Palo Alto Networks (TICKER: PANW) Palo Alto Networks Inc S Panw Ceo Nikesh Arora On Morgan Stanley Technology Media And Telecom
Palo Alto Networks, Inc. (NASDAQ:PANW) Morgan Stanley Technology, Media
and Telecom Conference 2022 March 7, 2022 12:10 PM ET
Company Participants
Nikesh Arora - Chief Executive Officer and Chairman
Conference Call Participants
Hamza Fodderwala - Morgan Stanley
Hamza Fodderwala
All right. Well, good morning, everybody. Thank you for coming. It's
great to be back in person. For those who may not know me, my name is
Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley.
And this morning, I have the pleasure of speaking with Nikesh Arora,
CEO Palo Alto Networks.
Before I begin, just a brief programming note. For important
disclosures, please see the Morgan Stanley disclosure website,
www.morganstanley/researchdisclosures.
And with that, Nikesh, thank you so much for joining us this morning.
Nikesh Arora
Thank you for having me.
Hamza Fodderwala
All right. I want to start the conversation around company evolution.
So you joined about four years ago as CEO. You've driven some pretty
significant change. Can you walk us through where you are in that
process, that evolution? And how would you describe the evolution over
the next several years for Palo Alto Networks?
Nikesh Arora
Yeah. So I guess it must have been 3.5 years ago, sitting up here with
Keith Weiss and we're talking about what cybersecurity needs to do. And
many investors had a question, no cybersecurity company has actually
run the full course. You see companies come, they run the playbook,
there's a swim lane, they get to a certain market cap, and then there's
the next sort of flavor of the next generation shows up.
So we sat down and tried to figure out where is the puck going. And in
terms of that, cybersecurity is driven by the evolution of technology.
So to see where's technology going accordingly, you've got to make sure
it's secure. And we made a big bet that the cloud is going to be big,
wasn't kind of hard. It's kind of like the plastics moment. We said,
we're going to reorient the company towards building cloud security.
We also said the consequence of the cloud being big, you'd have to
fundamentally redo your network architecture. All network architectures
are back to the company data center and back to the user. We said you'd
get to get a more distributed network architecture.
And last but not the least, it doesn't seem precise, like AI and
machine learning are going to have a big impact on how secured needs to
happen. So with that in mind, we set about three years ago, and we
reoriented our portfolio in the process - we had a lot of technical
debt debate. We bought about 17 companies in 3.5 years. We paid $3.5
billion to do that. But we got to a point where we felt now, we're
technologically at the leading edge, and in some cases, perhaps the
bleeding edge, as far as cybersecurity is concerned.
And in that context, there's this wonderful thing I've learned in
enterprise called, Magic Quadrants and these beautiful two by two
graphs, you got to be in the far right corner. When I came, we were in
one. Today, we crossed 10, in the top right corner, and in being the
leader in 10 different categories of security. So that tells us that we
did manage to get through the technological transformation. So that's
where we are. Do we keep going?
Hamza Fodderwala
No, no that's perfect. Can you talk about how buyer behavior has
changed since you joined? So obviously, cybersecurity is the forefront
of mind for many companies, and how do you think buyer behavior is
going to change going forward?
Nikesh Arora
There's no secret that the awareness of cybersecurity is high. This
morning, I was watching CNBC, and they asked the CEO and President of
New York Stock Exchange, how are they thinking about cybersecurity?
Asked the CEO, PG&E or PSG, somebody like that. And everybody now
suddenly has to answer questions on cybersecurity. I can't imagine five
years ago, you'd be asking the CEO, how secure is your infrastructure?
And are you worried about the risk of cyber attacks?
So today, with there's a heightened degree of awareness, that awareness
forces CEOs to pay attention to the topic, forces boards to pay
attention to topics, which means there is more of a focus on getting
security right than there ever was. So you're seeing the pressure come
from the top in terms of making sure the infrastructure is secure. And
it's important because any financial services company, the
infrastructure gets breached, they'll be shut down in three days. I
think as generally speaking, we're woefully ill prepared for what could
happen to the technology infrastructure in this country around the
world.
Hamza Fodderwala
Yeah. And that's a good segue into next question. So it really does
seem like a demand environment, security is stronger than it has been
in several years. And now you have, obviously, the Russia/Ukraine
tensions. There's risk of cyber warfare being a potential major theater
in this conflict. What have you heard from some of the largest
organizations, both public and private, that you work with? Are people
worried about this? What's the - I guess the temperature in the room,
if you will?
Nikesh Arora
People are worried about it, but it's yet another risk. People are
worried about a lot of risks. I think the debate have gone from not
whether I'm susceptible, or whether I could be hacked. The debate is,
if I did get hacked, how am I going to get back up again, and up and
running. So there's a lot of focus on work this new practice called
Cyber resilience. Like if I get impacted, how do I stand up and get
better again? But technology buying cycles are three to seven-year
cycles. You bought something sometimes doesn't come up to refresh for
five years or seven years.
So the fact that we started talking about cybersecurity last year
doesn't mean the demand sustains for one year. It leads to the next
seven years. People have to get through the old infrastructure, replace
it, because nobody's going to tripling or quadrupling their
cybersecurity IT budget. So you will see that there's a five to
seven-year cycle it's going to take if you get it right. If you get
your cybersecurity, right, you still have to spend money for the next
five to seven years. This is not a six-month demand cycle or war
inspired a stimulated demands like this is a, I think, secular change
over time. That's going to happen because people get more and more
fixated on upon fixing this cybersecurity.
Hamza Fodderwala
Yeah. And all that secular change going back to the demand environment,
again, it's been really strong. What do you think you would attribute
that to? Do you think there's been a expansion in the attack surface
area for more distributed workforces, and obviously, more remote
computing?
Nikesh Arora
Well, we are going through, I think, it's one of the biggest tech
spending cycles ever in history. And cybersecurity, as I said, it's
driven by tech spending, not only are we going through a big tax
planning cycle, we're going through a sort of technological
transformation in the midst of it. We're seeing people go to the cloud,
shutting down data centers, you're seeing people rearchitect networks
that required to go create the security infrastructure needed to
support that.
