Palo Alto Networks CEO Nikesh Arora On Why ‘The Current Paradigm Is Broken’ In Cybersecurity
In an interview with CRN, Arora speaks about why the industry needs to shift to a cybersecurity platform approach and how Palo Alto Networks is ‘beginning to switch the perception’ in the debate over platforms versus stand-alone products.
Arora On The Record
Five years in as CEO of cybersecurity giant Palo Alto Networks, Nikesh Arora believes the industry transition he and his company have been pushing for—to a security platform approach rather than a reliance on stand-alone products—is now underway. Discussions about “tool sprawl” in cybersecurity are now ubiquitous, for one thing. But even more importantly, partners and customers are increasingly recognizing that there is an array of major benefits from adopting a unified platform of security products that are tightly integrated across numerous segments, according to Arora.
The industry is still in the “early stages of this transformation,” Arora said in an interview with CRN in July. However, there are now many customers who are “beginning to think about a long-term cybersecurity strategy [and] starting to build longer-term cybersecurity architectures to create this integrated platform, which gives a better outcome,” he said.
Channel partners are pivotal to this equation as well, given that many have embraced a solutions- and outcome-oriented approach to helping their customers with security, Arora said. This, too, should only accelerate as more solution and service providers realize the advantages of working with a consolidated platform, he said. “I think as consolidation happens and integration happens, what’ll happen is the partner ecosystem should see a better economic outcome because now you don’t need to understand 200 solutions, you can understand a lot less,” Arora said. “And hopefully, that means that if they understand Palo Alto Networks really well, they should be able to do really well with us.”
For his role in leading the reinvention of Palo Alto Networks over the past five years — turning it from a firewall-focused network security vendor into the provider of a platform covering most of today’s essential cybersecurity capabilities — Arora has been named the No. 1 Most Influential Executive on CRN’s Top 100 Executives list for 2023. The Palo Alto Networks platform offers security capabilities spanning from cloud and applications, to SASE (secure access service edge) and zero trust, to AI-powered threat detection and security operations.
The Santa Clara, Calif.-based company has completed 14 acquisitions under Arora to date, although he said that Palo Alto Networks has gone the extra mile to integrate the acquired technologies as a “first-class citizen” on its platform, so that they work “seamlessly” together. Doing that is far more difficult than the typical approach to M&A taken by many tech companies, Arora said.
Ultimately, as the number of cyberattacks and breaches continues to surge, it should become more and more clear to customers and partners that “the current paradigm is broken” in cybersecurity, he said. “The best-of-breed, single-vendor strategy is not working.”
When it comes to the cybersecurity platform debate, “hopefully we’re beginning to switch the perception,” Arora said. But if Palo Alto Networks’ most recent financial report is any indication, this is more than just a hope at this point: The company generated $1.72 billion in revenue for its fiscal third quarter of 2023, ended April 30, up 24 percent year over year. That beat the consensus estimate from Wall Street analysts for the quarter, despite the challenging economic environment.
Palo Alto Networks is also easily the top-valued publicly traded cybersecurity vendor with a market capitalization of $75 billion as of this writing and is nearing Arora’s goal of becoming the first to reach a $100 billion valuation.
During the interview with CRN, Arora also discussed how he dealt with his cybersecurity learning curve after joining Palo Alto Networks, his vision for making the vendor an “evergreen security company” and the revenue opportunities he sees around generative AI.
What follows is an edited portion of CRN’s interview with Arora.
What would you point to as your biggest achievement in five years at Palo Alto Networks?
As most people know, when I started five years ago, I knew nothing about cybersecurity. And I knew nothing about selling to enterprises. Primarily, I worked at Google in an ad sales role for a consumer product. I also had never been a public company CEO. So I think part of my discovery process was to sit back and think about the security industry and say, ‘What needs to happen here?’ I was faced with what perhaps was what all the traditional security specialists in the industry would say: ‘The industry wants best-of-breed. They don’t want a vendor to give them more than one thing, for the most part. They want the best thing from the best vendor in the space. And integration is not as critical. What’s critical is best-of-breed.’
