Palo Alto Networks (TICKER: PANW) Palo Alto Networks Inc S Panw Goldman Sachs Communacopia Technology Conference Transcript
Palo Alto Networks, Inc. (NASDAQ:PANW) Goldman Sachs Communacopia +
Technology Conference September 13, 2022 2:30 PM ET
Company Participants
Nikesh Arora - Chief Executive Officer
Conference Call Participants
Gabriela Borges - Goldman Sachs
Gabriela Borges
All right. I think we can go ahead and kick it off. Thanks, everyone,
for joining stage two. Delighted to have on stage with me, Nikesh
Arora, CEO of Palo Alto Networks. I'm Gabriela Borges. I head up the
emerging software vertical here at Goldman Research. Thank you so much
for joining us this morning.
Nikesh Arora
My pleasure. Thank you for having me.
Gabriela Borges
So, I wanted to start on the platform question, which I know you get in
essentially every fire side chat that you do. So, I thought I would ask
it in a specific way, which is why do you think Palo Alto has been
successful with its platform approach when many other security
companies have tried and failed?
Nikesh Arora
Yes. Gabriela, when I started Palo Alto four and a years ago, and I
walked around the industry, both you guys and the customers said, we're
not looking for vendor consolidation. Vendors are specialized in their
swim lanes and - we'll buy best-of-breed. And if you look at the
history, very few companies offered you best-of-breed in multiple
categories. So, we set off - set about a task of trying to see how we
could build best-of-breed capability in multiple categories. We've got
14 companies. Our last year, we did 49 product releases, which is more
than we did in the first 10 years of the company.
And now we rank in the top right quadrant on 11 different categories.
We used to rank in one called firewalls. And now when customers see
wait, I can buy you and your best in this category too and it works
behind, it's connected. But can I buy it individually? Yes, you can.
Can I buy it together? Yes, you can. Does the integration work will I
buy together? Yes. Does the integration work with others if I don't buy
you? Yes. So now we see that customers are happy to buy because we're
not locking them in. We're giving the best product that's available in
the market in that category, and we're providing the benefit -
integration is a benefit. It's not a selling feature.
Gabriela Borges
Yes. Yes, that makes sense. The other trend that you've discussed in
terms of which markets you choose to participate in? Is this idea of an
inflection point. Inflection point that's happen in firewall as an end
point. Knowing for an inflection point in cloud because that's the
greenfield opportunity...
Nikesh Arora
Itself is an inflection point, yes.
Gabriela Borges
Well, let me ask you specifically about the SIM market.
Nikesh Arora
The what?
Gabriela Borges
The SIM market.
Nikesh Arora
Right. So interestingly, if you look at the history of security, what
has happened is, it is one of the most innovative markets in the world.
Because every day, when you figure out the solution for the current -
the bad actors are figuring out the next act, they're not busy
perfecting the last one. So while we're building a solution to the
problem for today, they're figuring out how to break into your business
tomorrow. Towards that point, over time, what happens is as
technological changes happen, your solutions become old and an
inflection point arise where the industry has to reinvent itself. And
typically, the reinvention comes from outside the industry.
Look at the endpoint market. Symantec and McAfee shared the line like
for many years, and EDR came about and suddenly you hear only about
CrowdStrike, SentinelOne hopefully Palo Alto, right? So the inflection
point came, there was a reason to change your technology. Until then,
there is no reason to change, in which case, it's a much tougher fight.
The endpoint industry saw the inflection point. I think we're thinning
down to three vendors. It will be CrowdStrike, us and SentinelOne. Look
at SASE. SASE was not what Interac started with. Suddenly, you've heard
in the last two years, its business was SASE. We're one of two vendors
in SASE. We made that about three years ago.
We figured there's an inflection point coming, driven by everybody
wanted to go to cloud. If everybody is going to go to the cloud, your
fundamental network architecture has to change. We anticipated the
network architecture. We had 26 people working on the product. We have
800 working now in three and a half years. Infection point was coming
in cloud. If you're going to move to the cloud, every security vendor
chases the category called CASB. And I said in the math is a 80% of the
applications are developed at home, 20% are package applications.
There's no solution for 80%, everybody is chasing the 20% market. We
bought seven companies integrated them in public cloud. We are the
largest player in public cloud in the last three and a half years
because that was the inflection point. So sorry to take you there, but
I want to make sure we understood.
Gabriela Borges
Helpful context.
