VMware CEO Gelsinger On Disrupting The Security Industry, Pushing Subscriptions And Cracking The Code On The AWS Partnership
"Your customers are looking for more, and just giving them another warm blanket, expecting that's going to stop bullets doesn't do it," said VMware CEO Pat Gelsinger at the 2018 Best of Breed conference. "We've got to get more sophisticated capabilities."
Gelsinger Takes Center Stage
VMware CEO Pat Gelsinger is taking a broad and aggressive stance on the future of the IT security market, and working to position the virtualization kingpin as a leader among a shrinking group of security players.
In an interview with Channel Co. Executive Chairman Robert Faletra and CRN News Editor Steve Burke at the 2018 Best of Breed Conference in Philadelphia, Gelsinger put the multitude of vendors in the crowded security market on notice. "I want to disrupt everything about the security industry," Gelsinger said. "Security [vendors] have failed our customers."
Gelsinger compared current security strategies that rely on throwing more and more security products at problems and potential problems to trying to stop bullets with a blanket.
"Your customers are looking for more, and just giving them another warm blanket, expecting that's going to stop bullets doesn't do it," Gelsinger said. "We've got to get more sophisticated capabilities."
Some enterprise customers use as many as 250 individual security products at any given time, Gelsinger said, but will whittle that number down significantly. When they do, Gelsinger aims to be one of the 15 or 20 that make the cut, he said.
Gelsinger also took on hot topics like VMware's burgeoning relationship with Amazon Web Services, its strategy around hybrid cloud and new subscription-based sales models, and said solution providers are in a position to make gains on the confusion that surrounds the fast-moving cloud market.
Subscription sales models are well on their way to becoming prevalent in the market, Gelsinger said, and mastery of that aspect of customers' purchasing strategy "is not optional."
What follows is an edited excerpt of Gelsinger's conversation at the 2018 Best of Breed Conference.
Talk about where you see the biggest disruption in terms of security and what you guys are doing with NSX and NSX Everywhere?
What we’ve said is there’s two words that we use in terms of the concepts that we’ve built our security strategy around. One is intrinsic and the other is ensuring good as opposed to chasing bad. So those two ideas are very simple: “Hey always add on products or hey, we had another breach of this area… oh, we’ve got to add a new product for that.” I was with a CIO for one of the top five banks and I asked the CIO, I said “How many server products do you use?” He said two. “How many support products do you use?” He said two. Of course, we had to say Dell’s our favorite. And then “how many networking vendors do you use?” He said, “I think it’s four.” “How many security vendors do you use?” 250. How do you make all that work? Right? You know… patches of the patches. It’s just nuts. It’s got to get much simpler. So we said we're going to build more of the basic security functions directly into our platform. NSX is a networking platform that is a networking and security platform, where you microsegment, you reduce the attack surface with AppDefense. Use the virtual machine to ensure good. So we're self learning the behavior of the application and if it deviates from known good behavior, take action, because the VM provides that container environment where we may not know why it deviated, but it deviated – and we can immediately detect and respond to it. vSAN, we're building encryption directly into it. Data at rest should never be in the clear and if you could ask that question, you would not be Equifax. We're making it easy and cost effective. You should always have all data encrypted. Identity, multi-factor authentication – you should always have those in place. There's still lots of breaches, but this dramatically reduces the attack surface.
You can also start getting rid of products. About two years ago, VMware had 30 security products … today we are less than 20 and our objective is to get that to like 15 security products that we're using to run VMware. We're a big company 25,000 employees almost, with global operations – so simplify it. That doesn't mean that we're expecting that we're just going to be the security company, but as more and more of that becomes sedimented into the security of the infrastructure platform, now you have fewer products that you're adding on, fewer vendors and platforms that you're building on. That's the vision we would have.
How does this audience take advantage of that?
Through VMware of course.
Well, talk more about that. Why VMware in this case from a security standpoint? How far are we out when we have 10 to 15 security products?
I think this will take a number of years. Your customers are looking for more and just giving them another warm blanket, expecting that’s going to stop bullets doesn’t do it. We’ve got to get more sophisticated capabilities. Your customers want less products, they want more value -- and particularly in the security area that's true. … We think VMware is a critical component of that as you're building those capabilities. Simplify the environments. Give a higher value proposition to your customers in this area in these transformative technologies are really starting to emerge in an effective way. Also your customers are looking at this in the context of a multi-cloud environment. Where is your data? All of a sudden it could be spread across not just five or six data centers, 30 branches – but it could be 20 different clouds. Now you start saying, 'Well how do you govern your data?' They're looking for a very different view, base-level security – phishing attacks – those have got to be off the table because now I need much more sophisticated partnership from you to help me put policy and governance around my increasingly multi-cloud services and data.
