Barron's Streetwise - Cybersecurity Threats – and Profits – Are Ramping Up
Episode Date: March 18, 2022Palo Alto Networks CEO Nikesh Arora talks Russia, artificial intelligence, and why the network security industry is poised for consolidation. Learn more about your ad choices. Visit megaphone.fm/adch...oices
Transcript
Discussion (0)
Calling all sellers, Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
What has happened is the attack surface around the world
from a security lens has exponentially expanded.
And that has required every company to take a hard look
to see, am I protected in this current environment?
Hello and welcome to the Barron Streetwise podcast.
I'm Jack Howe.
The voice you just heard, that's Nikesh Arora.
He's the CEO of a cybersecurity company called Palo Alto Networks, whose shares have returned
more than 900% over the past decade.
Spending on cybersecurity has gotten a boost from a pandemic
shift to remote work and a rising fears of online attacks from state actors. In a moment, we'll learn
more about what's next for the industry from Nikesh and a top Wall Street analyst. listening in is our audio producer jackson hi jackson hi jack everyone enjoys a good
cyber security origin story am i right oh don't worry there's a key 1980s movie tie-in.
Is it War Games?
I mean, don't just guess the first one you think of.
It could be, you know, Weird Science.
It could be Splash.
It's definitely War Games.
I'm going to give you longer to think about it.
Cybersecurity was first conceived long before any of us had internet connections.
Consider the following quote.
Computer systems are now widely used in military and defense installations,
and deliberate attempts to penetrate such computer systems must be anticipated.
There can be no doubt that safeguards must be conceived
that will protect the information in such computer systems.
Now, that comes from a paper titled Security and Privacy in Computer Systems,
written in 1967 by Willis Ware,
head of the computer science department of a think tank called the RAND Corporation.
And it was written in response to a defense department project called ARPANET,
a precursor to today's Internet.
ARPANET was designed to share data across a network.
Willis Ware warned that computer networks would be vulnerable to break-ins,
and that warning was mostly ignored for 16 years.
What happened next was pieced together years ago by a New York Times reporter.
In 1980, two former college classmates were writing a movie about a computer whiz kid who
goes looking for games and unknowingly breaks into a computer at the North American Aerospace
Defense Command, or NORAD. Only, the writers weren't sure
if the plot was believable, so one of them called a think tank a few blocks from his home, called
the RAND Corporation, and RAND put him in touch with, you guessed it, Willis Ware, the author of
that 1960s paper, and he said, yes, it's theoretically possible to gain access to a NORAD computer
because workers there sometimes leave a port open to be able to work from home on the weekend.
So the writers wrote their script and the movie got made. And it was a critical and financial
success. War Games, which hit theaters in 1983, I knew it. Cost an estimated $12 million,
and it made about $80 million worldwide.
The lead role was played by a young Matthew Broderick,
and the computer did not sound anything like Siri.
Excellent. It's been a long time.
Can you explain the removal of your...
In the movie, a game labeled Global Thermonuclear War
quickly turns into a real Cold War crisis.
The movie made a big impression on one former actor
who saw it the day after it came out at Camp David,
America's president at the time, Ronald Reagan.
The following day, Reagan asked
his national security advisors if any of them had seen the film and none had, so he described it to
them. Some of them appeared to be holding back smiles. Reagan asked the top general if such a
thing was possible and the general said he'd check. A week later, he returned and reportedly said,
General said he'd check. A week later, he returned and reportedly said,
Mr. President, the problem is much worse than you think.
And that sent Reagan on a path toward issuing National Security Decision Directive No. 145,
calling for the government to better secure its networks and to encourage key businesses to do the same. And that was arguably the birth of the cybersecurity business.
This year, worldwide spending is expected to hit $172 billion, up from $155 billion last year.
I recently had a chance to speak with the CEO of one of America's largest
pure play cybersecurity companies. Hi, Nikash. Jack Howe from Barron's.
