This Week in Startups - Palo Alto Networks CEO Nikesh Arora on cybersecurity in the age of AI | E1806
Episode Date: September 11, 2023This Week in Startups is brought to you by… OpenPhone. Create business phone numbers for you and your team that work through an app on your smartphone or desktop. TWiST listeners can get an extra 20...% off any plan for your first 6 months at openphone.com/twist. Embroker. The Embroker Startup Insurance Program helps startups secure the most important types of insurance at a lower cost and with less hassle. Save up to 20% off of traditional insurance today at Embroker.com/twist. While you’re there, get an extra 10% off using offer code TWIST. LinkSquares. Life for in-house legal just got a whole lot easier. From contract creation to execution and more, LinkSquares is the go-to for all your legal needs. Learn more at linksquares.com/twist. * Today’s show: Palo Alto Networks CEO Nikesh Arora joins Jason to discuss his time as head of Google Europe (2:26), strategies learned from Larry Page (15:23), precision AI’s role in cybersecurity (43:14), and much more! * Time stamps: (0:00) Palo Alto Networks CEO Nikesh Arora joins Jason (2:26) Becoming head of Google Europe and meeting Eric Schmidt, Larry Page and Sergey Brin (10:15) OpenPhone - Get 20% off your first six months at https://openphone.com/twist (11:46) Maintaining Google’s culture in Europe and the hiring process (15:23) Applying strategies learned from Larry Page to Palo Alto Networks (17:59) Sub-categories of EQ manifested in the workplace (22:12) Embroker - Use code TWIST to get an extra 10% off insurance at https://Embroker.com/twist (23:41) What led Nikesh to be CEO of one of the top Cybersecurity firms (30:24) Cybersecurity against artificial intelligence (35:31) The SEC’s mandate on breach reporting (38:35) LinkSquares - The go-to for all your legal needs, learn more at https://linksquares.com/twist (39:51) The SEC’s mandate on breach reporting continued (45:54) Gains from AI and what it means for organizations (43:14) Precision AI’s role in security (53:14) The future of AI technology and the battle of the chatbots (57:41) Nikesh’s time at SoftBank working directly with Masayoshi Son * FOLLOW Nikesh: https://twitter.com/nikesharora * Read LAUNCH Fund 4 Deal Memo: https://www.launch.co/four Apply for Funding: https://www.launch.co/apply Buy ANGEL: https://www.angelthebook.com Great recent interviews: Steve Huffman, Brian Chesky, Aaron Levie, Sophia Amoruso, Reid Hoffman, Frank Slootman, Billy McFarland, PrayingForExits, Jenny Lefcourt Check out Jason’s suite of newsletters: https://substack.com/@calacanis * Follow Jason: Twitter: https://twitter.com/jason Instagram: https://www.instagram.com/jason LinkedIn: https://www.linkedin.com/in/jasoncalacanis * Follow TWiST: Substack: https://twistartups.substack.com Twitter: https://twitter.com/TWiStartups YouTube: https://www.youtube.com/thisweekin * Subscribe to the Founder University Podcast: https://www.founder.university/podcast
Transcript
Discussion (0)
I came to California and Eric and I went for a walk around the Mountain View campus.
And he spent an hour walking around.
He said, you have 10 more interviews after this.
And he says, well, I really like you.
But, you know, this is a job which requires you to sell advertising in Europe.
And you've never sold advertising before.
I'm like, so should that, does that mean?
I should just pack my suitcase and go back or take my bag and go back to London because
this is not my job for me.
And he's like, yeah.
And he was very, very sort of thoughtful.
He said, listen, the business model of Google is going to.
evolve multiple times in the future. So I'm not sure we need to go find ourselves the best ad sales
executive. We need to find ourselves a good executive who can roll with the punches and adapt.
This weekend startups is brought to you by OpenFone brings your team's business calls, texts,
and contacts into one delightful app that works anywhere. Get 20% off your first six months
at openphone.com slash twist. In Broker's startup insurance program helps start a
up secure the most important types of insurance at a lower cost and with less hassle.
Save up to 20% off of traditional insurance today atmbroker.com slash twist.
