Palo Alto Networks (TICKER: PANW) Palo Alto Networks Inc Panw Goldman Sachs 2023 Communacopia And Technology Conference
Palo Alto Networks, Inc. (NASDAQ:PANW) Goldman Sachs 2023 Communacopia
& Technology Conference September 7, 2023 6:45 PM ET
Company Participants
Nikesh Arora - CEO
Conference Call Participants
Gabriela Borges - Goldman Sachs
Gabriela Borges
Good afternoon. And thank you for joining us at the Palo Alto Networks
keynote at the Goldman Sachs Communacopia & Technology Conference. I'm
Gabriela Borges, I cover emerging software here at Goldman. And I'm
delighted to have on stage with me, Nikesh Arora, CEO, of Palo Alto.
Thank you for your time.
Nikesh Arora
Thank you for having me. What did you pay all these people to stick
around?
Gabriela Borges
Yes, it's a great reason to anchor the end of the conference.
Question-and-Answer Session
Q - Gabriela Borges
I wanted to start on the milestones of the last five years. And I think
about the learning curve that you talked about when you first joined
the Company, the technical debt and building up the product portfolio
going from one platform to three platforms. And I want to ask a
forward-looking question, which is, what do you think the one or two
milestones are that will define the next five years of the Company?
Nikesh Arora
That's a good question. You say you're going to ask me questions that
haven't been asked before that has not been asked before. Look, the way
I see it, and five years ago, when we got -- when I got in this
business, it was fascinating to see there's only 1.5% share that the
largest cybersecurity player had in the space, which is unlike any
other tech sub vertical. There are players who have much larger shares
in most verticals. You said that and analyze there are 3,000
cybersecurity companies and the largest has 1.5% share. There is
something structurally wrong or different about the industry. And what
you realize is that the bad actors are constantly innovating. Every
time we figured out how to fix what they have used as a threat vector,
they're busy chasing the next threat vector. So it's bizarrely enough
the most innovative industry in the world because the bad guys move on
to the next thing when you're blocking the last thing. And you're busy
selling the last thing to bunch of customers for 10 years and they're
on to the next thing. So if you look at the history of cybersecurity,
it's littered with companies that are amazing for 10 years and then
they sort of stick around and sort of stabilize or stall at a certain
place. I think you realize that part of the reason is that most of
these companies are winning in their swim lane don't think about the
new swim lanes that are being created while they're there. So we did
that and the general pushback from investors and customers was, I don't
want to put my eggs in your basket just because you have multiple
products.
So we said, what convinces them? We looked and said what normally
convinces them is if people are in the top right quadrant in
enterprise, the Forresters and Gartners of world. So we said about
saying, let's create our products in the swim lanes, but the benchmark
has to be [indiscernible] we have to be in the top right quadrant. So
now we're in 17 top right quadrants in five years, this has not been
done in tech before. There's possibly two companies, possibly because I
haven't done all the research, but I think Microsoft might have done it
and IBM might have done it some point in time. There's no fourth tech
company who has 17 top right leadership quadrant position. So, we
established that we can build best-of-breed cybersecurity products and
then we started to platformize. We have three platforms, network
security, cloud security and SOC transformation. I think in the next
five to 10 years, it is not infeasible that there will be consolidated
platforms in cybersecurity and eventually the equivalent of a Workday
or a Salesforce or a ServiceNow starts to develop in security, that's
our aspiration. We want to be that company, which has double digit
market share, if not more, in the space that should be the milestone we
aspire for.
Gabriela Borges
Do you think you can get there with the three platforms that you have
today?
Nikesh Arora
Yes. Yes, I think our newest platform around the SOC is -- has
tremendous potential. I think that's kind of the integrated platform.
Most of our competitors in that space are 15 year old tech. I think
it's the CrowdStrike, Palo Alto, SentinelOne moment that happened to
endpoints, which is happening to SOC except to standard SOCs.
Gabriela Borges
Let's stay on the theme of SOC. And I want to think through a little
bit how the data set that you have is differentiated because you are
collecting telemetry across the three platforms. So maybe as the first
part of that, talk to us about the R&D synergy that occurs from being
able to connect the dots across the different types of data that exist
in an enterprise.