The other observation I had was cybersecurity is one of the largest technology subsectors and it is most fragmented. [Palo Alto Networks was] still No. 1 at that time for [market share], and we had a 1.5 percentage share of the industry, which is not true in any other subsector in tech.
I think the part that got me the most is there has never been an evergreen security company. Security companies came in waves—there was a wave of firewalls, and Palo Alto rode that wave. And now there’s an endpoint wave. There was a SASE wave. There were other waves before that. I think the aspiration we had five years ago—at least for me and the leadership team—was how do we build an evergreen security company? So we took a slightly different perspective toward the security industry. And let’s just say we had our fair share of naysayers early on. Hopefully we’re on our way to proving them inaccurate.
What to you constitutes an evergreen security company?
If you look a decade ago, the No. 1 security company on people’s lips, or the most relevant [company], was a different one. Then five years later, it was a different one. And we’re hoping that we continue to stay relevant for our customers for as long as we can. And that requires us to be nimble and deliver the solutions they’re looking for, at the moment, not just rest on laurels and say, ‘Hey, you’ve got to get a firewall.’
In terms of this notion of needing to transform the product portfolio, was that something that was pretty clear to you before you even started the job?
No, I think [that] became clearer as I understood the industry. I can’t say I knew the industry or understood it much when I took the job. I kind of understood it, but I had to spend time with the leadership, and spend time thinking about each and every [industry] player. And it became clear that there were swimlanes—there’s the endpoint swimlane, the identity swim lane, the firewall swimlane, the cloud security swimlane, the SASE swimlane. For the most part, very few companies traversed swimlanes, which in the enterprise space is a bad thing. Because in the enterprise space, if you look at the largest companies, they sell very large deals. If you look at the trillion-dollar companies, they sell security, they sell cloud computing, they sell office productivity software, to take one example. Or look at the largest enterprise companies—they sell a lot of things to their customers. So if you have the aspiration of being a large enterprise company, you have to aspire to own multiple swimlanes and deliver value across all of them.
So that realization came through speaking to others on the leadership team and getting to know the industry better? How much of it was due to being at a cloud-focused company [Google] previously?
Some of it came from watching people like Larry Page. If you look at the tech industry, the legendary tech founders, whether it’s Steve Jobs turning Apple around, or whether it’s Larry Page and Sergey Brin founding Google. Or it’s Mark Zuckerberg reorienting Facebook—and you realize, at the end of the day, a great tech company is one that constantly obsesses about delivering value to its customers in terms of great product. Larry used to joke with me, ‘No tech company became great because they have a great sales guy.’ Tech companies are great because they can constantly reinvent the products and deliver great experiences and solutions to their customers. I think that stuck with me when I was at Google—that if the management team and the leadership of the company doesn’t obsess about building great products and delivering great solutions, it doesn’t matter how good your marketing team is, how good your sales team is—eventually it’ll come back to bite you.
So you’d say that thinking about the customer is what led you to focus on this platform approach?
What led us to this platform approach was that most of our customers have more cybersecurity vendors than IT vendors. It sounds bizarre because cybersecurity is 10 percent of total IT spend, at most. This 10 percent of spend has more vendors than the other 90 percent. This is a problem. The only way you bridge the challenge is to say to the customer, ‘What if I gave you best-of-breed in this category yet I deliver it in an integrated fashion?’ Today, we’re leaders in north of 14 categories in cybersecurity. We’re in the leadership quadrant for SD-WAN, for SASE, for network firewalls, for cloud security. So we can go back and say, ‘Listen, you want to buy best-of-breed in the top right corner of any quadrant? We’ve got it.’ Plus, on top of that, we’ll give it to them in such a way that they work together.