How are you? I'm good. How are you? That's Nikesh Arora. He was named CEO of Palo Alto Networks in
2018. At the time, he had plenty of experience in the business side of software from a senior
post at Google and in deal-making while at SoftBank. What he didn't have was much
cybersecurity experience. Here's how one analyst describes what happened next.
And everyone kind of initially wrote him off when he joined because they're like,
oh, this guy came from Google. What does he know about security? And he proved everyone wrong,
everyone. And I think Nikash doesn't care what people think about him or his strategy. He picks a lane. If you don't like it, you're out. And he's completely turned heads in the industry with his ability to execute.
That's Brent Thill, and he covers a long list of software companies for Jefferies.
We'll come back to him.
Shortly after Nikesh arrived at Palo Alto, he told investors what he saw when he looked
at the cybersecurity industry.
Too many software vendors offering too many separate tools, which required too much manual
work, at a time when threats were growing
more sophisticated. Palo Alto Networks was best known at the time for its advanced firewall,
a system that monitors and controls network traffic. Nikesh made a string of small and
mid-sized acquisitions and ramped up new product launches to extend the company's capabilities in two key areas.
The first is protecting applications that run in the cloud.
The second is automating the work done at company SOCs, or security operations centers,
by, for example, using data and artificial intelligence to manage an overwhelming number of daily alerts,
which can free up human analysts
to focus on the biggest threats. The result for Palo Alto Networks has been a long stretch of
winning new business and growing faster than the industry. Nikesh says the pandemic has expanded
what he calls the attack surface, assets attached to the internet. As you create more and more
connectivity as people work
from home, in our industry parlance, the attack surface expands exponentially because now instead
of attacking you in your office or in your branch or in your office campus, I can attack you anywhere
because your systems are interacting with somebody who's shopping while they're walking on the street
or your systems are interacting with somebody who's working from home, and you have no idea what kind of connectivity they're using.
In its most recent quarter, Palo Alto Networks grew revenues by 30%, which suggests that to
whatever extent it has gained business from the pandemic, business isn't slowing. Nikesh says,
one of the things that has helped the company win business is the ability to create parity
between workplaces and home offices to give both similar levels of security.
I asked him to describe the role of artificial intelligence in cybersecurity.
Fundamentally, artificial intelligence works when you have good data.
I collected a thousand CT scans, the thousand and first can be analyzed by a computer because it has the collective knowledge of what could have gone wrong in those thousand instances.
It has normalized data.
So our industry is no different.
If you have normalized data, we can look at behavior and say, this looks like abnormal
behavior.
Is this legit behavior or is this somebody trying to attack your infrastructure?
So by getting good normalized data across an enterprise, we can watch
for anomalous behavior and stop attacks which are midway. One example was there was a big SolarWinds
attack I'm sure you've heard about where we observed abnormal activity because we've been
analyzing the data and patterns around it. We saw the abnormal activity. We shut it down midstream.
Now, that's how cybersecurity needs to function. It needs to stop attacks while they're happening.
The SolarWinds attack was one of the biggest cybersecurity breaches ever. It was what's
called a supply chain attack, where hackers attack a network indirectly by going after a
third party that has access to the network. In this case, the third
party was a popular software tool made by a company called SolarWinds, and investigators
believed the hackers were working for the Russian intelligence service. Russia denied involvement.
Palo Alto networks detected the threat quickly, but not everyone did. Many companies, organizations,
and U.S. government departments
were affected, including the Department of Homeland Security and the Treasury.
SolarWinds was not nearly the first recent large-scale cyber attack on the U.S. believed
to be linked to the Russian government. There was a 2016 theft of campaign emails from the Democratic
National Committee and a 2018 attack on critical infrastructure, including the power grid.
At an investor meeting last September, Palo Alto Network said it had seen a doubling in
cyber incidents from nation states over the prior year, with more than 10 attacks per month.
