[PANW – Palo Alto Networks] Thoughts on cybersecurity and stock-based compensation
Every few years, I parachute into the cybersecurity space and conclude my tour bewildered by the expanse of technology and reminded of familiar plotlines. There are new focal points and different players occupying the Magic Quadrant, but the basic script remains the same, with analysts and management teams touting arcane feature advantages, speculating on impending refresh cycles, and pitching end-to-end value propositions. Vendors continue to battle each other on feature sets even as they collectively fend off malevolent actors who conspire relentlessly to circumvent progress, forcing rapid product innovation that gives rise to new leaders and laggards.
In the early days of the internet, enterprise security was underpinned by firewalls¹, and before the early-2000s most firewalls worked by “stateful inspection”, a method pioneered by Check Point Software in 1993 in which web traffic was matched against a state table of approved IP addresses and port numbers before being waved through². Because stateful firewalls didn’t inspect the actual applications being accessed, they had trouble with the traffic of dynamic social media sites and enterprise SaaS applications that didn’t bind themselves to specific ports and protocols.
By contrast, Palo Alto’s “Next-Generation firewall” (NGFW) analyzed data at the application layer, which was a breakthrough in 2004 when it was first introduced. But others caught up in subsequent years and today, next-generation firewalls are commonplace. PAN and its competitors continue to migrate along the same vector of sustaining innovation, bundling this and that to introduce switching costs to what is basically a filter, programmed with rules that can be replicated on competing appliances. It is no herculean feat to swap one enterprise firewall for another and when RFPs make the rounds every 4-5 years, displacements are not uncommon.
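The contrast drawn in the two paragraphs above, as an added example that is not from the original article or any vendor's code: a port-and-address state table next to a decision made on the identified application. Reading the HTTP Host header stands in for application identification here (a simplifying assumption), and all hosts, addresses and flows are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")

class StatefulFirewall:
    """Address/port policy plus a state table; the payload is never read."""
    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.state = set()  # tracked flows: (src, sport, dst, dport)

    def outbound(self, p):
        if p.dport not in self.allowed_dports:
            return False
        self.state.add((p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p):
        # A reply passes only if it mirrors a flow already in the state table.
        return (p.dst, p.dport, p.src, p.sport) in self.state

def http_host(payload):
    """Host header of a plaintext HTTP request, without any :port suffix."""
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None

def app_layer_allows(p, allowed_apps):
    # Decide on the identified application, whatever port carries it.
    return http_host(p.payload) in allowed_apps

def req(host):  # constructed sample request
    return b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"

# Constructed flows from one client; addresses are documentation ranges.
FLOWS = {
    "crm on 80": Packet("10.0.0.5", 40001, "203.0.113.10", 80, req(b"crm.example")),
    "file share on 80": Packet("10.0.0.5", 40002, "203.0.113.20", 80, req(b"files.example")),
    "crm on 8080": Packet("10.0.0.5", 40003, "203.0.113.10", 8080, req(b"crm.example:8080")),
}

def compare(fw, allowed_apps):
    """Per flow: (stateful port verdict, application-layer verdict)."""
    return {k: (fw.outbound(p), app_layer_allows(p, allowed_apps)) for k, p in FLOWS.items()}

if __name__ == "__main__":
    print(compare(StatefulFirewall({80, 443}), {"crm.example"}))
```

The port-based policy cannot tell the two port-80 flows apart and refuses the sanctioned application on 8080, while the application-based decision separates all three.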
The firewall’s challenges extend beyond commodification. Historically, a firewalled perimeter protected enterprise resources from the scourges of the internet. Traffic would be routed to centralized, company-owned data centers, to be scanned and inspected. But as more stuff shifts to public clouds, to be accessed by itinerant users across a variety of devices, the notion of protecting an increasingly borderless and expansive footprint with a walled infrastructure-based defense has become antiquated and so has the assumption that everything inside a corporate network can be trusted. The defense layer, rather than resting between the internet and the corporate network, now needs to sit between the internet and each of the enterprise’s employees and devices.
Against this diffuse landscape, the firewall is losing its central position in the defense apparatus to cloud-hosted solutions that can scale across all enterprise resources, wherever they happen to be. Google pronounced the firewall defunct 5 years ago when it moved its applications from a protected intranet to the open web and adopted a zero-trust setup to secure users and endpoints (PCs, virtual machines, tablets, IoT devices, phones). In other words, trust no one, not even the servers housed within your firewall-protected network. Inspired by Google, ScaleFT launched its own zero trust security platform in 2015 before being acquired last year by Okta, which is leveraging its growing leadership in cloud-based identity to make inroads into cybersecurity. Moreover, browser isolation has emerged as a zero-trust approach to securing web gateways. Menlo Security, founded in 2012, runs web browsers in cloud containers and mirrors those sites to your device. It’s doing the same thing for email. Menlo doesn’t merely detect malware; it precludes the possibility that malware reaches you at all.
Selling firewall appliances never had the characteristics of a good business and the transition to cloud computing makes it a potentially terrible one. And yet, even with NGFW at the center of its offerings, PAN has grown product gross profits by nearly 30%/year since fy12 (fiscal year ending July). While firewalls face serious challenges, they remain the keystone of enterprise security infrastructure and the foundation on which other security products are sold. Palo Alto has stayed at the forefront of innovation, sure, but more importantly, it has absorbed a growing number of point security features into its NGFW, layering in subscription revenue from web gateways, URL filtering, threat prevention, intrusion detection and prevention, anti-virus, and malware protection. Subscriptions make up 63% of PAN’s LTM gross profits, up from 37% in fy13, with around 80% of that attached to the firewall. Palo Alto’s cumulative spend per cohort several years after landing (typically, with NGFW) is many times the initial order value (for instance, cumulative orders from the 2012 cohort are nearly 7x that cohort’s initial purchases), gesturing toward the power of incumbency. A CISO would prefer not to cobble together “best-of-breed” solutions – the complexity of which brings its own security issues – that already come bundled with his most critical security asset.