Nir Zuk slams Check Point's lack of ambition

Nir Zuk
Nir Zuk

The Palo Alto Networks founder and CTO blasts Check Point for putting too much emphasis on profit rather than investing in growth.

Palo Alto Networks (NYSE: PANW) founder Nir Zuk, 48, has been living in California for 20 years, but has become an important player in the Israeli cybersecurity industry in recent years. Palo Alto Networks' development center in Israel has grown to 500 employees. The company is very active in Israel, having made six acquisitions totaling $1.5 billion in the country. Palo Alto Networks is the biggest competitor of Israeli company Check Point Software Technologies Ltd. (Nasdaq: CHKP).

Zuk told "Globes" about what he thinks about the cybersecurity sector ("too many startups") and about his acquisitions strategy ("competition in Israel and Silicon Valley is similar"). Above all, however, Zuk stresses the differences between Palo Alto Networks and Check Point. This is not new. Zuk previously made a habit of circulating in California with car license plates bearing the saying, "Check Point Killer," and has needled Check Point on many occasions.

Zuk is personally familiar with Check Point, having worked there for several years in the 1990s. He knew two of its founders, CEO Gil Shwed and Shlomo Kramer (the third is Marius Nacht), during his army service. In recent years, however, it seemed that Zuk had settled down, perhaps because Palo Alto Networks, founded 14 years after its old competitor, had overtaken it in market cap and revenue. Palo Alto's current market cap is $24 billion, and its annual revenue is $3 billion, while Check Point's current market cap is $18 billion, with annual revenue of $2 billion.

"Globes": The two companies have different approaches. Check Point is growing slowly, but is very profitable, while you are growing more quickly, but your profit margins are significantly lower.

Zuk: "We're the largest company in the $100 billion cybersecurity market. Nevertheless, our market share is very small - only 3-4%. This is a very special situation in the IT industry; it doesn't happen in other markets. In a situation like this, the right thing to do is to invest in growth and getting market share. I see no logic in Check Point losing market share and still putting its emphasis on profit."

Shwed talks a lot about the need for a consolidator to combine the cybersecurity solutions into a single platform, so that customers can work with a single provider of solutions.

"Anybody can say that he's the consolidator, but you can't do this if you're losing market share. It's weird. The way our market has developed, dozens of companies spring up for every little problem or challenge that surfaces, and raise venture capital. We believe that we can change this. We've also tried to build a platform that startups can hook up to but the market isn't ready for it.

"The information security problem in conventional enterprises - those that haven't switched to the cloud - is that it's very hard to do more consolidation than has already happened. It will take us 100 years to replace all of the dozens of suppliers running solutions for mobile management, risk management, and so forth. It's hard to persuade customers to take solutions outside. That's not where their heads are; it's tilting at windmills."

So you're waiting for them to switch to the cloud?

"Yes, you have to take advantage of the existing opportunity when enterprises switch to the cloud. Surprisingly, the strategy of most of the world's cybersecurity companies, especially the large ones, is to ignore the cloud. They probably believe that this is a dream from which we'll wake up one day, or that most of the customers will decide to get off the cloud. Our competitors have no cloud strategy. Even if they acquired a company for $100 million, it's not based on strategy. You can't take what we did with firewall and translate it to the cloud, and there are customers of the competitors who are buying security solutions for the cloud from us."

What did you do that was different?

"Two years ago, we decided to build a platform that would meet all of the customers' needs on the cloud. We built a platform called Prisma Cloud with the help of five cloud companies that we acquired. This was our way of accelerating processes. Today, we've got hundreds of developers who were born on the cloud, and lived and breathed cloud security for the past four or five years. For us, the cloud is a separate activity, with its own development and sales. We haven't even moved our existing engineers to the cloud."

As you said, in the conventional sector, there are a great many startups developing limited solutions. This has made it very hard for enterprises. Do you think that the lesson will be learned, and that the security market will develop differently on the cloud?

"Today, I can't envision any security company, large or small, trying to do information security on the cloud through a single platform. Customers don't want to buy 20 different products on the cloud, as happened in the conventional market, so their only option is to buy Palo Alto Networks' solutions. If it depends on me, and it does depend on me, because I'm responsible for the biggest company in the sector, it will be a more rational market that will more closely resemble other IT markets, which means less room for startups. It's not that there won't be any startups at all. Innovation is more important than other things, but venture capital investors shouldn't be investing in a new set of companies for every little problem that arises."