So I think that's part of it. I think the volumes of post-pandemic are
still higher than the pandemic world. And so people thought we were
seeing tech volume go up or transaction volume go up, because we're in
the midst of pandemic, now people go outside and volumes of all, that's
what happening. The volumes are going up, which means suddenly, people
who would sort of hope that this would be a spurt in tech spend and
it's going to normalize, it's not normalized yet. I think you add all
of those things and go back to what I said earlier about the heightened
awareness of cybersecurity, thank you to demand here to stay for a
while.
Hamza Fodderwala
Yeah. So how is one of the few cybersecurity vendors that really
addresses pretty much all the vectors within an organization from your
network cloud endpoints. And you talked about how you're consolidating
more of the security budget. At the same time, it seems like a broader
security market is still as fragmented as ever been. You have a lot of
smaller companies that have been seeing some pretty prolific
fundraising. I'm just curious, like, where do you see customers
willingness to consolidate these days? And do you think that's going to
change within? Kind of what's your general strategy around here?
Nikesh Arora
So 3.5 years ago, when you asked people, why do people not consolidate
around a single cybersecurity solution? The challenge was, there was
not many people out there who offered you a single cybersecurity
solution. And even then people wanted to get best of breed. So how do
you create a solution, where you have best of breed solutions, as well
as the fact that they work better together.
So the last 3.5 years, we're getting closer to that. It's a fragmented
market. But since about $160 billion market, we used to have 2% share.
We probably have 3.5% share. There's a lot of room. And when you can
showcase that data of your products are industry-leading in the
segment, then you start to see some degree of consolidation begin to
happen.
Over the weekend, I was spending time with some enterprise CEOs. And we
were joking, because I said you knew nothing about enterprises, I still
don't. I said, the only math problem I was trying to solve was, if you
want to double the revenue, we either have to double the number of
customers and sell them the same thing, or sell twice as much the same
number of customers. So when I came to Palo Alto three years ago, our
largest deal was $28 million, over five years.
Last quarter, two quarters ago, we did $100 million deal, or five
years. So we've able to Forex what one customer can spend with us. And
now if we could take that and double that, that allows us the
opportunity to go to our existing customer base, and give them more and
more security solutions because we're still only 10% or 15% of
anybody's cybersecurity spend.
Hamza Fodderwala
All right. That's super helpful. So when we break down the Palo Alto
business, you've got two elements, you've got the the network security
business - those are three elements. But the way that we think about
it, you've got the firewall business and the attached services, that's
about, let's say, roughly two-thirds of the business are a little over
that growing 20 percentage. And then you've got the next gen security
business, which is a lot of your cloud security solution, that's about
30%, growing roughly 70% or so. And it seems like, these are kind of
separate businesses, but they also work together and you're really sort
of attacking the cyber strategy.
So maybe just to start off on the network security side, a lot of that
is still driven by the product. And people probably ask you about the
product refresh. How long you think that last? Where would you say you
are within your customer base, as far as refreshing that because I
think people got confused when you made that comment about 65% of
security portfolio being refreshed, but it wasn't anywhere near your
customer base?
Nikesh Arora
Yeah. As for our business, we said, there is a - I've been trying to
say that for 3.5 years, and hopefully one day people will leave it.
There is a network security element to our business, which is a
composition of hardware and software. In the last three years, we have
transformed that business from 100% hardware to 60% hardware, 40% of
that business is not software.
Now of that business, 80% across the whole business is software
subscriptions. So 60/40 in hardware software, and then 80% of the
President's subscriptions within the network security area. And we're
going to keep driving that hardware to software change. And there are
two elements to that . One is fundamentally software solved security is
much more secure. Like if I had to go put a hardware box in this hotel,
and you have $500, it's going to take you one year to go down every
hotel and put a hardware box. We can light up all these hotels in under
a month and solve the problem the software.
So I think security over time is going to migrate towards software
delivered security. If you - first of all, from that perspective, that
business, the hardware part of that business is also a steady business,
keep continues to grow. The harder part of the business, we have
refreshed less than 5% of our installed base [Technical Difficulty] new
hardware solutions, we've lost the last six months. Now the typical
hardware cycles run from 18 to 24 months, sometimes 36 months. So a
hardware hasn't been refreshed our base.
Additionally, three years ago, we had four software subscriptions.
Every time we sell a box, we offer four different capabilities, which
you can buy with the box. We have taken that from four to 10 in terms
of things we can give you with a hardware box. So not only do we sell a
box of hardware, now we can attach 10 different solutions to that. So,
we're going to see a natural evolution of as you get to our base and
refresh them in better hardware, we can attach more software. So, I
think that's kind of our strategy to drive sustained growth on our
network security business.
On the other side, our cloud and endpoint business does the service
growing about 70%, and I think we're very, very early in the cloud
security space. It's not inconceivable that anybody who's going to GCP,
Azure, or AWS, or IBM, or Alibaba Cloud, is probably going to have to
spend $10 million or $20 million a year in cloud security.
Hamza Fodderwala
All right. Would the attach rate as far as like subscriptions per box
today? You said Forex...
Nikesh Arora
Robust.
Hamza Fodderwala
Robust, and it's been growing, is that fair to say?
Nikesh Arora
Yeah. It's occurring.
Hamza Fodderwala
Okay.
Nikesh Arora
You go from $4 million to $10 million.
Hamza Fodderwala
Okay. Maybe just a high-level question like, can you talk about the
shift from hardware to software? Where do you think we are in sort of
the pace of change?
Nikesh Arora
Smart people are very quick to rationalize stuff away. There's still
people still use hard disk drive somewhere in data center. So, I think
for the next 10 years, we're going to still see hardware being
purchased in the market, because a lot of companies will still own data
centers, the cloud is 20% to 30% more expensive. So, you will see
companies who will not move to the cloud and hang on to the data
center. I think the hardware demand sustains for that period of time.
From a change perspective, as we start to see these big network
security rearchitectures, you're going to see more and more software
come in. You're going to see more and more software get attached. But I
think the market will still grow in the mid single digits on that for
security.
Hamza Fodderwala
On networks or just firewalls?
Nikesh Arora
On network security.
Hamza Fodderwala
Okay. Got it. Just a question on supply chain. Why is Palo Alto been
able to manage the supply chain issues better than some of your peers?
Nikesh Arora
I think everybody is hustling, trying to make sure that we get supply
chain sorted. But nine months ago, every chip vendor cancelled every
order and said, we're not sure we can give you that three months ago,
they started giving you some visibility what you can have, you still
don't get everything that you need. But remember, it's a - I can't
remember the numbers are, but it's multi $100 billion dollar chip
industry. We need 100 and odd million dollars of chips. So it's not a
very, very small part of the overall chip industry. So as long as we
have enough supplies all of this stuff out of the market, we can get
it.
