Palo Alto Networks, Inc. (NASDAQ:PANW) Goldman Sachs Communacopia + Technology Conference September 13, 2022 2:30 PM ET
Company Participants
Nikesh Arora – Chief Executive Officer
Conference Call Participants
Gabriela Borges – Goldman Sachs
Gabriela Borges
All right. I think we can go ahead and kick it off. Thanks, everyone, for joining stage two. Delighted to have on stage with me, Nikesh Arora, CEO of Palo Alto Networks. I’m Gabriela Borges. I head up the emerging software vertical here at Goldman Research. Thank you so much for joining us this morning.
Nikesh Arora
My pleasure. Thank you for having me.
Gabriela Borges
So, I wanted to start on the platform question, which I know you get in essentially every fire side chat that you do. So, I thought I would ask it in a specific way, which is why do you think Palo Alto has been successful with its platform approach when many other security companies have tried and failed?
Nikesh Arora
Yes. Gabriela, when I started Palo Alto four and a years ago, and I walked around the industry, both you guys and the customers said, we’re not looking for vendor consolidation. Vendors are specialized in their swim lanes and – we’ll buy best-of-breed. And if you look at the history, very few companies offered you best-of-breed in multiple categories. So, we set off – set about a task of trying to see how we could build best-of-breed capability in multiple categories. We’ve got 14 companies. Our last year, we did 49 product releases, which is more than we did in the first 10 years of the company.
And now we rank in the top right quadrant on 11 different categories. We used to rank in one called firewalls. And now when customers see wait, I can buy you and your best in this category too and it works behind, it’s connected. But can I buy it individually? Yes, you can. Can I buy it together? Yes, you can. Does the integration work will I buy together? Yes. Does the integration work with others if I don’t buy you? Yes. So now we see that customers are happy to buy because we’re not locking them in. We’re giving the best product that’s available in the market in that category, and we’re providing the benefit – integration is a benefit. It’s not a selling feature.
Gabriela Borges
Yes. Yes, that makes sense. The other trend that you’ve discussed in terms of which markets you choose to participate in? Is this idea of an inflection point. Inflection point that’s happen in firewall as an end point. Knowing for an inflection point in cloud because that’s the greenfield opportunity…
Nikesh Arora
Itself is an inflection point, yes.
Gabriela Borges
Well, let me ask you specifically about the SIM market.
Nikesh Arora
The what?
Gabriela Borges
The SIM market.
Nikesh Arora
Right. So interestingly, if you look at the history of security, what has happened is, it is one of the most innovative markets in the world. Because every day, when you figure out the solution for the current – the bad actors are figuring out the next act, they’re not busy perfecting the last one. So while we’re building a solution to the problem for today, they’re figuring out how to break into your business tomorrow. Towards that point, over time, what happens is as technological changes happen, your solutions become old and an inflection point arise where the industry has to reinvent itself. And typically, the reinvention comes from outside the industry.
Look at the endpoint market. Symantec and McAfee shared the line like for many years, and EDR came about and suddenly you hear only about CrowdStrike, SentinelOne hopefully Palo Alto, right? So the inflection point came, there was a reason to change your technology. Until then, there is no reason to change, in which case, it’s a much tougher fight. The endpoint industry saw the inflection point. I think we’re thinning down to three vendors. It will be CrowdStrike, us and SentinelOne. Look at SASE. SASE was not what Interac started with. Suddenly, you’ve heard in the last two years, its business was SASE. We’re one of two vendors in SASE. We made that about three years ago.
We figured there’s an inflection point coming, driven by everybody wanted to go to cloud. If everybody is going to go to the cloud, your fundamental network architecture has to change. We anticipated the network architecture. We had 26 people working on the product. We have 800 working now in three and a half years. Infection point was coming in cloud. If you’re going to move to the cloud, every security vendor chases the category called CASB. And I said in the math is a 80% of the applications are developed at home, 20% are package applications. There’s no solution for 80%, everybody is chasing the 20% market. We bought seven companies integrated them in public cloud. We are the largest player in public cloud in the last three and a half years because that was the inflection point. So sorry to take you there, but I want to make sure we understood.
Gabriela Borges
Helpful context.
Nikesh Arora
I think the next inflection point is in the SIM market. SIM is a 15-year-old industry technology. There’s things like LogRhythm, QRadar, Splunk, JAS [ph], Sumo Logic, Exabeam, Devo, all of them. I looked at everyone of them. I think they have not reinvented their platforms based on what’s available today. All of them have taken the approach that security alerts need to be in a data store, and they need to be manually queried. Well, that worked in the past, when your biggest security challenge was to figure out how the breach happen? Now the challenges stop to breach while it’s happened.
