Palo Alto Networks (TICKER: PANW): CEO Nikesh Arora Presents at Bank of America 2022 Global Technology Conference
Palo Alto Networks, Inc. (NASDAQ:PANW) Bank of America 2022 Global
Technology Conference Call June 7, 2022 1:15 PM ET
Company Participants
Nikesh Arora - Chief Executive Officer and Chairman
Conference Call Participants
Tal Liani - Bank of America
Tal Liani
Okay. Nikesh, after you.
Nikesh Arora
Okay. I think more people would show up, but I guess...
Tal Liani
They will. We'll see.
Nikesh Arora
I was in Dallas two weeks ago and I -- my big takeaway was COVID.
Tal Liani
I was in New York a month and I got COVID.
Nikesh Arora
All right. Nice people who don't have it are the ones who are under.
Tal Liani
It's -- New York is packed now. It's like impossible. Everywhere you
go. Maybe they can close the door, so we can start. So, we don't have
noise. Okay.
Good. So, I'm very pleased to host Nikesh Arora, the CEO of Palo Alto.
As you know, I'm asking questions. I have a whole list of questions for
the whole 40 minutes, but if you have a question, let's make it a
little bit dynamic. If you have any question, just raise your hand.
There's a mic in the back. We'll make sure that you'll get it at the
right time. Okay. So, I'm not going to pause at the end for questions.
We'll just wait for you to raise your hand if you have anything.
Nikesh, I really don't even know where to start with this conversation,
because there's so many topics to talk about, and I want to start from
the last results. And the last results were phenomenal, similar to
previous results, billings up 40%, NGS ARR up 65%. I want to start from
the big picture start, start for those that are kind of following you a
little bit from distance, not for those like us that follow it
day-to-day. What is the main improvement in the business, the main
growth driver in the business you want to highlight over the next few
years that drove the excellent results we've seen the last four
quarters or the last few quarters? What are the things that you have
done in the last few years that is actually the result of it is what
we're seeing today?
Nikesh Arora
Tal, as you know, it's my fourth year anniversary actually today or
yesterday. And the one thing which you learned in tech is that if your
products don't work over time and they start deprecating, eventually
your business is going to suffer and that's true in security more than
anywhere else. So, we spent a lot of time in the early part of Palo
Alto over the last four years -- the first two years, and really going
in validating ourselves in multiple product categories. So, this is,
I've said it before, but repetition does not spoil the prayer. So, I'll
say it again. We were in two magic quadrants or leadership quadrants in
enterprise security. Today, we're in 15. There's no other company in
the history of security that's done that.
Second to us is Microsoft. Just to give you a scale and scope of what's
that happened, which means we have -- we are comfortable in our product
portfolio. Having said that we're not stopping here, we are going to
keep looking at the market to see what else we need now. What that does
is when we go to a customer and the customer is up to here on
firewalls, we can talk to them about SASE. When they're up to here in
SASE, we can talk to them about cloud security. If they're up to here
on something else we can talk to them about XDR. We can talk to them
about SOC automation. So, we have 15 different products that are best
of breed that we can sell them.
Now, of course, over time, once they like one of our products, we could
give them more because they like one product. We could show them the
integrated benefits of deploying product two, product three, product
four. So, from that perspective, we've done the product market fit in
terms of product part, and honestly this past four quarters, and
hopefully the next two, three years are going to be about scaling our
go-to-market execution capability.
We're going big in Europe. We hired Helmut, CEO of Orange or continuing
to expand. We've hired BJ Jenkins, CEO of Barracuda to drive our global
sales business. So, we're actually focused very, very, very much on
continued go-to-market excellence because our largest deal in a quarter
can get to close to between $50 million to a $100 million, right?
That's the collective ARR or revenue of the two guys that sitting up
here before that's one deal. Math works. Yeah. Not that I'm envious of
that. And I wish I had a $50 million of business and $1 billion market
cap.
Question-and-Answer Session
Q - Tal Liani
When we ask our competitors, so, for example ...
Nikesh Arora
We have so many.
Tal Liani
Right. No, but with -- and just Orca, they say, yeah, but they have an
agent approach. We have agentless. You ask CrowdStrike, yeah. But they
have -- they don't have a true cloud security we have.
Nikesh Arora
They're just trying to confuse you.
Tal Liani
Right. So, most of your competitors are saying on a -- if you look at
the advanced solutions in the market, Palo Alto doesn't have the latest
and greatest; on the other hand, your numbers don't suggest it, your
numbers don't. So, what is driving the success--?
Nikesh Arora
I was listening to George this morning, because he was on CNBC that
[indiscernible], so I went back and listened to him when he was talking
about the rule of 70 or 90 or something. And we still did as much an
incremental revenue last quarter, which he did in total for the
quarter. So, yes, I get it. The fact that we go -- our NGS ARR 65%
tells you that somebody's buying this stuff. So, somebody must know the
difference.