While you're there, get an extra 10% off using offer code twist.
And link squares.
Life for in-house legal just got a whole lot easier.
From contract creation to execution and more, link squares is the go-to for all your legal
needs. Learn more at link squares.com slash twist. All right, everybody, welcome back to this weekend
startups. It's all-star summer. We're getting all the amazing entrepreneurs, CEOs, investors in the
industry because it's the summer. They got a little bit of time. I might be able to get them on the
schedule and then you get the benefit today. No different. I'm super excited to have Nikesh
Aurora on the program. It's the CEO of Palo Alto Networks, but before that, you know him because he
was the president of SoftBank and was going to be the heir apparent to Masayoshi Sam will get into that.
And before that, he was one of the earliest Google executives and was part of that early Google cadre that included Cheryl Sandberg and Tim Armstrong and Marissa and just all those incredible executives who went on to do great things.
So, Akash, welcome to the program.
Thank you, Jason.
Thank you for having me.
Yeah, yeah.
So I wanted to start with, you know, Google because what an amazing time to go to Google.
And how did you wind up getting the job at Google?
How did you become aware of Google?
I know you immigrated to the United States.
We had talked about that at some point and you came here with nothing.
So I'm kind of curious how you got here with nothing and then wound up at Google.
It feels like the American dream.
Yeah, there was a bunch of things.
just stops before that, Jason.
So I actually went to school in Boston,
went to business school,
did a little bit of the
by-side investment thing,
which didn't quite work out for me.
Well, I liked, I did fine.
I just didn't want to sit in a room.
When you say you went to school in Boston,
that means you went to Harvard, yeah?
No, I went to Northeastern.
Oh, okay.
See, usually people who go to Harvard
and were like, I don't want to say
it went to Harvard because people are going to just hate me.
Well, I can't say I went to Harvard
because I didn't go there.
Yeah, exactly.
I did go to school in Boston,
I went to Northeastern,
I'm in to Boston College.
But you immigrated, yeah.
Yes, I did.
And I worked at Fidelity
and I worked at Putnam
and then I decided to move
to London slash Germany
and I worked at T-Mobile
at that point in time.
What time is this?
This is 1999 to 2004.
This is when
T-Mobile bought T-Mobile USA.
It used to be called VoiceStream.
Yeah.
I was part of the team at T-Mobile.
We did that.
And this is right as the dot-com
market fell apart.
So you got to witness that.
And then the down market of those 2002 to 2006.
I wrote a sell note in 1999, which I still have, which I said, I cannot understand how
the value stocks anymore.
It's November 99.
And I sold everything and I quit my job as a by side analyst.
Did you do the same thing in 2021 by chance?
I wasn't an investor in 2021.
You weren't an investor.
A lot of, yes.
So that takes a lot of courage and fortitude to be in the middle of a roaring party and saying,
you know what, this party's not sustainable.
It makes no sense.
The cops are going to be here any minute and they're going to bust this party and it's going to be over and the lights are coming on.
What gave you the fortitude to kind of write the memo?
I'm curious.
It must have been unpopular at the time.
In hindsight, it's wonderful.
I was just enjoying the party.
I had a good buzz going and I said, I've had enough.
let me go out and go home.
I didn't see the cops getting there.
So now it looks like I was so smart.
The cough showed up right after I left.
This is a key thing.
I have this discussion with my wife all the time.
I'm like, you know, it would be a great time to leave this party right now?
And she's like, this party's amazing.
I'm like, exactly.
That's right.
This is the peak.
And knowing the peak of the party and when it might be a good time to get some rest,
to get some sleep before it kind of gets dark is a key part of doing this.
So I was there.
Yes. And then I was at T-Mobile in Germany, and I did that for four or five years, and I was
34 years old, and I had this moment where I said, wait. So I'm flying every week from London to
Germany. I'm working with people who are 10 to 15 years and average older than me. I'm doing
marketing in Germany, there's got to be something else I should be doing. So I decided to leave
that job, and I was having lunch with a friend of mine who says, listen, this headhunter called
me about this tech company from the U.S. was looking for somebody to run Europe. My job's
big, maybe you might be something, this might be something you were interested in.
