The Oracle of Security- Nir Zuk
Nir Zuk is a superstar in the cyber security world. He is the co-founder and CTO of Palo Alto Networks. Nir co-founded Palo Alto Networks over a decade ago and changed the landscape of network security forever. He has worked with NetScreen Technologies and CheckPoint prior to starting Palo Alto Networks.
(This is summarized sections of conversation with Nir on our pod. You can hear the podcast here)
(1:31) Do what excites you– Even as a teenager, Nir was fascinated with computers. He wrote his first virus when he was 16 “just for fun”. Nir’s first company was CheckPoint which he left to built better products. He then started OneSecure which was acquired by NetScreen Technologies which was further acquired by Juniper. Nir left all the NetScreen acquisiton money on the table when he left Juniper again to build better products. Products that he believed in. It was then he founded Palo Alto Networks which today is a billion dollar company.
“Life is too short. If you’d like to build products and you’re in a job that doesn’t let you build products, then find another job that lets you build products or start a company to build products.”
App ID and acquiring early customers– App ID was an insertion plan, something that’s going to make customers buy our products and replace other products. Making the enterprises realise that they were not able to lock all the malwares that were coming in and further that their data was not as secure as think it to be. Nir, further provided incidents of how Palo Alto Networks was able to thraught some major attack and also an incident where their product was able to identify a major security breach in Israel.
Early days at Palo Alto Networks- were spent trying to convince the customer to put our next generation firewall as a sniffer on their network. This would show them how their existing products don’t really secure them against almost anything. And then the challenge was to get the box on the network.
Hiring at Palo Alto Network– Nir believes that people who want to make the world a better and safer place in terms of technology are the kinds best suited to be his employees.
Staying grounded – How do you stay grounded after reaching the pinnacle of success? well, there are two main reasons 1) “don’t forget where you came from”. 2) Dont sit back and watch others achive your goals for you.
Why managing people is a waste of time for a technologist– Nir, recommends that technical people that want to stay in technology should stay in technology and not be the CEOs.
Upcoming Industry Trends- Nir talks about how security industry is going to be more data driven. Futher, trends about home security and automation in the cyber industry.
Detailed transcript :
Ankur: Hello everyone. Welcome to the prodcast where we share insight from the industry leaders on how to build great tech products and companies. This is Ankur and Neelima, your hosts. In today’s show we have Nir Zuk, co-founder and CTO at Palo Alto Networks, the leader in cybersecurity. Nir founded the company over a decade ago when he saw clear opportunity in creating the next gen firewalls.
Nir is a celebrity amongst security professionals. You know that because he has no LinkedIn profile but he’s all over the internet. He’s on Wikipedia, YouTube, Forbes, Fortune, TechCrunch everywhere. If you’re a technologist who has a vision for the future and wants people to rally behind your vision and in the process create new markets and industries, you don’t want to miss this episode.
Hi Nir, welcome to the show.
Nir: Hi Ankur. Hi Neelima.
Ankur: It’s so great to have you. I know it’s been difficult to get the schedule lined up but I am so glad that finally we’re able to catch up. As we get started, we’d love to, our listeners would love to rather know your journey leading up to Palo Alto Networks.
I presume that you grew up in Israel, how was it? How was childhood? How were the teen years? Were you a hacker back then? Was security the DNA from the get-go?
Do what excites you
Nir: Yeah. When I was a teenager in the eighties, first I worked for a computer show. I couldn’t afford to buy books. I was working as a consultant for people coming in to buy stuff and in my free time, I was reading computer books and learning how to program , assembly and stuff like that. And then I wrote my first virus, I think when I was 16 or something like that. And, I got recruited into the Israeli Intelligence. Everyone in Israel has to go to the military so I was recruited by Israili intelligence and ended up being with the same small group of two of the three founders of Check Point. And they were older than me and they left the service a few years before I did. And then started Check Point right when I was about to leave the service. So I joined him and that’s how I got into cybersecurity. Not that firewalls are cybersecurity but that was cybersecurity back then.
Ankur: Very interesting background. And for our listeners, Check Point is or has been Palo Alto’s chief rival for over a decade now. So an incredible journey starting with somebody who Palo Alto obviously competes feverishly with now. So you started Check Point, you start working on I presume the Gen One firewalls.
Nir: Well, I don’t know what gen one and gen two and three are. It’s a marketing BS the Check Point is trying to push but back then they were access control based firewall, so ACL’s embedded in routers usually and there were proxies and neither do the work proxy firewalls neither do the work. And I checked one, we created something called a stateful inspection, which is now the basis for all firewalls except for our firewall at Palo Alto Networks. We were stateful but we don’t use that for inspection. We replaced it with something called app ID.