Are you doing more with RSA or Dell SecureWorks? Talk about your approach to security across the whole platform.
The SecureWorks relationship is one like NSX and AppDefense being integrated to SecureWorks – that's an important partnership. Also working with a handful of key other players: Palo Alto Networks, we announced relationship with some of the emerging players, the EDR players like CarbonBlack. Also increasing the partnership with the mega-cloud players, Amazon of course is our preferred partner, but Google and Microsoft more of our end-user products with Microsoft, integrating that more with their services. NSX has native support for those environments now with both Azure, Amazon and Google – building that as an integrated platform so I can have end to end overlay networking with common security policy, including my native cloud applications. Building that into the container frameworks, that's where the relationship with Pivotal is very important – taking NSX into the container level is super crucial for that, but doing it for other container environments as well.
Is NSX the killer security app that customers and partners have been waiting for?
The security benefit that [NSX] brings have been – we have a business that's well over a $1 billion now, growing 40 percent last quarter – so we're seeing very robust growth rates. The number one use case for NSX is security and I expect that's going to continue to be the case. Just announced vSphere Platinum which builds the AppDefense directly into vSphere and we've integrated it with NSX. We have microsegmentation for security value on NSX. Now it’s adaptive microsegmentation, binding those together. We expect that’s going to continue to emerge as the most powerful platform that we have to put everything together. Because the magic of the network is everything goes through… if I have some end-user phishing scheme going on or some HVAC kind of thing as a target breach, it comes across the network. From a security point of view, we think of it as probably the most critical layer to enable an end-to-end view of security.
The economy is rocking right now. It’s doing really well. Is this a 2018 thing? Do you think 2019 will be as good? And where might we see that growth? Security? Edge computing? Where might you steer this team here about thinking about their business?
Most of the economists I’ve talked to are taking more tempered views, whether that’s interest rate related, trade related, Brexit related. Now I contrast that with the view that tech was hot. I believe that tech is going to stay hot. And if you look at tech growth was way outpacing economic growth 10 years ago, 15 years ago and it sort of smoothed and actually we had two years where tech growth was below overall GDP growth. But now I think we’re in this era of what I call the superpowers of technology – cloud, mobile, AI and IoT – that technology permeates everything, becoming more critical to every aspect of every business. It’s not being decided by CIOs anymore. It’s being decided by CEOs. They view it as a critical role of their business. So now this year, world GDP growth is probably 3, 3.5 percent. Overall tech growth is like 6 percent. And I believe that gap will persist. It will persist not just for a year or two but a decade or two because tech permeates everything. It is becoming how you reach more customers, how you increase efficiency, how you rebuild -- whether you’re in healthcare, whether you’re in supply chain. So I believe that tech is in for a very good period of time or extended period of time.
Talk a little bit about where you think the priorities are. In the survey that we just did, this audience tells us they see security, public cloud, hybrid cloud, application modernization and private cloud are the growth areas they see.
That’s a very good list by the way. There are some others I would put on that list as well. We’re in a little bit of a chaotic phase. Some of those are building on those trends as well. Everyone is figuring out how to bring more intelligence to their business: AI, machine learning – what does that mean to their business? A lot of data projects are becoming AI projects. You know, “Now that I have data, what do I do with the data?” How will you start applying more sophisticated analytics to it in the business area. But like you said, private cloud, public cloud… containers, Kubernetes. How do I go hard at these new, much more productive ways of building and deploying application security? You know it’s common and it has comfortably outpaced tech spend, security spend has comfortably done that. Now obviously we’ve just laid out our strategy more aggressively in this area so I want to disrupt everything about the security industry. It’s all screwed up. I think there will be winners and losers in that tech spend area going forward. You know we have a number of security companies in the industry. I think security [vendors have] failed our customers in the past. Clearly as we think about everything happening with respect to how people are taking advantage of these hybrid cloud environments, it’s to fill more applications. They’ll spend less on the infrastructure, spend more on the applications. One of the things I said in my VMworld speech this year was, “Ruthlessly automate everything is the rule of the cloud.” So all of those things that aren’t applications that are business-focused, automate so you can spend more time on business-value applications. So those would be a few that are on our list.
One of the bigger partnerships you’ve done over the past few years has been with AWS. What’s the real value for the audience to work with you and with AWS?