I'll tell you that issue if you really want to get technical agentless,
you do updates twice a day, but that agent, you do real-time updates.
So, yes. Is it simple to check twice a day? Yes. So, it's like a
security guy, the risk guy showing up at seven o'clock in the morning
and noon and saying everything's secure and you have between seven and
noon to do whatever you want. So, you need an agent to go do real-time
security. I get the agentless approach. It's a vulnerability scanning
approach, which is done on a periodic basis. You can do that. It's
easier. It's cheaper.
Tal Liani
Got it. You invested in software, you invested other factors. What are
the components of your success in the sense that when you consider the
fact that you moved from not legacy, I mean, it wasn't legacy, but you
moved from appliances...
Nikesh Arora
We legacy, you know it.
Tal Liani
Yeah.
Nikesh Arora
Anything with white hairs is legacy, but go on. Yes.
Tal Liani
You said that you celebrated four years. I celebrated 25 years here.
I'm legacy.
Nikesh Arora
Yes. Yes. Hopefully the next guys will be smarter than us, but yes.
Tal Liani
So, when you -- again, I'm still at the high level, still trying to
understand the components of your success, migration to software,
migration to services. Tell us what did you do in order to take a
company from appliances to where you are today? And what do you plan on
keep doing for the next few years? And where do you see yourself five
years from now, for example?
Nikesh Arora
Let me answer the question differently, because I don't want to fall in
your trap of appliances and legacy and all that stuff. If you look,
four years ago, there was less awareness of cybersecurity. Four years,
since there's more awareness of cybersecurity. I get calls from CEOs
who are undergoing ransomware threats or attacks. I get asked by
security committees, not come and tell them, are they secure or not? So
there is -- let's just believe there is awareness of cybersecurity.
Security is growing faster than technology from an industry high level
perspective. So, the growth rate of the industry, now security is
higher than IT growth, where in the high single digits ITs and low
single digits, right? So, more awareness, higher growth rate.
Now I'll use the word legacy. There's a lot of legacy IT infrastructure
and security infrastructure that's out there that needs to get
upgraded, do better security. Let's establish that. If you look at the
largest category you spend, forget legacy, non-legacy. You can tell me
CVS, Walmart, Lowe's, Home Depot, all legacy companies, guess what,
they spend a lot of money. So, they're still spending a lot of money on
legacy stuff, which is called boxes in their infrastructure. That's why
Cisco has a $200 billion market cap. And Oracle has a large market cap
too. So, there's a bunch of legacy out there that needs to be
protected.
If you look at what's happening in security at three major categories.
The number one category you've got to defend your network. Network is
the way you access your company's resources, your customers access your
company's resources. That's protecting your network, all the way from
your laptop, my laptop is a customer, your laptop is an employee. From
that point in into your network, you have to protect it. The way you
protect it is you put firewalls in your data center. There's no other
way to do it. No software will do it because we need a box.
You do it by putting a software firewall in your public cloud
deployment. Don't forget, only 10% of the world's on the public cloud
right now. 90% is in legacy, right? That needs to be protected. That's
the reason you guys all missed Dell or not all of you, but many of us
missed Dell because we thought it was over. So, you got to protect your
data center. You got to protect your public cloud instance, and you've
got to protect your remote access that the pandemic has brought out in
space.
In that network security stack, the biggest move is going to be a $20
billion to $30 billion TAM is being created as we speak around SASE,
which is where we are one of 2.5 players. There's us, Zscaler and
Netskope. Nobody else delivers SASE.
We built the best firewalls in the world. We're the only people with
the largest software firewall business. So, in the network security
stack, we believe we are number one. We believe we will continue to be
number one. We're growing that at north of 20%. Our firewall as a
platform business, an industry that's growing at 6% to 8%. That's
network security. That's a $4 billion-plus business for us. That's
bigger than any cybersecurity company's revenue out there. Just the
network business.
On cloud security, you saw -- always you saw Orca. When I started Palo
Alto, we bought a compatible Evident, which did AWS security. We bought
RedLock. RedLock was the first semblance of a cloud workload security
company. We look at the market. There were two container security
companies, Twistlock and Orca. We bought Twistlock. Twistlock had 460
customers, Orca had 250 customers. We bought them with the larger
number of customers, because we thought we would build them faster.
Then we bought Aporeto. Then we bought Bridgecrew. We've bought a whole
bunch of it.
We have nine modules on our cloud platform. Our largest cloud deal is
north of $10 million. None of the guys who are sitting here have a $10
million deal, but they won't see one for another year, right?