I don't think it's going to get easier for the next six months. We're
going to keep having to hustle, trying to find the chips. But our
hardware revenues grew about 20% quarter-over-quarter, which is on the
higher side for us as a company. And we still weren't able to satisfy
all the orders that we had. So we ended up building backlog because we
couldn't get it planned for 20%. Our average growth used to be high
single digits.
So we plan to have enough supply for 20% and we got the stuff. But we
had to ship at all. We still have unmet demand. So we've - I've never
had as much visibility in the last 3.5 years into my hardware pipeline
that I have today, like I kind of stopped shipping six weeks before the
quarter ends. Anything you order in the last six weeks, I have to wait
to get the stuff to ship it.
Hamza Fodderwala
Yeah, the visibility point is really interesting.
Nikesh Arora
But that's true probably in the industry.
Hamza Fodderwala
Yeah. You did mention that you don't see things getting easier. But
like, from a lead time perspective, would you say those have been
fairly stable on the product side?
Nikesh Arora
As far as like there's 300 pieces that go into building a box. In one
quarter, it's 10 pieces from one supplier and the other quarter 10
pieces from the other supplier. It's not consistently one particular
supplier. So - and Dipak and his team, our CFO, they do a phenomenal
job of bringing all the stuff together and getting it out there. The
lead times we know what's going to get in the next six months.
Hamza Fodderwala
On the margins within that network security business, they're really
pile ready, I think 40% the last time you disclosed it. You think
there's room for that to move up as you start attaching more
subscriptions and sell the premium maintenance, for example?
Nikesh Arora
Yeah. The network security business, the margin components are,
obviously, our hardware margins, which are impacted because of supply
chain and those should ease over time. There's the software solve our
product Prisma SASE, which competes in the SASE space. As we scale that
and we're seeing phenomenal growth there. As we keep scaling it, our
cloud costs which are the biggest cost than our customers' deployment
cost because cost over time start to amortize.
So you have a mathematical effect of those things, beginning to give
you more margin. And last but not the least, as you attach more and
more software subscriptions to that typically higher-margin products.
So I think the network security margins in the long-term sustain and
get better.
Hamza Fodderwala
Speaking on the component cost, you also did some price increases, I
think, late last year or earlier this year. Do you think these price
increases are going to be durable as we think about next year or the
year after? Or do you think eventually those would get eaten up by
distributor discount?
Nikesh Arora
The price increase you're seeing in the market, they're very leaky,
because a lot of them get negotiated away. So we're in a competitive
market, price gets negotiated away, the yield is very low. It's
typically the smaller end customer that gets the biggest brunt of price
increases. And other large enterprise customers get impacted that much
by price increase.
So we've actively chosen not to drive price increases out of our
portfolio. We've done 1, 1.5, maybe and we've seen people do 2 or 3,
probably big picks was more price competitive. But I - some people have
to cut prices again. Supply chain is not going to suddenly ease up and
not suddenly - I'm sure somebody is going to be left with a lot of
boxes or something after the supply chain receipts, can't be that,
you've got to figure it out perfectly. So prices will come down for
some people.
Hamza Fodderwala
Yeah, that makes a lot of sense. Maybe shifting to the next side,
again, roughly a third of the billings now growing in the 70s. The way
that we think about it, so you've got this next gen business at $1.5
billion run rate in billing, roughly, maybe a little less than
two-third of that is coming from the SASE and the SD-WAN side.
Nikesh Arora
About a third.
Hamza Fodderwala
About a third. Okay, fine. You've seen some pretty significant growth
on the SASE side. Can you just talk a little bit about your
differentiation versus other players in the SASE market like a Zscaler,
for example?
Nikesh Arora
Just an example, yeah.
Hamza Fodderwala
Is an example, yeah.
Nikesh Arora
Most of you must have heard that there's a huge trust towards doing
zero trust. And zero trust is this concept where you don't trust
anything that comes into your technology infrastructure, you have to
validate his credentials. Like that's why we all carry badges when you
go to work. Even if it's a security guard identify you say, hello
mister Fodderwala, how are you? Just please swipe your badge because we
don't know if you've got this employed or not, that's called zero
trust. I know you, but I still don't trust you. That's kind of how zero
trusts work has been working in security for a long time.
A zero trust means that you have to make sure you're treating
everything consistently. So our differentiator is people use our
firewalls in the data center, they deploy security policies. Now when I
work from home and I log in, I'm not in the office. So the security
policies being applied to be a different. You have to be consistent for
you to deploy zero trust. If I'm running a workload in GCP, the same
policies need to apply. So we're the only cybersecurity company, which
can deploy the same security policies in your public cloud, in your
remote use case or in the data center. Nobody else can do that, because
nobody provides all those solutions.
So where are we seeing our growth is our existing very large enterprise
customers want to be consistent in how they deploy zero trust. And we
take the traffic, we offer to Google Cloud, it runs as fast as can
Google Cloud and gets dropped off the other place deploying the same
security policies up in their cloud infrastructure. That's our
differentiators zero trust.
We have and we do better in the large enterprise use cases. So, we have
done the last few quarters. We've done companies with employee size of
between 100,000 to 650,000 to a 1 million. So that's where it works
really well. 2.5 years ago, we're not in the business. We did not have
a SASE product.
Today, I think we see five out of 10 deals in the market. Hopefully,
we'll see 10 out of 10 deals in short order. I think when a bunch of
them and when rates are improving, SASE is going to be big. This is a
very early part of SASE. And the good news is that if I don't win it
today, it comes up for renewal to you. So now I can go, win it
tomorrow. In firewalls, you got to wait seven years. If somebody
doesn't buy my firewalls, we're going to wait for seven years for the
next set of firewalls to be refreshed.
In SASE, you can do this perversity in our industry called people like
ARR. I like DCV. Like ARR means, you do one year deals. I like my
competitors doing one year deals because it means the deals up for
renewal a year from now, I'd like to go ahead and be able to replace
them. So we do three deals, on average, across our customer base and
SASE is big.
Hamza Fodderwala
When you think about SASE, how do you think about the balancing the
growth between selling into your existing customer base versus net new?