First, let’s dimensionalize this for the audience. How big is Amazon’s IS business going to be this year? $25 billion or so. And it’s experiencing a 40 percent growth rate. And the growth rate is not slowing down. This is a juggernaut and it just so happens we’ve now formed a strategic partnership with a juggernaut over the last two years. I made a very similar comment last year: if you haven’t figured out what your subscription public cloud strategy is… this is not a voluntary choice. Right? You have to figure out how to position yourself in the face of that juggernaut. And that juggernaut has Azure chasing it, Google chasing it. This is large dollars, major shift in infrastructure. And if you don’t have your strategy in place for how you’re adding value in the face of that… it’s a juggernaut. So what we did is we have the public cloud juggernaut called Amazon and our position as the private cloud leader by far and we fused those two together. Now what we just announced at VMworld was that by the end of next year, every place there’s Amazon there will be a VMware cloud on Amazon. So we’ll have a global footprint. Any place your customers on the planet can take advantage of it, you can. Wow. That’s pretty powerful. We’re starting to demonstrate some really value-added capabilities. The one that really excites the industry is RDS on premise. Not only are we taking workflow to the cloud, creating this hybrid work environment between private and public clouds, but we’re also bringing Amazon services from the cloud back on premise. That to us really helps to set this strategic partnership that we’re really innovating in both directions. Things that we can bring back on premise, now customers can say “How do I manage my databases? I do it with RDS.”
Talk about how game-changing RDS is and how partners can take advantage of it?
The database is the killer application for so many customers and so many use cases. RDS is the fourth biggest service on Amazon. It’s been a very powerful, successful product for them. But the key issue was, “Now I can manage my cloud database this way but I can’t manage my on-premise database that way.” The idea that we have a common control plane: common replication, common backup, life cycle management of my databases, SQL, Aurora, Oracle… we believe this is killer. We’ve gotten an extremely positive response. We expect this to be an extraordinarily successful service. And we’ve got a pipeline of services like that coming with Amazon.
How broad is the AWS partnership, and what's coming in the future?
It's going to be global. We have teams working everyplace. We have new products like RDS, the elastic compute, is another point of innovation. We have hundreds of engineers working on this. They have hundreds of engineers. This is at-scale engineering that we're doing with each other. We're seeing the pace of interest from customers and the engineering. Amazon is not an easy company to work with. We've really cracked the code on how to make that partnership work in both directions. Now the engineering pace is picking up. We'll have more to announce at Reinvent in November.
What does the CloudHealth acquisition mean to partners?
The latest research from McKinsey was the average enterprise customer is now using eight clouds. The tools for managing spend, how do you manage across eight clouds? Are you going to use the Amazon native toolset to manage the Azure workloads or the Google workloads or your Rackspace workloads? No. What CloudHealth is about is giving us that management control plane for a true multi-cloud environment. Cloud cost is the No. 1 use case. That's becoming a big item for IT and CIOs' budgets. How do I manage that and how do I have a common view of my cloud spend across multiple clouds, including my VMware Cloud on AWS, as well as my private clouds. Of Amazon's spend today, over 20 percent of it is managed through CloudHealth. The average CloudHealth customer reduces their cloud spend by 30 percent. Those are the kind of numbers that get people excited. I've probably done 12 customer visits in the last four days, and I've sold CloudHealth at probably 10 out of 12. Every customer is grappling with this issue. What VMware is going to do is populate that with all the VMware private cloud data. Customers will be able to look from what's the expense of that workload on Amazon versus Azure versus Google versus the VMC on AWS versus my private data center, and how do I cost optimize? Maybe it's a cash flow question. Maybe it's a balance sheet question. What's the tradeoff of getting that on consumption versus reserved instance? We're going to make that the management control plane for VMware's entire multi-cloud strategy. We'll have the VMware cloud with common infrastructure and CloudHealth as the common multi-cloud control plane. We're going to put Wavefront into that, CloudCoreo, all of the Tango assets, our multi-cloud provisioning and automation environment. All of those will be part of that platform so you can go to CloudHealth and be able to do not just cost management, but performance management, governance from a common control plane.
VMware is important to the network and the whole ecosystem in technology. How do you interact with other companies?