Nikesh Arora
Great. So let's step back for a second. The traditional approach to
security is there is this thing called SOCs. You try to protect an
enterprise by buying a whole bunch of security software and every piece
of security software, either block something bad or sends an alert
saying, hey, here's a problem, go figure it out yourself to your
customer because you have 40 different security vendors, and I don't
know what do with that, and this thing went into a thing called SOC and
you had a bunch of analysts who would figure out what happened and you
store a lot of data. And the bad actors were taking on average 20 days
to breach you and steal data. So you had 20 days to go figure out what
happens. And people would analyze the data in Splunk or ArcSight or
QRadar and prioritize stuff and figure out what happened. Well, guess
what? Now that is happening, the fastest we've seen is 5 hours. Getting
in, stealing a terabyte data, going out of the enterprise in 5, 11,
that's the spread, between 5 and 11 hours. The mean time to fixing a
SOC is still six days because this is a problem that is not going to
fix itself. The only way to fix the problem is stop collecting data and
analyzing it later is to start analyzing it as you collect the data.
So we've spent five years building that tech. 45% of data in most
companies is firewall data from Palo Alto. 40% of your data comes from
the endpoint, that's 85% of data. You can cross curate all the other
15% across 700 vendors against that 85% data. We built the tech even
just within Palo Alto, we analyzed 76 terabytes of data per day. We're
the largest user of BigQuery in the world, that's just with the
customers we have today. We have 35 customers where we do the software.
We have 62,000 customers with firewalls. So I'm talking we have the
most amount of data in security. We use that cost correlation -- our
first 10 customers, we've taken them down from six to seven days to an
average of 5 hours of fixing security. Our aspiration is to get them to
under 1 minute, which is where we are. So eventually, security has to
become real time. We are running 1,300 machine learning models in our
product, which is what I like to call precision AI. So this is not
ChatGPT or OpenAI, this is precision AI, 1,300 machine learning models,
the models you'd want to drive your car. You don't want ChatGPT driving
your car, if it hallucinates, the bad idea.
Gabriela Borges
The technology that you're using, the drinking your own champagne, so
to say, to get your own SOC operations down to a minute in response
time. Are there other vendors that you still need to leverage in order
to be able to make that happen? Okay. And so then the question for your
installed base is, where do you think customers are in embracing the
evolution from endpoint to XDR to -- or to XSIAM to full SOC
transformation?
Nikesh Arora
This is early days. We just launched this product about nine months
ago. We did about $200 million of booking the product in the last nine
months, which was a surprise to me and most of my colleagues in the
Company. We were amazed and surprised that how well it did for us in
the early days. So we're really sort of trying to scale it up across
the board across every part of our company. What's fascinating is this
is the first time in the history of security I can show up with an
outcome based product. Every other time it is, can your product do the
following 200 things? I say, why are you worried about what 200 things
I can do? What I can do, which nobody else is willing to offer you, I
can take your SOC from six days to 5 hours. And we're running case
studies every one of our customers that we have sold, our aspiration
event is to walk in and say, we can promise that we'll bring you to
hours. If you have enough data, I can prove that I can bring you to
hours. And I don't know if many of you might have noticed this,
September 1st, it's a red letter day in security. The SEC has required
that every company has to disclose a breach in four days. That's kind
of interesting. You have to disclose in four days, it takes you six
days to figure out what's going on. For two days, you're exposed, which
means every bad actor in the world is going to be looking for SEC
notification saying company X is breached, they're still working on the
fix.
Gabriela Borges
So we've seen examples before where regulation changes. And in theory,
there is a hope that it changes the urgency on SOC transformation or on
security transformation, and sometimes it doesn't happen. Are you at a
point where customers are paying enough attention that you're seeing a
change in the urgency because of something like SEC regulations?
Nikesh Arora
So Gabriela, that's just kind of like the -- that's a conversation
we're having in the context of the next five to 10 years. You said,
where does this miles don't happen. So this is early days over there.
We still do $9 billion of bookings and everything else that we do $7
billion of revenue there. So there's a whole bunch of other stuff going
on, too.
Gabriela Borges
Fair enough. So I'm curious, you mentioned a unique way in which SOC
transformation is differentiated because of the outcomes based results.