Think about the example that if you are suddenly suffering some intrusion in your enterprise infrastructure, and it passes through an endpoint, the endpoint sends an alert. It passes you through a whole bunch of other security vendors, and sends you an alert. It passes through a firewall, it sends you an alert. It passes through your cloud infrastructure, it sends you an alert. Then you say, ‘Oh my god, I got 17 alerts—but it actually is one event. Because you have 17 different vendors deployed, everybody alerts you in their own way. And it’s some poor security analyst’s job to try and stitch it back into one event. What if I could say, ‘Don’t worry about it—this is one event.’ I’ve reduced their alerts by 50 percent. The problem was, the industry had never seen solutions that work together that well.
This was obviously a little bit of a leap when you first started on this idea, but do you feel like it’s still contrary to the usual assumption about how to deploy cybersecurity tools today?
Hopefully we’re beginning to switch the perception. That’s what we see with some of our largest customers. They understand. If you look back historically, the number of breaches and attacks are the highest today than they’ve ever been. So clearly, this idea of chasing best-of-breed and integrating [the tools] yourself is not working because there’s still more breaches, more attacks, more ransomware. If the idea was working, it should be the reverse. So clearly, people have seen that the last strategy has not worked. They’ve got to look for a different strategy. And today, the conversation is about, how quickly can I detect a threat? How quickly can I remediate it? And if I get breached, how quickly can I stand back up again? So the conversation is becoming not just about cybersecurity—it’s becoming about cyber resilience, it’s becoming about mean-time-to-resolution. And that’s something we offer.
In terms of you coming in without a security background and without an enterprise sales background, what were some advantages and disadvantages of that?
The advantages were we could take a look at the industry slightly differently, from first principles and say, ‘What the customer eventually needs has to be more automation-driven, has to be more machine-learning-driven. And it has to be something where multiple things work together.’ However, what we cannot do is we cannot go and reinvent the past. We can’t go back and say, ‘All this stuff is outdated, you’ve got to take it out.’ So we have to identify the trends of the future and deliver that integrated experience and the trends of the future. So we identified the cloud as a big trend, which is clearly proving itself out. We built an integrated cloud security platform. And we built an integrated SASE platform to navigate cloud traffic.
I think you will see more and more consolidated outcomes in the industry. And I think you’ve got to distinguish [the difference with] ‘true’ consolidation. One way you can interpret consolidation is, ‘Oh, let’s buy some companies in identity and email security and cloud security and put them together,and sell them together.’ Well, that’s consolidation, yes, but that’s economic consolidation and financial consolidation. I think a better word for what we did is that we did an acquisition-integration. Because customers need to make sure everything works together. And that’s a little harder [than financial consolidation]. The way we’ve done it in the last five years is we actually go look for companies where we believe that their offering would build value to our customers. Then we spend time working with them in an integration plan. Then we spend anywhere from six to 18 months integrating their tech into our stack, and making sure that it’s not sending you two alerts, it’s sending you one alert—and hopefully, one less alert. That’s a very different bar toward consolidation-integration.
One of the common conversations that I’ve had in the last few years with many of our customers, as well as our investors is, ‘Nikesh, a lot of M&A doesn’t work.’ And I agree, it doesn’t work. It only works if you don’t actually treat it as a merger and acquisition, which is a financial term —but you see it as a product integration opportunity. You ensure you can integrate that as a first-class citizen as part of your platform, so it works seamlessly. And that [approach is] just harder. I f you look at what we’ve already done, I’d say more than half of our acquisitions have been in net-new spaces where we haven’t played. So there’s very little overlap, very little contention. That’s why we steer clear from overlapping acquisitions. We always look for adjacent spaces and then we try and figure out the points of integration and how we deliver value to our customers as an integrated solution.
Palo Alto Networks CPO Lee Klarich
What were the challenges of not knowing the industry when you started?