Yeah.
So, I'm like, and that company was, of course, Google.
And I said, okay, I'll take a phone call or I'll take an interview and I did that.
And it was October 2004, right about in Google and public.
They had not hired a single senior person ever from the outside.
All the 12 vice presidents were internally promoted.
And I think,
Larry and Sergey were probably on their second trip to Europe ever in the history of Google.
They happened to be passing through London.
So, and one thing led to another, I ended up getting an interview with Sergey walking through the British Museum.
Wow.
Then we walked around.
What was that like?
What was Sergey like at that time in 2004?
I mean, it just gone public.
No different than he is today.
It's bubbly, curious, running around.
Larry was busy touring the museum.
with his part of his family
and Sergey was the chosen one to make
to the interview and we walked around
we talked about, we walked into the
Rosetta Stone and
and I just spent five minutes
in a museum shop before that. I'm not a museum
gore but lo and behold, they have too many
Rosetta Stones there so I'd read a little bit
about it so I started telling about it. He said, oh,
what do you think about translation? Do you think
Google translation translates is going to work?
So you're talking about that and that led
to me coming to Mountain you, spending
two days there and long story short I ended up as head of Google Europe.
What was this pitch to you as to the ambition of Google and where it was going?
Because it obviously has become a much bigger enterprise than the enterprise that you joined 19 years ago.
So what was his pitch to you of what they were going to do?
I think his very simplistic pitch.
He just basically said, listen, the world is getting more, more connected.
There's more information around us.
It's going to be hard to parse through it without any sort of something helping you out.
And the thing that's going to help you out is Google.
And you didn't have to be a genius to figure out that even in that short period of time, what is it like?
4 million people are connected to the internet in 1998 and 2004, probably tens of millions.
It wasn't hard to believe that over time, and this number could keep rising.
None of us was smart enough to say that three and a half billion people will be connected,
but it's going to be more than that.
And don't forget, I was out of a job.
Right.
And you were a marketing executive, and they had a very unique idea around advertising and connecting marketers with customers.
So what was your first gig there?
Was it working with the ad networks?
So, you know, I came to California, and Eric and I went for a walk around the Montgomery campus.
And we spent an hour walking around.
He said, you have 10 more interviews after this.
And he says, well, I'd really like you.
But, you know, this is a job which requires you to sell advertising in Europe.
and you've never sold advertising before.
I'm like, so should that, does that mean?
I should just pack my suitcase and go back
or take my bag and go back to London
because this is not my job for me.
He's like, yeah.
He was very, very sort of thoughtful.
He said, listen, the business model of Google
is going to evolve multiple times in the future.
So I'm not sure we need to go find ourselves
the best ad sales executive.
We need to find ourselves a good executive
who can roll of the punches and adapt.
Awesome.
Very insightful by Eric.
Eric's very infleateful for the most part.
Strategic, yeah.
And then I ended up, my first gig was to run Europe.
And yes, it was primarily selling ads, but we had like nine offices and one real office, eight Regis offices.
And in five years, I opened 26 physical locations for Google.
We hired 4,000 people.
And we went from, I think, 800 million in revenue, four billion.
wild what a run
yeah and
you see your joke he's saying
regis office you mean like the pre we work
they had regis office shares which where you could rent
an office with a lock on the door
with old corporate furniture in it
like really the most dismal offices
you could ever be in
a serviced office which traded at
140th evaluation of
possibly we work yes
are you still using your personal phone number
for your startup it's 2023
it's time to stop it is a huge
mistake that founders make. Why? You're just getting started with your company, and you don't think
about phone numbers as being an important part of the IP collection of your startup. With open phone,
you can totally solve this problem. They've rethought everything about a modern business phone
and how it should work. It's super easy. You just download the app on your phone or your desktop,
and you pick a number, and you're done. And you do it for just such a low price. It's so affordable.
And think about it. If you have your sales team using their personal phone
numbers, a salesperson leaves and goes to a competitor, you don't have any insight into what phone
calls occurred, what people's phone numbers are. That's your company's database. And if you allow the sales
team to run them up or the customer support team, it's just unprofessional. Be professional.