Are there other observations that stand out to you in how SOC
transformation is different from network transformation and the types
of network transformation that you've seen at Palo Alto Networks with
SASE, for example?
Nikesh Arora
Yes. I think what's interesting in network transformation and the SASE
product is actually both a networking product and a security product.
We're actually running an operating service now for the first time as a
company. We have north of 14 million users that we run operations for
every day across possibly 2,000 companies in the world. So we're slowly
in-sourcing the network operations for companies. And basically, what's
happening out there from a network transformation perspective is that
there is -- without going through all the details, there's a cost
neutral transformation most customers are embarking upon, whether they
place MPLS with SD-WAN, and they put security on top, in the middle.
It's still early days. I think about 15% of the market is transformed.
There's probably 85% more to go in the next 10 years. This is going to
be $20 billion, $30 billion market. And I think as I've always said,
there's two and half players.
Gabriela Borges
So it's interesting that you started this conversation with talking
about the fragmented nature of security and 1.5 points of share are
going to something that more accurately represents what we've seen in
all those software markets. The other piece of this is what's happening
at the TAM level. And if I think through the evolution of security
being tied to digital transformation and security bunches up into the
right. The question I have for you is, do you think that the security
TAM could grow faster over the next five years than what it has done
over the last five years because of the next phase of, let's say, AI
catalyzed digital transformation?
Nikesh Arora
Possibly, but honestly, like it's a 200 -- our addressable TAM is north
of $200 billion, and we have nine or seven in a year. Like I don't need
the TAM to grow faster. I just need to take more of the TAM. And that's
why we think we have so many more swim lanes now that we play in. And
it's highly efficient from a sales go-to-market perspective. It's
highly interesting from a customer interest perspective, from a partner
interest perspective that we have. I think we have critical mass now as
a security company. We actually are of interest to every customer, out
of interest to every partner more so than most others. So I think it's
an execution question. Can we actually go out there and get more of the
TAM. Is the TAM going to grow? Of course, it's going to grow. You can
find estimates between 5% to 15% but lots of smart people like yourself
will tell you what the security TAM is going to grow in the next five
to 10 years. It's going to grow between 5% to 15%.
Gabriela Borges
So as you level up the conversation you're having beyond just one piece
of the security architecture to what I would describe as more of an
architectural conversation or strategy conversation at the highest
levels of your customer organizations. How do you think about someone
like a Microsoft as a competitor, or even we had Google on stage
earlier talking about their security business standpoint of security to
their road map, how does the competitive environment evolve at the
strategy level?
Nikesh Arora
The good news is when you start off with 1.5% share, there's 98.5% you
don't have, right? You wake up every morning knowing you're going to
get -- somebody is going to show up and punch you in the face and take
business away from you. You wake up in the morning saying, every deal
is going to be price competitive. You get a deal where nobody competes.
You're like, that was fun. How do I make that happen? So there's going
to be competition all over the place. And there are many people who
compete with Microsoft or partner as well with Microsoft. I'd say there
are some swim lanes where we're possibly a few years ahead of them. And
I think our task is can we run as fast and keep our competitive lead in
that space? Hopefully. I mean, think about it. Security is
approximately 5% of cloud spend and 10% of enterprise spend. So I think
Google is too busy chasing AI and cloud, they should not be spending as
much effort and time on the 5%, that's where they're focused. Microsoft
possibly is going to do the same. We're possibly three years ahead in
SASE than most people. We just are the only one now in the leadership
quadrant in SASE that Gartner just published. So our task is to make
sure we don't lose on innovation. We're not going to. We've
demonstrated that in the last five years. As long as we keep winning on
innovation, I'm less worried about competition.
Gabriela Borges
Does the same level of commentary apply innovation versus competition
equally across all three platforms? And the reason I ask is because
network security, the market leadership there is in order of magnitude
measurable in market share data, for example, relative to something
like Cortex or cloud where it's harder for us from the outside and to
look at market share data.
Nikesh Arora
Yes. Look, on network security, we have the largest market share in
hardware and software firewalls where we did $1 billion in bookings in
SASE, which I think makes us the second largest player in SASE.