Ankur: Got it. I presume that just after coming out of the service you joined CheckPoint. I assume that you were a developer obviously awe struck by these incredible founders. How many years rather did you spend that Check Point?
Nir: I spent two years in Israel and then I was relocated to California and stayed another two and a half years with CheckPoint and I left in the middle of 99. Took some time off as my first daughter was born at that time. And then in late 99, I started the company called OneSecure, which built the first IPS Intrusion Prevention System in the world. Until then there were only ideas. So I built the first IPS in the world and then very quickly NetScreen acquired us. NetScreen was a firewall company that was Check Point’s biggest rival at the time. And I stayed with NetScreen for two years and then Juniper acquired NetScreen and literally the next day they told us that they are not interested in the products. And then a few months later, they told us that they were not interested in us, engineers in China and India are much cheaper. So everybody left, I left. I started Palo Alto Networks officially in early 2005, practically, we got funded in January, 2006.
Ankur: Got it. We’ll get plenty of time to talk about Palo Alto Networks but I’m really curious. So, you were probably in your twenties, you had moved to California with a big Silicon Valley salary. You just had a kid but you somehow decide to start a company and take that risk when right on the Dot com era. What led you to starting a new company versus just take a cushy job and spend a few years?
Nir: I didn’t like working for Check Point because they couldn’t build products there. It became very political. So, when I moved to California in early 97 we started an engineering group in California and we started building products that we were going to integrate into the firewall. The first product we built was a QoS product which was integrated and I think is still being sold. Maybe I’m not sure. But then we built a product that was a few years early then companies like, what’s the name of the company.. We build a product that does bandwidth management, bandwidth optimization, link optimization in order to enhance the ability of applications to work over congested, internet connections. Riverbed would be that company. So, the protocol is working. We integrated the D to the firewall and then engineers back in Israel started complaining that they’re busy all day fixing bugs in the firewall whereas engineers in California are having fun building new staff. And of course the solution was let’s kill what the engineers in California build rather than let’s fire all the engineers in Israel that are complaining. So I realized that this is not a place to build products. I left the company and started the company to build products. Yes, I did leave a lot of money on the table but I didn’t care. For me, it’s about building products and the same story, by the way, with Juniper, the reason I left Juniper was because we couldn’t build products there anymore. They decided not to take NetScreen products. They said they wanted to rebuild them inside the routers. We told them and with ‘we’ I mean, myself, Lee Klarich who runs product for Palo Alto Networks was there at the time as well, and a few others. And we told them, look, if you’re going to build a new firewall, we might as well build a new firewall, not the same firewall again. And, they just wouldn’t listen. And then they moved engineering to India and China and I realized we could not build products over there. I left and started Palo Alto Networks to build products. And I left a lot of money on the table there as well, all the NetScreen acquisition money.
Ankur: It’s really interesting that you always choose to work in things that interest and excite you. A lot of people are kind of stuck in their good old job for whatever reason. Why do you think some people just can’t move from their shitty jobs and go somewhere else? What advice would you have for those people?
Nir: I think because they’re scared. Usually, it’s because they’re scared. It’s because they don’t know if the money that they live on the table, they can make it again. And for some reason they care a lot about that. I just don’t think it’s worth it. Life is too short. If you’d like to build products and you’re in a job that doesn’t let you build products, then find another job that lets you build products or start a company to build products. I mean, look in every company, you’re going to feel that there is some politics and that there is some fighting before you can build the feature that you really think needs to be built or the product that needs to be built. That’s okay. But when you just can’t do your job anymore and know it takes you forever to do any little thing that you’re trying to do , for me it’s not worth it. And I recommend everyone to just move on.
Neelima: So Nir, very interesting insights. Were some of these insights applied when you started, like in the early days at Palo Alto Networks? Because I do know it was one of the companies where engineering, like all the team was at one place and that really used to fascinate me when I was part of McAfee, everything is at one place, engineering everyone is co located. Was that one of the guiding principles based on some of the acquisition and the story we heard about Check Point?
Nir: Yeah. Well Check Point is in one place in Israel. There is engineering in the U S and dev engineering is just in Israel. NetSecure also. But Juniper was very distributed and other companies were distributed. And when I started Palo Alto Networks in 2005, it was not just my experience but was also the experience of many friends of mine whose boards required their companies to be distributed because it’s cheaper to do engineering elsewhere. And I didn’t want to do that. I had heard all the horror stories and how they have to wake up at 6:00 AM in the morning to work with one side of the planet and go to sleep at mid- night to work with another side of the planet.