The only way you can do that if you have a normalized AI-enabled data lake, which means you have to know the source of data. So the old model you can put 40, 60 security vendor data into one large data lake and solve the problem, is going to become defunct, you’ll need a clean identifiable single source of truth data lake. So we’ve spent two and a half years building that. We have taken our own response time at Palo Alto from 27 days to under one minute. And every customer needs to be under that minute because your breaches are going to come real time, and you have to stop them real time. So that’s the next inflection point. It’s early. It’s almost an incubation project. But I think we’re sitting at two to five years. So now we’ll be talking about how that market call reinvented by that strategy.
Gabriela Borges
There’s a concept embedded in your comments on technology potentially taking share from human capital in the SOC. Is there a scenario where your innovation in SIM also solves the human capital problem in security because of the data approach that you’re taking?
Nikesh Arora
Well, I think the current conversation cybersecurity industry is saying we need faster horses because the chariots need to move fast. It’s like they’re not thinking like Elon Musk. You can autonomous cars. You cannot get faster horses because you can’t have enough horses to solve this. I mean look, we’re talking about quantum computing in the other end. Quantum computing has the ability to break every encryption key. Are you going to send a human to go to place the key. No, you can’t do that. You need to solve the problem of security with automation and AI. And you can’t do that unless you have good data. And we’ve never had good data in the industry on a cross-vendor base. We’ve always had it in very specific swim lanes for vendors. That has to change.
Gabriela Borges
The segments of the security market that you choose not to compete in today because there isn’t an inflection point. Do you see a scenario or are there other end markets adjacent to you that you think are likely to also inflect so that your platform becomes broader over the long term?
Nikesh Arora
Well, the good news, Gabriela, I’m old enough to have watched various technology cycles. Every flavor of the decade eventually got out-innovated by the next generation, right? And you’ve got a bunch of companies there. who talk about living on the shoulders of giants of the past. So, I don’t think that problem goes away. I think every sector will have an inflection point at some point in time, and they will have to get reinvented.
When we started four and a half years ago in this journey of transformation, I was asked by the branding people, what are the two things that Palo Alto needs to build their brand around and needs to get really good at culturally? I said, the number one thing we need to be known for innovation and security, because this is the fastest innovative market. And the second thing we need to be known as to be a cybersecurity partner, not a vendor. And in that context, every one of the [indiscernible] will get out innovator at some point in time. The question is, do we out-innovate ourselves or we get out-innovated?
And I know every tech company comes talks about that. And hopefully, we’ve demonstrated so far in the last four years that we have been able to pay our technical debt, get back on the innovation bandwagon and hopefully stay paranoid and stay there because if we don’t stay paranoid, maybe two guys in Israel or two guys in India or two guys or two gals in San Francisco or whatever, who’re going to out-innovate us. Probably it’s two for some reason. I don’t know why?
Gabriela Borges
While we’re on the topic of innovation. What do you think is the next big technical challenge that you’d like to focus on internally at your company, either based on feedback you’re getting from R&D or feedback from the customers, what do you think is the next big technical hurdle that you would like to be solving?
Nikesh Arora
We had 5,000 people at Palo Alto Networks in my least favorite city in the world last week, not far from here in Vegas, and they want to do a sales kickoff. And I was able to plead with my former boss Eric Schmidt to come talk to us for 45 minutes. And he makes a very compelling case for AI. And I don’t think we have deployed AI in any meaningful way in any industry in the world. And the problem is, we have bad data. If you don’t have good data, you’re not going to be able to deploy AI. Does it make sense that we go to a radiologist and get our scans looked at, you don’t have to if you had good data and good diagnostics, you should be able to have that done using AI.
And if you look at every industry, there are 50 examples or housing examples where AI can be deployed if we had good data against we deploy. We’ve deployed more than a million firewalls. Every time we deploy a new one, it doesn’t understand which environment is saying, it should now right now it’s been done a million times. So, we need to get smarter about applying AI within our own company, within our own industry. So our biggest challenge as a company right now is to understand our data well enough that we can use the data, create predictive capability within our products, so our customers have a much more easier life than expecting humans to understand everything and take really complicated products and deploy them effectively.