Together, we are the largest player in network security. On cloud
security, we're the only multi-cloud vendor, which came to us 11
modules that give you cloud security. We did $500 million in ARR. Look
the cloud providers have their own security tools. If you are
multi-cloud, you're going to have to use all those tools to give you
one pane of glass. I think it's early days in cloud and I said this to
some of the investors earlier. I said, we're possibly one of the top 10
users of GCP. If I was paying myself for my cloud security products I
use to protect my cloud, I'd be spending $200 million a year. And we're
500 on revenue on Fortune 500. There's 499 other companies which
possibly spend more money on cloud over the next 10 years. And if all I
need is 5% of their cloud spend, I just need to make sure I'm there. I
need to make sure they're using my platform. And I need to make sure as
they move to the cloud, this is the platform they use. So I think
that's a huge market in the future. It's early days. It's not a fully
formed market yet. We're not going to give up our innovation lead.
We'll see how that evolves. The SOC side, we're the challenger, right?
It's a $30 billion market, which I think is going to be an $80 billion
to $90 billion market because of AI in the next 10 years. And our
question is, can we go maintain -- create the momentum we have in XSIAM
over the next 10 years and try and be the CrowdStrike of the SOC what
CrowdStrike did to the endpoint market, I think we should be able to.
Gabriela Borges
Absolutely. So I want to focus the discussion now on to fiscal year
'24. And I remember you made a comment on stage last year on every year
has a degree of unpredictability to it.
Nikesh Arora
Yes. Yes, I have not seen a normal year yet.
Gabriela Borges
And so my question to you is, how did the fiscal '24 process planning
compared to fiscal year '23, are there are one or two things that stood
out to you? I know you've talked about how cost of capital is impacting
customer purchases. What was different this year?
Nikesh Arora
I think customers and companies are still absorbing the change in
behavior. I think the idea that money was free for 10 years, you walk
up to a customer and saying, here's a three year deal. And the guy
said, oh, what do you want me to pay you for three years, $10 million?
Yes, I need $10 million now. Well, give me a discount, here's 5%. No
problem, $10 million here, like I'm making 25 basis points in my
treasury. Now the guy is making 500 basis points on treasury. He wants
a 15% to 20% discount to pay your cash upfront. Suddenly, people
understand the cost of money. So suddenly, you have a choice. You can
take the 20% discount, take a hit on bookings and revenue or you can
take payments every year. That changes all the math that all the
wonderful analysts are used to tracking, and they're all like trying to
figure out, is demand going away. Well, demand is there. Cybersecurity
demand is growing. It's a secular demand. It's not cyclical. People are
getting more petrified. The attackers are moving faster. The plant of
cybersecurity has been chronically underinvested in. So this is a
continued demand story. The question becomes an execution question, can
companies execute in this market. What's happening is you're seeing all
these sort of confounding effects which talk about cost of money, which
is causing every -- possibly every person who sat up here on stage has
said, longer deal cycles and more scrutiny and hard to get deals done
in 90 days, right? That's all. We're just absorbing that change in
customer behavior. Demand is not changing, it's execution is shifting.
Gabriela Borges
Why not make a more active shift towards one year billings duration
where you can maximize annual billings as opposed to total contract
value?
Nikesh Arora
Why?
Gabriela Borges
Because then you solve the value of money equation...
Nikesh Arora
I'm not trying to solve it. I'm trying to get -- build great products
and have my customers use it. I don't -- like 70% of my customers still
pay me cash upfront. It's good. It's called cash flow. I like cash
flow. So that's fine. 30% just started paying me on an annual basis for
getting financing. It's transitioning beautifully. I still have mid to
high 30% free cash flow margins. I think over the next 10 years, we can
keep transitioning them to more and more annual buildings softly. While
we do that, we'll continue to maintain high free cash flow margins,
much better transition. I've seen [CEOs] that do financial
transformation, they get stuck in the middle, it's a very horrible
place to be.
Gabriela Borges
Okay. So in the context of the change in the buying environment. What
were the key takeaways from sales kickoff? I know you spent a little
bit of time previewing with us things like Cortex being sold through
the core sales...