Nikesh Arora
I think the next inflection point is in the SIM market. SIM is a
15-year-old industry technology. There's things like LogRhythm, QRadar,
Splunk, JAS [ph], Sumo Logic, Exabeam, Devo, all of them. I looked at
everyone of them. I think they have not reinvented their platforms
based on what's available today. All of them have taken the approach
that security alerts need to be in a data store, and they need to be
manually queried. Well, that worked in the past, when your biggest
security challenge was to figure out how the breach happen? Now the
challenges stop to breach while it's happened.
The only way you can do that if you have a normalized AI-enabled data
lake, which means you have to know the source of data. So the old model
you can put 40, 60 security vendor data into one large data lake and
solve the problem, is going to become defunct, you'll need a clean
identifiable single source of truth data lake. So we've spent two and a
half years building that. We have taken our own response time at Palo
Alto from 27 days to under one minute. And every customer needs to be
under that minute because your breaches are going to come real time,
and you have to stop them real time. So that's the next inflection
point. It's early. It's almost an incubation project. But I think we're
sitting at two to five years. So now we'll be talking about how that
market call reinvented by that strategy.
Gabriela Borges
There's a concept embedded in your comments on technology potentially
taking share from human capital in the SOC. Is there a scenario where
your innovation in SIM also solves the human capital problem in
security because of the data approach that you're taking?
Nikesh Arora
Well, I think the current conversation cybersecurity industry is saying
we need faster horses because the chariots need to move fast. It's like
they're not thinking like Elon Musk. You can autonomous cars. You
cannot get faster horses because you can't have enough horses to solve
this. I mean look, we're talking about quantum computing in the other
end. Quantum computing has the ability to break every encryption key.
Are you going to send a human to go to place the key. No, you can't do
that. You need to solve the problem of security with automation and AI.
And you can't do that unless you have good data. And we've never had
good data in the industry on a cross-vendor base. We've always had it
in very specific swim lanes for vendors. That has to change.
Gabriela Borges
The segments of the security market that you choose not to compete in
today because there isn't an inflection point. Do you see a scenario or
are there other end markets adjacent to you that you think are likely
to also inflect so that your platform becomes broader over the long
term?
Nikesh Arora
Well, the good news, Gabriela, I'm old enough to have watched various
technology cycles. Every flavor of the decade eventually got
out-innovated by the next generation, right? And you've got a bunch of
companies there. who talk about living on the shoulders of giants of
the past. So, I don't think that problem goes away. I think every
sector will have an inflection point at some point in time, and they
will have to get reinvented.
When we started four and a half years ago in this journey of
transformation, I was asked by the branding people, what are the two
things that Palo Alto needs to build their brand around and needs to
get really good at culturally? I said, the number one thing we need to
be known for innovation and security, because this is the fastest
innovative market. And the second thing we need to be known as to be a
cybersecurity partner, not a vendor. And in that context, every one of
the [indiscernible] will get out innovator at some point in time. The
question is, do we out-innovate ourselves or we get out-innovated?
And I know every tech company comes talks about that. And hopefully,
we've demonstrated so far in the last four years that we have been able
to pay our technical debt, get back on the innovation bandwagon and
hopefully stay paranoid and stay there because if we don't stay
paranoid, maybe two guys in Israel or two guys in India or two guys or
two gals in San Francisco or whatever, who're going to out-innovate us.
Probably it's two for some reason. I don't know why?
Gabriela Borges
While we're on the topic of innovation. What do you think is the next
big technical challenge that you'd like to focus on internally at your
company, either based on feedback you're getting from R&D or feedback
from the customers, what do you think is the next big technical hurdle
that you would like to be solving?
Nikesh Arora
We had 5,000 people at Palo Alto Networks in my least favorite city in
the world last week, not far from here in Vegas, and they want to do a
sales kickoff. And I was able to plead with my former boss Eric Schmidt
to come talk to us for 45 minutes. And he makes a very compelling case
for AI. And I don't think we have deployed AI in any meaningful way in
any industry in the world. And the problem is, we have bad data. If you
don't have good data, you're not going to be able to deploy AI. Does it
make sense that we go to a radiologist and get our scans looked at, you
don't have to if you had good data and good diagnostics, you should be
able to have that done using AI.
And if you look at every industry, there are 50 examples or housing
examples where AI can be deployed if we had good data against we
deploy. We've deployed more than a million firewalls. Every time we
deploy a new one, it doesn't understand which environment is saying, it
should now right now it's been done a million times. So, we need to get
smarter about applying AI within our own company, within our own
industry. So our biggest challenge as a company right now is to
understand our data well enough that we can use the data, create
predictive capability within our products, so our customers have a much
more easier life than expecting humans to understand everything and
take really complicated products and deploy them effectively.