And I know McAfee’s like this and there are quite a few other companies like that. And I didn’t want that. And we had an agreement with the board from day zero that they don’t even bring up the idea in board meetings to move engineering to India and China. The first time we had engineering in India was when we acquired RedLock where Ankur used to work and was a founder there. And that’s why we have engineering in India. We never opened one. And when about five and a half years ago, or six years ago, when we did decide that we needed another engineering location, we decided that that second engineering location was going to be Israel because of the cybersecurity talent in Israel.
And we made our first acquisition in Israel which jump started our engineering office in Israel.
App ID and acquiring early customers
Ankur: Got it. Palo Alto’s Wikipedia says- the key insight, I think you alluded to that already in the interview was- Provide ability for enterprises to define fine grim control at application level, take us through your thinking at the time. Our average listener doesn’t understand stateful, stateless application identification. Let’s talk about the anatomy of a network attack. Let’s start there. How does it happen? What did the gen one kind of do? And then what was your key insight as you started the application ID.
Nir: Yeah, so actually application ID was not the key idea behind Palo Alto Networks. I can talk about that in a second. What really was application App ID but the main idea behind Palo Alto Networks was consolidation through integration. Network security is very fragmented. There are firewall vendors, IPS vendors, proxy vendors, sandbox vendors. That was what that was back then. And then over the years, you see more and more network security vendors in different areas like IOT security and network traffic analysis and UEBA and network DLP and so on have come out in the market. And the idea was to build a platform that can take all of these and turn them into a set of subscription services running on top of one product which we ended up calling a next-generation firewall.
App ID was really the insertion plan. So when you build a new product, you have to have something that’s going to make customers buy it and replace other products, right. Going to customers and saying, throw away your firewall, your IPS, your proxy and replace them with our product is not going to fly with most customers. A replacement for enterprise doesn’t work very well. What is something that’s very, very different is what will convince them to take your products, right. And that thing was an App ID. So App ID was an insertion plan, the go to market plan, which was going to cause customers to buy our products. The real reason we wanted to build our products, have customers buy them.
And the real change we wanted to make in the market is to turn network security and later cybersecurity into a SAS delivered industry. So the idea behind the App ID was in the middle of 2005 when we worked on the business plan and presented it to our first investors, our initial investors, which were Greylock partners and Sequoia capital, the idea was that the internet back then was mostly web browsing and SMTP email for enterprises, some FPP, some SSH, some Telnet but it was very clear to us back then and so it was for our initial investors that the internet is going to be used for much more for enterprises. Back then only consumers were using applications beyond those basic ones. No applications like internet based video, internet based audio, social media was just emerging back then, no instant messenger and so on.
It was clear that that technology is going to move into the enterprise and back then stakes for inspection and all the products based on stakes for inspection , as well as the few remaining proxy based products, products just couldn’t handle those applications. So they could secure SMTP, they could secure HTTP, FTP but anything beyond that was not supported back then we saw the need for it.
Initially in order to show enterprises which applications their employees are using. So provide them visibility. Most enterprises were thinking that they’re able to block these applications and that their employees follow the rules and only use the internet for web browsing and email. We went in with our product, put in a sniffer, immediately showed them all the other applications that their employees are using. All the malware that’s coming in, all the data that’s leaking out and so on. And that was the insertion plan. We put our firewall on the network. Within a few hours, we showed them exactly what’s going on. And very quickly, we got a PO not to replace the firewall but for a product sitting behind the firewall then over time as we grew in size as we became more known in the industry, as we proved to customers that our products are stable. They replaced their firewalls with us. And that’s how we became a real firewall vendor. And we could start really delivering on our vision which is to replace not just the firewall but everything around it. When we started Palo Alto Networks, there were IPS companies, quite a few, there aren’t any now. They are all either acquired or killed. They were proxy companies. All the proxy companies back then are now dead. There’s a new proxy company called Zscaler and we’ll kill them too. We’re in the process of doing that too.
Back then there was one sandbox company FireEye. They had probably a thousand or 2000 customers when we came out to the market with our sandbox as a service running on top of the firewall. Today, they have maybe 2000 customers. They’re struggling and we have tens of thousands of customers using our sandbox. So it’s very clear that moving network security from products that you deploy in the network to a set of subscription services, SAS delivered subscription services delivered from the cloud running on top of a single device called next generation firewall was the way to go. And, that’s what customers are buying. Today, if you look at our firewall business versus the business of selling subscription services on top of the firewall, the latter is much bigger. We sell much more in subscription services running on top of the firewall then we sell them the firewall itself.