Our cloud security. Cloud security is purely -- ask the company next
time you call CrowdStrike or Zscaler. If my company, CVS or Walgreens
or Walmart is moving to GCP, AWS, Azure, do you protect my application
development in there? Do you? If they say yes, that's cloud security.
If they say no, they are helping you do secure access to the cloud. Two
different businesses. We all call it cloud security, because who
wouldn't call it cloud security, nobody in cloud security. The only
real cloud security are Wiz, Orca, Prisma Cloud, AWS, GCP and Azure.
That business for us is north of a $5 million ARR. If it was three
months ago, we had raised money at $40 million, yeah, compared to these
multiple guys, but unfortunately, not three months ago, and thankfully,
we're not dealing with that.
Third business, which is still interesting is this whole confluence of
endpoints and SOC automation. That is going to be a $30 billion or $40
billion TAM in the next five to 10 years. That's the next big thing
that's going to get [indiscernible]. This is where people like IBM live
with algorithm ArcSight, where Splunk lives, where Exabeam lives, where
Sumo Logic lives. That world is going to get pre-engineered. Again, we
have the second best -- second largest XDR business in the world after
CrowdStrike. We're bigger than SentinelOne, we're bigger than Carbon
Black, we're bigger than Cybereason. Nobody knows that. Cortex XDR is
bigger than Intel. And we just launched a product called
[indiscernible], which is in beta with eight customers, which
hopefully, by the end of next calendar fiscal year, we'll have north of
100 customers. These are all Splunk replacement candidates. So, the
future is bright for legacy companies.
Tal Liani
Firewall as a platform is a big business for you. You grew 25% last
quarter.
Nikesh Arora
Yeah.
Tal Liani
How do you make it? I mean, I see -- what you don't see, I talk to
Check Point all the time. They are trying so hard...
Nikesh Arora
You talk to a lot of people.
Tal Liani
...they're trying so hard and they don't get a third of your growth.
How do you make it? Why are you successful in areas that both Cisco and
Check Point are failing?
Nikesh Arora
I don't know how to comment on other people's failures.
Tal Liani
So, talk about your success here.
Nikesh Arora
Thank you. I appreciate that. I don't know why they're not doing it.
But if you look at the firewall market, 90% of the firewall market is a
replacement or upgrade or enhancement market, which are existing
customers who want to buy more firewalls. 10% is a replacement market
every quarter. The 2C's lose share, the F&P take share. That's what's
going on to the market. Fortinet has the best firewall in the market.
They take share. They're price sensitive. They win when there is a
throughput bandwidth argument as a cheaper Level 4 firewall. We win
when it's a more security awareness conversation with a Level 7
firewall. We take share from Cisco and Check Point. I think Cisco has a
combined -- I said I wasn't going to say, but I'll say it anyway, I've
heard that the supply chain requires about 52 weeks or it's still
around 12 weeks. 52 weeks is a long time, it's one full year.
Tal Liani
Yeah. Do you think this business will remain a big business for you
also five years and 10 years from now? What's the future for the
firewall market?
Nikesh Arora
I don't know what's going to happen in 10 years. But it doesn't -- let
me say it differently. If the world becomes network less, all bets are
off. I don't think we're going there. I think you will all be accessing
the Internet in some way, shape or form somewhere. We need some sort of
device even if it's your watch or VR glasses or your antiquated laptops
and iPads in 10 years, I suspect. We won't need anything. We'll just be
visualizing everything. You'll still need connectivity in the network.
Every time you have that, you need to protect it.
Now the funny part, which people don't seem to understand is, the
amount of network traffic is growing at 10x on an annual basis. So,
guess what? The firewall capacity is not growing at 10x every year. You
don't need more firewalls to watch that traffic. So, this is the funny
part. The reason firewall is growing is the traffic throughput is
growing faster than the amount of firewall capacity. Physics. So,
firewalls will be around. They may be in software form factors, whether
you're not worried about latency and bandwidth. They will be in
hardware form factors. I don't think most financial institutions are
going to move to the cloud because they don't need a high amount of
throughput to move transactions back and forth. These are the crypto
guys in the cloud, they're going to put firewalls against their data
centers. Do you think laptop is going to go away in 10 years?
Tal Liani
No. I'm going to have laptop until I die.
Nikesh Arora
You're going to have a firewall until you die.
Tal Liani
Yeah.
Nikesh Arora
So, now you can decide the 10-year question, whether you're planning
to.
Tal Liani
We talk a lot about Zero Trust. Every company defines it differently.
Nikesh Arora
Yes. It's like love.
Tal Liani
Yeah. I want to...
Nikesh Arora
We have our own definition, all of us, which is preferential to us.
Tal Liani
I want to ask you what, first of all, the way you see it...
