All right. So our next speaker is from NetApp, David Welch. I got to meet David about-- actually, one of the license live events last year. And we always joke internally, Dave DiMillo especially, we talk about ever since he joined us that he said the biggest thing missing at most large corporations is a licensing czar. And his title's actually on the bio says licensing czar. So I'm not sure if DiMillo put him up to it or what happened. But David's obviously got experience in licensing, owning that across NetApp. So I'm going to let David talk a little bit more about-- his topic today's around compliance, but kind of introduce himself and the rest of the topic as well. Thanks, David. All right, thanks, Prakash. Good afternoon, everybody. How you doing? Doing good? Oh, that's kind of loud, huh? There we go. I tend to project when I get on stage. I'm a bit of a ham. So welcome everybody. I'm going to just chat briefly about software audit and compliance and just have more of a discussion around that. In fact, I love it when you guys ask questions. So if you've got a question during the preso, just raise your hand because it helps me steer the content and I can make this relevant and interesting for you guys and helpful. Does that sound good? Anybody here shy? No. OK, raise your hand if you're shy. There you go. [LAUGHTER] Brilliant. Let's hit the first slide. Is there a clicker? There we go. Who is NetApp? Everybody know who NetApp is? So we make storage. In fact, we make beautiful storage devices. We make these massive mother-of-all USB drives that you plug in to your data center and store petabytes of data. And we're about 20 years old. Just celebrated our 20th anniversary at NetApp. And we're $6.2 billion in revenue now. We've got the number one storage operating system which is pretty cool. We're the number six place to work on Fortune's list. Whenever my staff is having a bad day, I said, hey, count your blessings. You could work for number seven. That place is a hell hole. So we're global, we're big, blah, blah, blah. You know all that. We're growing like crazy. And this really comes back into the licensing story for us because the main driver for us is software. What's the differentiator from us over everyone else in the market is that we have a unified architecture. We have a single set of storage management software tools that scales all the way from a small business up to a massive enterprise. We've got customers like Yahoo Mail. All their infrastructure is managed on our storage. Apple iCloud. NetApp storage. So we do some pretty exciting things. And growing with that though, as you could imagine, it's placed a lot of demands on how we license and entitle software. And that's part of what we've been dealing with here in our company. I'll go to some of the details with that in a moment and share some of the best practices. Of course, we talk about being number six. We were number five. I don't know why we went to six. But I think we're number one. So what we sell is a combination of hardware, software, storage management solutions. For us, we're really an embedded device manufacturer although kind of not quite. We make our own servers that our operating system runs on top of. We have some pure place software in our portfolio as well that helps you manage your entire storage environment across your network. So we've got a hybrid of complexity for us that we need to be able to manage and speak and transition to. And ONTAP 8, you see the eight with the cube in it, that's our latest operating system. It's pretty incredible. And it opened up a whole variety of complexity for us in the licensing space. So we are doing something now called clustering where you can take your FAS controllers, those gray vertical boxes that are in the picture, and you can actually put them together in a cluster. And we call it the aquarium. It's like an aquarium. And the data's like fish. And the data swims anywhere it wants in the aquarium. And you can actually add controller storage to it, you can take storage way. And you have persistent-- you have immortality of data which is absolutely amazing. We have customers that have six and better up nine uptime with data which is remarkable. However, that adds complexity to licensing. You don't want licensing to be the cause of losing your 30 second of downtime allowable for the year, right? Or being able to manage license keys. Just give you an idea of the complexity we're managing, here's just a sample of some of our chart of accounts. So I'm right-handed, so I always look to the right. I don't mean to offend you people over here. I'll stand over here just so I'm not biased in the room. So we have some pretty impressive applications we're working with. We have some pretty impressive customers. And this isn't a brag list, but it just kind of goes to show the end to end scope that we have to deal with in terms of managing licensing and entitlement for us out in the field. It's interesting, when you sell hardware, your effort into the hardware stops when you basically sell the box, right? Because you had all that R and D and you put the circuit boards together and the chips in it and blah, blah, put it in a pack and a crate and pshh, you ship it. Software's different, the IP. Once that's deployed to the customer, the life cycle really begins, right? Because a lot of licenses are perpetual and you manage them for years out in the