Gabriela Borges
I have an AI-specific question for you, which is based on your comment from last week at an investor conference. The GCP AI tools that you’re embedding within Palo Alto Networks and some of the value that you’re able to extract, would love to hear more what are you doing with GCP on AI?
Nikesh Arora
Yes. Look, I spent any as a Google and I came to Palo Alto, I burned the ships. I said shut down our data centers. If I’m going to run 100 million customers worth of data across our pipes on SASE in the future in 10 years from now, if I’m going to deliver zero latency capability around the world, 120 countries, I either have to get very good at running my own data centers or I have to rely on somebody else who knows how to. I think if you take your pick, whether it’s Google, whether it’s Amazon, whether it’s Microsoft, I think they’re going to outclass every one of us companies trying to run 150 countries with the data center. It’s a matter of time.
So I’d much rather get on that bandwagon early, learn how to leverage their capabilities and be willing to pay the slight premium that I pay than trying to run 100 million customers worth of data and network traffic on my own home-grown data center. I think sub $20 billion revenue companies running their own data centers globally is like the mom-and-pop store against Walmart. So, I think we’ll see how this bears out over time. But these three guys have 42,000 people selling cloud capabilities around the world. They’re spending $20 billion plus a year. I don’t have the intellectual bandwidth, the human capacity, the capital required to go beat them at running a much more efficient and much more AI-enabled data center.
Gabriela Borges
And I have one or two more questions on the concept of innovation. So this idea of being able to out innovate and maintain a barrier to entry versus other companies that may also try to take advantage of inflection point. So first part of the question is, there are so many private companies and securities. When you meet with private company found as CEOs, how do you establish whether they have something real or whether it’s style over substance?
Nikesh Arora
Yes. That’s a good question, Gabriela. You learn something at every place you work. So, I’m not a product guy traditionally. I’m a very product-aware guy. So, I have no pride of self sort of development. If I find something – somebody else is doing it better, my job is to embrace them and get them to Palo Alto. If my team can build it better, I’ll have my team builder. And there’s always an integration question. And I spent too much time in the tech industry why where if I heard every time, give me 10 more engineers and $5 million, and I can beat Netflix or WhatsApp or Facebook, I have worked for amazing companies. But it doesn’t happen like that.
So you have to recognize the talent and the genius when you see it. I saw north of 300 cybersecurity companies in the first year at Palo Alto, myself. I sat in those meetings. So, I was learning cybersecurity, and I was trying to assess, when they tell you what works, what doesn’t work. So hopefully, between me, our founder, Nir Zuk and Lee, who’s our Chief Product Officer, we built some pattern recognition in terms of what works, what doesn’t work.
Even today, we scan 10 to 20 companies a month, even though we’re watching from a distance see where technology is going, where the business is going. And surprisingly, they’ll be a very candidate come share what they’re doing because they believe we’re still the dinosaur and we’re not going to be able to out-innovate them, which is great. So they’ll come and share their stuff. And then at some point in time, we like something a lot, we believe is going to have a huge TAM in the market. we’ll embrace them. But we’ve always bought number one in the category. We did not buy number two or number three. Things trade at number two or number three for a reason because they are number two or number three, and it’s much harder to spit and shine number three, and make them win against number one. Because there’s something that’s not working. So you buy number one.
We retain the leadership team and make our people work for them. Most companies will buy and fail. Meet my Head of Bitcoin. He’s going to have you work from now. These guys kicked our ass in the market. We were a large player. They deserve to run our business instead of us running their business. So, I have – of the 14 companies we bought, majority of the founders still work at Palo Alto have big jobs running that business for us. And we buy product because go-to-market, buying customers, I don’t have to pay 10 times the revenue to buy a customer. The customer is not worth 10 times their revenue. So if we buy product, we integrate product, and we deploy our go-to-market capabilities against them. So far, so good. We’ve – I think the majority of our acquisitions are working, which is hopefully different from most other tech companies that do acquisitions.
Gabriela Borges
It leads into a more specific question on R&D priorities, which is talk to us about some of your philosophy on having your R&D organization be as nimble as it is. You’ve already touched upon getting the founding teams to stay and integrating the product into your organization. Other things that are top of mind when you’re thinking about investing in R&D and the structure of your R&D division?
Nikesh Arora
Yes. Look, I think if you look at the numbers, you realize – we’re a different company than we were four and a half years ago. four and a half years ago we have 5,000 employees. So we have 13,000. Net 8,000 new employees in the company in four years. Of the 5,000, probably, 2,000, 2,500 are new because they left, a new 2,500. So 80% of Palo Alto is a new company. These are not people who used to be firewall people. They are now cloud people. They’re now AI people. They are now XDR people. They’re SASE people. They are new salespeople who’ve been able to sell all these things to the market. So, we’ve transformed the company whilst we’ve been going through this innovation transformation as well as testing our products in the market from a go-to-market perspective.
