Transcript
here at Convene at Hudson Yards, VeeamON 2026. We're seeing the transition of Veeam into the AI era, really building out a new AI and trust layer, creating a new category. Tony Colon is here as the Chief Customer Officer at Veeam. Happy 20th anniversary. Happy six months for you. Thank you so much. Happy to be here. Thank you both for being in New York City and being at VeeamON. You bet. We're excited to be here. So we're going to talk about the new data and AI trust maturity model. I was writing about it this morning. I dropped it at 946 because the embargo was lifted. This is really good. It's a free for customers, well thought out maturity model. We want to learn more about it. What can you tell us about it? Where did it come from? So we actually had a data resiliency maturity model that we've had for the last five or so years. And what our customers were telling us was this wasn't just a sales pitch. It wasn't used as a tool to leverage buying more Veeam or looking at what we're doing. And it was an eye-opening experience for our customers to say, you know what, we're not really data resilient. And over time, we went and started hearing more and more from our customers saying, okay, so you did this once a year. Not much has changed. We'll do it next year. And then we've discovered with AI being introduced and especially the security acquisition, we needed to update our maturity model to be focused on a data and AI trust maturity model. So it's an evolution of that. But rather than just take a lift and shift approach, we actually met with 300 of our customers and we actually engaged McKinsey. And we also engaged some of our partners to say, what would the future look like for a data and AI trust world? We added multiple pillars and dimensions to it. And now we're not running it on a yearly basis. We're actually looking at running it twice a year. And in some cases on a quarterly basis for some of our largest accounts. So I would imagine, so you say you've been doing this for five years. Is that right? About five years. So if we go back to the sort of pre-AI heard around the world, you probably had a sort of a normal bell curve. There was a fat middle, you know, and you had some leaders and laggards. I would imagine today that bell curve has shifted quite dramatically. The hump has sort of moved to the right, I would think. And it's maybe a flatter nose. Is that sort of an accurate description? Very accurate. I would say even with our original version of this, which is the DRMM or the Data Resiliency Maturity Model, 20% of our customers actually made it to the highest tier. So, you know, there were still 80% of our customers that were kind of in the middle, as you mentioned, or call it 50%, then 30% that were just starting to do backup and operation resiliency and cyber resiliency. Now, when we ran it against these 300 customers, that 20% that was in the top tier now moved to the bottom tier. Yeah, Tony, that's really interesting. And I was glad to see this work from Veeam because I think there's a lot of talk about, you know, the push towards AI, especially these AI agents. And I think the reality is customers just aren't quite there yet. And I know, in fact, Veeam talked this morning, I have the stat here, 80% of leaders said that they could scale their AI safely, but only one in three said that they could produce kind of comprehensive audit evidence immediately. So I think there's a lot kind of going on here in these conversations. So what can you tell us about, you know, the confidence that you have in terms of customers really understanding where their business is going with AI, and maybe how you factor that in? So I think the biggest thing we're realizing is that when people create agents, there's the data that's known, and then there's the data that's unknown. And the reason why we went forward with this approach of creating a brand new maturity model, and also partnering with McKinsey, is we didn't want this to be a Veeam-only standard. We actually want this to be the data and AI trust standard that really is for our entire industry. So having it backed by 300 executives at our customers, having it backed by an authoritative source like a McKinsey, and then working with some of our partners and running these models with them, we feel very confident. And it's just going to get better over time. The more we do it, the more we run it. And to kind of specifically go on the 80%, I think there's a lot of confidence in customers that they need to do something. But then there's something that's maybe unspoken right now, which is the fear of, I don't really know what's in my systems or my data. You know, I mean, the business that you guys are in is largely one of risk mitigation. And when you think about risk, you think about the frequency of an event and the impact of that event. And, you know, we had work from home with COVID. That was a sort of an inflection point. But generally speaking, over the years, it's been sort of a steady increase in frequency and impact. Now, this is a massive step function. You guys talk about the blast radius. It just widens. It touches so many different systems. And there's a lot of unknown unknowns. And so that's where this maturity model or maturity models like it start to become important. Now, my understanding is it got from hearing Anna this morning, it's got four pillars, or maybe this was from last night, four pillars, five maturity outputs in 49 sub dimensions. Correct. So you guys have thought this through. What's the end state? What's my North Star? I think the North Star is that getting to a state where across, I would say these four pillars, which is kind of discovering data, assessing data, engaging data, and then really, you know, the last pillar being where you are ready