Because there are some use cases that you overlap with a traditional
firewall business. So when you talk to customers, is it like either or
like I just want to go SASE or just go firewall or is it kind of a
combination of both and how do you like balance the growth there?
Nikesh Arora
The customers come in all flavors and types and their own strategies.
But most customers want to deploy a consistent security protocol across
everything, across their data center, public clouds and the remote or
branch use case, which is three use cases, in this space. We sell
approximately 75% of our SASE indoor existing base, where we have
57,000 active network security customers. So that's a lot of customers
we cover north of 1,700 of the Global 2000, which means we cover most
companies that are out there.
So we sell 75% there. The interesting fact is though, the 25% of net
new customers are Palo Alto. And typically, their customers who will
take our SASE solutions, who will have other firewalls, in which case,
the conversation is perhaps when their firewalls come up for renewals,
they can then go reverse into zero trust by buying Palo Alto firewall.
So I think our SASE business also is a lead generator for our firewall
business, which we haven't had for a very long time. Because customers
now get comfortable that security policies say, it's working. Maybe I
can buy some hardware next time.
Hamza Fodderwala
Yeah, that's a really important point. And I think you mentioned you
have about 2,000 customers on the SASE side and or the 67,000 firewall
base.
Nikesh Arora
57,000.
Hamza Fodderwala
57,000. What is the uplift that you get when a customer moves to that
the over a period of time?
Nikesh Arora
Yeah, we did this about a year-and-a-half ago, we shared, I think, the
SASE customer is both more valuable and more profitable for us in the
longer-term. It seems the number is about 2x give or take. Because we
sell a firewall with six to seven-year duration. Our SASE solutions get
renewed after three years. And I think the contract values on SASE
typically end up being higher. Because it's a combination of both
network, both network and network security. And the standard
subscription that holds you back on the hardware, almost all the work
on the software solve is on SASE.
Hamza Fodderwala
Got it.
Nikesh Arora
So over time, you can attach more capability.
Hamza Fodderwala
So I want to push to Prisma Cloud. So I guess SASE is securing access
to the cloud. Prisma Cloud is actually securing actually the workloads
in the cloud.
Nikesh Arora
Yeah, I think this is about a $300 million run rate business now
growing triple digits. Palo Alto was pretty early to the cloud security
market. You bought RedLock, I think back in 2018. Back then, nobody
knew what a CSPM or cloud security posture management even was, most
people still don't know.
Hamza Fodderwala
Yeah, I know. How do you think that area has evolved from just like a
feature like CSPM to a broader cloud security platform, when you think
about for the cloud as a whole?
Nikesh Arora
Yeah. So when I came about, we had a company called Evident, which used
to protect workloads on AWS. And we made a bet that people will be on
multiple clouds, and most of our larger customers now are on multiple
clouds. So we bought RedLock, which did cloud CSPM across multiple
clouds. And we try to garden sell RedLock to our customers who did. And
so we're building container security, like don't worry about it,
there's a company out there called Syslog, which is the best of
container security is going to take you for here. So we bought Syslog.
And so to serverless offers, there's another company called PureSec.
So we took them, we merge them, we shut down the individual
capabilities and merge them into one platform as we've had it for three
years. We built four more capabilities on top of that. We built
[indiscernible] as well, an application firewalls. We built identity
access management, prevent data loss prevention. We bought a company
called [indiscernible] mike fragmentation.
So we have now seven modules in our Prisma Cloud platform. And the way
we sold it was we would sell credits upfront. So you buy a bunch of
credits. And then when we launched the product, you start using of the
credit as a new module show. So we're seeing adoption across our seven
modules because of the way we sold it to people. And the consequences
of the customers who consume it, the renewals come up faster, because
they end up consuming more because they are deploying more modules.
We're the only company, we don't see competition in this space. We see
it in two ways. One, there'll be smaller startups, who will provide a
sliver of capability and company will say we're not ready to go the
whole hog. We want to go solve this problem, or we see a bunch of DIY.
People will spin up their own. And we're lucky we've noticed that
people who said we don't want to buy a platform two years ago, but
their own solutions are now migrating because as the cloud gets bigger
and bigger for people.
I'll give you an example a customer who bought $2 million of credits in
the first year. 18 months later, they've up that to $8 million of
credits. And I think they could probably a $50 million customer from a
lifetime value perspective. Because they're barely 3% deployed in the
public cloud, and they have staged intention to go 100% public cloud.
That's what giving the example. This is a customer you would think is a
S&P 500 company. It's not a Dow company or Fortune 50 company.
So if you could think there are probably 500 companies out there, we're
going to end up spending $10 million to $15 million in public cloud
here. I think public cloud security is very early. So you're seeing a
bunch of these private valuations for these companies. We're about 2.5
years ahead of anybody out in the cloud security space.
Hamza Fodderwala
When you think about the size and the opportunity here, I mean, it
could potentially be big. I mean, there's probably going to be billions
of workloads in the cloud at some point.
Nikesh Arora
They got to be.
Hamza Fodderwala
Yeah.
Nikesh Arora
People paid for them. Like, I don't know they accumulated DCB, devs,
Azure, the $200 billion a quarter from year-end.
Hamza Fodderwala
Yeah.
Nikesh Arora
Already $200 million a quarter.
Hamza Fodderwala
But I mean, you've got certain workloads that are more addressable than
others, there's a lot that are just ephemeral, right? So how do you
think about the actual addressable opportunity for Palo Alto Networks?
Nikesh Arora
The simple rule of thumb, 2% to 5% of whatever Google, Amazon,
Microsoft book as a booking sort of cloud workloads should be security
spend. Half of that will go to them because they have tools that people
will use these single shot customers. But I think the other half is
opened down for third-party vendors like ourselves. So if you do the
math, if you start selling $700 billion to $800 billion worth of public
cloud, that in itself is a reasonably large market, $8 billion - $8
billion to $10 billion of your TAM, 300 million ARR, the market there.
Hamza Fodderwala
Yeah. And that $8 billion to $10 billion, obviously growing with
workload growth, potentially here.
Nikesh Arora
Yeah.
Hamza Fodderwala
Yeah, got it. I want to dig in a little bit on cloud code security or
some of the DevSecOps functionality. So Palo Alto talked a lot about
bringing security or shifting security labs into the development
lifecycle. Can you talk a little bit about some of your initiatives
there? And again, how do you think about that opportunity?