Nikesh Arora
Sorry. Maybe I had 3 cups of coffee this morning. It's my sixth
meeting, so I apologize if I'm being pesky or cheeky, but you guys want
some entertainment, right?
Tal Liani
I'll try to keep you...
Nikesh Arora
You are keeping me very, very excited. Do not worry. So just say legacy
once in a while. That's my trigger word.
Tal Liani
What does it mean? What does it mean Zero Trust? What does it mean for
you? And how do you participate in it? And what do you think -- what
kind of changes will dictate in the organization, your product
portfolio in order to benefit from the trend?
Nikesh Arora
Okay. Do you have a badge when you go to work like one of those things?
Tal Liani
Yeah. I do.
Nikesh Arora
That's called Zero Trust. Even if you walk in and the guy knows you, he
makes you -- want you to swipe the badge because between the time he
saw you and somebody might have turned your access up because you no
longer work there. Zero Trust is validating you every time irrespective
of any other signal you send. That's what Zero Trust is about. Every time we
try and access the corporate resource, I'm going to validate who you
are and you have the right thing to do what you do. That's what Zero
Trust means actually. It's not hard to understand Zero Trust, right?
You can be validated every time.
Now, yes, every product out there in security, for the most part, is
Zero Trust. It has to be. Because we're validating you every time,
whether it's a firewall or it's an XDR agent or a remote agent or a
Zscaler, or Okta role in Zero Trust, because we don't trust it,
inspecting you all the time, that's called Zero Trust.
The question is, well, have we Zero Trust, then what's the problem? The
problem is, is your company, is Bank of America implemented in a way
that you have Zero Trust across the organization? Well, if you have six
different vendors doing network security, you are doing it six
different ways. So, you're not a Zero Trust, because somebody does it
differently from the other guy. And some of the products out there, not
all of them, are like kind of your badge. Once you use -- swipe your
badge and you walk into Bank of America, maybe not Bank of America, but
you have access to everything. The only thing probably you don't have
access to the server room or Brian's office, maybe. So.
Tal Liani
No, I don't.
Nikesh Arora
You don't. Okay. So, there is some degree of Zero Trust there. It's
applied to very selective assets. But the more stringent you make it,
that your badge only unlocks certain doors and even when you unlock
them, I'm watching you wherever you go, that's true Zero Trust, right?
So, we watch applications, we watch user IDs, we watch your devices at
Palo Alto. So, we deem ourselves more Zero Trust than the others. But
everybody's got Zero Trust. The question is, if you buy a Check Point
firewall, you buy Zscaler for remote access and you buy an AWS firewall
for your public cloud instance, there are three different sets of
security policies being deployed. Is that better? Or is it better to
deploy Palo Alto's policies by using our hardware firewall, which is
consistent with our remote access product, which is consistent of our
cloud firewall. The answer is, I'd rather have one set of security
policies across all three. So, we go and fix the Zero Trust enterprise
compared to others, which is Zero Trust for a specific application.
Tal Liani
Big part of Zero Trust is identity.
Nikesh Arora
No. Identity is a hygiene factor, it's about security. It just
validates who you are, and as is conversation Todd [ph], like when you
log in, this is not a knocking, Okta is a great company. They're going
to be around for a long time. They need identity, they have the largest
number of innovation, and that's not the question. You need identity to
get it somewhere. You need your badge to get it somewhere.
What do you do after that? You're doing anomalous behavior, you're
being consistent, is your application working the way it's supposed to?
All that stuff needs to be inspected. So, yes. Identity is a key input
into validating that it's Tal who we are watching throughout this
process. But you are an indicator or you're an identity. Yes, I need
identity. It doesn't mean I can't use an API or Okta, SailPoint or Ping
and see who you are and then track you to aggressive and go back and
say, shut Tal's access down. So, yes. It is an important part of
identity. So, there's -- every other is a Zero Trust product.
Tal Liani
Got it. I want to talk about Prisma Access and/or Prisma. I want to
talk about cloud security.
Nikesh Arora
Yes. Let's be clear. I just told you our cloud security. Cloud security
is protecting the applications to the cloud. Prisma Access is securely
accessing the cloud.
Tal Liani
I know. That's why I'd have to go back.
Nikesh Arora
Okay. Which one do you want to talk about?
Tal Liani
I want to talk about cloud security.
Nikesh Arora
Got it.
Tal Liani
And the question is, how big is the opportunity in your view, not from
a numbers perspective, but from kind of your discussions with
customers, et cetera? And do you see the appetite of companies -- big
companies, smaller companies to actually go after and do the right
thing? Or are they -- for the meantime, are they going to say, okay,
I'm going to use whatever, Microsoft, GCP is offering me or Microsoft
Azure is offering me, et cetera.
Nikesh Arora
I'm going to give you numbers answer.
Tal Liani
Thank you. We want it.