Gabriela Borges
I have an AI-specific question for you, which is based on your comment
from last week at an investor conference. The GCP AI tools that you're
embedding within Palo Alto Networks and some of the value that you're
able to extract, would love to hear more what are you doing with GCP on
AI?
Nikesh Arora
Yes. Look, I spent any as a Google and I came to Palo Alto, I burned
the ships. I said shut down our data centers. If I'm going to run 100
million customers worth of data across our pipes on SASE in the future
in 10 years from now, if I'm going to deliver zero latency capability
around the world, 120 countries, I either have to get very good at
running my own data centers or I have to rely on somebody else who
knows how to. I think if you take your pick, whether it's Google,
whether it's Amazon, whether it's Microsoft, I think they're going to
outclass every one of us companies trying to run 150 countries with the
data center. It's a matter of time.
So I'd much rather get on that bandwagon early, learn how to leverage
their capabilities and be willing to pay the slight premium that I pay
than trying to run 100 million customers worth of data and network
traffic on my own home-grown data center. I think sub $20 billion
revenue companies running their own data centers globally is like the
mom-and-pop store against Walmart. So, I think we'll see how this bears
out over time. But these three guys have 42,000 people selling cloud
capabilities around the world. They're spending $20 billion plus a
year. I don't have the intellectual bandwidth, the human capacity, the
capital required to go beat them at running a much more efficient and
much more AI-enabled data center.
Gabriela Borges
And I have one or two more questions on the concept of innovation. So
this idea of being able to out innovate and maintain a barrier to entry
versus other companies that may also try to take advantage of
inflection point. So first part of the question is, there are so many
private companies and securities. When you meet with private company
found as CEOs, how do you establish whether they have something real or
whether it's style over substance?
Nikesh Arora
Yes. That's a good question, Gabriela. You learn something at every
place you work. So, I'm not a product guy traditionally. I'm a very
product-aware guy. So, I have no pride of self sort of development. If
I find something - somebody else is doing it better, my job is to
embrace them and get them to Palo Alto. If my team can build it better,
I'll have my team builder. And there's always an integration question.
And I spent too much time in the tech industry why where if I heard
every time, give me 10 more engineers and $5 million, and I can beat
Netflix or WhatsApp or Facebook, I have worked for amazing companies.
But it doesn't happen like that.
So you have to recognize the talent and the genius when you see it. I
saw north of 300 cybersecurity companies in the first year at Palo
Alto, myself. I sat in those meetings. So, I was learning
cybersecurity, and I was trying to assess, when they tell you what
works, what doesn't work. So hopefully, between me, our founder, Nir
Zuk and Lee, who's our Chief Product Officer, we built some pattern
recognition in terms of what works, what doesn't work.
Even today, we scan 10 to 20 companies a month, even though we're
watching from a distance see where technology is going, where the
business is going. And surprisingly, they'll be a very candidate come
share what they're doing because they believe we're still the dinosaur
and we're not going to be able to out-innovate them, which is great. So
they'll come and share their stuff. And then at some point in time, we
like something a lot, we believe is going to have a huge TAM in the
market. we'll embrace them. But we've always bought number one in the
category. We did not buy number two or number three. Things trade at
number two or number three for a reason because they are number two or
number three, and it's much harder to spit and shine number three, and
make them win against number one. Because there's something that's not
working. So you buy number one.
We retain the leadership team and make our people work for them. Most
companies will buy and fail. Meet my Head of Bitcoin. He's going to
have you work from now. These guys kicked our ass in the market. We
were a large player. They deserve to run our business instead of us
running their business. So, I have - of the 14 companies we bought,
majority of the founders still work at Palo Alto have big jobs running
that business for us. And we buy product because go-to-market, buying
customers, I don't have to pay 10 times the revenue to buy a customer.
The customer is not worth 10 times their revenue. So if we buy product,
we integrate product, and we deploy our go-to-market capabilities
against them. So far, so good. We've - I think the majority of our
acquisitions are working, which is hopefully different from most other
tech companies that do acquisitions.
Gabriela Borges
It leads into a more specific question on R&D priorities, which is talk
to us about some of your philosophy on having your R&D organization be
as nimble as it is. You've already touched upon getting the founding
teams to stay and integrating the product into your organization. Other
things that are top of mind when you're thinking about investing in R&D
and the structure of your R&D division?