field. And that has a whole interesting level of complexity to it over hardware, a nuance to it that was an interesting journey for us as a company coming from a hardware origin to a high software value add enterprise. So for us, in some seriousness, we look at how complex it is to manage this stuff, and this is why customers fear audit and compliance programs. Especially if you've got large enterprise software, it's really confusing as to what you own. Here, we had a case where we had a donnybrook over a set of eval licenses the customer thought they were legal and entitled to use, right? Sometimes, you wind up with some pretty fundamental misunderstandings that actually wind up cratering your customer experiences. And we want to be careful to watch for those. And part of that's understand your use cases. Where's your technology going? In our case, we're seeing this trend from basic siloed apps to zones of virtualization to private cloud to public cloud. And we're servicing all of these. For us as we look at how we audit, all of these different types of data centers and all these different use cases, for us, it just has great increasing complexity, as you notice, particularly as you get into virtualization. Anybody in the room here dealing with virtualization with licensing, entitlement? That's a tough nut to crack, isn't it? And for us, it is as well. Luckily, we've got many cases, we've got hardware we can tether it to which is helpful. But if you're in a pure play application working in the cloud or a private cloud environment or a highly virtualized data center, it's a complicated topic. What is the digital forensics that you're going to use when you do your audit to figure out if something has been running? What actually usage is considered exceeding entitlement? If they just turned it on, is that exceeding entitlement? Do they have to use it for an hour, a week? That's our policy decisions that are important to figure out. And for us, we've been working on those as well. I think some common terms, just real quick here to level set the room for those who might be fairly new to the topic. The difference between entitlement and license agreement-- the entitlement is really a contract or an agreement to use a particular piece of software within a certain defined scope of usage. And the license agreement's usually the contract that states that for the customer. How many of you are working with license keys? Anybody in the room, license keys. OK. Sometimes license keys are important for compliance tracking, also for blocking or limiting usage or deployment of software as well. Key counts become important as part of an auditing project. Let me back up for a second. How many in the room here do audit their customer base currently? One? Not many. How many have been audited? Should be about 3/4 of the room raising their hand, yeah. If you've got any Oracle or Microsoft installed, you've been audited. One of the things we want to look at is the whole topic of over and under usage. We were talking just briefly on the last slide about what is considered exceeding entitlement. That could be a tough question. It's very different. We heard from the oncology use case earlier. That's a different case than it is for storage, but we each have to answer that ourselves and define it in terms of our policies and our contracts for our customers. They need to know where the line is. But sometimes the line is really fuzzy. It's really hard to tell. For our case, for storage, we talk about all that grade nine uptime we've got. We sell something that's included-- well, it's actually embedded as a core functionality of our product-- it's called NDO, non-disruptive operations. The meaning that you can failover from controller to controller to maintain your mortality and persistence of your data. Well, if somebody uses a piece of software that's not licensed to create some volumes for a disaster recovery failover, but they actually don't copy any data, is that considered exceeding entitlement? Well, that was a question we hadn't really dealt with in our company until recently, until re-looking at the use cases for customers and trying to figure out where's the bar and how can we actually define that for our customer set? And how can we actually enable the preparation for disaster recovery versus the actual use of the disaster recovery tools which would come into a whole different kind of strategy of usage for us. But common boundaries, I think we've all seen, as like geography, purpose time, certification, support plans, et cetera. And what's interesting is that under usage as well. Have you had to deal with shelfware, customers who have got piles of your licenses sitting around unused? That's a real problem. And you find that sometimes when you're auditing and it's really interesting. You think you're getting 1,000 seats and usage and you find your customer's using 100 or 500, or they acquired two companies. They didn't do the entitlement transfer and they're sitting on another 1,500 licenses. That's why the pipeline went dry. You didn't even know that until you go back and look at the account. So you could spend easily two days on this here, but we're going to kind of zoom through here in 30 minutes and hit some of the highlights. And I tend to talk fast. Tends to be my Midwestern heritage. So if somebody wants to slow me down, go for it. Raise your hand if you've got a question, all