Nikesh Arora
So you guys are seeing like, there's a huge movement out of this whole,
the GitLab, HashiCorp, Atlassian, where it's kind of developer lead,
developers pick up tools that make stuff happen. Now, there's this
fallacy that security should work like that, too, it doesn't work like
that. That's why we don't have the 4,000 police forces in every state,
because you can't delete one consistent way of doing security. If you
don't do it, it doesn't work. And so there's a company which built an
open source tool for security. Now developers prefer that because then
they can just look at it, use it and then ship their code for
production.
So what we did was we bought a company called Bridgecrew, where
developers can use that as part of their open source toolkit, but it
checks everything you're doing against the enterprise version of Prisma
Cloud. So you deploy your tools. We check it beforehand. So when you
submit it to the CIO, CSO, it's passed all the security test would have
told you that. You bought a company about a year-and-a-half, a year
ago, almost now. We've integrated into our Prisma Cloud platform. We
launched it about, I want to say, two months ago, and we're seeing
really good adoption of that toolkit amongst the Prisma Cloud customer
base. And we're also seeing independent customers come in because of
that capability.
I think it's very early days. It's kind of akin to what Sneak [ph]
does, which is a separate private company do the same thing, but then
they don't have the other enterprise capabilities we do. So I think,
again, it's part of filling out the entire platform to do
cybersecurity, I think we're very, very early in the whole cloud
security space. And I don't think there's enough companies out there
who billing a platform.
Hamza Fodderwala
Ownership to the core tech side, kind of what you're doing on the globe
on the endpoint protection security analytic, I think another roughly
$300 million run rate business plus or minus?
Nikesh Arora
Hopefully plus.
Hamza Fodderwala
Yeah. Hopefully plus. So Palo Alto has been talking about XDR
detection, detection response for quite some time. I remember you used
to sell traps for endpoint protection. And I think like, three years
ago, you said, "Okay, we're going to kind of give that away." So we can
get the threat telemetry and go after bigger XDR opportunity. How would
you think about your capability relative to some of the other next gen
EDR vendors who are trying to go after it? Is this a area where you
want to be a serious player? Or is this another thing to sell within
your installed base?
Nikesh Arora
If our XDR business was an independent company, it will be valued
somewhere in the vicinity of central one, just myself, right, because
we have we started off at the same time. We have similar kind of
customer behavior and growth. Our technical capabilities are at par or
better than all the vendors out there. It's a crowded marketplace.
I think the more interesting opportunity is goes back to what we
started by saying that AI and machine learning needs to be applied. 3.5
years ago, the meantime to remediate a cyber attack was 27 to 50 days.
So when you find out that we've been breached, it took 27 days to find
out what actually happened. That kind of doesn't work. So today, that
mean time to respond is coming down. In 3.5 years, at Palo Alto, our
meantime responds in the same vicinity.
So it's kind of hard to be a cybersecurity company and do that, because
you will know for 27 days they were breached, or what actually happened
you were breached. But you have to go back and analyze everything to
figure out what happened. We spent 3.5 years, our mean time to
remediate is under one minute. In our company, we can find out and
remediate under one minute. We used to get 67,000 alerts a week. We've
analyzed them, cost correlated them, eliminated them, automated all the
responses. We see about 56 events a week, give or take, those 56 events
are manually analyzed, and remediated and under a minute.
The industry time is still in the 20-day range. And if we don't do that
to cybersecurity, every company will get breached, you will know I
mean, I remember reading newspapers about hacks where large amounts of
data have been extracted. The companies took one year to tell us that
they've been hacked and they've been extracted. So the industry has to
go to this world where you are remediating on the fly.
Now, what does it take to remediate on the fly? It takes an analysis of
data in real-time. Now, on average, every company has about 30 to 40
cybersecurity vendors, and none of us talk to each other. They actually
can't cross correlate data across 40 companies, because we all have our
own mechanisms for doing security. So you can't normalize data. You
take all of that data, you dump it into a large data lake, you can call
whatever you want, there's a bunch of companies out there who does. You
ingest all the data put in large data lake, and then humans go in and
analyze that data. Because there is no mix. There's no technology that
analyzes data. This is what you call UEBA, user behavior analysis,
which basically tells you how to understand the data. But that's still
helping you do it manually.
So we've taken all of that. It says, we're going to use a single source
of truth. We will take our data. We extract. We take 150 megabytes of
data per endpoint in a company, analyze that data, use that as a single
source of truth and cross correlate everything against that. That's how
you get to a wonder response time. So that's what we just launched,
called XIM, which is we're working with now nine companies. We are
going to work with them to replicate what we did amongst our own flock,
using a combination of XDR, combination of all of our analytical tools.
If we can do that, for those nine companies, or when we can do that,
we're going to launch that product in July for all of our customers out
there. I think that's how we transform the whole security analytics
space. That's how we transform space, which I think is a 15-year olds
space where we're ingesting a lot of data, which is the SIM space. You
can go look at the Gartner Magic Quadrant, see what's going to get
displaced. That's the opportunity. The opportunity of XDR is yet
another sliver product that solves a certain problem. It makes it a lot
easier, but doesn't solve the whole problem.
Hamza Fodderwala
Yeah, I want to dig into XIM a little bit. But just that broader data
advantage, as you're talking about, we're going to take all this threat
telemetry, how does that feed into other parts of the business? Because
I think in the past, you've had cybersecurity solutions that have been
focused on securing a particular vector, right? And eventually the
cyber criminals will catch up. So how does this really help your
solution get better over time, so that we start to see more of a steady
compound of cyber security, which quite frankly, in the past, we
haven't seen?
Nikesh Arora
I'll give you a thought experiment. All of you can go back to your
organizations and just for fun, ask your CIO or CSO, how many agents do
we have on our endpoints? I did that three years ago, the answer was
for financial services between five to 11. What does that mean? That
means there are five different companies who would sell your IT team is
solution, which would go on your laptop, and they will extract a little
bit of data and analyze that data and solve the problem. Like, why
don't you deploy five things on my laptop? Why can't you just deploy
one thing? It collects all the data, because everything is analyzed in
the cloud now. That's what we're doing. We're reshaping how this world
of data analytics needs to happen.
Hamza Fodderwala
Yeah. So on the XIM front, I thought it was interesting talking to lead
your Chief Product Officer after the call, and I was like, why are you
trying to, I guess, effectively replace a SIM, right? At least a
traditional SIM, as its constructed, has been inefficient, kind of
causing...