for a very trusted turning on agents for everyone in your company. And then there's 12 sort of dimensions behind it. You don't have to be perfect in every single one. But I do think understanding where your assets are, understanding where your data is, is kind of knowing from unknown to known, like that's our perfect state scenario. And then I would say, you can start activating things based on department. So I've been talking to customers that say, you know what, I want to turn this on from our marketing team. I want to turn this on for finance. Well, let's look at the data sources and then run it for those individual business units. And we don't look at this maturity model as just being, oh, pick this company and then run it for your entire organization. Maybe break it down by department and your use case. So then you may have multiple versions of this maturity model sitting within an organization. And to me, the perfect definition of success or definition of done is when a company can say, yep, we're ready. This has been signed off. This has been validated by a third party. And now they're confident that they know. And I think the other big thing that comes into this is it's never going to be perfect. But then I think the power of what we've brought to the table with being able to undo AI is something that I have not seen before. So when you make a mistake, how do you undo that mistake? And I think that's the power and not just the maturity model, but then the technology keeping up with these models as well. And I think when you get to that end state, that North Star, I would predict what's going to happen is you're going to extend the maturity model. Because, I mean, I've said this is going to take, this whole AI era is going to take the better part of a decade to play out. People say, no, no, it's happening. Of course it's happening. We know there's agents in deployment. But we're going through a transition from general purpose computing to what Jensen calls accelerated computing. And that doesn't happen overnight. The processes, the SAS buildup, took a long time, 20 years to effect. And so I would predict what's going to happen when you get to that end state. That's when you're going to start to really get on the steep part of the S-curve. People talk about a J-curve. And then you're going to build a digital twin of your organization. We use the term digital twin, a digital representation of the organization, people, places, things, processes, activities in real time. So the state of the organization is ultimately going to be that next level of maturity. And you're going to have to be able to recover state of the organization. And that is a really exciting dynamic, 10X, 100X type of productivity impact. What do you think about that? Early part of my career, I started in SAS. And I remember companies saying, why would we ever put data in the cloud? And they would say to us, give me a VPN into your data center. We're like, that's not how the cloud works. You have to put your data in the cloud. And the more customers we have using the cloud, the better benefit for you because all of your implementation, all of your enhancements are from the democratization of the cloud. And it was a very difficult conversation for probably three, four years of my career. We're just telling people it's okay to move out of the data center into the cloud. Now, no one has those conversations. But fast forward to today, and now I'm hearing lockdown laptops, lockdown operating systems, don't have data leaving your systems. And it's almost like a throwback to the start of the SAS movement of moving data to the cloud of saying, instead of opening up the innovation with AI, let's lock everything down. And I just don't think with the speed and the pace that AI is moving and the models are learning, that the lockdown scenario and the guardrails are going to be able to keep up with the pace of innovation of the AI maturity. And Chris, I know you want to jump in, but this to me is so important because, Tony, to your point, when we went from on-prem to SAS, everything changed. The operating model changed, the technology model obviously went to the cloud, the business model, pricing went to consumption, and it's happening all over again. There's a new enterprise operating model that is going to occur. SAS affected largely the IT department and software companies. It really affected users a little bit, but AI is touching every part of the organization. And so I see the data and AI trust maturity model as actually preparing for that new operating model. And that's where you're going to get massive 10x, 100x leverage. Please. Yeah, no, absolutely. Just got to get that in. My passion in research has been thinking about this very deeply and we've got our own maturity models that we've been working on. Yeah, no, of course. Not this context, but market macro, so please. Yeah, no, no, absolutely. Yeah, so I know we've kind of talked about this new operating model. I know we've talked a little bit as well about sort of the end goal or the North Star, right? But I think, what does that mean? So AI systems are consuming data in different ways, they're maybe generating new data. So from a customer perspective, what do you think that means and kind of how does the resiliency model fit in there? So my fundamental belief and the Veeam's belief is that there's a lot of companies that are securing data, securing desktops, and want to manage and control the agents that are operating. And we all think there's goodness in all of that. But unless you have resiliency on that data and you know what the data is and can actually understand the contextualization of the data and the privacy and maybe even what's shouldn't be shared or a model run on. And I think I'll go back to that