Ankur: Very interesting. A lot to unpack in all of this. I think the one thing that struck with me and I think a lot of the product builders and founders can find it useful is that the initial insertion plan was to sit behind an existing firewall because displacing a virtual appliance or a physical appliance is hard if not impossible in the enterprise. So first it’s just going to passively monitor the traffic shortage tunnel value over time kind of do the displacement.
Nir: That is if you are a startup whose idea is displacing others through disruption. Other startups, like the one you’ve been involved with Ankur and the one you have been involved with Neelima build something new. Something that doesn’t exist in the market. And then it’s not a replacement business. The struggle is not to go and replace. The struggle is to build a market. And it’s a different playbook.
Early days at Palo Alto Network
Neelima: Okay. So coming from Demisto, I recall our early days were really, really exciting. There were ups and lows every day. What were the early days at Palo Alto Networks like.
Nir: Yeah. The early days at startups are always exciting until you have to start selling right. (Laughs) When you have to start selling that’s when you get to know if what you’ve done was good or not. And luckily for the two of you, you were involved with startups that had really good ideas and were able to sell their products fast into the market but yeah it’s very exciting to build new stuff. And then after you ship it, some of it moves into maintenance mode, right? You have to maintain what you’ve done and then there are customer requests. And all of the sudden customers start determining a part of your roadmap. At least then it gets a little bit less exciting but that’s life. That’s how it is.
Neelima: And how many times did the customers actually ask like- is this going to be a part of firewall? Are you building a firewall and what was the answer?
Nir: Oh, we were very clear from the beginning. We’re building a firewall. We call it the next generation firewall. It’s not trivial. We had a lot of arguments around it about whether we should call it a firewall or a firewall helper, not literally a firewall helper but some name that would indicate it’s a firewall helper. And we knew we wanted to beat their firewall. We knew we wanted to replace their firewall. So we decided to call it the ‘Next generation firewall’ which of course created some friction in the early days because buying a second firewall sometimes is very politically charged.
Neelima: Yep. In the early days with the sales cycle, did you kind of shadow the sales guys, helping them actually refine the pitches because as you said even selling additional over the firewall the customer would prefer the existing vendors. So it’s very hard to do the insertion point.
Nir: Exactly. Yeah. So what I did in the early days is mostly to generate interest in the product because very early on we learned that when we do an eval, meaning when we convince the customer to put our product, our next generation firewall as a sniffer on their network, we get a PO because we show them so much crap running through the network. We show them how they’re completely insecure and how their existing products don’t really secure them against almost anything that our challenge was to get the box on the network.
Is it easy?It’s not. So I was flying around the country and we did a lot of events in very small places. You know, today when I do an event and I’m not talking about today during Corona time where it’s all zoom but I mean physical events. Today when I do physical events, it’s usually hundreds, if not thousands of people in the audience and I’m sure you are the same, right. Back then, I remember an event, I flew all the way to Boston from San Francisco for an event. Actually it was Connecticut. I flew to Boston, and drove down to Connecticut and there were three people in the audience and one of them was a friend of the reseller that was never going to buy anything anyways. So, that’s the beginning. It’s hard work. And sometimes in the events you only have three people, we have the deal. Unfortunately with Maggiano’s, you know Maggiano’s restaurant chain?
Ankur: Absolutely one of my favorites. Yeah.
Nir: Yeah. So we had a deal with them to do events all over the country. So I think they have like 30 or 40 restaurants around the country and I flew to all of them and I have to eat there. Well they are our customers, sorry; their wonderful food in 40 different places. The same food again and again and again. And sometimes I’ll get 10 people in the audience, sometimes we’ll be 50. And out of each of these events, we’ll have two evals, which was enough. That was my early days. Yeah. And, I think that set applies to too many of our products. It’s all about getting the product in the infrastructure. Prisma cloud is like that, Just get the customer to link it to their account and when you show them what you show them they buy the product and the mystery is somewhat the same. I mean, it’s a little bit more time to deploy it then just putting it in. But yeah. And that by the way is something that would recommend to all your listeners who are planning to start a company is to do a very quick eval (evaluation) and show value very quickly. Meaning if you can with a few mouse clicks or in our case, it was 15 years ago; if you can just deploy a box on the network on a span port on a switch or on an optical tap into the network, or like in the case of RedLock all you have to do is log in into your AWS account, if that’s what the customer has to do. And within a few hours, or a few days, you show them the value, it makes your life as a founder, as an entrepreneur, much, much easier because then the focus is get them to do an eval, then the product sells itself.
Neelima: So a follow-up question on- “started selling with the sales”. When did you basically feel that now we’re getting real traction and we get to -”I have to start thinking of the next” stage.