I asked Nikesh what effect
Russia's invasion of Ukraine would have on cyber attacks. Jack, I've had the pleasure of being part
of Power of the Networks and cybersecurity for now three and a half or so years, and I will tell you,
I haven't been as concerned as I am now about potential cyber activity. My concern is we're
going to see a spate of attacks
which will be for vindictive reasons.
I think just this war has created the scenario
a lot of the Western companies are leaving the region.
They're all suspending economic activity.
And my fear is we're going to get to a point
where we're going to throw the Russian economy
into some sort of a tailspin
because of all the activities we're doing,
which is appropriate for what we're going through.
But I'm concerned that we have to go make sure we shore up our defenses because I expect
a spate of vindictive attacks which will follow.
Nikesh says that in just the past few weeks, he's seen companies that have voiced opinions
about the war in Ukraine targeted with significant DDoS, or distributed denial of service, attacks. Those attempt to
overwhelm networks with floods of traffic. Nikesh says attacks like that could expand,
and that nation-states have, quote, phenomenal capability. I asked about how individual companies
like Palo Alto Network can compete against the heft of state actors, and whether the U.S.
government lends resources. I think there is a formal and informal relationship, both with the
public-private partnerships that have been around for a while, and which have, under the current
administration, got a lot of focus and attention. So there is actually a functioning public-private
partnership where we share with each other the indications of compromise, the threat vectors. If we see something unnatural happening, we are all quick to share it
so that we can all deploy defenses against that capability. So we're well organized. We have each
other to go support. But I think you're right that the heft that's going to come at us if nation
states start getting involved in this activity is going to be something we're all going to have to contend with. I asked Nikesh to describe the damage a cyber attack could create, and he pointed to the
Colonial Pipeline ransomware attack last year. That was carried out by what are believed to be
Russian hackers, although not necessarily ones linked to the Russian government. A pipeline
operator was forced to shut down operations to contain the attack
and then pay a ransom of 75 bitcoins, or $4.4 million. The Justice Department later
announced that it had seized more than 63 of the bitcoins. Surplus oil supplies since then
have grown tighter. Nikesh says, imagine if a financial organization wasn't able to settle trades for
days. He says hackers can cause chaos in society, and they only have to be right once, whereas
security companies have to be right all the time. I asked Nikesh to describe his growth opportunity,
and he talked about how fragmented the business is today.
So it's one of the most fragmented industries in the world, especially in the tech space.
It doesn't make sense to me.
You would think that these are not used car dealerships.
You would think there would be a few big players.
So I sat down and I did the analysis, saying, what's going on?
Why is this the case?
Then you realize that the threat landscape changes every 24 months.
So a new flavor of the year or the decade is born, and a new cybersecurity comes, builds
a great product that stays in its swim lane and starts deploying that across the world.
So most companies have more cybersecurity vendors than they have IT vendors.
In the last three and a half years, we have bought 17 companies.
We figured out where the puck is going.
Now we're at a 4%, 4.5% market share in the industry from 2.5%.
And we're now a 4%, 4.5% market share in the industry from 2.5%, and we're now the largest
cybersecurity player. And I think there's room for somebody to become a 10% or 20% player in
the industry because you've got to give the customers the comfort that I will be there
as we innovate, as technology evolves, I will solve the problem. You don't have to go look
for the next startup to solve the problem. Thank you, Nikesh. Let's hear from a Wall Street software analyst about how software
stocks stack up after this year's sell-off and about the outlook for cybersecurity stocks in
particular. That's next after this quick break. With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%.
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31,, 2025. Visit td.com slash DI offer
to learn more. Welcome back. Jackson, how about a game? Does it involve 1980s movies? Only partially.
I'm looking at a list titled Top 10 Cybersecurity Films of All Time.
It was published last year by InfoSecurity Magazine, and War Games is number seven.
Name three of the others. Oh, gosh. My cybersecurity film knowledge is not great.
Would Her be one of them?
Her is not one of them.
