Q&A: Check Point CEO Gil Shwed
Channelweb.com sat down with Check Point CEO Gil Shwed in his Redwood City, Calif., office to discuss the company's new Software Blade architecture, its slow expansion into the SMB and forays into the DLP space. Here are a few edited excerpts.
Tell us about recent product launches Check Point has made.
At the beginning of the year, we made a very important architectural improvement. We introduced a new architecture called the Software Blades. And that's a whole new architecture for building security that allows an organization of any size to basically put together the right building blocks for their security. You can have a blade of a firewall, blade of the virtual private networking, add to it the blade of a URL filtering or antivirus or intrusion prevention -- basically a customer can customize a system at any size at any need, at any speed, and also retain the full flexibility of expanding that system in the future.
We announced that at the beginning of the year. We're starting to get deployments, but I think it's quite revolutionary in the way people will deploy security in the future.
Does the Software Blades architecture allow Check Point to scale down to SMB or midmarket?
It does allow us to scale down and up basically. We have a lot of customers that are SMBs -- more than 10 percent of our customers are less than 100 people, so that allows us to scale to them. It allows us to scale to people of really any size. Often with the small customers, they would like to get one box that does it all and get a collection of multiple blades. Large customers in many cases would like to separate functionality and have one function on a single device. At the same time, large customers also like the approach of putting comprehensive solutions in branch offices or remote locations. So that's why we think this architecture will help customers of all sizes.
SMBs tend to like one device with multiple functionalities. But in this economy, are more enterprise companies gravitating toward consolidated suites?
Definitely. They are trying to consolidate a number of vendors. Clearly there are way too many security vendors today. Some have great ideas, but it's not that any particular vendor doesn't have a good value proposition or good technology. It's just that there are too many.
Customers are looking to reduce the complexity, reduce the budget and to cut back on the number of suppliers that they have, and the number of solutions, and our Software Blades architecture should help them do exactly that without sacrificing anything. Let's say a customer had a firewall team and I had an IPS team. We can tell him that he can put the intrusion-prevention blade into the firewall. [Customers] are much more excited and interested in that than they've been in the past because of the value proposition. It's not just the purchasing cost, it's also the operational cost of managing two devices, two vendors and two everything.
Check Point is an enterprise firewall company. But does Check Point have any plans to expand SMB focus? If so, what is your strategy?
We do, but at the moment there is no big initiative. We are developing new products in different areas of the market. At the beginning of the year we came out with a model that was less than $4,000 with full enterprise capabilities but for a much more modest price. Over time we'll have more and more products at all levels of the market.
If the customer says, 'I want cheap security,' we'll say, 'You'll have to use something else. If you want good security we will give you Check Point.' We can do both. We can give you high quality security at different price points. Some of it is finding new channels -- the right channels -- some of it is even addressing the right issues with our existing channels.
Is cost one of the biggest impediments for SMBs in acquiring security?
The cost, yes, but again, remember, we have such a variety of products that cost, it's not whether we cost high or low, it's what solution is the customer being offered? That's the big issue.
We have a $4,000 solution and we have a $25,000 solution. It's a question of positioning and right-sizing the solution to the market, to the customer requirements.
Next: What's Check Point Doing To Stay Ahead Of The Pack?
There are a lot of application firewall companies right now, such as Breach and Palo Alto Networks, that are getting noticed. What is Check Point doing to stay competitive with smaller but technologically innovative companies?
First, I haven't heard their names too often from customers who are really looking for solutions. But I think we will be better, even in these categories, than those companies. What we have continued to do for 16 years is consistently improve our platform, and consistently add to our gateway all the important functionalities that the customer needs. I think there's been a lot of 'companies of the day' or 'companies of the month' for the last 16 years that have simply disappeared, especially in the firewall space. It will be almost impossible to take the comprehensiveness, and the way the security gateway or firewall gateway fits into the customers' architecture today, and replace it with, even augment it, with a single feature. [Customers now have] very, very complex architectures, and it's not easy to come up with one trick and say, 'Let's base [competitiveness] on that.' My answer to that is in the foreseeable future we will have much stronger capabilities in these spaces than some of these companies.
While they might not have the broad customer base, a lot of these companies are touting technical innovation. What is Check Point doing to stay innovative?