right? What are some common audit types? And this is really kind of interesting to peek at when you look at different high and low touch models. And I think all of us from the software applications that we license out in the field and the level of IP commitment to the licensing cost would probably dictate one of these quadrants over the other. In that case, we basically didn't have a program for a long time. Our answer was none. And sounds like from a bunch of you guys in the room, your answer is none also. So you kind of lose that visibility. The next level is you've got self-service. A lot of companies-- and we're implementing a program like this ourselves where we've got a trusted relationship with a customer. We're doing a lot. We've got professional services on site. We're doing a lot of work with the customers. We've got kind of a rough picture. So we asked them, it's like hey, Boy Scout, Girl Scout system. Just swear on your favorite stack of holy books you're not exceeding your entitlement. Look at your own SAM, your own software asset management tool set and policies and then do your own assessment and then give us a certificate. We'll do that now and on occasion, and that's a great way to continue to accelerate a strong relationship with a customer. The other is remote. Oftentimes, it makes sense to do an audit, there's a Q and A typically that you'd have on an audit, engaging with a customer, getting their prospective of how's it going with sales, have you installed everything you bought, were you having any problems, blah, blah, blah. Get a take, understand their architecture a bit, how they're using their architecture for your products. That sometimes can be done over the phone. You can also do an audit over WebEx or LiveMeeting or one of these other tools where you may have a script that's run that wants to look at log files that would figure out if something is being used or not. You may require a customer sending you a log file so you could do it remote. And that's a possibility. The other is on-site. Now, on-site's really great because you find out all kinds of interesting things when you're on site. And people talk to you and they tell you things in the hallway that you never would have gotten from the structured communication in email or on the phone. And I've got some dozies of stories for us on our experience. So if we look the advantages of this here, you've got huge revenue risk if you're doing nothing. There's no cop on a walk. There's nobody downtown seeing who the pickpockets are. People are pretty much free to interpret the rules as they like and there's really nobody there to kind of police it, even if you very politely and casually police your environments. And sometimes what you don't know is pretty damn shocking. I found accounts that I talked to the sales reps. They're like, oh, these guys are great. Love our stuff. Installing it like mad. We went in this one account, they had four controllers that were two years old that were on the pallet still and they were using a three year old version of the operating system. [GUNSHOT] That didn't go really well with sales management. None of those things you find by talking to somebody on the phone. Self-service is great because like I said, you can do that through self-certification, you continue to build a partnership. Do a lot of you have phone home telemetry in your products? Anybody? Phone home telemetry? Yeah. We do in ours as well. We're kind of lucky in that we write our operating system, we've got our own applications on our own hardware. So for me, my job's half done. It makes it a lot easier. But we have, I think, an industry enviable phone home attach rate. It's an opt in attach rate. And we're pushing 66% to 80% of our install base depending on the customer segment, voluntary phone home. Yes? Do you position the phone home as having some kind of value for the customer to get them to sign up? You said it's opt in, right? It is opt in, yeah. That's a great question. And it's not a cop to watch them. The purpose of the phone home isn't entitlement management like some vendors we've done business with. It's really to help the customer. And we send log files and all kinds of really interesting telemetry data about what's happening on their storage controllers. And in fact, frequently, we will call the customer and say, you've got pending doom in 48 hours. You're running out of space here. We see indicators of dry failure or system board failure, and we can actually proactively call the customer and remedy a lot of support scenarios up front. So you're right, we do need to provide a value to the customer to do that. And the telemetry happens to come along with it in terms of the use cases so we can determine entitlement compliance. On-site, that's potentially a huge risk for the partnership. You don't want to end up with Stewie and Brian, right? You don't want to go out and club your customers like a baby seal. You want to be able to cooperatively work with them. Well, we've got a slide coming up here in a minute where you actually can actually use the on-site audit to really help accelerate the relationship. But it can't be adversarial. You can't go in there like the chicken cops and cluck them to death and try to pull every dollar out of their pocket. You've got to do it in a reasonable manner and spirit of the partnership that you've got with sales organizations. I think