Nikesh Arora
Replacing, why you're trying to replace the chariot with the car.
Hamza Fodderwala
Right. Okay. That's a good point.
Nikesh Arora
Okay.
Hamza Fodderwala
Fair enough. But I guess what is your thinking behind it? And like how
do you think Palo Alto is going to be better in terms of efficacy in
addition to relative to your - yeah?
Nikesh Arora
Yeah. Look, the way we think about assessing, I've never used to
sitting for an hour and talking about the stuff. Okay. Look, our
current business in network security business, which is what 80% of
business is, we think the world is going through a huge network
transformation. So we think both our innovation and hardware attached
subscriptions is going to drive sustaind growth in network security
with SASE. The world is going to the cloud.
I think we have everything we need on the cloud portfolio and what are
we doing? We either build or buy smaller companies more
product-oriented, nothing big. And we're going to stay competitive and
not letting anybody else into that space where we are 2.5 years at. The
whole world of analytics and replacing the SIM or the chariot, for us,
is where we're going to find growth in 18 months, 24 months from now,
because I think that market gets transformed. So my job is to look for
revenue today, tomorrow, and two years from now.
I think for the next two years, we'll get a great run in network
security. We're going to get a great run for five to seven years of
cloud security. And thereafter, as X5 starts to work, we're going to
see a great problem with that for the next several decades.
Hamza Fodderwala
Thank you for holding my hand through that. On the go-to-market front,
so you've guys done a really good job of enabling your channel partners
to sell some of these next gen security solutions. And quite frankly,
when it - you started do that, it wasn't really in their incentive, or
at least that's what it felt like, especially some of the traditional
VARs who are used to selling boxes. Can you talk about the shift in
mindset among your partners and how they're starting to see more
benefit by selling the butter pile on the platform as well?
Nikesh Arora
So look, there's a big reshuffle going to have - going on in the
distribution world out there. Majority of distribution used to be
hardware-oriented in the past, and you're seeing a software
distribution start to build. So whether it's the systems integrators,
the essentially the Lloyds, PwC is the world whether it's the MSSPs, or
every telecom company now has a star, large enterprise sales team in
every country. It's them, whether it's the cloud providers, Google,
Amazon, Microsoft, they all have Cloud Marketplace advice stuff.
Suddenly, all these guys are becoming very good at value-added
reselling, which is not what they were doing five years ago. A lot of
our newer NGS sales are happening in partnership with many of these
folks. At the same time the traditional large resellers are building
software teams, so they understand where the market is going. And
they're building software capability in the mid to low segment of the
market saying okay, we'll go deploy Palo Alto products for you, monitor
them for you because they can work for you. So you are seeing a
reshaping happening out there in industry. And I think there's a lot of
winners and losers in that space.
Hamza Fodderwala
Yeah. You also run some new sales leadership in the past several
months, be just BJ Jenkins from Barracuda. You also retardant who's
running the sales organization? How are these seasoned sort of veterans
within security? How are they complementing some of your strengths or
weaknesses that have a lot of go-to-markets there? Yeah.
Nikesh Arora
One of the people we can I think he's most of the people who has made
an art out of selling enterprise solutions to the world and you're
chatting about this enterprise sales at 99%, perspiration and 1%
inspiration. You got to cover as much ground as you can. The more
ground you cover, the more customers you can touch. The more customers
you touch, the more likely to buy.
Now have we just did mention Helmut Reisinger. Helmut used to run
Orange Business Services in Europe. For Orange, he now runs Palo Alto
Networks, Europe, Middle East Africa and Latin America. BJ Jenkins
President used to be CEO Barracuda now runs Palo Alto go-to-market
efforts. Amit Singh who was a prior President still there, he's focused
on the very large deals of the company. Rick's focused on selling a lot
of stuff.
So between all of us, again, I keep harking back to three years ago,
that's when I joined like, we didn't meet many CIOs of the company. We
used to sell firewalls. As I said, last quarter, I have seen more CIOs
in the last 12 months than Palo Alto Networks have seen in five years,
right. And see them they need more spread or more coverage amongst our
leadership team. So we've taken 10 of our leaders. We've parsed the
whole large fan base across identifiers and we track how many CIOs we
meet on a weekly basis or a monthly basis, because that's where we have
those zero trust conversation. That's where we build a plan. That's how
you get somebody spend $100 a day when they trust that not only is your
current portfolio useful, but where you're going to the next five
years, what they want to be following you or working with you on.
Hamza Fodderwala
Yeah. Ownerships on the federal side. So I think Palo Alto has one of
the higher FedRAMP certifications, if not the highest. And you also got
FedRAMP certs for some of your cloud security products, I think, last
year or a year ago. How's the pipeline trending in federal? And are you
seeing any incremental traction after the zero trust mandate that was
rolled out by OMB recently?
Nikesh Arora
The federal government is very powerful. They take a lot of time
validating their decisions. As you can imagine, we're still waiting for
them to deploy the public cloud after I think four years of analyzing
bidding, rebidding and trying to deploy it. So until - so, let's just
say, they're slow to show up in vendors' numbers, that's the point. But
there's never been a time where they've been more focused on fixing
cybersecurity than now between Jen Easterly, Anne Neuberger, Chris, all
these guys are very focused on trying to get that stuff sorted.
I think the first six to 12 months of any new administration, it's very
hard for them to get their stuff together, because there's a whole cost
of character that changes, they got to figure out the new working
rhythm. So we have - we are hopeful about good stuff to come to them in
year two and year three. But all the signs point to more focus and more
availability of resources for them to go deploy solutions. And at times
our friends have more time to take longer to take our products get
better and better, more adapted to the federal government as well.
Hamza Fodderwala
Yeah. Just on the organization in the culture, it sounds like you came
in four years ago, you had this narrow window to buy a bunch of great
technologies, maybe something has got disrupted earlier on. When you
look at the culture now, especially given the really competitive labor
market, how is Palo Alto been attracting talent? And how do you see
your potential for attracting talent relative to back then?
Nikesh Arora
Look, we've been very lucky because the 17 companies we bought, we've
retained north of 80% of the founders of these companies. They still
are Palo Alto Networks, they still work there, they're still excited.
Many of them are actually driving the efforts.
So there were three principles we deployed when we did M&A. One, we're
going to buy the best in the market. The reason they're successful,
because they beat us with less number of people and lower amount of
money. So we're going to buy whatever is best out there, because our
customers are not going to buy something that's not best to pay. So we
bought the best companies, one.