Use open phone. And we use it for things like event communication. So we get one phone number,
but it can go to multiple people, like around Robin. Then we have a shared phone number.
do that for customer support.
And Open Phone is rated number one.
On G2 for customer satisfaction.
And I trust G2's ratings.
Open phone, it's ready, it's affordable.
Starts at just 13 bucks a month.
Twist listeners can get 20% off any plan
for the first six months at openphone.com slash twist.
And if you have existing numbers with another service,
no problem, easy, peasy lemon, squeeze, open phone,
we'll port them over at no cost.
Head to openphone.com.
Switch to start your free trial and get 20% off.
You were responsible in some ways for maintaining Google's very unique culture in Europe,
or did they say create another culture?
Because this idea of like hiring really smart people, letting them loose, and, you know, interviewing 10, 20 people.
I mean, it's a very unique culture, especially coming out of corporate German culture that you were in.
So maybe you can contrast the cultures.
Well, I don't know if I fully got into the corporate German culture at all, but I'd say it was definitely.
unique even for a Western culture for somebody to interview, you know, tens of people
for one job.
And then eventually, you had to wait with bated breath for about a week because all these
packages went to Larry and Larry would read through them.
I think I'm pretty sure I moved to the U.S. in 2009.
I know in 2008, I went petitioned Larry and said, Larry, I've been keeping track of all the
recommendations we send you to people to hire and the ones you reject.
And I have a 90 plus percent correlation with the ones you're going to reject.
so can I please have authority to move and hire them?
And he let me have the authority to hire people.
With the caveat that he would have the right to reject an employee,
even if I hired hired him or her, if he chose to do so.
He never exercised that, but there was always that hanging over one's head saying Larry could decide,
he doesn't like this person and that didn't follow his hiring process.
But I think that I honestly think that that was one of the amazing things that,
one of the many amazing things that Google did, is to maintain this constant
debate and dialogue and making sure we're hiring good people.
You deconstructed his algorithm and you got to 90% correlation.
What was his algorithm?
What did you figure out he was doing?
Was it as simple as just hiring very smart people?
Was he hiring people with chips on their shoulder?
Was hiring smart people with chips on their shoulder?
What was he looking for?
I think he had the point of view that, listen, there's lots of people we could be hiring.
A lot of people want to work at Google.
He just has to make sure that we don't end up hiring false positives.
What did it mean?
Well, you know, you want to make sure that there's a set of people who've looked at it from every angle.
Like, you know, there were simple things like you just can't say this person is smart.
He'd say, okay, tell me the three questions you asked them.
And what is their answers to tell me that they were smart?
So it took away all the biases.
It took away friends, you know, people you know from a different job area of perception.
They're really good there.
We can hire them here.
He'd say, write down everything you talk to them about within reason.
And that way I can make my own judgment, whether this person qualifies.
it doesn't qualify.
So it just took out,
take out a lot of the reasons why people sometimes make mistakes and hiring.
And Larry always held the view,
which I fully subscribe to that.
If you get a bad leader,
it can have a multiplicative negative impact to the rest of your organization.
So you're going to be very careful when you hire up senior people
because they can,
they can drag a whole team down.
Yes.
Because of their position in the company,
they're going to have an outsized impact.
And so false positive being,
hey, this person interviewed really well.
They seem smart.
They seem like a leader.
They seem like somebody who could, you know,
motivate people to do great work here or draw in other talent.
But it was a show.
It was performative maybe.
Or somebody maybe hired them because they're friends and they went to college together.
But also, he also was more to make sure that we didn't get under the pressure that we have to fill this job quickly.
And you end up hiring somebody who's 70% of what you need.
But now you're there.
They're there for the next two, three years.
And now they're performing it 70%.
and now you've basically taken what could have been a great performance of part of the organization
and impacted it because you were rushing to solve a short-term problem.
So how many people work at Palo Alto networks?
About 14,000.
Okay.
So now you've got 14,000 people of Palo Alto networks.
Yes.