In terms of R&D, we try not to look at acquisitions now that require us overlapping integrations because when we started the journey, we had a lot of holes in our product strategies. We could acquire things and laterally integrate them. I think it’s the case of depth, if you buy something that is exactly what you do and try and merge the two technologies, it never works. Hasn’t worked in the industry ever, end up with two products in the same category, end up with a really bad culture and an outcome for your company. So our R&D thinking is based on where can we put big bucks.
And in every product category, we have two simple tests. Test number one, will this be a reason to a buy? Or is this a reason to lose? What do I mean by that? What I mean by that is if I build this feature, will the customer want to buy me over everybody else. Or if I don’t have this feature, will I be just qualified? That’s two different philosophies. And the first one, you have to make it so cool and so wow, people is, “Oh my God, I want this.” And the other one says, “Oh, you don’t have this, right?
Gabriela Borges
[Indiscernible]
Nikesh Arora
Exactly right. So every incremental investment we make of significant size is always measured against those two benchmarks. And that dictates the kind of people, the kind of product means management required and the kind of effort required make something wow and to make sure we have this.
Gabriela Borges
Last point on the topic of innovation, which is there’s this maturing security where budgets are up into the right, and companies believe they’ve underinvested budget has to go up. At the same time, many of the innovations that you’re delivering actually drive ROI. And – so the question for you is, do you think security as an industry is inherently inflationary or deflationary because if companies do it right, they can actually flat line or moderate the pace of increase in security budgets in any year-on-year?
Nikesh Arora
Look, I think there’s two parts to it. I think we’ve chronically underinvested in security generally. And it’s because it hasn’t been important, right? Not everything was connected. And the pandemic shown sort of big light on security. Because suddenly you realize everything had to be technically enabled. I was using this example earlier – in a prior meeting where the retail company of the past was a retail store with a point of sale, and you could take a SIM card base point of sale device and sort of wave it in the air, find 3G connection and charge your customers’ credit card.
Today, every retailer wants to have AR, VR in the store, wants to give you instant inventory capability. Tell you if it’s not in the store, I can ship it to your house, and it’s like bringing Amazon to the till in every store. That requires technology. That requires pipes that go into your store. That requires an SD-WAN box. That requires security at the edge. So, you’re turning large traditional businesses into very strongly tech-enabled businesses. The more you spend on tech, the more you need in security. Now, you need more security because you never had to secure your store. You never did. The budget in there to secure my store. Your tax surfaces expanded.
And then unfortunately, you bought security like you bought technology. You bought one of each. I want to make sure there is a Dell server and HP server. Let’s make sure there’s a Fortinet firewall and Palo Alto firewall. Well, it doesn’t work like that. No city has two police forces that don’t talk to each other. Try running a city like that. It’s going to be very hard. We have 40 vendors in a customer, which exist simultaneously. The security problem is not mine, is to customers. It’s their job to integrate 40 vendors, I sell them 40 different kinds of security solutions. That paradigm is changing, right? And I told you, we took down our number of vendors at Palo Alto down to less than 10, and that’s how we got to under one second real-time mean time to respond. Eventually, that’s what securities to become because if your business is shut down, you’ve seen that by where the bad actors are not watching and not paying attention.
Cybersecurity has gone from a hobby to profession. The number of ransomware attacks have gone up, 1,600 attacks, each attacker wants $1 million. So a there’s money to be made here because I can impair your operation. So, I think we’re in a very long secular fix of security. Once it normalizes, we can talk about deflationary, inflationary, but it’s not normalized yet.
Gabriela Borges
The retail color is very helpful. Based on your customer conversations, are there other industries, perhaps industrial and manufacturing, where you feel that there is a catalyst path perhaps to essentially take securities funding a step function?
Nikesh Arora
Well, before when we get into other industries, just think about this cloud transformation.
Gabriela Borges
Sure.
Nikesh Arora
Right? You’ve got 42,000 salespeople for three of the largest tech companies out there telling everyone they have to go to the cloud, that’s the existential threat. So everybody is out there going to the cloud. Do you think anybody is shutting their data center the first day they buy something in the cloud? No. They’re waiting to lift and shift their application, they’ll sunset them later. So this huge surge of income cloud spending and every cloud instance has to be secured.