Nikesh Arora
Well, sales kickoff, the number one takeaway was don't have it on a
Sunday and have an earnings call on a Friday. But other than that, what
did we learn in sales kickoff? Look, our big doubling down at this
year's sales kickoff is we've built our best-of-breed amazing products.
We're now pivoting to demonstrate the value of integration. For five
years, people didn't believe that integrated products need to exist in
security. Now they're beginning to -- sort of beginning -- many of our
customers, they'd much rather have integration because not having the
integration hasn't made their breaches stop or hasn't made bad actors
go away. So they're beginning to understand the value of integration.
Our job now is to demonstrate the value of integration to UI. We showed
some examples in our Analyst Day, our analyst call, if you will, how
we're going to make security be more useful from an indicative
perspective. We're going to keep doing that. Our sales team saw those
screens. They were extremely excited because security companies are not
known for beautiful UI. So we're working hard on that, making sure we
can demonstrate the value to our customers. Our sales was really
excited about XSIAM. Our salespeople are in the right way economically
motivated. And when they see you can do $20 million, $30 million, $40
million deals, that gets them more excited than doing $2 million to $5
million deals. So they were really excited that there's a product now
that's hot, people want it, it's got big dollars associated with it. So
that was good. And people generally like the idea of hanging out
together, who would have thought.
Gabriela Borges
Talk to us about the change that happens when you take a specialized
product like Cortex this year or SASE last year and you introduce it to
your broader sales force. Order of magnitude boots on the ground, how
does that change the number of conversations your broader team is
having?
Nikesh Arora
Yes, I think for context, for people, as we've -- in five years, we've
built three businesses of $1 billion each, right? And when you build a
brand new business, you need people who understand the business really
well. So you have a specialist sales force because you don't want to
pitch it wrong and you don't want to disturb the existing business,
because then you guys get all nervous that we're losing sight of the
core business. So you have to have your core team, you build a
specialist team. Somewhat inefficient from a salespeople perspective,
they end up sort of meeting with the same customer a few times, they
end up causing a few -- like some friction, but you do it because you
want to make sure you can improve the product market fit. I think $1
billion is ample product market fit, that's the bookings of many
companies out there in cybersecurity. So once we get there, we think
it's time to now introduce that back into our core team because that's
part of our core business. And in the last five years, we've gone from
5,000 people to 14,000. 86 when company was new. We're making sure that
people we hire actually have the capability of being able to represent
a much broader portfolio. So they usually come from places where they
were selling a different portfolio. Firewalls are a lot easier to sell
than SASE is, than cloud is, than Cortex is. So they can reverse into
understanding firewall. So we've managed to get people out in the field
who understand multiple products. And then last year, we merged SASE.
We did $1 billion in SASE this year despite merging them with the core
team. This year, we're merging Cortex, we did $1 billion in Cortex this
year. We'll see if we can do better next year, because now 80% of our
sales team can sell all these products.
Gabriela Borges
What is the milestone you're looking for to be able to do the same with
the cloud, or do you already have cloud training and enablement...
Nikesh Arora
So cloud is a -- you like an annual billing ACV business, the one you
want, right? It did $500 million in ARR, that's more of a consumption
driven business. We want to make sure people are consuming more and
more cloud security, because it's more certain education. You have to
make sure cloud works end-to-end. They don't like the dollars
associated with monitoring every part of the cloud environment. So we
have to keep educating on that process. Cloud is a substantially
different persona in a company compared to traditional enterprise
security and IT. So we're going to hold off on trying to merge cloud
with our core sales team. Having said that, when the core sales team or
I get all the way to [CIRC], so we tell -- I said everything. I don't
call my specialist to say, buy cloud. So at some level, we are able to
sell the entire portfolio. But as you get down in the organization at a
practitioner level, the whole sale is very different. It's very
hands-on, very demonstrative, it's very -- looking -- show you how I
spin up code here and here's how it needs to get monitored, so more
hands on.
Gabriela Borges
And based on the success that you've already had with Cortex, do you
already have the buying relationships that you need with the key
personas of the enterprise to be able to cross sell Cortex into the
firewall space?