Clock is ticking.
I think I can only think of movies that vaguely have computers in them.
I'm sure some of the Mission Impossible movies must have some sort of cyber element.
No Mission Impossible movies, I'm sorry.
James Bond?
No James Bond.
Iron Man?
No.
Are you waging a denial of service attack yourself right now sounds like it all right i'm throwing in the towel catch me if you
can the imitation game millennium trilogy i don't know what that is enemy of the state snowden
sneakers war games tron hackers and the net, Jackson, don't beat yourself up.
Half those movies came out before you were born.
I've only seen like three of them, and I'm super duper old.
In 1980s movies terms, I'm as old as Wilford Brimley when he shot Cocoon.
You can Google that later.
To learn more about the opportunity for investors in cybersecurity stocks and software more broadly,
I reached out to Brent Thill, who covers the group for Jefferies.
I asked what he's hearing lately on cybersecurity spending.
I think demand remains elevated. We're not seeing any deterioration.
And companies like Palo Alto on the network, CrowdStrike and SentinelOne
on the endpoint, SailPoint and Okta and Identity, you know, Varonis on the insider threat. There's
a number of companies that we follow and no one has said, yeah, things have dried up. You know,
we had COVID and we went hybrid and everyone's done with their security infrastructure. Like
no one is saying that. They're all saying demand remains elevated. Big deals are growing. Volume
of deals are growing. Palo Alto Networks is one of Brent's favorite cyber stocks. As he says,
there are a lot of tech companies growing at 20 percent to 30 percent a year, but there aren't a
lot doing that with 20 percent plus operating margins and good cash flow.
Brent also likes that Palo Alto's deal-making streak might be done for now. They have said
they're done with big M&A. They spent billions of dollars in the last handful of years acquiring
companies to build out their portfolio, and they were on public record and said, look,
we don't need to go buy a bunch because we have the technology we need. And investors love that
because they've got the products integrated. They've got an organic approach. They've got
great top and bottom line balance. And the stock's not expensive on a multiple basis relative to
those characteristics.
Not expensive, Brent says.
That's subjective, of course.
Palo Alto trades at more than 60 times forward earnings estimates.
For software companies, I think it's often more helpful to look at free cash flow rather than earnings.
That's because there's often a lag between when companies collect customer funds and when they book the revenues.
Palo Alto trades at 30 times forward free cash flow projections.
That's ambitious, but by no means extravagant for a fast-growing company.
The stock has returned 31% a year since Nikesh took over as CEO, a little bit more than double the yearly return for the S&P 500.
Finally, I asked Brent for the names of some of his other software favorites
and for his outlook on the industry in general.
Iron Source IS is the ticker, Vimeo, V-M-E-O, and small cap.
We like Procore and Midcap PCOR is the ticker.
They build software for the construction industry.
And then in large cap, you know, Adobe and Microsoft are just phenomenal stories that
will keep growing double digit.
You've seen a massive multiple correction across software.
And we're now back to historic averages.
We were more than double historic averages in November. We were at
18 times revenue for the software industry. We're now at eight times revenue, which is the historic
average, which is a very bullish sign that, you know, again, the big open question for software
is fundamentals are fine, Multiples massively corrected. They
obviously overshot in 2020 and 21, and now they're going to undershoot. The big billion-dollar
question is, are fundamentals going to continue to remain sound? We've seen no evidence yet that
the war, rising interest rates, inflation, that these have had a negative impact on demand.
The biggest concern right now is, are we going to see some fundamental correction?
We just haven't seen it yet.
It's not multiples anymore.
Multiples are back to historic average.
Thank you for listening.
Jackson Cantrell is our producer.
Subscribe to the podcast on Apple, Spotify, or wherever you listen to podcasts.
And if you listen on Apple, please write us a review.
If you want to find out about new stories, new podcast episodes, you can follow me on
Twitter.
That's at Jack Howe, H-O-U-G-H.
See you next week.