***20***
***20-End****
You’ve got 42,000 salespeople for three of the largest tech companies out there telling everyone they have to go to the cloud, that’s the existential threat. So everybody is out there going to the cloud. Do you think anybody is shutting their data center the first day they buy something in the cloud? No. They’re waiting to lift and shift their application, they’ll sunset them later.
So this huge surge of income cloud spending and every cloud instance has to be secured. So there’s a huge technology trend of cloud security required. It is also driving SASE, driving cloud security. So there’s a whole bunch of secular trends that are going on. Will everything fall neatly into quarters? I don’t know because that’s how the Street likes it. That’s how we have to go deliver it. But I think from a longer-term trend perspective, there are some very strong forces driving these changes. And you take manufacturing. Everybody wants to suddenly do OT and IoT security. You take critical infrastructure. You take the Colonial Pipeline, you want to make sure your pipeline is secure, and the big risk is not somebody coming and punching the hole.
The big risk is somebody shutting it down to cybersecurity attacks. So I think there’s a large security awareness that’s kicking in. I wouldn’t be surprised if there was an SEC regulation in the next one or two years asking for more disclosure of security incidents and more requirement of Boards to pay attention to security. So I think we’re going to get to a new normal. Once we get to the new normal, we can talk about inflationary deflationary.
Gabriela Borges
I’m not going to ask you about a quarters but I would like to ask you…
Nikesh Arora
You can, you should, that’s a little bit.
Gabriela Borges
And sent to you over the next fiscal year because you are one of the first companies to provide an outlook, that goes into the next 12 months. And so as you worked with your finance leadership team, how did you think about some of the factors that could be less predictable over the next year?
Nikesh Arora
I got a secret for you. Every next year is unpredictable. It’s not like next year is particularly unpredictable, but yes, maybe a little more so. Like as of now and every day things are evolving and saw the tech rec this morning. So maybe everybody believes a 100 basis point increase in the future, not 75, whatever you guys decide is important. But the customers are still not seeing all the macro impacts as we are all expecting.
There’s been revenge spending in services and hospitality and airlines. There is supply chain constraints in tech. There is commodities at all-time high. Oil is way better today than it was two and half years ago before the pandemic. So there are certain subsectors which are not feeling any impact, certain subsectors are. Retailers feeling more impacted than they felt two years ago, but does that mean they were shut down their transformation product – project or bringing Amazon to the till.
Are they going to take Amazon on and say for the next year, I’m not going to spend on tech, but Amazon have a free ride because I’m going to wait until the market improves going to start spending on tech. So I don’t know the answers to this. Have I seen belt tightening? Yes. There is some belt tightening. Can I push this to the next quarter? Can I not do this right now? Do I really have to pay as much? Can I pay you later? But that’s normal course of business. That doesn’t change the long-term demand curve for me.
Now if you’re telling me in six months from now, we’ll be sitting at 6% Fed funds rates and the world is going to be very different. I don’t know how to predict that, nor do I plan for tremendously diverse scenarios in my planning. I have anticipated supply chain effects. I’ve anticipated inflation in my numbers.
I anticipated some degree of belt tightening in our numbers, but still there is a secular trend that we’re writing. And then I’m inspecting a lot more than I ever did. I have 5,000 people there. I spent 70% of my time in the first four years of the company on product. Now I’m spending 70% of my time on go-to-market, going my field forces out to the customer, understanding if there’s a real deal there. How big is the deal? What do I need to get it done. So we’re doing what you’d expect us to do as management. And depending on where the chips fall, we’ll see where the world falls. But all I would say is I feel a lot more resilient than other tech companies, and I feel a lot more comfortable than non-tech companies in the current market.
Gabriela Borges
It’s a nice transition to the factors that you can control, such as with your go-to-market. And so you alluded that to spending more of your time on scaling the go-to-market versus product over the last four and half years. Top one to three priorities for your sales force this fiscal year?
Nikesh Arora
Yes. Look, we have approximately, it’s a 13,000 people, roughly more than half of the people are focused on selling and supporting our customers. So it’s a large enough team. And as I said, big tailwinds of the world are SASE, cloud, cloud transformations and automation of the SOC in that order. We’ve just merged our firewall team and our SASE team into one team because I think it’s going to be applicable to every customer. And the functionality has converged in the last three years. So there’s a lot of effort. We started training them last quarter. Hit the ground running this year. Our job is not to get them to a level of execution and excellence that they can consistently do deals. So four years ago, largest deal I did when I came to Palo Alto, we did was $28 million for five years. Last quarter, the largest deal was $75 million.