Nikesh Arora
Yes. Look, I think if you look at the numbers, you realize - we're a
different company than we were four and a half years ago. four and a
half years ago we have 5,000 employees. So we have 13,000. Net 8,000
new employees in the company in four years. Of the 5,000, probably,
2,000, 2,500 are new because they left, a new 2,500. So 80% of Palo
Alto is a new company. These are not people who used to be firewall
people. They are now cloud people. They're now AI people. They are now
XDR people. They're SASE people. They are new salespeople who've been
able to sell all these things to the market. So, we've transformed the
company whilst we've been going through this innovation transformation
as well as testing our products in the market from a go-to-market
perspective.
In terms of R&D, we try not to look at acquisitions now that require us
overlapping integrations because when we started the journey, we had a
lot of holes in our product strategies. We could acquire things and
laterally integrate them. I think it's the case of depth, if you buy
something that is exactly what you do and try and merge the two
technologies, it never works. Hasn't worked in the industry ever, end
up with two products in the same category, end up with a really bad
culture and an outcome for your company. So our R&D thinking is based
on where can we put big bucks.
And in every product category, we have two simple tests. Test number
one, will this be a reason to a buy? Or is this a reason to lose? What
do I mean by that? What I mean by that is if I build this feature, will
the customer want to buy me over everybody else. Or if I don't have
this feature, will I be just qualified? That's two different
philosophies. And the first one, you have to make it so cool and so
wow, people is, "Oh my God, I want this." And the other one says, "Oh,
you don't have this, right?
Gabriela Borges
[Indiscernible]
Nikesh Arora
Exactly right. So every incremental investment we make of significant
size is always measured against those two benchmarks. And that dictates
the kind of people, the kind of product means management required and
the kind of effort required make something wow and to make sure we have
this.
Gabriela Borges
Last point on the topic of innovation, which is there's this maturing
security where budgets are up into the right, and companies believe
they've underinvested budget has to go up. At the same time, many of
the innovations that you're delivering actually drive ROI. And - so the
question for you is, do you think security as an industry is inherently
inflationary or deflationary because if companies do it right, they can
actually flat line or moderate the pace of increase in security budgets
in any year-on-year?
Nikesh Arora
Look, I think there's two parts to it. I think we've chronically
underinvested in security generally. And it's because it hasn't been
important, right? Not everything was connected. And the pandemic shown
sort of big light on security. Because suddenly you realize everything
had to be technically enabled. I was using this example earlier - in a
prior meeting where the retail company of the past was a retail store
with a point of sale, and you could take a SIM card base point of sale
device and sort of wave it in the air, find 3G connection and charge
your customers' credit card.
Today, every retailer wants to have AR, VR in the store, wants to give
you instant inventory capability. Tell you if it's not in the store, I
can ship it to your house, and it's like bringing Amazon to the till in
every store. That requires technology. That requires pipes that go into
your store. That requires an SD-WAN box. That requires security at the
edge. So, you're turning large traditional businesses into very
strongly tech-enabled businesses. The more you spend on tech, the more
you need in security. Now, you need more security because you never had
to secure your store. You never did. The budget in there to secure my
store. Your tax surfaces expanded.
And then unfortunately, you bought security like you bought technology.
You bought one of each. I want to make sure there is a Dell server and
HP server. Let's make sure there's a Fortinet firewall and Palo Alto
firewall. Well, it doesn't work like that. No city has two police
forces that don't talk to each other. Try running a city like that.
It's going to be very hard. We have 40 vendors in a customer, which
exist simultaneously. The security problem is not mine, is to
customers. It's their job to integrate 40 vendors, I sell them 40
different kinds of security solutions. That paradigm is changing,
right? And I told you, we took down our number of vendors at Palo Alto
down to less than 10, and that's how we got to under one second
real-time mean time to respond. Eventually, that's what securities to
become because if your business is shut down, you've seen that by where
the bad actors are not watching and not paying attention.
Cybersecurity has gone from a hobby to profession. The number of
ransomware attacks have gone up, 1,600 attacks, each attacker wants $1
million. So a there's money to be made here because I can impair your
operation. So, I think we're in a very long secular fix of security.
Once it normalizes, we can talk about deflationary, inflationary, but
it's not normalized yet.
Gabriela Borges
The retail color is very helpful. Based on your customer conversations,
are there other industries, perhaps industrial and manufacturing, where
you feel that there is a catalyst path perhaps to essentially take
securities funding a step function?
Nikesh Arora
Well, before when we get into other industries, just think about this
cloud transformation.
Gabriela Borges
Sure.
Nikesh Arora
Right? You've got 42,000 salespeople for three of the largest tech
companies out there telling everyone they have to go to the cloud,
that's the existential threat. So everybody is out there going to the
cloud. Do you think anybody is shutting their data center the first day
they buy something in the cloud? No. They're waiting to lift and shift
their application, they'll sunset them later. So this huge surge of
income cloud spending and every cloud instance has to be secured.