There’s two different sets of challenges. One set of challenges from not knowing the industry is I always needed the support and wisdom of my product colleagues and my founder. Because these are the people who have done security forever. It’s something they understand. [Founder and CTO] Nir [Zuk] and [Chief Product Officer] Lee [Klarich]—I call them ‘my partners in crime’—are amazing first-principle guys. They can sit back and think about the problem and say, ‘Yes, this is going to enhance our ability to deliver a solution.’ Or, ‘No, this is not going to enhance our ability to deliver a solution.’ So [I’ve had] them be my sounding boards, my co-conspirators—somebody who I can rely on heavily to help make great decisions for the company.
[Before] I joined Palo Alto I went through the interview process, and the board said, ‘Yes, we’d like you to come take this role.’ And I said, ‘Wait, I’d like to go back and talk to Lee Klarich and Nir Zuk’—the two technical founders. And I said to them, ‘Listen, I’m coming in and I don’t understand a lot about security, so I’m going to rely on you, No. 1. And No. 2, I might have some disruptive, nonconventional ideas so you should understand what you’re signing up for.’ And so they wholeheartedly embraced the idea that we were going to be disruptive and do something different. And I would say, down to a tee, they have both been supportive and very forward-leaning in what we’ve been able to do from an M&A perspective.
I think one of the other challenges was, we were a firewall company. We had 5,000 people in the company [in 2018]. We really do a phenomenal job of being the best firewall company in the world. The question was, how were we going to transform from being just a firewall company to being a great cloud security company, to being a great AI-driven SOC company, to being a great SASE company? That required both a transformation in our processes and our technology and our systems but also a constant training of our people, them being open and willing to participate in this transformation, us making acquisitions and integrating them. So today, we’re about 14,000 people, almost three times from what I inherited five years ago. So between retraining people and their willingness to embrace the fact that we were going to transform Palo Alto Networks, and the acquisitions we made, we’ve had the opportunity to transform the culture and, I’d say, create this innovation mindset.
Do you feel like it was pivotal that you didn’t come in with an attitude that you knew everything already? That you were open to learning?
I still don’t know enough. Literally the next two phone calls I have is on network security and cloud security because I have a few questions. And I read a few things, and I was curious about something. That constant curiosity—that constant desire to disrupt ourselves—is something that I brought to the team. People today will say, ‘Oh come on, Nikesh. Don’t say that, we don’t believe you.’ But I still don’t know enough [about security]. And I’m very open about not knowing it. But that is what allows me to ask the questions. Sometimes that forces [others] to ask the question, and say, ‘That’s a good question, we never thought about that.’ So I don’t know the answer, but I’m good at asking questions. So maybe that’s what’s been helpful for us.
On the flip side, I do have a sense of how businesses need to operate. I do understand relentless execution. That was something we did at Google. When I joined Google, [it was] a $2.5 billion revenue company. I think they do that [revenue] in a day or two now. So we built this huge execution machine at Google over time, in partnership with all my colleagues there. And I think I brought that to Palo Alto—how do you take something and build a scaled business out of it? So I think combining that with Nir and Lee’s foundational thinking [was important]. And I’ve had lots of amazing partners in crime—our president, BJ Jenkins, who used to be CEO of Barracuda, he’s one of the best go-to-market people out there. Or [Chief Business Officer] Amit Singh, he’s got an amazing brain. So I also surrounded myself with great people. Having natural curiosity, surrounding yourself with people who are direct and who are great execution people—and then some amazing specialists who understand the market—it’s kind of the winning team combination.
You’ve also benefited from a lot of tailwinds at Palo Alto Networks, of course. What aspects of your accomplishments would you attribute to good calls versus to tailwinds?