Two, we made them responsible for our efforts, not our team's
responsible for their efforts, because they beat us. So we had a lot of
change in leadership, as a consequence acquiring all these companies.
And the third principle was we forced integration. We forced tough
technical decisions. In fact, when we buy companies, we don't sign the
deal until we have an integration plan between the two of us from a
product perspective, because you get all the emotions out of the
system. So, we do that. And as a consequence a lot of - all of our
products are now integrated.
From a cultural perspective, we've been lucky because lucky and lucky,
suddenly Palo Alto Networks has become a place where people want to
draw talent from. So we see a lot of people trying to hire people to
Palo Alto because even early in many spaces. The flip side, we just run
a campaign. Those of you who frequent LinkedIn, we run a campaign
called Welcome Home. Because many of our employees have left for other
cybersecurity companies have seen their personal network get destroyed
or depleted, given the current markets. And we've offered to reinstate
them back the number of shares they had at Palo Alto, and they're
looking at the math thing, holy [explicit], I should have stayed. And
we're seeing a lot of success and people wanting to come back.
We've been running a program called Flex Work in the midst of pandemic,
which we started with Zoom, Splunk, Box and Uber. And now we have 300
companies that are part of the flexible coalition who are deploying
flexible workplace policies. And we were sort of early in that space.
Our Head of HR drove a lot of the efforts. So culturally, I think it's
the best cybersecurity for companies you'd like to work for you want to
work for. But we see churn like most people in the industry.
Hamza Fodderwala
Maybe shifting to the margin side. So you talked about how operating
margins will start to expand beyond this fiscal year. So we all know
the core sort of the firewall, NetSec business is very profitable, 40%
free cash flow margin, and that's funding what you're doing on the next
gen side. At what point do you see that next gen business becoming
breakeven or profitable on its own and sort of sustaining itself?
Nikesh Arora
Let's make sure I say it right, because they're all public investors
and whatever I say, then you go and suddenly a seed happen in software.
So we're seeing way better growth than we expected when they started
out here. And we're trying to make sure we manage the operating margin
in the context of what we promised the street and we will do so out for
a three-year plan. At the same time we have more opportunity to invest
than we have time and resources.
So we're going to be balancing our resources to live up both to our
commitments, at the same time to keep investing for growth, because
very few cybersecurity companies growing. There aren't any
cybersecurity companies growing at 30% in the current market deploying
across multiple categories. So, we will keep investing, but we'll
balance the amount of investment against the promises you've made to
the Street.
Hamza Fodderwala
Yeah, makes sense. Just last question for me, I want to open up to the
audience. M&A, you talked about less frequent M&A. I think Q4 last
year, you reiterated on the Analyst Day. Just curious on your strategy
going forward, how do you make sure you're not missing out on anything
by doing less frequent M&A?
Nikesh Arora
So we don't do M&A to do M&A. We do M&A to complement our product
strategy. We're not going to miss out on product strategy. If there are
opportunities that we believe we should participate in, it's an area we
missed, we're going to go build. Remember, 3.5 years ago, we were not
in the sock transformation business, we were not in the SASE business,
we're not in the cloud security business, we were not in the Incident
Response business. So the net few businesses, we could acquire
companies, integrate them and go do what we need to do.
Today, anything that's out there typically is an incremental feature to
what we already do, or anything is out there is already a space we're
playing. So it's very hard for - I don't want to buy stuff and have two
companies with the same space. I don't want to do SD-WAN businesses to
endpoint businesses, we're happy with the ones we have. So actually,
the target opportunity set is a lot smaller. There are opportunities in
cloud security because I still think there's a whole bunch of products
that haven't been built.
So we - Walter and his team track, I want to say, 50 to 100 companies a
month. We visit with them, we see what's going on, we see what's
interesting or not, is interesting to work. But I don't think we're
going to miss out on the opportunity to acquire. But if you look, we
only acquired product. We don't believe there's a value to acquiring
customers' revenue and being multiples that we have to go back and then
earn both investors. So on a product basis, I don't think M&A is going
to be meaningful to our financial profile over the next few years.
Hamza Fodderwala
Walter seems like a busy man, just give him raise.
Nikesh Arora
They still have to work at some point in time.
Hamza Fodderwala
Yeah. I just want to make sure there's no questions in the audience. If
anyone has a question, feel free to raise your hand. Doing that one
right here. Oh, I think the other way some mic, sorry.
Question-and-Answer Session
Q - Unidentified Analyst
Hello, there is an increasing need to protect against sophisticated
malicious governmental actors around the world. Some have advocated a
united front made up of various companies as the first defense against
these attacks. Former Chief Cyber Command Chief [indiscernible], for
example, is such one person. My question for you is where is your
thoughts on having a united front against a malicious, very
sophisticated attacks other governments like North Korea, for example,
or Russia, attacking against companies such as Sony, for example. You
thoughts on this, please?
Nikesh Arora
So there is a - there are various groups in this country and other
countries, I'm sure, where there's a lot of threat sharing that goes
on. So we see something if you see a sustained attack of certain kind.
There are protocols we follow to make sure those that information is
shared aggressively with both cybersecurity companies in the private
markets as well as the federal government as and when required. And
that kind of becomes the way to protect against a concerted attack.
But given we need to know what the attack is first, whether you take
example of SolarWinds, take example of blog for J when these things
happen. There's currently an attack underway called Viper, which has
been malware being sent around try and wipe out your data. So you don't
have any ability to respond both from a critical infrastructure
perspective or from a military perspective.
So when you know what the nature of the attack is, then you can rally
together and figure out what the threat vectors are, what the IOCs and
go and perpetrate them through the entire infrastructure. The challenge
is, as we said, it's not like every company has its own proprietary
infrastructure. It's not like Palo Alto can provide the solution to
everyone because half of them are not our customers. So we have to work
as a collective between public and private to make sure that we
understand the IOC. We make it available. So each of the practitioners
in the individual companies can then deploy them based on what their
proprietary infrastructure is.
Unidentified Analyst
You perceive a need for a governmental or non-public and number of
private sector, over public sector in organization that actually serves
as a united first defense front against these governments...?
Nikesh Arora
Yeah, those are in place. Those things are in place today, whether it's
just with Jen Easterly, whether it's the NSA they have.