***20***
***20-End****
You've got 42,000 salespeople for three of the largest tech companies
out there telling everyone they have to go to the cloud, that's the
existential threat. So everybody is out there going to the cloud. Do
you think anybody is shutting their data center the first day they buy
something in the cloud? No. They're waiting to lift and shift their
application, they'll sunset them later.
So this huge surge of income cloud spending and every cloud instance
has to be secured. So there's a huge technology trend of cloud security
required. It is also driving SASE, driving cloud security. So there's a
whole bunch of secular trends that are going on. Will everything fall
neatly into quarters? I don't know because that's how the Street likes
it. That's how we have to go deliver it. But I think from a longer-term
trend perspective, there are some very strong forces driving these
changes. And you take manufacturing. Everybody wants to suddenly do OT
and IoT security. You take critical infrastructure. You take the
Colonial Pipeline, you want to make sure your pipeline is secure, and
the big risk is not somebody coming and punching the hole.
The big risk is somebody shutting it down to cybersecurity attacks. So
I think there's a large security awareness that's kicking in. I
wouldn't be surprised if there was an SEC regulation in the next one or
two years asking for more disclosure of security incidents and more
requirement of Boards to pay attention to security. So I think we're
going to get to a new normal. Once we get to the new normal, we can
talk about inflationary deflationary.
Gabriela Borges
I'm not going to ask you about a quarters but I would like to ask
you...
Nikesh Arora
You can, you should, that's a little bit.
Gabriela Borges
And sent to you over the next fiscal year because you are one of the
first companies to provide an outlook, that goes into the next 12
months. And so as you worked with your finance leadership team, how did
you think about some of the factors that could be less predictable over
the next year?
Nikesh Arora
I got a secret for you. Every next year is unpredictable. It's not like
next year is particularly unpredictable, but yes, maybe a little more
so. Like as of now and every day things are evolving and saw the tech
rec this morning. So maybe everybody believes a 100 basis point
increase in the future, not 75, whatever you guys decide is important.
But the customers are still not seeing all the macro impacts as we are
all expecting.
There's been revenge spending in services and hospitality and airlines.
There is supply chain constraints in tech. There is commodities at
all-time high. Oil is way better today than it was two and half years
ago before the pandemic. So there are certain subsectors which are not
feeling any impact, certain subsectors are. Retailers feeling more
impacted than they felt two years ago, but does that mean they were
shut down their transformation product - project or bringing Amazon to
the till.
Are they going to take Amazon on and say for the next year, I'm not
going to spend on tech, but Amazon have a free ride because I'm going
to wait until the market improves going to start spending on tech. So I
don't know the answers to this. Have I seen belt tightening? Yes. There
is some belt tightening. Can I push this to the next quarter? Can I not
do this right now? Do I really have to pay as much? Can I pay you
later? But that's normal course of business. That doesn't change the
long-term demand curve for me.
Now if you're telling me in six months from now, we'll be sitting at 6%
Fed funds rates and the world is going to be very different. I don't
know how to predict that, nor do I plan for tremendously diverse
scenarios in my planning. I have anticipated supply chain effects. I've
anticipated inflation in my numbers.
I anticipated some degree of belt tightening in our numbers, but still
there is a secular trend that we're writing. And then I'm inspecting a
lot more than I ever did. I have 5,000 people there. I spent 70% of my
time in the first four years of the company on product. Now I'm
spending 70% of my time on go-to-market, going my field forces out to
the customer, understanding if there's a real deal there. How big is
the deal? What do I need to get it done. So we're doing what you'd
expect us to do as management. And depending on where the chips fall,
we'll see where the world falls. But all I would say is I feel a lot
more resilient than other tech companies, and I feel a lot more
comfortable than non-tech companies in the current market.
Gabriela Borges
It's a nice transition to the factors that you can control, such as
with your go-to-market. And so you alluded that to spending more of
your time on scaling the go-to-market versus product over the last four
and half years. Top one to three priorities for your sales force this
fiscal year?
Nikesh Arora
Yes. Look, we have approximately, it's a 13,000 people, roughly more
than half of the people are focused on selling and supporting our
customers. So it's a large enough team. And as I said, big tailwinds of
the world are SASE, cloud, cloud transformations and automation of the
SOC in that order. We've just merged our firewall team and our SASE
team into one team because I think it's going to be applicable to every
customer. And the functionality has converged in the last three years.