And I did some simple math when I came since I hadn’t sold enterprise before. So double our revenue, we had to have double the number of customers, a double number of dollars per customer. And the answer is somewhere in the middle. They’re not making Fortune 500 companies as fast as they used to. So I got to go find the same Fortune 500 spending them, get them to spend double which is why we bought all those products so we can give them more products.
So again, the math still applies. It’s on to double from $5.5 billion revenue to $11 billion; I’ve got to go sell more to the same customers. So what we’re spending our time doing is how do I take the customers through a journey from $1 million to $2 million to $5 million to $10 million. So we report millionaire customers.
We call that seeding the customer base. We don’t call it a milestone. So I can only get a customer with one to 20, if I start them at 1. So the whole process of getting go-to-market to a place, I have evidence customers will spend $20 million with me. I have one spending $75 million. The next one spending $58 million. The next one is spending $28 million and these are typical large deal sizes we do now in almost every quarter. So we know there is appetite in the market. The question is, can I consistently become the partner of choice for my customers and get them up that curve.
Gabriela Borges
Maybe on that topic specifically, what can you affect with your sales force to be able to move customers from the campus, more fragmented point products to growing all in and Palo Alto. The customers that do spend upwards of $1 million, $5 million, $10 million. What do they have in common? And how do you get more customers are?
Nikesh Arora
What they have in common is they are now treating cybersecurity as an architectural issue, not as a point solution, best-of-breed integration issue.
When I sit with a CIO and convince them that they need to secure every ship to the cloud with Prisma Cloud, then it becomes a land and expand for many, many years because we ride the wave as they do their cloud transformation, I don’t have to put an incremental effort. I have to make sure that they’re getting value from my cloud product. When they do a SASE evaluation over six to 12 months, my SASE deals are on average two times to three times the size of a firewall deal, and they’re sticky. There’s no churn on SASE.
Once our largest customer deploys 350,000 of their consultants around the world using us on their laptop, they’re going to call back 350,000 laptops and say, let’s change three years so now because suddenly, somebody has come up with a better product. Our job is to stay current and make sure our product does what it’s supposed to that point in time. So it’s a different sales cycle, a different architectural sale. It’s not a point solution sale.
Four years ago, when I went to see CIOs, I saw 75, and it was a curiosity meeting, nobody actually wanted to buy what I had to sell. So the guy around the corner who buys firewalls, he knows all about them talk to him. Today, I see more CIOs on a regular basis than I saw in the first year of traveling around because they want to talk about cloud transformation. They want to talk about Zero Trust. They want to talk about whether they should be doing SASE. They want to talk about automating the SOC. So we’re solving their big problems. We’re not selling point products.
Gabriela Borges
Conversations, that you’re having at the highest out of the organization. To what extent is it also important for you to have virality and marketing efforts that target security uses, security practitioners. And then the last piece of that question is, where did develop this fit in? And how do you think about appealing to developing?
Nikesh Arora
So yes – none of our customers buy something, who was because the CIO likes me or had a good conversation with me. They go through POCs, they have to prove our product credentials, they go through architectural conversations. My architects need to do a good job. They need everything in our white papers. They go check it. They have deep security researchers paying attention to our threat databases, our DNS capability, our URL everything.
So it has to be a soup to nuts, top to bottom. So we have to market to every part of that customer’s purchasing chain to make sure they appreciate our product, understand it and want it because you can’t force it down anybody unless they want it. So yes, we have to go to that.
Developer is an interesting dilemma. The developer dilemma is that if you talk to traditional enterprise – or not traditional enterprise SaaS companies, they say, I’ve got this developer motion, they’re going to buy my stuff and has enough developers use it, then I can go to an enterprise sale, which is traditionally a lot of the new models that you’ve seen in the market.
Security is slightly different, because in security, you can’t have 1,000 flowers bloom. Every developer cannot pick their tool of choice and hope that your enterprise is going to be secure. So at some point in time, the CIO and the CISO get involved and say, you have to all do it this way. So the question is, can you balance that. We made an acquisition called Bridgecrew, which has an open source tool you can use – but when you use that security tool, it’s integrated in Prisma Cloud. So we go in and say, look, we have a developer red motion, but we also have an enterprise solution that if it’s the entire stack, not just the developer part, but the deploy and run capability on cloud. So we are doing that a little bit more.