Nir: from the beginning? We knew what we were going to do in version one zero and two zero and three zero and four zero. And if we could, we would have done everything in one zero, which is enough time. So yeah, we have that and very quickly we realized that our gut feeling that this is going to be big was true. It started very fast. I think we did like 5 million in the first year or something like that and 16 in the second. So even though it was a hardware business, the big change probably came five years ago, so after eight years of selling. More or less we became the largest network security vendor in the world, we saw that being inevitable, we decided that we need to move into the next thing because remember we started Palo Alto Networks to consolidate cybersecurity but not just network security, but other things as well. So about five and a half years ago, I think it was in early 2015, we decided that we’re going to do the next thing which back then the decision was Endpoint security. It was not the right decision, but it was the decision- let’s go into endpoint security with network security and the right decision would have been the decision we made after that which was let’s go into cloud security
Ankur: (Laughs) And you say that Nir because the endpoint is a tough, tough market. The right tech and solution is arguably Endpoint security as it is one of the most critical types of security.
Nir: It is. It is a replacement business, let’s start with that like the network security business we are in. It’s just that it’s very hard to show value and give the customer a reason to replace. We thought that being able to detect many more attacks on the endpoint because of the linkage with the network is going to be a reason for the customer to switch to Palo Alto Networks endpoint security. It turns out customers don’t give a damn when it comes to endpoint security. It’s different today because of EDR but back then for most customers, it was just the checkbooks. And it was a race to the bottom between McAfee and Symantec about who’s going to give the agent for a lower number of cents per year, per endpoint and it’s not a market you want to be in. Cloud on the other end is a Greenfield opportunity. Not a lot of legacy. And that’s why that should have been the decision back then but it’s okay. Took us a few more years. And then we went into cloud security.
Ankur: Absolutely. You know before we move forward, I think one of the things that struck with me was, you started the company in ‘05, in 2007 you launched the product, 2009 Gartner came up with a new category called next gen firewall and in 2011 you’re anointed as the leader. I don’t think a lot of our listeners can appreciate how hard it is- to go from product launch to leadership position, get the mindshare of the analyst all within a span of 4 years. So Nir, beyond you just hustling hand to hand combat and flying and eating Margianno’s there had to have been certain things around the company structure which allowed you for this kind of scale, this kind of marketing. Having 60,000-70,000 customers is not easy for people. It takes decades. Are there any of them? Was there any other magic sauce that we kind of glossed over?
Nir: Well, we had a disruptive product, right? So disruption helps. And like I said, it’s a product that once you put it in the infrastructure, just for trial, just for evaluation, it sells itself because the customer sees things that they just can’t ignore. And the challenge was to find the customers when they have a budget for replacing something in their infrastructure, like the firewall or the IPS or the proxy or something that they will pay us to do and do it at scale, right. Selling the first $5 billion is easy. Most startups, if they work really, really hard can do. But getting to a hundred million is really, really difficult and that requires more than just a good product; even if the product sells itself. That requires a real company and it requires really, really good people.
Hiring at Palo Alto Network
Ankur: So speaking of people actually, I was struck by one of the interviews that you had with one of the security journals. You said “we hire a different kind of people at Palo Alto Networks. Facebook, for example, is a company that’s ruined democracy. There are people that on principle refuse to work for such a company. They prefer working at a company that pushes the world forward, not backward. And we hire those types of people.” Can you tell us a little bit more about it?
Nir: That comment was about today, competing against Facebook, on hiring people, both in the Bay area and in Israel and probably India as well. And we just hire different people. We hire people that want to help the world. People that want to make the world a safer place to live. People that believe that without cybersecurity we are going to go backwards in terms of eCommerce and online shopping. And it’s going to destroy a lot of economies if we don’t take care of cybersecurity and so on versus other companies that will do everything from money, including ruining democracies, get dictators elected and so on.
Neelima: Yeah. So Nir, I’ll ask a very non-technical question. You started the company, you are incredibly successful. You are also very, very approachable and we see this day-to-day on campus. You’re very visible. You’re talking to customers with us in ABCs, How do you make sure that you stay grounded as a founder of such a successful company?
Nir: First, I recommend to everyone not to forget where they came from. I grew up not being able to buy computer books. I had to work for a few dollars an hour in order to work for a place where I can read those books. And yeah, just, just don’t forget where you came from is the most important thing. That’s one thing.
The second thing is we all have the same goal at Palo Alto Networks. And I’m not going to sit on the side and wait for everyone else to achieve the goal for me or for us. I want to be a part of it. Yeah. That’s why I talk to customers every day and I fight our competitors every day at customers and conferences and building products and buying products and integrating products and so on.
Ankur: Got it. Do you remember any incident in your history where you as the next gen firewall prevented a major incident. Obviously, we don’t have to name names but anything that comes to mind.