So there's a lot of effort. We started training them last quarter. Hit
the ground running this year. Our job is not to get them to a level of
execution and excellence that they can consistently do deals. So four
years ago, largest deal I did when I came to Palo Alto, we did was $28
million for five years. Last quarter, the largest deal was $75 million.
And I did some simple math when I came since I hadn't sold enterprise
before. So double our revenue, we had to have double the number of
customers, a double number of dollars per customer. And the answer is
somewhere in the middle. They're not making Fortune 500 companies as
fast as they used to. So I got to go find the same Fortune 500 spending
them, get them to spend double which is why we bought all those
products so we can give them more products.
So again, the math still applies. It's on to double from $5.5 billion
revenue to $11 billion; I've got to go sell more to the same customers.
So what we're spending our time doing is how do I take the customers
through a journey from $1 million to $2 million to $5 million to $10
million. So we report millionaire customers.
We call that seeding the customer base. We don't call it a milestone.
So I can only get a customer with one to 20, if I start them at 1. So
the whole process of getting go-to-market to a place, I have evidence
customers will spend $20 million with me. I have one spending $75
million. The next one spending $58 million. The next one is spending
$28 million and these are typical large deal sizes we do now in almost
every quarter. So we know there is appetite in the market. The question
is, can I consistently become the partner of choice for my customers
and get them up that curve.
Gabriela Borges
Maybe on that topic specifically, what can you affect with your sales
force to be able to move customers from the campus, more fragmented
point products to growing all in and Palo Alto. The customers that do
spend upwards of $1 million, $5 million, $10 million. What do they have
in common? And how do you get more customers are?
Nikesh Arora
What they have in common is they are now treating cybersecurity as an
architectural issue, not as a point solution, best-of-breed integration
issue.
When I sit with a CIO and convince them that they need to secure every
ship to the cloud with Prisma Cloud, then it becomes a land and expand
for many, many years because we ride the wave as they do their cloud
transformation, I don't have to put an incremental effort. I have to
make sure that they're getting value from my cloud product. When they
do a SASE evaluation over six to 12 months, my SASE deals are on
average two times to three times the size of a firewall deal, and
they're sticky. There's no churn on SASE.
Once our largest customer deploys 350,000 of their consultants around
the world using us on their laptop, they're going to call back 350,000
laptops and say, let's change three years so now because suddenly,
somebody has come up with a better product. Our job is to stay current
and make sure our product does what it's supposed to that point in
time. So it's a different sales cycle, a different architectural sale.
It's not a point solution sale.
Four years ago, when I went to see CIOs, I saw 75, and it was a
curiosity meeting, nobody actually wanted to buy what I had to sell. So
the guy around the corner who buys firewalls, he knows all about them
talk to him. Today, I see more CIOs on a regular basis than I saw in
the first year of traveling around because they want to talk about
cloud transformation. They want to talk about Zero Trust. They want to
talk about whether they should be doing SASE. They want to talk about
automating the SOC. So we're solving their big problems. We're not
selling point products.
Gabriela Borges
Conversations, that you're having at the highest out of the
organization. To what extent is it also important for you to have
virality and marketing efforts that target security uses, security
practitioners. And then the last piece of that question is, where did
develop this fit in? And how do you think about appealing to
developing?
Nikesh Arora
So yes - none of our customers buy something, who was because the CIO
likes me or had a good conversation with me. They go through POCs, they
have to prove our product credentials, they go through architectural
conversations. My architects need to do a good job. They need
everything in our white papers. They go check it. They have deep
security researchers paying attention to our threat databases, our DNS
capability, our URL everything.
So it has to be a soup to nuts, top to bottom. So we have to market to
every part of that customer's purchasing chain to make sure they
appreciate our product, understand it and want it because you can't
force it down anybody unless they want it. So yes, we have to go to
that.
Developer is an interesting dilemma. The developer dilemma is that if
you talk to traditional enterprise - or not traditional enterprise SaaS
companies, they say, I've got this developer motion, they're going to
buy my stuff and has enough developers use it, then I can go to an
enterprise sale, which is traditionally a lot of the new models that
you've seen in the market.
Security is slightly different, because in security, you can't have
1,000 flowers bloom. Every developer cannot pick their tool of choice
and hope that your enterprise is going to be secure. So at some point
in time, the CIO and the CISO get involved and say, you have to all do
it this way. So the question is, can you balance that. We made an
acquisition called Bridgecrew, which has an open source tool you can
use - but when you use that security tool, it's integrated in Prisma
Cloud. So we go in and say, look, we have a developer red motion, but
we also have an enterprise solution that if it's the entire stack, not
just the developer part, but the deploy and run capability on cloud. So
we are doing that a little bit more.