Nikesh Arora
Okay. All right. Roughly $200 billion of public cloud is sold every
year between GCP, AWS and Azure, right? Give or take, if you look at
the numbers, they are booking. That should have between a 2% to 5% of
that spend should be cloud security. It's 8% to 10% on your boxes and
everything else. But because Google, Amazon, Microsoft take care of
data center security, it should be at 2% to 5% of the total number. So,
give or take, $4 billion to $10 billion. That's just what is sold this
past year, right? You add it up over time, it was a $1 trillion spend.
There should be $20 billion to $50 billion market for cloud security. I
think half of that market will belong to the cloud providers because of
the single tenant customers, smaller companies, they'll just take
whatever they get as part of the license from Google, Microsoft,
Amazon, and they will be fine. That leaves you with $10 billion to $25
billion over $1 trillion cloud spend, which is up for grabs, right? The
market is not that big right now. The market is close to about $1
billion right now.
So, there is a 10 to 25x opportunity in there. I think customers will
have no choice. They're going to have to use cloud security to make
that happen. I think 60% to 70% of the products have been built, 30%
haven't been built. Wiz didn't exist two years ago, right? Orca didn't
-- Orca existed five years, but they're kind of -- they're less
exciting than Wiz is. If you walk around the floor, half the companies
have got some variant or some version cloud security. It's great. So,
it's going to happen.
Tal Liani
And what makes you in a good position to go after the opportunity?
Nikesh Arora
Remember, we have 2,200 odd customers in Prisma Cloud. And all of our
customers, by definition, have to be GCP, Azure or AWS customers,
otherwise you get nothing to protect, which means they have chosen us
over using the cloud providers' security. Most of these 2,000 customers
are the larger enterprises in the world, because they are the ones with
complex multi-cloud establishments.
I think just their natural growth should be 20% to 40% a year, right?
Because most of this $1 trillion of cloud, which we're going to see,
has not been deployed yet. I don't know, Bank of America has got a few
hundred workloads in the cloud. It can tell us now you guys will be in
the cloud. Well, you don't spend nothing on cloud security today,
right? You should be spending $200 million [ph] a year on cloud
security. Somebody is going to have to drive that capability.
Tal Liani
By the way, the question, I even don't know the answer I'm asking you,
the fact you are in the data center or in the campus environment and
you have your own solutions for firewall and network security, et
cetera, does it make you -- is there any synergy between that position
in cloud security? Or are these two isolated completely?
Nikesh Arora
No, they are not isolated. There are multiple points of synergy and
overlap, both technical and relationship. Look, if I have a happy
customer -- they like Palo Alto's products, it's worked for them in
multiple instances, they're more likely to buy my product, because I'm
a reliable provider. If they believe I'm as innovative as I'm hoping to
be and continue to be, then they believe that I'll have their back.
There's enough CIOs and CISOs who are loath to put their eggs in a
startup basket, because if you look at it, after all the excitement, 2%
of the startups go public, 98% are going to shut down or get sold to
somebody else. And if you're unlucky, you get sold to BlackBerry, then
you basically have to go find a different solution. I don't know what
company they bought. There's an endpoint ...
Tal Liani
Cylance.
Nikesh Arora
Cylance, right? Maybe there was something in the name Cylance. That's
what we hear from. So, sorry, so I was little punchy this morning. So,
we don't see them, but Cylance...
Tal Liani
I'm going to serve you coffee on the way in.
Nikesh Arora
More coffee. The next guy is going to be unhappy. So, no, but look
about it, when I joined Palo Alto, first, it was a Morgan Stanley
conference and I was in somewhere in Utah, and I met both CrowdStrike
and Cylance. And they are both neck-to-neck at that point in time, then
Cylance got bought by BlackBerry, they're in the market and CrowdStrike
went ahead and chartered their own path. George cannot believe for
himself and for the company and for the industry. So.
Tal Liani
Got it. So, we spoke about cloud security. And I want to talk about
another successful area for you, Cortex.
Nikesh Arora
Yes.
Tal Liani
What makes you successful in the space?
Nikesh Arora
Cortex ends up being a bit of a perspiration business for us because
CrowdStrike is doing so well. They add about 2,000 customers a quarter.
We had about 400, 500, which is not a bad thing. But we're focused on
really trying to penetrate Cortex XDR into our installed base, because
we get tremendous amount of leverage by cross correlating their
firewall data with our endpoint data, which becomes our competitive
advantage to compare it to everybody else because we can actually
improve their life in the SOC thereafter. And we have north of 3,000
customers in XDR, again, at the top end of the market, which is where
we actually do better in the market. And the long-term play there is to
convert all of them into large SOC automation customers. And the
prerequisite for that is they got to have both Palo Alto firewall,
they're going to have an endpoint from Palo Alto. So, we're very happy
with the fact that we're seeding these customers with XDR. We're not
trying to go -- get 2,000 customers, because beyond a certain size of
customer, it's unprofitable to go try and sell this to those people. I
think the depth of enterprise when you're selling $50,000 ACV deals in
an efficient sales model.