I think this phenomenon is positive and good. I'm just saying that in particular, I think we will see that Check Point will have many, many of the capabilities that these companies claim to have and even stronger. By the way, that's the challenge of the entire IT industry, not just security. In recent years, it's moving from a few new companies that are creating new categories to hundreds of new companies that are creating small features. And unfortunately, most of these features cannot survive on a long-term basis.
Several firewall companies, like WatchGuard, are starting to acquire messaging security and other end-point solutions. Does Check Point have any plans to either acquire or develop messaging security or other kinds of content security?
It depends on what you call content security. If we're talking about antivirus and things like that, then we have a module, we have a software blade that does content screening and provides all of that. [It's the] same for URL filtering: We have a kind of content security service, software blades you can apply on every gateway, and apply to all traffic types.
We also have on our road map new ideas and new innovation in the field of DLP, which is completely new, that's more content-sensitive. And that's something that we've spent a lot of energy researching the last few years. Unfortunately the existing solutions are too complicated. There're some good companies there, but it's not like you can plug in something, turn on something on your network and immediately see the number of data leaks drop down. So we are trying to think a lot about innovation, about how we can change that and how we can make DLP not something that's labor intensive, or something that's almost impossible. Because eventually every company will need it , they will be able to quickly use it on their network.
Typically, DLP has had a strong play in the enterprise. Do you see DLP trickling downmarket?
There are technologies that have been hyped but not really used. DLP is one of them --now in recent years we've seen with some industries that are regulated. So companies wanted to make sure that no more than 200 credit cards leave the company at one time in the financial industry.
Same thing in health care. But in 99.9 percent of the cases, based on our customer interviews, the DLP product hasn't been used in active mode. We've generated reports and had to investigate the incident. DLP is needed by everyone. They take a big sensitive document, send it on e-mail, they hit the send button and then find out it's the wrong person, and that's a data leak. Or people send documents to their Gmail address because they want to work from home, usually not in line with the company policy. And that happens in an organization that has 500 and 50,000 employees. It's not unique to larger corporations. So our idea would be to find products that would for the most part prevent these leaks and stop them.
What's your strategy to introduce it to lower markets and make it more user-friendly?
I think the Software Blades architecture clearly is a simple one because we would just say, if you're a Check Point user, just activate the DLP blade on your Check Point gateway and here you go. No new hardware, new software, new vendors, new user interfaces, just use the infrastructure. You have to turn on the DLP capability, which is all the strength of the Software Blade architecture. For customers who want to use more security, on the other hand, they're really, really afraid of having another complex set of management systems. They like to say, 'OK, it's interesting, let's try, let's play with it, let's evaluate it. If it works, we want to route it all over, but if it doesn't, we don't want to get into the network re-architecture because we now need to put 50 new devices in 35 new locations.'
Check Point Covers In The Managed Services Arena
What is Check Point doing to expand managed service offerings?
We've been very successful in that sector actually. Many companies would like to say, 'We're not a security expert; let somebody else manage our security.' So as early as 1997 and '98 we became very active in that. And in 2000 we got pretty much all the major telco providers to use our products to provide managed security services. You can go to almost any large telco around the world and say, 'I want security services with firewall, VPN, and you'll put the equipment in my place and you'll manage it.'
And we have a product we provide that allows the managed security providers to manage multiple customers, multiple environments, from a single NOC, and give everyone their own policy, their own service. That's active and that's available and being used in many places. I think in the future we will be looking to scale that into more areas. That in the past has been two main sectors, one was very large companies used to outsource security, and hosting environments. We also have another product called Safe At Office for more SMB space and we have great tools for the managed security provider, which are much, much simpler because we're not talking about a security team and customizing a customer's security policy but about connecting tens of thousands of devices for small businesses or even home users that can get the security updates and security diagnostics from a centralized location. But it's far from exhausting the market potentially. In the future, we will invest more in that area.
What areas are you looking to expand?
It goes a lot of ways because we're doing a lot of things. But first there is innovative services, like the Software Blade architecture; half the blades that we're doing are blades that we call ongoing. Constant upgrades and constant updates. That's not necessarily managed security by us, but it's more active security. We also introduced a tool that we launched a year ago called Smart Use, in which a customer can send us location and configuration, and we have a set of tools that automatically analyzes that. And the security experts will also come back to them and tell them how to optimize their security products. This is where they might have security weaknesses and also, even more important, we see how you can make it more efficient, and increase the performance. This is an example of a service that we provide that's primarily automatic but it also requires security experts that oversee it, and we sell it with a subscription.