Nir: So first, it happens every day, but there have been cases where we discovered… Look with the firewall, it will be hard to tell because the firewall blocks a lot of things.
So you can’t tell that, Hey, we prevented a lot of incidents but there’ve been cases where our detection technology detected the data breach after the fact. One famous case, it’s not famous. I mean we haven’t disclosed publicly but it’s related to a famous case. There was a big attack against Anthem. I don’t know if you remember it. And like many other companies in California we use Anthem. I mean, of course it doesn’t matter how much you’re in cyber and how much you are into cyber and how much you are sending dev my data because they probably have my home address or all the addresses where I used to live in California, my social security number and so on and my medical records because of that attack. And at the same time that happened, we got a hold of the malware. And first we discovered that our sandbox, if our sandbox were in their environment, I have to use this objective here because it’s something that didn’t happen, if our sandbox were in their environment, we would have detected and stopped that.
Nir: But more importantly at that time we were working on a product called Autofocus. Today of course it’s a product. Back then it was just being built and Autofocus is a system that can very, very quickly go through a massive amount of data we have about malware and find correlations. That’s one of the things Autofocus does. So we took the malware that we discovered; we didn’t discover it; the malware that was part of that attack against Anthem and we ran it through our sandbox. And then we took the data that came out of the sandbox and put it into Autofocus and then Autofocus came back immediately and said that a few weeks earlier there was a similar attack against one of our customers.
Nir: Meaning, we saw a piece of malware a few weeks before that had very specific, unique indicators that we haven’t seen in any other malware at any point and of course, in any other clean file. Autofocus has a lot of clean files and malware. So immediately, we called the customer and told them- “Hey, this attack we blocked for you a few weeks ago, know you are the target of the same adversary group Anthem Blue cross
Ankur: Pretty, pretty amazing. I was at one of the largest defense contractors and they had like this big SOC up there and I think the average person doesn’t know how many breaches are prevented every day from crackers and hackers, guy with a black hat, whatever that may be. And it’s pretty fascinating. Obviously, the security industry has enough players that’s helping customers against these massive data breaches but sometimes it feels like we are just a day away from some massive breach where the power grids are going to go off, the computer systems will go down. It always feels like that.
Nir: Yeah. I’ll tell you another incident I had actually here in Israel. You reminded me just now. In Israel, it was quite a few years ago. I went to visit a defense contractor. A company in Israel that builds defense, military related equipment. So I went there and I had a meeting. There were two security slash network engineers in the room and I think it was the Director of Infrastructure or VP Infrastructure in the room, something like that. And I went through our solution. And again, my goal, like I said earlier in this podcast was to get our box on their network. Because I know that when we put the box on the network, what they’re going to see, they’re going to have to do something about it. First, they will be going to their current vendor, which I think was CheckPoint or something and ask them to fix it. They couldn’t fix it. And then they would buy our port. It was Standard operating procedure. So I sit in front of them for an hour and tell them what we do. And they say, well, do you do this? Yes. And do you do that? And, it’s very clear that there are two CheckPoint bigots that are trying to find holes in our product and find this little thing that we don’t do so they have an excuse not to put our product on the network. And after almost an hour. It was almost time to go, I just said, screw it. I said it to myself. I said to myself- screw it. Hail Mary. I took out a bill from my wallet, 100 shekels, which is like $30 today. I put it on the table between us on the conference room table and I started talking to the VP and I said, look, here’s hundred shekels. You’re going to put our product on the network. And if we don’t find anything, you’ll keep those 100. And if we find something, you’ll give it back to me. Okay. You are not losing money here. You can only make money.
Nir: Then a few weeks later, they put our box on the network. Within a few minutes, they saw a workstation that was leaking gigabytes of traffic to some foreign country, which is not the best of friends with Israel. I wasn’t there. I flew back to the US. I was there on a visit. I flew back to the US. This is a story that the sales engineer told me. Immediately, they called physical security, they had six guys with Bren guns, ran to that workstation, shut it down and basically got him arrested. It was all over the news. I mean, they didn’t mention us or anything like that. It was all over the news and they bought our product of course.
Ankur: Oh my God. That is so fascinating. I was going to say they didn’t have to pay us anything but they ended up paying us like $5 million.
Nir: I’ll get my money back. I’ll have my 100 Shekels. That’s 30 bucks. I can live with it.
Why managing people is a waste of time for a technologist
Ankur: Oh, that is so fascinating to hear the stories because the average person just doesn’t know the kind of stuff that really happens.