Tal Liani
So, we spoke about products. We're going to talk about additional
products. But I want to just take a step back for a second and say,
these are very different businesses from the businesses that you
inherited when you started. How did you adapt the sales channel? The
motion of salespeople and selling organization to go after the new
opportunities. What did you have to do in order to make sure that,
okay, you have the R&D developing solutions that go after
opportunities, but you can also have another organization that can fill
them?
Nikesh Arora
Yeah. Well, 80% of VPs at above Palo Alto are new in the last four
years. 80%. So, we had to reshape the entire leadership team because
it's too old. I'm too old to change people's religion. So, we just get
people who have religion. They understand cloud, you bring them. They
understand XDR, you bring them. So, 80% of our leadership is new. A
majority of our hired people who are dedicated cloud salespeople, SASE
salespeople, XDR salespeople. And something we're very proud of,
because we have changed the perception of Palo Alto in the employment
market.
People want to come, work for us. We are seen as one of the best places
to work in cybersecurity. People like the breadth of the portfolio,
because when if I'm a salesperson, I've been selling for 20 years, and
I have my patch in Michigan, and I have 10 really good customers that
are doing really well. Well, I sold every one of them every XDR
possibly from a CrowdStrike or if I'm a Zscaler, sold in SASE. But if I
come to Palo Alto, I have 15 products to choose from. So, I can go back
to buy relationships and go sell them into a much better cybersecurity
product him. So, we see a lot of people who want a more impactful, more
expansive role come back to us.
Tal Liani
Got it. And what about the channel? Did you have to make changes also
to the channel, not just the sales organization?
Nikesh Arora
I think the channel is changing itself. If you see even in the last
four years, the people who are emerging in the channel are more like
the Accentures, Deloittes, British Telecom, AT&T, Verizon, Infosys,
HCL, Wipro, these guys are all turning into security managed services
businesses or security implementation businesses. So, when we tell --
sell SASE, we sell it as part of the large network transformation.
There's typically a service partner involved. And in the past, when you
sold boxes, you sold it through a box mover, which is more lower on the
service, and now there's a big architectural company and services
company. So, the market is shifting there. These people are building
large security practices, which is better because we have better
relationships. They prefer because they're getting into the game. They
prefer larger relationships with fewer security partners, and try and
go partner in [indiscernible] security.
Tal Liani
You spoke about SASE, and I want to go back to SASE. We used to talk
about technical differences, proxy approach, non-proxy approach. We
don't talk about it anymore.
Nikesh Arora
It's all normalized. Eventually, you take the objection away by us
having the capability.
Tal Liani
Right. And the question I have is what makes you -- first of all, if
you can, for those who don't know, if you can discuss your portfolio in
SASE. And then, what makes you successful?
Nikesh Arora
So, SASE is the new architecture for the network. So, a little history
lesson. If you were running 1,000 stores, when you have 50,000
employees, every employee logs in using a laptop, using VPN, back into
your data center. You dial in back into your firewall, in your data
center, that's how your VPNs work. You connect it to your data center,
that's how the production is done on security and then you get your
data from whatever you want. If you are a store, you are a big Tier 1
line from your stores, you are Walmart, CVS, Cartier, whoever you are,
a big Tier 1 line bought from AT&T or Verizon, which runs back into
your data center.
Now with the availability of internet access at 10 gigabytes, you don't
need dedicated lines anymore. So, almost every large legacy company is
going through an MPLS replacement cycle, where they're going to replace
those big pipes that they spend $100 million a year, and they were
replaced them with internet access and use SD-WAN. So that's kind of
one trend on one end. The other trend is everybody moves 50% of the
applications to the cloud. The question becomes, why do I need to go
back to my data center, half the stuff is in the cloud. Why don't I
just go straight from my laptop into the cloud? If you're accessing
your Gmail or accessing your Salesforce, why do you need to go to your
data center, because your laptop, you can go there.
So, those are two big changes going on in the world in IT architecture.
The way to solve for that is to deploy SASE, which means your laptop
logs in, you run a firewall in the cloud, you run the permission right,
closest to where you are in your pop, from there you can either go to
SFD Salesforce, you can go to Workday, you can go to your own
applications in GCP, and you never see your data center. Now that
requires both security capabilities in the cloud, as well as SD-WAN or
fastest evaluating capability in the cloud and requires endpoint
monitoring to see if something breaks, how that takes it. That's SASE.
The way you deploy that is using SASE.