we talked about remote a little bit already. This is sometimes almost as good as being there. It's pretty close, pretty good. Just depends on your risk exposure and your risk profiles that you're working with and the cost of doing the audit. Yes? Question. Can you just mention-- so you're talking about we're going on-site, and do you also use third parties to do audits? And can you talk about when you might go do it NetApp or when you might have a third party go and do the audit for you? That's a good question. We like third parties and we work with different third parties depending on where they have the right type of reach or the right type of touch. And third parties are helpful because they're like a bonded intermediary if you will from a customer's perspective. They get the data, they review the results with the customer first before we see them so they can have a cycle to correct and fix any misperceptions. Through that dialogue, by the way, we find side deals sometimes too. Just reuse that license key. I couldn't get you the 50% off. I could only get you 40. So reuse the license key from your last order. You find interesting things like that when they're talking to a third party as opposed to talking to somebody who's badged from our company. Some customers don't trust you. They think you're going to go in there and muck with the log files and then set them up for a trip. They're going to set you up for a Brian and Stewie minute. And they want a third party to come in and be able to look at the results and be that buffer, that neutral third party who doesn't have the biased interest in the outcome. So I do think it's really valuable. We have some cases where customers do invite us in and say, would you please come do it? I'd prefer your SE come do it because we love the guy and we know him really well, or her, and we would love to have them do the work on our behalf. And that's good too. So I think you have to have a range of options of third parties and some internal teams, and it really just depends on the relationship you've got with the customer. But yeah, you're going to want to build a strategic relationship with third parties though definitely. So we're almost up to the end here. I move quick, I talk fast. Somebody said I should have been in sales because I talk quick. So this is really about the end of the last slide here really. So really kind of harnessing the opportunity for us. What's the set of inputs and the outputs? And I think for us, we looked at this, it was really trying to drive incremental revenue. I think that's the main driver. If somebody says, aha, I need a compliance and true-up program. I've got a lot of software out there that's exceeding entitlement. I want to be able to do that true-up and capture that revenue back because it's low hanging fruit. You basically caught them standing out in the wind naked running software they didn't buy overtly or inadvertently as the case. But you find those things out. And you can enable sales teams and have a conversation with true-up. And the results can be really interesting. It doesn't always have to be hey, I'm going to hit you over the head with a five iron like in the video and pull cash out of your pocket. It may be that hey, your equipment's getting kind of old, or your software is getting kind of an old version. Why don't we forget the past and do a tech refresh, accelerate that. You can either pay us for yesterday and buy from the competition, or you can buy us tomorrow and we'll forget the past. It becomes a pretty powerful tool in the hands of sales to help accelerate a pipeline with a customer. There may be cases where you had customer service issues and you say, hey, look, we found these entitlement issues, but guess what. We're going to give you some licenses out of goodwill. And it always is a gray area oftentimes when you're doing these audits where, oh, the rep said I could use it for four months, blah, blah, an extended try and buy, the eval licenses example video we just had. Or there may have been some other thing that went on in the account in understanding that you need to think about. I was at-- I've been passive at Cisco and HP and we had a huge audit by one of the major manufacturers, a publisher when I was at Cisco and I think they wound up truing-up for half because they've got 30% of their workforce is contractors. And so both the client and the publisher couldn't really keep track over if licenses were truly used and duplicate or not, so they just came to a negotiated formula and trued-up that way. So there's a lot of remedies and outcomes that could come from this. What's really key though also is the business insight. This is something a lot of programs tend to overlook. It's looking at your use cases. If you're finding a lot of exceeding entitlement, ask yourself the question, is my entitlement model correct? Is the way I'm licensing software organic to the use case that my customers deploy in the data center or in a site? And oftentimes, that's a problem. In our case, that was an issue. So I went back and I redid the entire entitlement models for the company. We redid our licensing infrastructure to match more organically the way people use enterprise storage. In licensing, if it's done really well, nobody should know we're there. It shouldn't even be a speed bump. We should just disappear into the woodwork unless somebody tries to illicitly use the