I’m going to change the subject on you a little bit, actually going back to the people stuff. There was this fascinating quote by you, which I want you to double click. You said and I quote, this is about people management- “as far as I’m concerned, managing people is a waste of time”. Well, first of all, can you expand on that and second is what advice would you give to a fellow technologist who wants to build a better future but doesn’t want to go through the grind of managing people and doing the annual reviews and so on and so forth.
Nir: Yeah. No, my quote was about myself. I find it myself that managing people is a waste of time for me and it’s a waste of time for technical people, meaning that I recommend technical people that want to stay in technology rather than those that want to move to management. It’s completely valid, there are a lot of people that are technical that see their career going forward in management, not in technology but those that want to stay technical, I think they should focus on technology and not try to manage people. It’s completely valid. That’s the CTO versus the VP of engineering role or Chief Warrant officer? Now, what I also said is that for founders, it’s very unlikely that the technical founder is going to be a good CEO. So, if you’re a technical founder, especially if you want to stay in technology and you’ve never been a CEO and your company might go big and you’re really near the sales and marketing CEO. My recommendation was from the get go, just find a CEO, don’t be the CEO, focus on technology and let someone else raise money, hire people, fire people, deal with the board and so on. You focus on technology, which is really why you started the company. That’s what you know how to do well. The other challenge with technical people saying to themselves, well, I’m going to start as the CEO and then when the company starts growing, I’m going to find a CEO and I’m going to do something else. It’s very difficult. It’s very difficult for a new CEO to run a company where the old CEO is still in the company. It too often doesn’t work. It might work but too often it doesn’t work. So my recommendation to technical founders is don’t be a CEO, hire a professional CEO.
Neelima: It does matter who you work with or who you found or started the company with because there is a trust factor when you’re focusing on the technology side of things that you know, the right people are getting hired and there is an equal say.So definitely having the right team to start the company is also very key.
Nir: Of course, look even if you hire a professional CEO, an experienced CEO to run your startup, certainly in the early days of the startup and until pretty late in the life of the company, the founders are much more important than the CEO and the CEO knows it. If there is, for some reason a fight, it’s the CEO that’s going to have to leave and be replaced, not the technical founders, not the entrepreneurs. So yeah, it has to be cooperation.
At Palo Alto Networks we went through a few CEOs in the early days. We started with the CEO, Dave and then as we started growing Dave left and we hired a CEO named Blaine and then as we were preparing to go public with the CEO that was able to do that, we hired Mark McLaughlin. And then Mark left, not because of a change in what the company does but because he wanted to spend time with his family and we hired Nikesh. In between Blaine and Mark, we had nine months where myself and Rajiv, we were co CEOs . I always joke that that’s the period of time where Palo Alto Networks was growing the fastest. We grow at an analyzed rate of 300% at scale. At scale of tens of millions of dollars per quarter during that period of time.
Ankur: That is fascinating. Yeah. You know, Silicon Valley should experiment more with different types of work structure. One where there is no CEO . There are I guess a couple of core CEOs, if you will, but it’s a completely decentralized organization. Hire the best engineers they know what to do. Hire the best legal people, they don’t need a CEO to set the tone. Pretty, pretty fascinating.
Neelima: So, you are in Israel right now. And Demisto, a company from where I come, is Israel based. I am just fascinated with the cybersecurity DNA that’s there. Why do you think there are so many security startups coming out from Israel?
Nir: I think it’s CheckPoint. CheckPoint, some people say is related to the military, maybe. There are cyber organizations in militaries around the world, not just in Israel, not just in the US. I don’t see a lot of cyber companies in those areas, but probably somewhat related to the military where you have people with experience in cyber when they leave the military, which is a requirement, there’s conscription in Israel. So I think part of it is military, but I think a big part of it is CheckPoint. I think that CheckPoint is the largest Israeli company. In Palo Alto Networks last announced quarter, I think we were almost three times bigger than them in sales or even more than three times, about three times bigger than them in sales but still they are the largest, most valuable company in Israel. So,people see that and they want to be the same. And of course there’ve been a lot of exits in cyber., some IPO’s, a lot of sales like Demisto. People see that and they know that cyber is a good area to be in and it’s just a machine that’s fitting itself. You have a lot of people with experience or starting with CheckPoint and then those people leave. They start companies. I started mine in the US because I was living in the US but many started their companies in Israel and it started to snowball.
Neelima: Sometimes also I think it’s a mindset. I worked in India, I worked in the US. I worked with people in Israel. The mindset is very inquisitive and nothing is taken for granted. I think that is also a huge differentiator. A kid, a college kid coming out of an Indian college versus Israel is going to be very, very different. At least that’s what my experience has been.
Ankur: Great. All right. Last couple of questions before we go to rapid fire round. So, what’s the next billion dollar idea in security?