undoing scenario is like having a backup of that data if something gets corrupted or stolen or compromised. All of that is kind of an ecosystem of your data movement. And you can't have data protection or data privacy without data resilience. And when I say it, it sounds kind of like common sense. But when I look at most products that are being built today, they're assuming that all of this is in place. When our research and the things we've done now show that it's absolutely most companies have been either ignoring it, not prioritizing it, or there hasn't been budget to do it. It's not like people don't want to do it. It's just it hasn't been a priority. And now it's becoming a front of the line requirement for every CIO and CISO out there. Yeah, we agree. We filled a research last fall that showed, I think it was almost two thirds of customers had not even backed up half of their AI generated data. Right. So I think we're still in early stages there. And it sounds like you're seeing that as well. I was I was struck by some of the attendees. I mean, Krista, you're a hybrid. It's kind of data protection and cyber resilience and security. There are some pure play security analysts here. I was talking to Scott from the 451. He's really a security guy. So my question is, how has the maturity model affected your ability to speak to have a conversation starter, essentially with CISOs versus I mean, I'm going to an extreme versus the backup admin? Yeah. So I've joined Veeam in the last two quarters now, and we always were comfortable with Andy, the backup admin. Right. That was kind of like our go to default person. That's our person. Right. That's our people. That's our community. And now it's evolving into the CISO. And sometimes the CISO will say, yes, I care about data, but why do I care about the backup? And we're like, wait, that's how you can undo some of the mistakes you may have within your production data set. They go, I understand. But, you know, how does it pertain to me? And now we're getting the security teams in the room. We're getting the backup teams who are also questioning, why do I why am I in the security conversation? And we're starting to see and you nailed this when it came to the SaaS world of creating new departments and new job profiles. The role of the solution architect inside of a company didn't exist prior to SaaS. And now what we're seeing is you don't have just a security engineer or a backup admin or a backup engineer. We're now hearing things like resiliency engineer and an AI accelerator engineer, people who are driving and connecting teams together and our prediction over the next probably two to three years is a lot of these departments are going to come together, whether they're called data governance or data protection or data privacy. But these two teams are now all going to fall under one leader. I don't know, is it going to be a CIO mandate or is it going to be a new remit for the CISO? But you're seeing infrastructure and applications start blending together. Well, it's an organizational conundrum right now. Forward deployed engineers, forward deployed AI engineers like the hottest job right now. And they are going to be, remember the developer, we had the whole shift left movement. The developer became responsible for security developers aren't security pros. And one has to wonder, okay, these forward deployed engineers, they're really good at getting agents to work, figuring out how to spin up MCP servers, how to get them to talk to each other. They're not governance and scaffolding and security experts. That's where I see this AI trust layer that Anand talked about this morning. I see that as sort of the harness and the scaffolding around this new system of intelligence that's emerging. And the maturity model, I would imagine most customers, most enterprises don't have that scaffolding and those harnesses in place. Yeah, a hundred percent. And one thing that the maturity model is driving is what skills do you need for the future? So it's not just grading you on a scale from zero to four in each one of the 12 dimensions, but it's saying, to your point, forward deployed engineer, every single company is developing, Palantir started it. Now everyone's evolving to saying, how do I have a forward deployed engineer in my company? How do I have an AI accelerator aligned to every business unit? And now we're saying, well, where's the governance? And I keep saying governance was always, oh, who cares about governance? It's a dirty word. It's compliance under the covers. And now people are saying, well, I can come up with the best use case and best agent, but if it starts hallucinating on bad data, I have a real problem. And part of our research has shown that a lot of the companies that we talked to had 40 to 50% of their initial production testing of AI agents to drive hallucinations on bad data. So it goes back to this whole change and shift that's happening in our industry, where we not only recommend what data needs to be secured and resilient, but also what roles may be missing within your organization. So Tony, how do I take advantage of the maturity model? How do I engage? Who do I have to get involved from my end? If I'm the customer, what personas, who do you bring to the table? So what we're asking for, because it's early days for us, is we need a sponsor. It doesn't have to be a C-suite person, but someone who is empowered to work cross-functionally. If someone's like, you know what, I want a data maturity model on my backup, that's not going to work. It has to be someone who has a purview across multiple teams within an organization. The ones that I've worked on so far have been endorsed by the CIO. So typically the CIO says, I want this done. It's no cost to the customer. You can go