IP. And then even then, locks really only just keep honest people honest. We don't want to frustrate customers with crazy entitlement schemes. But the customer insight is I talk about how the palette of FAS controllers that were sitting unused in the customer's data center. But you can gain a two-way understanding of the software usage. We had a big semiconductor company here in the valley that we looked at. And we found out they were using a low level primitive tool of ours to do really sophisticated data transfer across their WAN, across sites. And we were able to show them that software they already purchased-- and they had to buy a little more from us, but with mostly the software they already purchased, they can actually take this data motion that they were doing across the world, across their WANs, and do it much more effectively and efficiently with a lot of it was the software they already bought. We also were able to upsell them on some other stuff. But we mutually got a two-way understanding of what the use case was and then how our current tools could actually solve their problems. Questions? So as kind of a closing thought slide here that you don't need to audit everybody. You want to build up a set of risk indicators and figure out where are the trip wires? At what point should I go take a peek? And if I go take a peek, does that drive me taking a look? And if I take a look, does that drive me into an investigation or an on-site visit of some type? So kind of think about the value chain of that if you're looking at something like this. Look at statistical audits. I was able to look at all of that analytical data we got from the phone home. I was able to do a massive amount, thousands of accounts of statistical audit. And we cleared a whole bunch of accounts with that. And we found some things on the gap. We just told the sales rep, hey, why don't you just go check this out? You might have a sales opportunity. It was just done kind of informally. Next contract roll, we'll address it as opposed to maybe a confronting true-up conversation. But your risk profiles. Work with real-world data. Have that feedback loop where you understand your use cases and able to feed that back into your trip wires for your risk profiles. And as Amy had asked, get help. Talk to third parties like Anglepoint or PWC or KPMG and there's a whole handful others out there that do this kind of work who are really seasoned at talking to accounts and to working with the different personality types and working with the different cultures. I think what's important is that left on its own, an audit and compliance program will assume the personality of the software publisher. And that may or may not be a good thing. If any of you have done business with NetApp, you know that we're an extremely friendly company. Our customers tell us time and again we love it when you show up on our doorstep. It's a pleasure doing business with you. You just make it easy. I got a problem, you just can fix it. You get it done. And that's our brand. So we didn't want to have an audit compliance program that was Stewie and Brian. You wind with Sir Laurence Olivier's bombed out city in France. That's not what we want to have happen to our accounts. These are our cherished customers. These are people also of great privilege that we want to have a structured relationship with over a long period of time. And guess what. I tried and I go back to the company, I said, we're one of literally-- a little hyperbole here-- but we're like one of 60 or 100 suppliers in the customer's data center. They get audited all the time. This isn't a weird corner box one off event that they're going to get from NetApp. It'll be maybe a bit of a surprise the first time. But we're going to do it in a NetApp blue washed NetApp branded manner where we have more of a friendly conversation. We'll hopefully get to the true-up, but we're not going to do it in a way that some of you have probably heard that goes on in the valley where they bring a five iron to the conversation. Integrate the findings back to your customer listening program. So if you've got a voice of the customer or a listening program, it's really interesting the anecdotal information you pick up with customer engagements. And I know there's a few sales people in the room. I'm looking at some of the SafeNet folks. When you get a nugget of information from your PS folks or somebody who's in on a site, that's a real gem where you may have an opportunity. And don't lose sight of that because it's really important. Oftentimes, your customers appreciate it. That big silicon company I just mentioned, they loved it when we came back and showed them a better way to do something with stuff they already had for the most part. Really powerful. Kind of last thing here is absolutely adjust your licensing entitlement models. And I said that earlier a couple of different slides. I'm just going to say it again to pound the point home. Really think about the organic use cases in the field that you're struggling, your customers are leveraging. Every nuclear submarine has an HA pair on it. Yahoo Mail runs our stuff. Apple runs our stuff. Those are very different use cases. We have Humvees that have our storage arrays on them condensed down to a small box with the important critical data on it. That's a completely different use case. I can't have one licensing model for those cases. And