Nir: I think we have quite a few of them at Palo Alto Networks. (Laughs)
Upcoming Industry Trends
Ankur: Are there anything like, if you think about 5, 10 years anything privacy related. I know, it’s kind of on top of mind. Outside of the stuff that obviously Palo Alto does. You know, Cloud and network and Endpoint, any big industry trends that you foresee?
Nir: yeah, of course a few. There is data. I think cybersecurity is going to be more and more data-based and of course we believe we’re leading that at Palo Alto Networks. There are other vendors that do that. I think data is going to be more and more important for cybersecurity and the difference between vendors is not going to be as much as how good the software is. It’s still going to be that but I think how good your data is going to be will be more important. So that’s one trend.
I think that the pandemic has accelerated some trends that are going to be very important going forward. Of course, Cloud security, where you’re involved Ankur. The move to the cloud is accelerating and cloud security is going to be very important but also work from home or the workforce is important. Not having infrastructure, not just data center infrastructure, but any infrastructure, that’s accelerating and that’s important.
I think home security is going to become more important as more and more people work from home and that I think is going to be an important trend in cybersecurity and I think an area where Neelima is focused on which is automation. You know, we’re getting to a point where security cannot be operated by people. We’re getting to a point where they’re just not enough talent in the world for security. And more and more of security will need to be operated by machines.
Ankur: Security or just about everything. I think the AI and robots are taking away jobs from just about every industry vertical and yes, security for industry will not be spared.
Nir: I don’t think security. I’m not worried about the jobs of security analysts. I think they will always be needed. It’s just that we’re going to give the machines, all the mundane work that they do today. And have them focus on difficult work that machines can not replace. Work that requires thinking. Of course that means the security analysts will need to have additional skills on top of what they have today. Like for example, the need to know big data and machine learning and things like that and we can figure out how to educate them around that but I’m not worried about their jobs as much as I worry for example, about the jobs of network engineers. As the network disappears and it all becomes delivered from the cloud so, that’s probably a job that’s going to be more at risk versus security engineers and security analysts.
Neelima: And last question before our rapid fire Nir. You don’t really have to work for a living anymore. What gets you up and excited every day?
Nir: Convincing our customers to use our solutions? No, it really upsets me that there are customers that don’t. The challenge in cybersecurity is that it’s very hard to tell what works and what doesn’t work. So it’s very easy to fake cybersecurity. And most of the vendors in the industry are faking cybersecurity. They count on customers not knowing how to test products so they’re faking security. Most of the testing labs work for money and can be convinced as to what to test and what not to test.
At Palo Alto Networks from day zero, we decided that our culture is going to be different than that. We’re not going to lie to customers and we’re going to be proud of everything we do. And we believe that our products actually block attacks versus many of our competitors that don’t. And convincing the world of that, one customer of time is hard but that’s what I do. I’ll rest the day we have a hundred percent market share.
Ankur: amazing. Spoken like a true founder. Thank you, Nir. So we’ve got a couple of minutes for the rapid fire round. Quick Yes or no, or short answers. So we’re gonna get started on that. All right. Best engineering mind in the industry in your opinion.
Nir: Machine learning.
Ankur: Okay. Yeah, they GPT three. Your favorite book, blog, pod, anything on security. If somebody wants to get into security, what’s like the thing that has made the most impact on you.
Nir: I haven’t read security books but I would go to the security cannon and look at the list of books there. There’s a really good list of books there.
Ankur: Okay. Do you expect more fragmentation or consolidation in the security industry over the next decade?
Nir: Both. Meaning, I think that we’re going to see more consolidation of the larger vendors but I think that the data economy is going to enable very small vendors, innovative vendors, two or three, very smart engineers in a garage to build a really meaningful solution.
Ankur: Very good. Are there any white spaces in security that nobody’s thinking about? Obviously, even if you knew one, you wouldn’t give them the idea but any big area nobody’s paying attention to?
Nir: Not that I know. Okay.
Ankur: Got it. Couple more flute or piano.
Nir: So I play the piano. I’ve been playing the piano for almost 40 years and I played the flute when I was in second and third grade. So I know a little bit of flute but I can certainly play the piano.
Ankur: And the last question, what advice would you give your 18 year old self?
Nir: I wouldn’t change anything. I wouldn’t change anything in my past. No, no advice just to keep doing the same thing you do.
Ankur: Pretty incredible. It’s been such a pleasure to speak to you. Like I said, you are a celebrity and just to have an opportunity to speak with you for an hour. It has been really informational for us and I’m sure for our listeners. We look forward to maybe having you a year from now or something like that when there’s a gen five of the firewall or the cloud security. We’d love to have you. Thank you so much