We are not a developer-first company. We're an enterprise company in
the traditional sense, where we sell to CIOs and CISOs. We are building
a developer motion. There is more activity likely in the cloud space,
which will be developer oriented. So we have to get more developer
savvy and developer friendly. It's still a nascent market relative to
the overall security market, but we think we have a reasonably good
toehold into it with our Bridgecrew acquisition.
Gabriela Borges
How do you think about the convergence that's happening between
firewalls and savvy on the sales side, for example? Talk to us about
the parallel path there for the channel incentives? And then same
question for your sales folks, how are you thinking about evolving
incentives towards the platform approach? Or are you already there?
Nikesh Arora
Yes. Look, I think the big shift that is happening in security is - the
traditional channel partners were hardware resellers. Hardware
resellers remember, how does the channel originate. The channel
originated when you had a company in Silicon Valley built a nice box,
someone sells this box in 100 countries said, don't worry, I got people
every port. We can get you SCC-equivalent validation, we can take the
box, ship and we can go to the customer, deploy it collect money for
you and pay the taxes.
That's what happens. So the channel was a very hardware-centric,
hardware facilitation and he actually offloaded 8% to 10% of your cost
because the channel took care of all the distribution around the world.
That's where it started. Over time, we're starting software. I ship
software by e-mail. I send you encryption key, you turn that encryption
key on, I deploy software. I don't need VAT in every country. I don't
need shipping. I don't need SEC equivalent testing. I don't need to
have spares for my box. So the channels evolved.
The new channel is more and more telcos and service providers, system
integrators, they come in and say, let me help with your cloud
transformation. And then you say, what should I buy for security? I'll
say, let me help you with this big network transformation, I'll make it
PCO neutral, you're going to save money, get rid of MPLS, deploy SASE,
consolidate seven vendors put Palo Alto in. That's not something every
customer can do for themselves. That requires them to get an adviser.
That adviser now is systems integrators and service providers, which is
not the traditional channel of - that we're used to in the past. Some
of them are building that consulting capability, but the consultants
have always had the capability. So they're creating executional
capability.
There are more SOCs being managed by systems integrators than companies
themselves in many cases. A very large auto company in Europe
outsourced a $3.5 billion IT deal to a third party. They're going to
make the decision, not the customer. So my job as has been get closer
to the system integrators and service providers and embed our
capabilities in them. We power six out of the eight consulting
companies, SASE at Palo Alto. There's a reason because we want them to
be patient zero, because they use our products, like the old television
guys or go to a store and you see 40 televisions and say how you should
this complicated, which one do you have? I will buy Palo Alto. Great.
I'll have one of those. That's what we're trying to do.
Gabriela Borges
The mix of dynamic and your point on the hardware coming well, it's a
smaller piece of the business mix today. To what extent do you view
hardware is still one of the foundational building blocks of the
security architecture? Or are we at the point where Cloud World,
hardware is an afterthought or doesn't need to be a foundational
building block?
Nikesh Arora
Look, we've had this debate in the tech industry for a long time.
Server is going to die every hardware server company should be dead by
now. Every storage company, which had hardware storage should be dead
by enough, it's not happened. So hardware will have a role. Hardware is
very important when you're looking for throughput. Hardware is way more
efficient than software and throughput. You want to put a software file
on the data center, you can't pump terabytes. You need a box.
A box is way more efficient than you can do with software. So there are
always use cases when you're pumping a lot of traffic in the long term
for hardware. From a TCO perspective, and especially a security
perspective, software is the answer. If somebody walks up and say, I'll
give you an example, right? We sell firewalls. We're selling firewalls
for a long time. We launched a large software lease every year, where
we fix a bunch of security stuff; create more usability, amazing stuff.
We ship it to one of our customers, they take nine months to 15 months
to deploy our software on the firewalls that we sold them. And they
carry firewall some five years ago where they can't even put it on
there because it's the too old, can't handle all that code. So the data
security risk it is. On SASE, our 2,500 customers get upgraded in two
weeks. You'll have to take the software, you have to deploy it. I can
make you more secure. If there's an issue, I can patch it in a day.
So software is way more efficient and relevant from a security
perspective than hardware is. So I think in the long-term, if you get
to efficient architectures, hardware be used a lot for throughput and
large traffic, and you end up with software deployed around the world.
Otherwise, you'll be driving trucks to 1,400 stores or Starbucks or CBS
trying to replace hardware every three years, which is silly.
