are not able to support the claims with true and valid data.
[00:39:02] Speaker A: And there you have it. This is KB on the go. Stay tuned for more.