Nikesh Arora
We're still working our way up there. Five years ago, we didn't have
products. We spent a lot of time building the products, started -- a
lot of time, doing product market fit. I think the next five years will
be scaling our relationship with customers, both directly and through a
lot of the partners. A lot of GSIs, a lot of service providers are
interested in now working with us because we've become a sort of must
have part of the portfolio. One of our products has to be there in most
customers. And the SIs are recognizing that they much rather work with
Palo Alto who has multiple products in the category, which are industry
leading, then go find 17 companies to work with to find those 17
products.
Gabriela Borges
Yes. It leads to a nice question about the system integrator ecosystem,
because we know that SIs have relationships with multiple point
products to your point. So how do you go about converting or bringing
over more SIs over to the platform approach? Can they collectively make
the same amount of money or more money selling the Palo Alto platform
versus the point products? What are the selling points that you
communicate to them?
Nikesh Arora
Look, at the end of the day, the SIs are very often involved with large
scale technology transformation for customers. They'll do very large
amounts of business, either they'll build, they operate, they'll run
it. Sometimes, they'll advise. So they are involved in multiple parts
of this. Now the moment they get in the build and operate mode, they
actually don't want to deploy 17 products, they don't deploy one,
because it's more sort of efficient it is for them to deploy one
product, the more profitable possibly it is for them, the less error
prone it is, the less amount of skills they need to learn 17 different
products and deploy them. So it actually is a good thing for them to
partner with a single vendor on multiple certain lanes as opposed to
multiple vendors as long as the products are good and they will meet
the requirements of the customer. So that is a prerequisite. You can't
go with bad products and security because they work together. You have
to have a good product. So I think it's a proposition, they continue to
warm up to. There are some of them like Deloitte just launched an SSDL
called secure software double life cycle. The whole thing is on Prisma
Cloud and the Deloitte train their entire sales force on how do we go
do better software development and make it secure, and the way you do
it is by using Prisma Cloud as part of the underlying sort of the
product solution, because eventually, the customer is looking how do I
deploy this in my environment. So we deploy Prisma Cloud and that's how
you get a secure software at the life cycle or something similar to the
SOC transformation, well, here's the way to do it, what am I measuring
in the end? Well, we need to figure out how long it takes to solve the
security problem. Well, are you SI going to guarantee with that? Well,
I don't know. Well, I will.
Gabriela Borges
Absolutely. All right. I'm going to pause and go to questions from the
audience. So I'll come back to one of the older debates in the firewall
space, which is physical versus virtual. And I'm curious, as you've had
more success with virtual firewalls, how do you think about that TAM
being substitutive versus additive?
Nikesh Arora
So I'd say the way to think about firewalls is basically any time a bit
travels into your organization, outside your organization, you have to
look at it. If you don't look at any bit that comes in and out, it
could be malware, it could be a bad IP address that your employees are
going to, you need to inspect every bit. Traditionally, you call it a
hardware firewall that inspected every bit that came into your data
center and went out. Now your bits are going to the public cloud, you
got to inspect them, but they can't be inspected by your hardware
firewall, you got to inspect them with the software firewall. You've
got bits going into your 5G network, got to inspect them with the 5G
firewall. You have bits from a laptop going into your data center or
going to Workday or Salesforce or SAP, you've got to inspect that bit.
I'll tell you one thing. The amount of data that is floating is
increasing way faster than any IT TAM or cybersecurity TAM. It doubles
every year, so you have to inspect every bit. As long as you have to
inspect bits, this concept of a firewall will exist. How you manifest
the firewall doesn't matter. It's either hardware or software or SASE,
that's what it is.
So I would say the network security market is robust, it will stay
robust for a very long time. Actually, software is much easier to
maintain, it's much easier to upgrade. I have customers who haven't
upgraded software for 12 months because they're still testing it. In
software, I don't wait for them. I upgrade them anyway. My SASE
customer is up to date every day. My hardware customers can be one year
delayed on upgrading. One year old software is not as secure as current
software. So you want me to be more software, you want it for better
security outcomes as a company and every bit has to be inspected. So if
you're only a hardware firewall company, you're going to miss the
software bits, you're going to miss the SASE bits.
Gabriela Borges
Do you find that customers that the network transformation piece of
this towards more distributed network security is still tied to the
classic three to five year firewall refresh cycle or has it leveled up
into something that's independent?