on Veeam.com. We have an easy way to get access to our team. The other option is to go to your sales account executive and say, I want a data and AI trust maturity model. It is a mouthful. But that's how you engage with Veeam. We bring our experts in, we run this analysis with you, and then we do a readout for your team. It's a very low effort engagement, but we do need sponsorship because we don't want to be there. We show up with really high-powered consultants that then come back and say, well, we couldn't get anyone to pay attention to our meeting. To us, this is a very high valued couple hundred thousand dollar report that typically would be done by a McKinsey type organization that we're doing pro bono for our customers. And to get the data that you need for that report, who do you need in the room? Ideally, the CISO, he or she is sponsoring it. Do you need the CIO, the application heads, the SecOps team? Do you need the backup team? We want the backup team. If it's a regulated industry, understanding what compliance requirements they have. We obviously know what customers are asking for from a compliance perspective. We definitely want the CISO. And if there's a chief data officer or a chief analytics officer, someone who can show us the data movement in and out. And then we're smart enough to know within an organization, what they're using, how they're leveraging it. And then from there we can basically off and running, but it's a very lightweight effort for us. We just need access and the right people in the room so we can get to the right outcome. Is the degree of sophistication around data classification proportionally, roughly consistent with where they are on the maturity? I would say that's a really good assessment. And most companies, the term garbage in, garbage out, I've heard it more in the last probably six months than I have in the last 10 years because it is so true. Data hygiene, data quality have just been ignored for such a long period of time and people just dealt with it. Now AI runs on that data and it's putting a spotlight onto how bad organizations have kept and maintained data over the last handful of years or decades. So what's the prescription? I've heard two schools of thought. One says, get your data house in order before you invest a lot in AI. The flip side of that, which is kind of counterintuitive, says get on the AI curve and let the AI help cleanse and harmonize the data. What are you hearing? So we've actually seen both schools of thought. I would say definitely start your AI journey now, if you haven't already. At the same time, in parallel, do it on use cases where you have maybe trusted sources of data. Then start looking at, if you want to do more complex things or maybe more cross-functional in nature where there's more data sources, then you need something like the maturity model that's looking at your data, assessing your data. Because the last thing you want is more data gets created on a daily basis now than probably used to take years to create. And then how do you continue to build that muscle internally? So I would say, if it were my choice, I would start building my AI use cases, identifying what departments I want to tackle first. What are my high value areas? In parallel, making sure my data hygiene and data quality and data security and resilience strategy are all working in tandem, because that will get me the best outcome. I'm glad you circled back to that department by department, because earlier in our conversation, you were basically giving that advice. And that's kind of how organizations work. Each organization has their own data set, their own data mart, their own lake house, their own set of spreadsheets, their own version of the truth. And that's really part of the problem. And that's what the promise of AI is, is to reconcile all that. If you do it department by department, you're going to take the learnings from one department, you're going to get on a fly wheel. Ultimately, the goal is to dissolve all that departmental friction and have agents and agentic actually own that tribal knowledge with human feedback, obviously, and get better and better over time. But I think that scenario is very practical and one that organizations should really sort of lean into. I'll give you the last word on VeeamON 2026. You're six months in. What are you most excited about the next year? This is my first VeeamON. So really excited to kind of share with you what we're doing and what we've been thinking about over the last six months that I've been here. I think for me, the unlock going into the second half of this year, you know, this is like conference season, every vendor, every SaaS company, every provider has their conference right now. What I haven't heard is practical use cases of companies that are wildly successful using AI. It's a lot of, here's what we plan on doing. I think we're all launching products. The pace of innovation is so quick. I cannot wait for the success stories that happen. And honestly, there's probably going to be some unsuccessful stories that we'll all learn from. But that to me is going to be the next six months of learning when people start deploying these products and then going live. That's when the real litmus test is going to come out. Well, very practical advice, Tony. You're already bleeding green. I mean, that's right. That's the heritage of Veeam is building products that, you know, it just works. Yeah. You know, very practical. Tony Colon, thanks so much for coming to the Cube. Thank you for your time. Thank you. All right. We're here VeeamON 2026. We're working through the day. My name is Dave Vellante. I'm here with Chris DeCase. We'll be right back in New York City, right after this short break. VeeamON 2026. You're watching the Cube.