We are not a developer-first company. We’re an enterprise company in the traditional sense, where we sell to CIOs and CISOs. We are building a developer motion. There is more activity likely in the cloud space, which will be developer oriented. So we have to get more developer savvy and developer friendly. It’s still a nascent market relative to the overall security market, but we think we have a reasonably good toehold into it with our Bridgecrew acquisition.
Gabriela Borges
How do you think about the convergence that’s happening between firewalls and savvy on the sales side, for example? Talk to us about the parallel path there for the channel incentives? And then same question for your sales folks, how are you thinking about evolving incentives towards the platform approach? Or are you already there?
Nikesh Arora
Yes. Look, I think the big shift that is happening in security is – the traditional channel partners were hardware resellers. Hardware resellers remember, how does the channel originate. The channel originated when you had a company in Silicon Valley built a nice box, someone sells this box in 100 countries said, don’t worry, I got people every port. We can get you SCC-equivalent validation, we can take the box, ship and we can go to the customer, deploy it collect money for you and pay the taxes.
That’s what happens. So the channel was a very hardware-centric, hardware facilitation and he actually offloaded 8% to 10% of your cost because the channel took care of all the distribution around the world. That’s where it started. Over time, we’re starting software. I ship software by e-mail. I send you encryption key, you turn that encryption key on, I deploy software. I don’t need VAT in every country. I don’t need shipping. I don’t need SEC equivalent testing. I don’t need to have spares for my box. So the channels evolved.
The new channel is more and more telcos and service providers, system integrators, they come in and say, let me help with your cloud transformation. And then you say, what should I buy for security? I’ll say, let me help you with this big network transformation, I’ll make it PCO neutral, you’re going to save money, get rid of MPLS, deploy SASE, consolidate seven vendors put Palo Alto in. That’s not something every customer can do for themselves. That requires them to get an adviser.
That adviser now is systems integrators and service providers, which is not the traditional channel of – that we’re used to in the past. Some of them are building that consulting capability, but the consultants have always had the capability. So they’re creating executional capability.
There are more SOCs being managed by systems integrators than companies themselves in many cases. A very large auto company in Europe outsourced a $3.5 billion IT deal to a third party. They’re going to make the decision, not the customer. So my job as has been get closer to the system integrators and service providers and embed our capabilities in them. We power six out of the eight consulting companies, SASE at Palo Alto. There’s a reason because we want them to be patient zero, because they use our products, like the old television guys or go to a store and you see 40 televisions and say how you should this complicated, which one do you have? I will buy Palo Alto. Great. I’ll have one of those. That’s what we’re trying to do.
Gabriela Borges
The mix of dynamic and your point on the hardware coming well, it’s a smaller piece of the business mix today. To what extent do you view hardware is still one of the foundational building blocks of the security architecture? Or are we at the point where Cloud World, hardware is an afterthought or doesn’t need to be a foundational building block?
Nikesh Arora
Look, we’ve had this debate in the tech industry for a long time. Server is going to die every hardware server company should be dead by now. Every storage company, which had hardware storage should be dead by enough, it’s not happened. So hardware will have a role. Hardware is very important when you’re looking for throughput. Hardware is way more efficient than software and throughput. You want to put a software file on the data center, you can’t pump terabytes. You need a box.
A box is way more efficient than you can do with software. So there are always use cases when you’re pumping a lot of traffic in the long term for hardware. From a TCO perspective, and especially a security perspective, software is the answer. If somebody walks up and say, I’ll give you an example, right? We sell firewalls. We’re selling firewalls for a long time. We launched a large software lease every year, where we fix a bunch of security stuff; create more usability, amazing stuff.
We ship it to one of our customers, they take nine months to 15 months to deploy our software on the firewalls that we sold them. And they carry firewall some five years ago where they can’t even put it on there because it’s the too old, can’t handle all that code. So the data security risk it is. On SASE, our 2,500 customers get upgraded in two weeks. You’ll have to take the software, you have to deploy it. I can make you more secure. If there’s an issue, I can patch it in a day.
So software is way more efficient and relevant from a security perspective than hardware is. So I think in the long-term, if you get to efficient architectures, hardware be used a lot for throughput and large traffic, and you end up with software deployed around the world. Otherwise, you’ll be driving trucks to 1,400 stores or Starbucks or CBS trying to replace hardware every three years, which is silly.