In the face of a Dell relationship, which is very powerful and growing rapidly, it's more critical for us to lean into those other relationships. At last year's VMworld, I was announcing our HPI partnership with Michael Dell sitting and looking at me in the front row. It's more important for us to lean into those other partnerships because nobody debates whether we're going to work with Dell. That's an HP statement, that's a Lenovo statement, that's a NetApp statement. It's important for us to be leaning into those relationships, and we've had good performance. Clearly Dell has grown more rapidly, but we continue to see good performance from the HP Synergy partnership where we integrated our HCI stack with Synergy as a unique value-add. We announced Workspace One being integrated as the management plane for HPI's client platform. We've seen good, unique announcements with each of them.
There has to be some level of conflict somewhere. Other CEOs must ask what's going to happen, or how am I going to be able to make this work over the long term?
Some of it is 'trust me.' They're working from trust, but verify. That's why we do the Synergy things. That's why we do the client things. That's why when they call me up and say Pat, we've got this deal in Europe, are you really going to honor our registration, you can't let the Dell guys flip this one on me, we have to go tell our Dell counterparts that that's very good, we're glad you like that account, but there's no blankin' way you're entering that account because we're partnered with one of these other vendors. It requires us to be very disciplined. Some of the channel programs we've put in place over the last couple of years are very much designed so that we're honoring the partnership with you with the way we do registration and margin back to the channel. For our other partners it becomes super critical that we honor the registrations, that we put in place the investments in the channel programs so HP, or NetApp can say that's a good partnership. I get a few escalation calls, and sometimes it's pre-escalation, and it's 'don't leave me hanging on this deal, Pat. I'm partnered with you.' A lot of times, it's the customer's choice.
Are these conversations you get involved with yourself?
Absolutely. Or it's my other executive and business team, as well. We're very sensitive about it.
What are you seeing as far as the cost of public cloud versus private cloud is concerned?
When you look at the cost of public cloud versus private cloud, a well-run private cloud wins, generally. But most people don't buy public cloud because it's cheaper. They buy it because it's easier. For developers it's a lot easier. A poorly run private cloud is more expensive, so where are you on that spectrum? A lot of IT and CIOs say I'm tired of that hassle. I just want to rely on somebody else. Our view is that the right answer is a hybrid answer. It's being able to truly build and operate those together. If I give you the flexibility, a well-run private cloud can not only be a little bit cost effective, but a lot more cost effective. If you get rid of DR, peak capacity, we have customers who are seeing greater than 80 percent utilization of their private cloud resources. That halves the unit cost, and you take advantage of DR in the public cloud. Why spend capital on DR when you can get it as a subscription service? My job is making sure it stays current. Now I get better unit cost economics on my private cloud. I get greater elasticity and greater resilience. We view the economic model of a hybrid cloud, the resilience, the governance of it, to be far better than either public or private. We want to enable customers to move past the public versus private and to public and private.
What other movements in the cloud market are you keeping an eye on?
There's been a move to centralization and then a move to decentralization in the history of computing. Cloud has been a force of centralization for the last decade. Edge and IoT will be a force of decentralization. It'll be get more of my computing resources and data resources closer to the edge where they need to be. The idea of hybrid becomes more critical in the future as you take more advantage of edge and IoT use cases as well. You have the laws of physics, the laws of economics and the laws of the land. Physics: If a robotic arm needs a 200 millisecond response time, you're not going to the public cloud and back in 500 milliseconds. It doesn't work. The laws of economics: How many pictures of my cat do I need to send to the cloud? You want to have intelligence so you're using the public cloud when you need it and not paying those bandwidth charges all the time. The laws of the land: there will be laws that require certain data, certain applications and services to be on premise or protected from international networks or clouds. We do not see it as public or private. It's about how we enable a hybrid cloud environment.
Where's the opportunity for the channel there?
This is a lot of opportunity. [The channel] knows how to do edge IT. [The channel] knows how to do hybrid cloud. You're well positioned to go to the public cloud, but not everything is going to go there. Remember, in mystery is margin. In the mystery of where and how to do it, there is margin. You have competency in helping your customers navigate. You're competent in edge and IoT, you're competent on hybrid cloud. You can give [customers] tools to show the cost and governance of a multi-cloud environment. That's turf that's going to allow you to deliver real value to your customers for the next decade or two.
How does that change licensing?
