NetApp - Dave's Blog

Most product launches are primarily about the cool new products a company is just shipping. Our launch earlier this week was different—it is mostly about a strategy that we've been working towards since the late nineties.

Don't get me wrong. There are plenty of cool new products that we are announcing: a new high-end storage system, broader switch and HBA support for 4 Gb Fibre Channel SAN, a restructuring and update of our manageability software family, and new service offerings to help customers deploy storage more quickly.

But never mind today's new products, this launch is more about strategy than products. If you look at NetApp in the mid and late nineties, we sold mostly to engineering organizations at technical companies. Cisco and Yahoo! became customers during that time. We reached $1 billion in revenue selling to customers like that, but we knew that to get past a billion we'd need to broaden our market. Tech is a great niche, but if you want to get really big, you have to crack the data centers of non-technical companies. You have to change your focus from Cisco to Nabisco.

I got lessons in enterprise selling from an IT manager at Georgia-Pacific. This was back in the late nineties when we had just begun targeting non-technical companies, and we didn't yet know much about it. I was giving this IT manager a presentation about all of our cool features—Snapshots and SnapMirrors and the advantages of our write anywhere flexible layout on disk and so on. Before I finished, he interrupted me and said, "Slow down son. What you don't seem to understand is, here at Georgia Pacific, we take logs and we turn them into paper. How's this box of yours gonna help us do that better?" I was dead in the water. I had no clue about his business, and I had no clue about whether or not we could help him turn logs into paper.

Rob Salmon (our executive VP of field operations) got a similar lesson, again in the late nineties, from a bank in North Carolina. He was visiting the CIO, and before he went out, he checked the customer support records to find out what their experience was like. They hadn't had any outages or any serious problems—just a couple of calls about how this or that feature works—so he figured that it would be a friendly meeting. The first thing the CIO said to him was, "Rob, I just want you to know that your salesmen really piss me off."

Not at all the meeting Rob was expecting! He asked the customer for more details, and the CIO said, "Your sales guys come in and they tell me about your cool new box, and your cool new features, and then they lean back and smile, like they are done. I pay you guys enough money that I expect you to come in here and understand my business problems and tell me how you are going to work with my people to help me solve them."

Over the years, our attempts to sell to enterprise data centers have driven change through pretty much every part of NetApp. Our sales and market strategy has changed, we've made large investments in customer support and professional services, we've retooled our engineering release model and development processes. Even organizations like finance and legal have had to change as we've gotten into leasing and volume purchase agreements. And of course, the products themselves have changed. Our new high-end storage system (FAS6000) scales beyond a thousand disks, over double the new CLARiiONs that EMC just launched. In capacity, performance and reliability, it's well beyond the modular mid-tier of the market and up into the range of frame arrays like Symmetrix and TagmaStore. (In addition to Fibre Channel SAN, it also supports NAS and iSCSI.)

For a strategy like serving enterprise data centers, you never reach a point where you can say, "Yesterday we weren't enterprise-ready, but today we are." It's only after the fact, when you've got thousands of commercial customers running business critical apps on your equipment that you can look back and say, "Eight years ago we weren't enterprise-ready, but today we are." Never mind all the new products, that's the real message of the "Data Center Proven" launch.

There is a theory among boards of directors about how to choose new CEOs. The idea is that you should choose an internal replacement if you are pleased with the performance of a company and want to minimize shifts in direction and culture.

I thought this was interesting in the context of Jonathan Schwartz's recent promotion.

I spent the last two days lobbying with folks on Capitol Hill about legislation to protect private information—credit card numbers, financial records and the like—that big companies store about customers. The proposed laws focus on what should happen when bad guys access large databases of sensitive consumer information. Should the company notify the press? Notify the consumer? Pay a fine? Should someone go to jail? And what should companies do to protect against theft? There's been a lot of progress since the last time I visited, six months ago.

It was fascinating to hear so many perspectives. I talked with staff people from both Senate and Congress, both Republicans and Democrats, and I also talked with two lobbying groups that focus on digital privacy and security.

There are currently at least 23 states with protective laws and another 17 or so have legislation in progress. As a result, consumer protection advocates feel pretty good. They see some benefit to a nation-wide law, but they are uninterested in a compromise that weakens existing state laws. They feel that if a federal law is going to preempt the states, it ought to be stronger than any existing state laws, to make up for the fact that states will be losing the ability to regulate further.

On the other hand, companies are horrified at the idea of having to deal with 23 (never mind 50) different sets of regulations. The last thing a company wants during a crisis is to have fifty parallel sets of laws to obey, each with a different set of procedures they have to follow. In my mind, this is probably the strongest argument in favor of a federal law that preempts state laws. Talking with CIOs and VPs of Storage at large financial institutions, I get the sense that they would be thrilled to have a single federal law, even if it were stronger than any of the existing state laws.

However, lobbyists from these companies mostly argue that the current state laws are too strong, and they don't want a federal law unless it's weaker. Also, financial institutions also worry about a new regulator watching over them. They have so many regulators already, so even if there are new rules, they hope they can be enforced by the same regulators that they have now, even if different regulators would be better for other companies.

The House and Senate Judiciary Committees want to make sure that notification requirements don't screw up law enforcement. They worry that if the press is notified too quickly, it could tip off the bad guys and give them a chance to run away before the FBI or police can catch them.

NetApp is in a subtle situation. From a purely self-interested perspective, the stronger the laws, the more encryption equipment we are likely to sell. That tends to align us with the consumer. On the other hand, many of our largest customers are lobbying for weaker laws, and it seems like a bad plan for us to lobby against our own best customers. So why is NetApp visiting the Hill at all? We want to be a technical resource with information about encryption and the role it can play in protecting consumer data. This is a perfect job for me, because I enjoy describing technical issues in ways that non-technical people can understand.

One Senate staffer said, "I am skeptical of encryption. I've got this IT consultant working for me—he's really, really good—and he told me that he can break any code, even the strongest encryption in the world, within eight minutes. So I'm not sure it's safe."

I told him that, no offense, but if this was true then this guy should have a job at the NSA, not wiring networks in a Senate office building. I tried to give him a sense of the ways that the Military and Intelligence communities use encryption, the things they trust it for and the kinds of testing and regulations they have around it. If military-grade encryption is strong enough to satisfy the paranoid people (and I mean that in a good way) at the NSA, then it ought to be good enough to protect credit cards numbers.

Through all of this, it was interesting to track my own feelings. How do I feel about all of this lobbying from all these special interests (including NetApp)? Never mind what's good for NetApp or our customers, what makes sense to me—as a person and not as a corporate officer? Am I evil for lobbying without having answered this question?

Here's something can say: Almost all of the different positions I heard had at least some merit. I definitely support strong protection for private data, but it also seems fair for companies to share their view as well. I do see a problem making companies deal with 50 separate sets of laws every time data is lost. In addition, I was impressed with how much time and effort the congressional staffers were putting in to understanding the issues and figuring out the right answer. I talked with some seriously smart people. It was especially encouraging to see how much better informed they were now than at my last visit six months ago. Since these guys are working hard to balance all of these different issues, maybe it's fair for me to talk only about the areas that I know about, and leave the other issues to experts in those areas.

Perhaps I'm in denial, but I think I might not be evil. At least I didn't pay anybody off.