The reason we are successful is, in the past, the proxy-based
architectures were a better way of doing VPNs. You didn't do VPNs, you
didn't dial in data center, you took all your proxable traffic and took
it out whatever is not proxable, you build an exceptional one there.
Today, as the world is moving towards the architecture of defining,
people are demanding more from their security and require a full set of
security stack, going back to the definition of Zero Trust, why can't
you run everything run in the data center in my cloud? Why do I get a
different security stack in the cloud and a different stack in the data
center?
So for us, we can run the same security stack that we run your data
center in the public cloud. So, you run all the rules that you're in a
data center, you can run on the public cloud, so you have a consistent
security posture. Irrespective we don't need new security rules. We
just replicate the rules and run them off on security console. That's
how we're successful. We have two SD-WAN capability with CloudGenix,
these kind of doesn't have, for example, we partner with everybody else
as well. We can do data loss prevention. We can do IoT, we can do a whole
bunch of stuff. I said this publicly, we were nowhere 2.5 years ago.
Last published quarter for them and us, we are 40% to 50% of that
business in a quarter. We think that number will keep rising. And we
hope to be in the next two years at a place where we're doing as much
SASE business every quarter that they do. So.
Tal Liani
Okay.
Nikesh Arora
If you can build a business, that's -- I just want to have like 200x my
ARR on cloud. I want my Zscaler multiple from my SASE business, my
Check Point multiple or my operating margin ... multiple.
Tal Liani
Fortinet multiple.
Nikesh Arora
Fortinet multiple. I don't know Fortinet operating margin. Fortinet is
bringing their operating margins down, so that will be fine.
Tal Liani
You spoke about CloudGenix and you spoke about SD-WAN, it's a big
business for Fortinet.
Nikesh Arora
Not really.
Tal Liani
Discuss your position. I'm not going to ask you about your competitors.
Nikesh Arora
Look, the two SD-WAN players are actually not Fortinet or Palo Alto.
The two SD-WAN players are telcos, AT&T, Verizon, are the largest
SD-WAN businesses. And that's fine. That's an SD-WAN business. I think
the difference is we are -- we don't want to be in the SD-WAN business.
We want to be in the SASE business. If somebody wants remote security.
So, SD-WAN is effectively a way of creating some reliability on your
internet access so that you have a more -- like this kind of the
lightweight version of having an MPLS line, having some degree of
consistency.
What we have learned is SD-WAN has a huge interplay with security. We
can do it with the APIs or we can do it integrated. So, we integrate
SD-WAN into our security capabilities. We're seeing the next iteration
of SD-WAN will be with security, which is where there are very few
players. I think there's only one called Silver Peak that does this.
VeloCloud doesn't do it. Who knows what's going to VeloCloud under the
new management. But most of the SD-WAN capabilities are some are
legacy, like Viptela and Meraki. We think they won't make -- the
transfer when we start doing synthetic routing with SD-WAN. So, I think
it's early days. But SD-WAN, in my mind, plays into that whole MPLS
trend, the remote security trend, the pandemic is unveiling and it is
going to become a key requirement of a SASE strategy.
Tal Liani
Got it.
Nikesh Arora
Everything else we sell SD-WAN, our firewall to soft of Fortinet, but
that's more as a component part, not as a design element.
Tal Liani
Right. CloudGenix was different, though. CloudGenix was very
application-centric, unlike the others. Did they help you to in any way
to grow the business more?
Nikesh Arora
Yes. CloudGenix stack is more compatible with our SASE stack, because
it's in the public cloud, because it does a bunch of synthetic low-cost
routing, which is consistent with our SASE strategy. So, it was more
aligned to our product architecture, that's why.
Tal Liani
Got it. Okay. Before we run out of time, I want to talk to you about
numbers a little bit. Number one is SBC. One of the biggest criticisms
that I'm getting is now...
Nikesh Arora
You mean discussion.
Tal Liani
... right. The biggest points of discussion is SBC is a big part of
your revenues. What are...
Nikesh Arora
You mean is a big percent of my revenues?
Tal Liani
Right. Big percent of revenue. That's what I mean. For those who don't
follow you day-to-day, can you explain the background? Why is it such a
big number? Number two, what's the outlook?
Nikesh Arora
So, it's kind of like this. This is -- you guys have never been in the
public market, the CEO the next really things happen. But I just blame
that guy. But me, not my predecessor. We bought $3.5 billion of
companies, which are mostly startups. We paid the founders in stock,
but we made them reinvest and earn it over the next three years. So, a
lot of our acquisition price that I put it in the acquisition cost
would have filtered through dilution and not shown up as SBC. So, north
of $1.5 billion that showed up as SBC, which inflated our -- already
reasonably high SBC numbers in the company. So, SBC started -- going to
15%, 16%, 18%.