Well, you have to identify the tailwind. What we’ve been doing is we identified the cloud security wave. We were early. We identified the impact of cloud security on the network security business, and we built our entire SASE business from scratch. When I started, there was only Zscaler that did what we now call SASE. And I said, ‘This is an area which should get impacted when cloud takes off. We should invest.’ So it wasn’t just a tailwind. It was identifying the opportunity and building the capability to execute into that tailwind. Or [consider] cloud security—we have the largest platform. But [when I started] we had just bought one company—Evident. We looked at the market, understood where the puck was going. There are probably 1,000 cloud security companies out there—we identified six or seven of them and bought them. But that required me, personally, to meet north of 300 cybersecurity companies to decide on the ones we wanted. So yes, we had tailwinds, but tailwinds have to be executed against.
I don’t think the tailwinds are over. I think cybersecurity will continue to become a more and more relevant space across all of our customers. Every customer is becoming more technology-reliant, not less. Everybody wants to implement generative AI—that’s the next wave of tech. But the cloud, mobility, the internet, generative AI, e-commerce—all these trends are all manifesting themselves in every company. And the more they’re technologically reliant, the more they need to ensure that there is security around the enterprise, around their customer interaction. So I think security is going to have very long-term [growth]. I think the consolidation theme is just beginning to take shape. I think we will see continued integrated-consolidation at platforms in the next 10 to 15 years. Hopefully, I think there’ll be not one, but multiple $100 billion cybersecurity companies, possibly some even bigger.
And you’d expect Palo Alto Networks to be among the ‘even bigger’ ones?
We are, I think, the largest one today, and we hope we can continue to execute in this tailwind environment and continue to go deliver what our customers want. If you ask me, ‘Who’s my competitor?’—my competitor is ourselves. We’re competing against ourselves because we’re trying to make sure we can deliver the best solution to our customers. Is CrowdStrike a competitor? Zscaler, Microsoft? We have 3.5 percent of the total cybersecurity market. So I don’t have to compete with people around me. I have to compete with my own ability to execute and deliver solutions to my customers. The better I do that, the more solutions I create, the more I can convince a customer that we’re the right choice, the biggest share I can have. In a way, it’s kind of not at the expense of everybody out there. Over time, technology changes, companies evolve, some will go by the wayside. We can be a bigger and bigger company as long as we keep executing our vision and delivering great solutions. We don’t have to go out and say, ‘I compete with X or Y.’
How are things progressing in terms of your efforts to focus more on go-to-market and channel partners?
What has happened in the last five years because of the huge evolution of the cloud, I think the cybersecurity industry has separated from the IT industry. The IT industry was very product-centric, and there was a whole set of solution players, which was somewhat independent. I think cybersecurity is not just a product business—it’s becoming more and more a solution business. So what you see is that even our traditional partners are building solution capability. Customers need not just products—they need advice, they need transformation, they need integration. They often need managed services to deliver security because security is a complicated product. So what you’re seeing is the partner landscape has been amazing in transforming itself to deliver more of a service orientation and a solution orientation. Our aspiration is not to be in the services business. Our aspiration is to deliver the best products—simple to use, more secure, with the ability to deliver the outcomes the customer wants. And we want to make sure that we go lockstep with our partner ecosystem so they have the service capability and we can deliver the products to them and with them to our collective customers.
So there’s been the emergence of more solution-oriented, integration-oriented partners—whether it’s the systems integrators who are making a bigger play, or even the telcos are making a bigger play—and traditional partners, who were originally hardware solution sellers, now they’re actually getting the software solution business. So I think we’re lucky to be part of a very robust ecosystem. It’s a symbiotic partnership. The better we do, the better they all do. And I think those tailwinds have been equally shared and relevant with the partner ecosystem. So I think it’s a secular trend which will benefit both the partner ecosystem and us over the next 10 years.