In general we provide the tools, and for the partners, whether it's a local partner or a large telco, we provide the managed security service. There are a few exceptions but for the most part, with our business model, in 99 percent of the cases we are the technology providers, and our partners are the security service providers.
Do you hope to recruit more managed service resellers?
Yes. I don't know if it's recruit more or get more from the people we have today. And I think the big challenge we have today is in the beginning of 2000 and in the late '90s, when there was a big buzz around that and people were investing a lot in very, very high-end markets. Because to that point, the high-end market was exploding. And I remember back then that I was fighting somewhat against that because I felt that some of that was not the right long-term solution, that not every company would pay that amount for that level of service. I think that is still a challenge today.
There's been a lot of buzz around behavior-based technology and heuristics, and some people have said traditional perimeter security is becoming obsolete. What would you say to that assertion?
Well, I wish that there were better ways we could make the network more secure, and I think [firewall companies] have a bigger part around end point and making the end point more secure. Clearly that shows perimeter security is not going away, it's becoming more sophisticated, more challenging maybe, but definitely it's here to stay for many, many years.
Check Point partners have said that its support systems, such as partner portal and wait times, are lacking. What is Check Point doing to address these support issues?
We're absolutely doing that. We're adding another technical assistance center in the U.S., helping the North American customers. We did shift in the last year and a half, in order to make more customers part of the Check Point support network, because in many cases we would like to be the first line of support. We're getting better and better reviews and rankings from these customers. And many customers were only receiving software updates from Check Point and they were unclear where they were receiving their support. That created a support problem. Because if you're getting support from the channel but the channel doesn't have the right arrangement from us to escalate and to get the back line support, it creates a support issue. For the customer, they don't know if it's the channel or not the channel. So what we've been doing the last two years is to try to manage those programs to get more and more customers to be able to buy this kind of front-line support from the channel, and more back-line support from the channel. With the move to appliances, we drastically reduce support rates, so customers can get direct support from Check Point. I believe that not all of that is completely solid in the U.S. We're sort of restructuring the programs. Europe, by the way does. In Europe, pretty much 100 percent of customers can choose -- direct support from Check Point or indirect support from the channel, but full back-line support from Check Point. In the U.S., there's still some unsolved mechanisms to resolve, but I think it's improved over the last year.
When are these systems going to align? Do you have a set deadline?
I think probably in the next year, it should be all aligned, and especially with more appliances it helps them to be. And a lot of it is business-model issues, how to do things that would be fair to the customer, to the partner, and to us.
Speaking of the channel, what is Check Point doing to help its partners through very challenging economic times, if anything?
First, I haven't seen a lot of requests for help from the channel. I don't know that there are big issues like this. We have the regular mechanism of working with the channel, and again, we are a 100 percent channel company so we work very closely with them. We are trying to, in marketing programs, leverage more and more programs. We are trying to make it easier in their organization, more economical, a more focused message. We haven't got any of the channel incentives like market development funds and so on. But let's put it that way, our market is never 100 percent efficient, sometimes these kinds of economic times are calling for rethinking to make them more efficient and effective. And that's usually a good investment, because in the short term, it's how to do things better. In the long term, when the market grows, you can scale them and do them in a much, much better way. But frankly, I'm surprised that I haven't heard too many channel issues about the economy and the recession. Maybe over the years, the channel has had more and more service business with customers, and is less affected by more sales of new products or less sales of new products.
What do you see as the next big threat? Do you see denial of service attacks being used in cyberwarfare? Is that a new trend?
Attacks like denial of service attacks we see every day. Some of these attacks are very, very easy to create and very hard to prevent. [DoS attacks are] less damaging than killing people or destroying people. It's much easier to fix than an attack on the network operation center. There're actually some efforts to stop them, but sometimes to take a service down it's as easy as sending 5,000 requests a second. You won't need the big guns to prevent it, you'll just need the developer to write something to sustain [the traffic].
It's also very hard to say when the shift from five requests to 50,000 requests a second is an attack or just an increase in interest.
But there're enough big threats today that exist in our systems that haven't been exploited enough, that haven't been in some cases protected enough. You can see that in malware at the end point, not the kind of generic viruses that attack everyone but more targeted attacks and more of Trojan horses.
If we find the right effective solution, people will suddenly start using them in a much, much bigger way.