The good news is those acquisitions we haven't done one in about almost
a year, that scale and size, and we've got to understand now the better
way to do it. Certainly, it's going to wash out as the investing
periods expire. You'll see a natural decline from the high-teens or to
a mid-teen, low-teen number and then wash it out. On top of that, we
put a whole bunch of processes in place to reduce our stock allocation
in our hiring. And thirdly, because as a percent of revenue, if you
grow revenue 30% a year, you don't grow SBC 30% a year, there is some
sort of mathematical thing that happened.
Tal Liani
Got it. Your free cash flow, we're focusing now more on free cash flow.
Free cash flow last quarter was about 25% of revenues. You...
Nikesh Arora
Adjusting for seasonal, we guide to 32% and we're very comfortable with
33% for the year.
Tal Liani
Got it. Okay. So, the question is what's the target? What's the target
for free cash flow? And what are the drivers for free cash flow going
forward?
Nikesh Arora
Look, we have guided to 32%. That's a target.
Tal Liani
Yeah.
Nikesh Arora
32% is a good number. And especially if it's 32% of a large number,
$5.6 billion of revenue, 30%, some $1 billion here, $1 billion there,
so as real money.
Tal Liani
Got it. Nikesh, we're almost running out of time. I want to ask you the
one question I'm asking all the CEOs. Do you think there is going to be
any sensitivity of your business to the economic cycle? Meaning, if
we're going to recession, inflation going up, are you expecting or
planning to see any decline in the demand environment?
Nikesh Arora
I don't plan declines. They unfortunately happen if the market goes
there. Look, I can't predict what's going to happen in the economic
cycle. If you tell me a scenario, I'll tell you what could happen. But
if it's going to be a soft landing or a slow decline, I think we'll be
fine. If it's a harsh landing, then all bets are off for everyone. I'd
say security is somewhat more resilient than technology, and technology
is somewhat more resilient than some other things.
I was -- two years ago, the same conversation happened when the
pandemic hit. And think about that moment for a second. There were
weeks when the oil price is close to zero. The entire oil industry was
sitting there and saying, I don't want to spend money on tech. I want
to spend money on anything. I need to preserve cash flow, I need to
stop spending money. I had to push out receivables. You had companies,
retailers whose revenue vanished. Their stores were shut down for three
months, and they had no idea. Nike, Target, every one of these guys had
no stores, they all had to run online, right?
Nike, I talk to Donahoe at that point in time, you've got $8 billion of
inventory stuck in stores, you can't sell. It's stuck, locked in stores
in city centers. So, I think that was a more radical economic hit and
somehow we survived that economic hit, because things start to come
back and people start to get comfortable online.
So, I don't expect any major outcomes in this process. Will there be
sectors of the economy which will get impacted? For sure. Because the
flip side, commodities are -- Exxon is $450 million market cap. They
didn't have that last time around. So, I think Exxon is going to be
spending money.
Tal Liani
Right.
Nikesh Arora
So, I think it depends on how the economic impact manifests itself. And
I think the bigger question is supply chain challenge as opposed to the
economic impact. I think supply chain is not going to abate anytime
soon. It's going to run through a cycle. A better question for
semiconductor companies, but it has an impact on all, anybody who's got
any chips at the need, but as cars or appliances.
Tal Liani
But how come -- sorry. [Technical Difficulty]
Nikesh Arora
That's a great question. Yeah. So, we've underperformed
internationally, and I was very public about that two or three quarters
ago. And it wasn't -- it is more because I want to make sure the
product portfolio is right. And we have traction in the market where we
have a lot of relationships. We're really focusing hard on driving more
growth internationally. So, I think -- us, specifically, we'll get a
slight benefit from matching our underperformance of what we believe
our real performance should be. So, hopefully, that buffets us for a
little bit of time. Internationally, also they are way more connecting
on third parties for outsourcing and system integrators and service
providers, less so in the U.S. So, I think we're going to see that
happen. But I'd also say internationally -- and I don't want to make
more generalizations -- but internationally, companies are a little
less ahead of the technology curve than we have in the U.S. And there's
a bit of catching up they have to do. And we're seeing that happen.
Like Daimler or Ben did a $3.5 billion outsourcing deal for tech.
They've given it to a third-party company to manage, and we're working
with them to go build a new security reference architecture. And we're
seeing that trend pick up internationally.
So, I think, again, it really depends on how severe the economic impact
is and how long it lasts. If you tell me you're going to be down 10%
over the last two years, all that's route. You're going to tell me
there will be two quarters of a dip or we'll come back in low single
digit percentages, I think we can all weather that storm.
Tal Liani
Nikesh, we ran out of time. Thank you very much.
Nikesh Arora
Thank you, Tal.
Tal Liani
That is always fun. Thank you.