We can’t deliver the products to our customers without our partner ecosystem being trained and ready to be in an advisory role to our customers. And I think a lot of them are stepping up to the opportunity or challenge. I think as consolidation happens and integration happens, what’ll happen is the partner ecosystem should see a better economic outcome because now you don’t need to understand 200 solutions, you can understand a lot less. And hopefully, that means that if they understand Palo Alto Networks really well, they should be able to do really well with us because we have larger and larger deals to do, larger and larger customers to satisfy, and actually allow them to generate a reasonable margin profile against that.
Even just during the first half of this year, have things been moving up to another level in terms of what you’re doing with partners? Can you say anything about what’s going well or what’s accelerating there?
If you look at the first two quarters of this fiscal year for us, the proportion of business we do through some of the key partners who are building services capability has increased. Whether it’s our traditional partners’ services teams or transformation teams or cloud adoption teams—or whether it’s MSSPs with network transformation skills, or systems integrators with cloud security skills or SOC transformation skills— you are seeing a clear trend toward more solution orientation [by partners] for the customers. They don’t want to buy just a product. They want the partner to be a first-class citizen solutions integrator with us. As I said, I think it’s still early. You’re going to see this happen over the next five to 10 years.
What are some of the emerging opportunities you’re focused on right now?
The last three or four months we’ve seen this juggernaut called ChatGPT, and generative AI seems to have caught everyone’s fancy. The way I parse it, security companies have been doing deep learning, machine learning already. If you look at the security industry, we ingest a lot of data. We process a lot of data. And part of delivering security, for us, requires us to understand the data and deliver a security solution based on data. I think what is new from generative AI is this notion that it has great natural language capabilities. It has great capability to summarize data. I think you will start to see that get manifested in security products. We will all have natural language interfaces, we will all have some sort of generative AI that’ll be used to summarize information and share with our customers. I think that product transformation is going to cause both a bit of risk with AI—‘What do I do with all this data in my company? Is it going to get shared with a whole bunch of [Large Language Models] out there? How do I build security around it?’ People will require integration services and support around, ‘What do we do with this?’ So our partners need to step up and help our collective customers through that challenge. We have to step up and build more products that cater to that idea of generative AI, and the threats created by that. We also have to make sure we treat it like a first-class citizen and embrace it wholeheartedly to deliver products which leverage generative AI.
Is that a major revenue opportunity for you? Could generative AI be a business growth driver for you?
I think you need new products which actually help you protect against the potential bad acts of generative AI. The biggest opportunity is you need a lot more data, and a lot more data means you have to have more cloud resources. You have to ingest more data to the security solution. So I think our customers are getting to understand that you’re going to have to hold on to a lot more data [than] in the past. It should definitely create more opportunity—both in the cloud space as well as the data ingestion space—not just for security companies but for tech companies.
What do you wish people were more aware of about Palo Alto Networks?
I think we are in the early stages of this transformation in the security industry. It’s becoming apparent to us that there are customers who are beginning to think about a long-term cybersecurity strategy. Some of the forward-thinking customers are starting to build longer-term cybersecurity architectures to create this integrated platform, which gives a better outcome. And a better outcome is my mean-time-to- remediate security issues is a lot less today than it was one year ago or two years ago. As you start thinking about it from an outcome orientation, you actually will make different choices of what cybersecurity companies you partner with. That is something I would encourage our CISO friends and CIO friends to embrace—that the current paradigm is broken. It is not working. When I say ‘current,’ I mean the prevalent paradigm of having best-of-breed solutions, with which the onus of integration is on the customer. I think that is not working. We have a shortage of 3 million security specialists in the world. If you don’t have the specialists who are going to integrate this for you and monitor this for you, then you’ve got to rely on more integration coming from the industry. So platforms are more important, integration is more important. The ability to parse through a lot of data and find the true positive, in terms of the true threats, and being able to remediate them quickly, is the call of the hour. And that requires more AI and more machine learning to be deployed against it—more automation. So from my perspective, our CIO/CISO partners need to know that they have to embrace the notion of integrated products and platforms in securing for the future because the best-of-breed, single-vendor strategy is not working.