Licensing will not be a simple answer. Everybody is struggling with how to shift their business models from perpetual capital models to increasing use of subscription and consumption models. You go through the valley of death in the business if you do that. You go to a customer and say should I sell you the $1 million license or should I sell you the $10,000 subscription starter pack? A $10,000 deal well executed may have more value over the lifetime than the $1 million ELA, but that's a pretty uncomfortable sales model. Who owns the risk? A lot of customers like this. The perpetual model is like the perfect business model. I have the money and you have the risk. A subscription model is a much more shared risk model. It's much more customer friendly in many dimensions and that's why the industry is moving that way. Every vendor has that transition to figure out. There are customers that say I like capital. There are customers that say I like op ex. Different vendors view that differently and that creates more complexity as well. Every vendor is going to have to go through that. If your software vendor isn't willing to go through that with you I suggest you get a new software partner.
What are some of the things VMware is doing on diversity?
On diversity, generally tech sucks. It's taken us hundreds of years to be bad. We're working on getting better. VMware is extremely committed to this. We're one of the founding members of Women Who Code. We started the Women Transforming Technology conference. We recently announced our largest commitment ever out of the VMware foundation for forming a joint diversity around women in technology with Stanford to understand the underlying issues to why diversity is challenging. We've changed our hiring practices in that regard. We've worked at it real hard. We've got a long way to go, but we've seen real, statistically measured progress in our hiring and the mix in our staff. It's all publicly available in our social responsibility report. We have one audited gender neutrality in our pay practices. We've been public on those audited results. Most companies haven't taken the step of being public on those. We feel really good in some respects, but to be honest, we feel really bad because there's so much work to go yet. I just had the dean of Stanford engineering school in my office last week. She's been in the role about a year. Stanford, our closest partner, we're Stanford-bred, crossed 40 percent of their freshman engineering class now is female. We feel we're a little piece of that progress. That's up from 21 or 22 percent five years ago. The more you talk about STEAM rather than STEM, the more attractive it is. It's not just science, technology, engineering and math, but also arts.
What is VMware doing on workforce transformation?
There's a nasty issue under the surface here. Lifespans are increasing, career spans are increasing, but individual career durations are decreasing. The average lifespan is crossing 80 years in the United States. Instead of having a 30-year career, we should see that go to 45 years in our lifetime. But the average career is going from 30 years to 15 years. That means every employee looks at three careers on average. That underlines that there's a much deeper issue at work. The former model of education was you go to college for four years, get hired and finish your career largely in the same task. Now you go to college, you take your first job for the first third of your career before you need to undertake two major career transitions before you finish. That changes the model of education in a very fundamental way. It forces on businesses an educational requirement, and a re-educational requirement where all of us need to be purposely saying how do I bring people into the workforce, how do I retrain them for the workforce as almost a constant. Those are areas that national policy, state policy start to reflect the idea of not just educating once, or many times, but continuously to keep up with the pace of technology.
You've climbed Mt. Kilimanjaro for charity. What's that like? How did you prepare?
I climbed Mt. Kilimanjaro in July. My training regimen was to do lots of stairs. I got up to the point where I was doing 5,000 steps an hour with a 20 lb. pack. I was super fit and ready for it with the exception of downhill. If you go up to 20,000 feet, you also have to come down from 20,000 feet. Man, did that hurt. Seventeen of 22 of us made it to the top. There was a team of four from VMware on the climb with me. I made sure they were younger and stronger so they could carry me up. I had a watch that had the GPS. We had it online. We had one of those things where you could follow us online as we went to the top. We had to be a little geeky. Amazingly we had cell connectivity up to like 17,000 feet. I get better cell connectivity on Mt. Kilimanjaro than I do in the Bay Area.
What was the purpose of the climb?
It was a fundraiser. We've been supporting work in the slums of Nairobi, my wife and I, for 17 years. When we started, it was less than 500 kids. Now we have 17,000 kids in 22 different schools that we helped to start in the slums of Nairobi. They fund-raise specifically for building a women's high school. Women and girls are highly susceptible to tribalism. Many of them are being raised by aunts, uncles, grandparents. The women are married off at 11 or 12 years old to become the third, fourth, fifth wife of a tribal chief. That pattern of tribalism is heavily imbued. Building a girls boarding high school breaks that cycle. We set a goal to raise $175,000 for a girls high school. We raised $325,000.
Can you share a success story of anyone who's gone through that program?
These are slum kids. The average income in the slum is less than $1 a day. The housing density of these slums is higher than the density of Manhattan. My favorite story is a boy who went through the program. Both of his parents died of AIDS. He was raised by his grandmother. Her job was selling charcoal. He entered the program, went through it from four years old all the way through high school graduation. They get two meals a day, probably the only food they get. They get school training. They get medical support, spiritual training. That boy is now in his second year at Stanford Business School. Forty percent of those 17,000 kids are now going to college, and several, like this boy, on international scholarship.