Unidentified Analyst
Just private companies. So for example, when Sony was hacked, I mean,
they were hacked by North Korea. They didn't have the sophistication to
actually prevent these types of attacks. My question is, do you think
there's a need for a sector organization that actually protects these
private companies early on really quickly?
Nikesh Arora
There's an industry out there. There's the - between the combination of
us Mandiant CrowdStrike, we have enough resources that get deployed.
The problem is they were hacked. So once they're hacked, you can't
unpack them, you just have to go figure it out, pick up the pieces. So
everything you and I read was a consequence of the hack. But once they
were hacked, I think they didn't take too long to plug the hole for.
But when the data has gone, the data has gone.
Hamza Fodderwala
Anybody else have a question? Maybe I'll throw one in there. So you
talked about the cap allocation being skewed a bit more towards your
buyback. We saw that I think this most recent quarter, you bought back,
I think, $50 million in shares. How do you think about your share
buyback strategies, the more opportunistic or should we expect more
like a regular cadence for quarter?
Nikesh Arora
We usually get analysis and approval for a $1 billion share buyback
every year, which kind of roughly equates to our dilution from a
stock-based comp, give or take. And we don't get paid to time the
market. So we will just have some sort of regular cadence depending on
what's going on in the company where we have information on private
MMPI where we can't trade. But it's going to be somewhat more on a
cadence relative to the markets, but I don't get paid to buy it at very
cheap prices and not buy at high prices.
Hamza Fodderwala
Yeah. I think you talked a little bit last quarter about your focus on
becoming GAAP profitable, I think, in the next year or so. So is that
part of it that's driving down that dilution with the share buyback
or... yeah?
Nikesh Arora
But that doesn't impact it. So I didn't say next year, by the way. I
said we will talk at the end of this fiscal year and share the plan
with you in terms of how our numbers transformed to get us we're
profitable. But look, the difference between us being GAAP profitable
or not right now is the overhang from the M&A we did in the stock we
reinvested for the founders of the companies we bought. Once that wears
off of our GAAP P&L, we will end up becoming profitable. So it's not
hard to compute mathematically when that wears off, given when we
stopped acquiring companies. It also helps if you're growing revenue at
30% and holding margins because then that also washes out some of that.
So it's not a hard math problem.
Hamza Fodderwala
Yeah. I know we got a few minutes left, but anything that we didn't
talk about or asked or any closing remarks that you wanted to touch on?
Nikesh Arora
No. Look, I think you've said it. There's a very large sector, which is
growing in high single digits, possibly north of that. There are not
many players who are consolidators of that sector. It's still - I think
the 3.5% was still the largest market share, depending on how you count
Microsoft securities revenue. And our anticipation is that if we
continue on the path that we've laid out for ourselves, you'll see the
first $100 billion cybersecurity company ruling.
Hamza Fodderwala
We still have a few minutes left.
Nikesh Arora
Yeah, I think [Multiple Speakers] they'll sell faster clothes. We're
done buddy.
Hamza Fodderwala
Exactly. I read the clock wrong. So you made a point at the NOC where
you talked about partnering more with a cloud service provider.
Nikesh Arora
Yeah.
Hamza Fodderwala
Just how do you think about the competitive threat from the CSP, in
particular, and like versus partnering with them?
Nikesh Arora
There are a certain set of customers where they're better suited using
the native tools of the cloud service providers and a lot of them as
their environment gets more complex and there are multiple clouds, a
better sort of adopts. So I don't think there's a challenge. I'm very
happy with 50% of the cloud security market share.
Hamza Fodderwala
Yeah. Just on going back to the margin front, so I think you - oh,
sorry, we have a question over here. Happy with that.
Unidentified Analyst
Maybe, all right. I was just going to say you warned us not to conflate
the current geopolitical events Russia with the CapEx cycle that's
going on. But I do want to ask, if you're seeing incoming right now,
what the nature of it is, whether this is raising awareness by
companies about things they need to do differently?
Nikesh Arora
Look, as you can expect, given the current circumstances we're in, a
lot of the critical infrastructure companies are in alert, because they
have to be because right now, there's not as much cyber as a cyber
attack going on right now in the direction of the U.S. or the West, as
you would expect, because I think it's quite concentrated, where
everything happening. But who's to say that in a few days, or a few
weeks, when things get more desperate for certain people that the guns
are not going to get pointed, the cyber guns are not going to get
pointed in different directions.
So I'd say generally, there's a heightened state of alert across the
board, both in critical infrastructure companies or companies where
they're getting impacted could create chaos, for some way, shape or
form. So I would say, everybody is watching carefully. And the
challenge, as you know, it's like, you can't fix it. If you didn't fix
it one year ago, you can't certainly call me and say what, can you come
protect me? Of course, I'll say, yes, I'll charge you a lot of money,
but I'm not going to be as effective.
So bad strategy for companies call and say fix it in 24 hours. But
again, as I said, it just - this is a mistake, this is why we still
take off our shoes on and we go to TSA. So now people are going to be
aware of this. Over the next five years, we're going to make sure the
security is covered.
Unidentified Analyst
Yeah. As you mentioned your broad capabilities you have this discussion
in the industry best of breed versus people like Palo Alto with the
broad capabilities. And I wonder on the really enterprise level, if you
talk about Fortune 2000, et cetera. Why do you believe an integrated
platform will win versus best of breed, where people like CrowdStrike,
Zscaler work together versus you offering a product solution and
integrated platform?
Nikesh Arora
So you said a few things. First of all, I agree with you that our
customers want best of breed. So we don't sell just an integrated
platform. We sell an integrated platform, which is comprised of best of
breed. We have 10 solutions we can sell you independently, which will
meet or beat any public vendor out there in the same space, or you can
have them from us, and they will also work together better. And so
that's one part.
The other part is, I don't think we lose affiliations of my product is
integrated with somebody else's product works. I mean, I don't buy any
of these industry partnerships is that our product is integrated with
this other third-party product because we have a lot of security
products, but very hard to integrate your product without sharing
security protocols and nobody does that. So it's - they're two
different spaces and therefore, they can work together because they
don't have overlapping capabilities.
Hamza Fodderwala
All right. I think with that, we'll end it here. Sorry for the...
Nikesh Arora
Can I say the $100 million thing one more time.
Hamza Fodderwala
It's good to say. Okay. Thank you so much, Nikesh. I really appreciate
it.
Nikesh Arora
Thank you.