Six Israel startups acquired

Palo Alto Networks has acquired six startups in Israel to date. The last two took place last May: Twistlock for over $400 million and PureSec for tens of millions of dollars. They were preceded by the acquisitions of Demisto ($560 million), Secdo (an estimated $100 million), and Cyvera ($220 million). Another acquisition was of LightCyber for $120 million.

"We wanted to speed up our roadmap, and there are startups a year or two ahead of us. Our requirements were compatibility in organizational culture and location. We acquired only startups located in Silicon Valley or Tel Aviv. The third and most important thing is the ability to integrate the products in our platform. I don't want to get to a situation in which I'm selling products separately, like other companies do. It's not that these startups aren't good, but the architecture is quite different," Zuk says.

You are generous in the valuation that you give for startups

"It's a question of supply and demand. We don't waste money for nothing. You get what you pay for. Someone who buys an Internet of Things security company for $5 million gets a company for $5 million."

Large companies sometimes become less innovative. How can this be prevented?

"I don't agree that large companies have a problem with innovation. It's true of some companies. The acquisition isn't in order to develop a strategy; the purpose is to shorten processes and bring talent to the company that's hard to hire quickly, and we'll go on doing this. This is especially true in cases in which a transformation has to be made, such as from on premise (companies based on physical servers, O.Z.) to the cloud. I hope and believe that in the coming decade, we'll accelerate the pace of innovation, like we're doing now, not slow it down. Two years ago, we had only one product line - on premise. Now we've got three: on premise, the cloud, and another line of activity that safeguards an enterprise automatically."

What about Microsoft? It is getting stronger in security on the cloud, among other things through the acquisition of Israeli company Adallom. Aren't you afraid of them?

"Microsoft has been moving strongly into the security field since the time when I worked at another Israeli company, many years ago, when they tried to develop a firewall. Microsoft's solutions are good enough for a specific part of the market. I think that companies that carefully check the products and look for the best aren't buying solutions from Microsoft. There are still people who buy something if Microsoft says it's good enough.

"I looked at the startups that they acquired, and I found things that were worthless - products that don't work. It looks like there are companies that know how to check products and companies that don't. It's very difficult for customers and buyers to know what works and what doesn't, because how can you check the product? Develop a very sophisticated attack? Developing enough good attacks costs hundreds of millions of dollars. We won't sell our customers something that doesn't work and isn't the best, but there seem to be companies whose organizational culture isn't like this. For them, customers in any case don't know that it doesn't work."

"We have 100 artificial intelligence employees"

There is an attitude that says that companies have to grow from artificial intelligence, just like you say about the cloud.

"We have almost 100 employees dealing with artificial intelligence. We now have artificial intelligence in everything that we do, but I can tell you that the promise of integrating artificial intelligence in cyber security hasn't materialized, although some portray it as the future. But yes, this is definitely an area developing with us and the competition."

During the conversation, it appears that you are disparaging parts of the Israeli cybersecurity industry: Check Point, the flagship of the industry, the funds that invest in similar solutions, and startups regarded as successful

"No, I'm not really criticizing them. What I'm saying is that you can continue with the situation in which customers have to buy a lot of products. As for Check Point, when I started Palo Alto Networks 15 years ago, Check Point had $1.5 billion in sales, and today they have a little over $2 billion. For me that fact that it has the most employees in the industry - I wouldn't hire most of its employees. There are amazing cybersecurity companies in Israel, and Check Point isn't one of them. There are also amazing people, but the industry has to change, and there won't be any room for niche players."

You have been CTO at Palo Alto Networks for many years. Is the job developing in a way that gives you professional satisfaction?

"I'm not just the CTO; I'm also a founder. People often forget this. This is one of the important things, and the proof is what happens when founders leave. This makes it possible to preserve the organizational culture and promote specific things that only the people who founded the company can do - for example, to build something requiring a combination of employees from different teams, or a project that requires out-of-the-box thinking.

"As for the job itself, technical people have to choose between a management career track and a technological career track. If you choose a management career track, you have to manage a great many people in order to feel that you're making progress, and that makes it hard for you to be close to the technology. I never wanted to do the things that a CEO does, and today I manage only two people: the information systems manager and another Israeli guy who manages special operations for me. I also have no problem with someone else managing the company I founded. Over the years, I've had amazing relations with the CEOs.

Check Point: "The facts tell a different story"

In response to Zuk's remarks, Check Point said, "Check Point protects the world against sixth generation cyberattacks, while its competitors handle third generation threats. The facts tell a completely different story than the assertions made here. Beyond that, neither the content nor the style is worthy of a serious response."

Published by Globes, Israel business news - en.globes.co.il - on February 19, 2020

© Copyright of Globes Publisher Itonut (1983) Ltd. 2020

Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018