those are extremes, but just think about all levels of gray in the middle and think about your customers and how they want to leverage your IP assets. So that's pretty much it. That's a wrap. I appreciate your time today. If you've got any questions-- yes sir? My company gets about half our revenue, new license revenue comes from audit/compliance, but we don't actually have a formal audit process. So a couple questions. One, within your audit process, do you have it handled by your direct sales force or do you have a separate audit team that's responsible for the revenue. And related to that, how do you go about positioning this with your clients when you go in to say you're going to have an audit? Is it contractually obligated? And if it's not contractually obligated, how do you position it with the client? Those are great questions. So for us, we have a relatively small program. We've got about four consultants who are helping us with the implementation of the program. We've got a member of my staff who's actually driving the program within the company. We may scale it up in which case it may actually move to finance to the compliance organization. But for us right now, I actually work for product strategy and operations at NetApp in product management which I think is a great place for a licensing and entitlement team to park because we are right at the crossroads of kind of all functions of the company. So we actually put not a lot of resources into doing the risk management. We're lucky in that we've got, I think, really good risk profiles that we've developed. We have, I think, really good analytics that could help give us some feedback also from the field that goes into that risk management profile. So we could have just a headcount, basically, not even full-time to be able to look over the range of cases that we ought to be investigating. And we try to leverage that multi-touch model where it's self-certification, remote, as well as on-site to give us kind of the reach and range that we need with a small team to get the results that we're looking for. In most cases, we're concerned about true-up and we do true-up for cash, for money. But also it's an important tool for us for tech refresh. We're able to accelerate the development deployment of new hardware for us which is really critical. And the new operating system, ONTAP 8, that's been a real powerful catalyst. The storage industry has a bit of a nuance in that when you have a footprint in the data center, it makes you really sticky with the customer. And so we want to do everything we can to keep us on the leading edge within that customer's data center. The other question I think you had about how do you work with sales. For us, we have a [INAUDIBLE] that has an audit provision in it. It was a bit generic but it was a fairly strong audit provision, a paragraph. We've since rewrote that and it's going to be coming out with our new version of our operating system where we're going to have more direct true-up prescriptions for true-up than we've had in the past before. Our audit clause really stated that we had a right to audit. We had a right to come on prem to audit. And we had a right to have access to their staff and their records and log files as needed to conduct the analysis. We're going to get a little more prescriptive in that the new licensing models that are not announced are going to allow some greater flexibility to the customer. And we're going to allow for that flexibility. There's going to be some automatic true-up mechanisms that we're going to be putting in place as well. So we've really learned a lot starting small. We've really evolved growing the program. Got a question? Did you first try out strict enforcement before you went the audit route? How do they compare? We had compliance keys for most of our major features. It was fairly easy to circumvent. So there were a lot of people circumventing it. There were a couple of key generators on the web. We'd found in Czechoslovakia and one in China, you could make your own NetApp keys. By the way, if you did that, you got a free virus along with it. [LAUGHTER] Reminds me 10 years ago when the guy shot the saguaro cactus. It was like, oh those things are ancient in Arizona. Well, the thing fell over on him and killed him. I thought that was poetic justice. Same kind of thing. Questions? Great. Well, hit me up at the cocktail party or something if you've got any questions. It was great speaking with you today. Take care. [APPLAUSE] Thanks, David. And I can tell you that just in all seriousness, I would say most customers actually of certain size would actually appreciate the audit because I can tell you from our CI's perspective, she'd rather find out from you than find out for compliance reasons from somebody else, especially for companies who are large size and are public and others. So many other reasons to have that.
NetApp's David Welch leads a discussion around Software Audits and Compliance at LicensingLive! 2012. David is NetApp's Licensing Czar.
Software audits and compliance are some of the least favorite topics with software development companies. As many companies are selling software and hardware across multiple platforms, the associated licensing management increases in complexity as well. NetApp's Licensing Czar David Welch covers how to effectively manage these necessary tasks across disparate licensing environments.