Gabriela Borges
Yes. No, that makes sense. I’d like to end with a couple of questions on the financial model. Specifically, you’ve talked about how there have been ongoing supply chain issues that have impacted the margin this year, talked about pace of hiring. How do we think about margin progression over the course of the next 12 months? And then longer term, how do you benchmark your uniquely growing at scale. You’ve talked about the leadership in 11 different product categories, potential for that to even extend? How do you think about long-term volumes?
Nikesh Arora
Yes. Look, when I started for now he’s going to look to the math. And if you look at the math of an enterprise company, the biggest cost at small numbers of revenues is sales and marketing and R&D. Everything else you can normalize your G&A and the other stuff, you can bring it down, move around and your gross margins. Those are two things that are most important. Gross margins, cost to sell and R&D. So these three things. R&D has a spread. You can go from 12% to 15%. And the bigger you are, you can manage R&D in the 12% to 15% spread. So there’s no leverage there. The biggest leverage is in gross margin and sales and marketing.
So the question is what is the long-term gross margin of our business in our industry, I think the right security companies are going to end up being cloud delivered or cloud supported at some point in time. And because of the cost of running cloud and consumption, your gross margins are going to be in the low to mid-70s, 73% to 75%, not low, whatever, 70%, 75%, with the long-term gross margin security industry, unless you’re dealing with non-cloud consuming software, which is going to be less and less of.
So that’s the case of package software out there as well. It will be hard to find a security company long-term with 80%, 85% gross margins, which means you’re not doing some major part of security that you should be in for your customers, which means your biggest leverage is going to come from sales and marketing. Now it goes back to my thesis, the more products my salespeople can sell, the bigger deals they can sell, the more leverage I have.
And we have green shoots like I can do $75 million deal, $60 million in, it doesn’t take three times as many sales people who are selling at a deal that it takes to do a $23 million deal. So there is leverage in our go-to-market and selling motion. There is leverage – there’s still a lot of leverage in our gross margin because it got impacted by supply chain. In the last four years, we’ve built three new businesses in addition to our firewall business. We built SASE, we built Cloud, we build XDR. All three businesses have line of sight to get to $1 billion in the next 12 to 24 months.
No security company has done that. but they’re not at scale from a gross margin perspective because these are all bookings and over time, they have to flow from my revenue. When I get $1 billion in revenue, they start becoming interesting from a gross margin perspective, which may be three years out instead of 12 to 24 months. So at that point in time, I can start looking for gross margin leverage across these businesses. I think the long term – a longer term, we should be able to improve our gross margins from where they are today, both because of supply chain abatement as well as improving economics for our businesses as they scale. And I think as we scale, double our revenue, we should be able to get more leverage of sales and marketing. I think the right math is in the low to mid-20s for operating margin. If you’re going to stay an innovative security company. And some of that leverage needs to come from gross margins, some of the leverage need to come from sale of the market.
Gabriela Borges
When you benchmark your sales and marketing efficiency, do you benchmark to best-in-class security? Or do you benchmark to best-in-class enterprise software in tech?
Nikesh Arora
It has to be best-in-class enterprise. And I’m being careful about software tech because there are different flavors of enterprise companies. Some have developer-led motions, which have much better sales and marketing economics. Some have highly retention consumption businesses, which are better economics; some are sell and run like hardware, which has different economics. So we should end up somewhere between the mix of a hardware company and a SaaS software business in the future as our business scales.
Gabriela Borges
Last question on the capital structure. How are you thinking about the right balance of debt versus equity? You have convertible debt coming to especially now that the biggest pot of the lift on M&A, it sounds like you’re entering a new phase of maturity. A little more color then.
Nikesh Arora
I’m smiling because I find it a tough question sitting in Silicon Valley with some of the big tech giants with highly inefficient or very large amounts of cash. I got $5 billion of cash; I’ve got $3.6 billion in convertibles. My net cash is $1.4 billion; I buy a $1 billion stock a year. I’m going to generate $2.3 billion of cash at my guidance next year. So he got that cash rich as compared to many of the people around here. But from our perspective, we always have a $1 billion authorization to buy back equity. We are focusing on bringing our SBC down.
Opportunistically, we initiate stock buyback programs when we believe the spread between what the market thinks about us and what we think about ourselves is widening. And we’ve done that consistently over the last two years, and we hope to be able to keep doing that.
Gabriela Borges
Thank you so much for your time. We really appreciate you sharing some of these insights with us.
Nikesh Arora
Thank you so much, Gabriela. Thank you everyone for listening.
Question-and-Answer Session
Q –
Be the first to comment