Nikesh Arora
No, I think the SASE transformations have overtaken this idea of
hardware refresh cycles. Like hardware refresh cycles are the most
boring thing customers do today. One thing we didn't talk about is
margins and operations. I want to make sure we talk about that.
Gabriela Borges
Yes, absolutely. Here's my question on margins. So your FY '26
operating margin targets 28 to 29 points. If I think about the best
software businesses that we know that are doing north of 40% with
scale, and I think about the comments that you've made on cross-selling
into the installed base and how accretive that is from a cost of
acquisition standpoint because the cost of acquisition is lowering and
selling all of this really [indiscernible] revenue. How do you think
about the limit to where your margins can go over time?
Nikesh Arora
If you think about most enterprise companies, if you're a traditional
enterprise company, you're not blessed like Adobe or Atlassian, which
have quasi user led or other consumer business as part of it. The
biggest cost to enterprise is sales and marketing. If you look, a $1
billion companies spend 60%, a $7 billion company spends 35%, a [$200
billion] company spends 18% to 20%. So the maximum leverage is in sales
and then there's cost of operations and customer support. So these are
three buckets, right, broadly customer support, sales and marketing,
and cost of regular operations. Regular operations, this 100, 200 basis
points. Most companies are within 200 basis points of operating margin
operation in those areas at scale. Sales, you can get lots of leverage,
we're doing $200 deals, it's a lot more fun and a lot cheaper than if
you're doing $20 million deals. So one metric we track is how big can
our deals get with each customer. The bigger they get, the more
efficiency we get from a cost of sales perspective. The other thing
we're going to track is customer support. I think most companies should
be looking hard at that cost. I think AI is going to cut that cost by
half for the next five years. I think in operations, you probably get
100, 200 basis points. So if you add it all up, if AI lives up to its
promise in the next five or eigt years, you should probably be able to
get the best-in-class margins you talk about in the next decade.
Gabriela Borges
How do you reconcile that with this idea that security is one of the
most innovative or fast paced product cycle industries? And maybe
that's more of an R&D leverage question.
Nikesh Arora
Yes. Again, 12% to 16% of $20 billion is a lot more than 12% to 16% of
$1 billion, mathematical speaking. So I say the bigger we get the more
leverage we have from an R&D perspective, because we have cross
leverage across all of our platforms, right? If I find a threat in the
network side, I can make sure I can protect in the cloud, I can go
cross reference that in the SOC. But if I'm only running one vertical I
have to spend the R&D to understand the other verticals on our
platforms. So from a priority perspective highly scalable, highly
useful.
Gabriela Borges
I'll end with a capital allocation question, which is you've talked
about the volume start-ups that your [corp dev] team meets with. Any
interesting observations to share about the types and qualities of
companies your team is finding interesting today versus a year ago or
three years ago?
Nikesh Arora
Look, the good news is the bad actors keep innovating, which means we
have to keep innovating at our end to make sure we understand new
threat vectors and treat problems. One year ago everybody sitting here,
nobody knew about AI and what the threats of AI are. Today, I have AI
models in-house generating malware. We're actually using all publicly
available models to generate malware to see how good they get. They can
get pretty good. Then we're building anecdotes tools malware that we're
creating using generative AI to protect ourselves, right? So what's
happened is now there's tons of innovation going on. AI is a new threat
vector. Every company wants to put data into all these public clouds,
in data stores to be able to leverage for AI. You need to hold new data
security paradigm. So there's constant innovation going on. You have
two choices, you can build or you can buy. But it's harder for us to
buy because now we have three integrated platforms. We have to look at
every acquisition thought, every company and say, what is the cost of
integrating this versus what is the cost of building it ourselves in
terms of time and competitive advantage, not economically. As I've said
before, I'm interested in buying great tech, I don't need to buy
revenue. I know how to generate revenue, I need to make sure I buy
great tech, which is what we've done, we did $2.9 billion in NGS ARR,
the majority of that was from acquisitions.
Gabriela Borges
Absolutely. Fantastic. Please join me in thanking Nikesh for his time.
Nikesh Arora
Thank you very much.
Gabriela Borges
Thank you.