Gabriela Borges
Yes. No, that makes sense. I'd like to end with a couple of questions
on the financial model. Specifically, you've talked about how there
have been ongoing supply chain issues that have impacted the margin
this year, talked about pace of hiring. How do we think about margin
progression over the course of the next 12 months? And then longer
term, how do you benchmark your uniquely growing at scale. You've
talked about the leadership in 11 different product categories,
potential for that to even extend? How do you think about long-term
volumes?
Nikesh Arora
Yes. Look, when I started for now he's going to look to the math. And
if you look at the math of an enterprise company, the biggest cost at
small numbers of revenues is sales and marketing and R&D. Everything
else you can normalize your G&A and the other stuff, you can bring it
down, move around and your gross margins. Those are two things that are
most important. Gross margins, cost to sell and R&D. So these three
things. R&D has a spread. You can go from 12% to 15%. And the bigger
you are, you can manage R&D in the 12% to 15% spread. So there's no
leverage there. The biggest leverage is in gross margin and sales and
marketing.
So the question is what is the long-term gross margin of our business
in our industry, I think the right security companies are going to end
up being cloud delivered or cloud supported at some point in time. And
because of the cost of running cloud and consumption, your gross
margins are going to be in the low to mid-70s, 73% to 75%, not low,
whatever, 70%, 75%, with the long-term gross margin security industry,
unless you're dealing with non-cloud consuming software, which is going
to be less and less of.
So that's the case of package software out there as well. It will be
hard to find a security company long-term with 80%, 85% gross margins,
which means you're not doing some major part of security that you
should be in for your customers, which means your biggest leverage is
going to come from sales and marketing. Now it goes back to my thesis,
the more products my salespeople can sell, the bigger deals they can
sell, the more leverage I have.
And we have green shoots like I can do $75 million deal, $60 million
in, it doesn't take three times as many sales people who are selling at
a deal that it takes to do a $23 million deal. So there is leverage in
our go-to-market and selling motion. There is leverage - there's still
a lot of leverage in our gross margin because it got impacted by supply
chain. In the last four years, we've built three new businesses in
addition to our firewall business. We built SASE, we built Cloud, we
build XDR. All three businesses have line of sight to get to $1 billion
in the next 12 to 24 months.
No security company has done that. but they're not at scale from a
gross margin perspective because these are all bookings and over time,
they have to flow from my revenue. When I get $1 billion in revenue,
they start becoming interesting from a gross margin perspective, which
may be three years out instead of 12 to 24 months. So at that point in
time, I can start looking for gross margin leverage across these
businesses. I think the long term - a longer term, we should be able to
improve our gross margins from where they are today, both because of
supply chain abatement as well as improving economics for our
businesses as they scale. And I think as we scale, double our revenue,
we should be able to get more leverage of sales and marketing. I think
the right math is in the low to mid-20s for operating margin. If you're
going to stay an innovative security company. And some of that leverage
needs to come from gross margins, some of the leverage need to come
from sale of the market.
Gabriela Borges
When you benchmark your sales and marketing efficiency, do you
benchmark to best-in-class security? Or do you benchmark to
best-in-class enterprise software in tech?
Nikesh Arora
It has to be best-in-class enterprise. And I'm being careful about
software tech because there are different flavors of enterprise
companies. Some have developer-led motions, which have much better
sales and marketing economics. Some have highly retention consumption
businesses, which are better economics; some are sell and run like
hardware, which has different economics. So we should end up somewhere
between the mix of a hardware company and a SaaS software business in
the future as our business scales.
Gabriela Borges
Last question on the capital structure. How are you thinking about the
right balance of debt versus equity? You have convertible debt coming
to especially now that the biggest pot of the lift on M&A, it sounds
like you're entering a new phase of maturity. A little more color then.
Nikesh Arora
I'm smiling because I find it a tough question sitting in Silicon
Valley with some of the big tech giants with highly inefficient or very
large amounts of cash. I got $5 billion of cash; I've got $3.6 billion
in convertibles. My net cash is $1.4 billion; I buy a $1 billion stock
a year. I'm going to generate $2.3 billion of cash at my guidance next
year. So he got that cash rich as compared to many of the people around
here. But from our perspective, we always have a $1 billion
authorization to buy back equity. We are focusing on bringing our SBC
down.
Opportunistically, we initiate stock buyback programs when we believe
the spread between what the market thinks about us and what we think
about ourselves is widening. And we've done that consistently over the
last two years, and we hope to be able to keep doing that.
Gabriela Borges
Thank you so much for your time. We really appreciate you sharing some
of these insights with us.
Nikesh Arora
Thank you so much, Gabriela. Thank you everyone for listening.
Question-and-Answer Session
Q -