And what did you take from Larry's algorithm and then what's in your algorithm, Nikash?
You must have evolved it and you must have a way of which you like to run a company.
And also we'll get into like inheriting people because that's also challenging, I assume.
Yeah, so look, we did inherit, I did inherit 5,000 people and some of them have moved on because we've been transforming the company.
We have hired possibly north of 14,000 people in the last five years.
I think the part which you take from Larry is, yes, you know, you have to have a series of filters about good people.
You have to make sure there's an organizational conversation about hiring those people.
It just can't be.
Four people interviewed them for half an hour each.
with two hours of data,
of which probably half of that was spent in pleasantries,
you've decided that you're going to spend
hundreds of thousand dollars, if not more,
to have somebody do that role.
So I think there needs to be that process,
that conversation,
and a series of checks.
I think the only adaptation one has had to do is that
it's both the IQ and the EQ.
Okay.
And I'd say the Google bias might have been more an IQ bias
because of the strong engineering culture
and the fact you have to create products.
and in a way,
ad sales was more evangelical,
like you were going to tell people
because it's quite funny
to joke about this.
Like, when you go to sell ads at Google,
well, actually, what do you sell?
So, well, how many can I buy?
Well, I don't know.
Depends on how many people are going to search today.
What's the price?
Well, I don't know.
It depends on what other people
are bidding for it.
Other than that, yes,
I'd like you to buy some ads.
It's great.
So do I give you a blank piece of paper
saying, buy me ads?
You can set a price.
You can say, I won't pay more than a dollar a click.
Yeah.
So it was kind of here,
here we sell to our customers.
We have to make sure the people we hire have relationships,
have the ability to sell,
have competence and domain knowledge-specific sort of knowledge.
So we adapted the Google algorithm,
but I'd still say that the guts are still significantly influenced
by how we did things at Google.
And if you're selling something brand new
and all sales has a trust component to it,
unless you're selling widgets,
even then, you know, people have to get their widgets on time and they have to be a certain quality.
So there's such a big trust component.
You need the most trust in widget.
You need the most trust in widget because there's no differentiation.
Yeah.
They're going to come on time and they're not going to be Fugazi.
But when you're selling something that nobody even understands, like, yeah, it's like really take a leap of faith.
So talk a little bit more about the EQ piece and why that's important to you and your algorithm.
And how do you quantify EQ?
and what are the subcategories of EQ that you see manifested in an actual work environment?
Well, like, out of the 14,000 people we have here, I think 5,000 to 6,000 are in direct customer-facing roles, right?
You're constantly dealing with customers who are sort of CIOs, CISO, chief security officers,
or who are working in the technical parts of our customer organization.
So, you know, somebody has to come across as empathetic, as somebody who understands a problem,
they have to be trustworthy, like you said.
There's a significant competitive trust.
We're in the security business.
Customers have to believe we solve their problem.
They have to believe our products are going to work.
And most importantly, the customer has to believe when the shit hits the fan will be there for
them.
Because for the most part, our products are working, you're fine, you're not in a breach,
you're not in a situation where you've been attacked.
The moment something bad happens, they want you there yesterday.
They want you there to help solve the problem standing next to them.
They want to make sure it wasn't your product that caused the problem.
So from that perspective, all those things are as important as the technical competence when you're selling the product to them, right?
You have to be there for them, trustworthy, consistent, available, all these things become important.
And part of that shows in your personality, part of that shows in your track record.
Have you been doing this for a while?
You've been doing it for the right companies.
And it's pretty easy to unearth with a few reference phone calls.
Ah, yeah, if you're talking to the people who've worked with them before.
And that, especially, I just never thought about it in terms of security, which is a business you're in.
things are just steady state, everything's working fine, the attack happens, it's very scary,
and now you find out about loyalty, reliability, you know, is this a stand-up person who's going to
fight with you to solve this problem?
I think it doesn't stop at the person, right?
It goes all the way to the organization.
So, for example, you know, we have a very simple set of policies.
If you have a problem, we will open up the floodgates, we will turn on all your licenses,
we will turn on products that to protect you that you even possibly haven't paid for.
we will send people there without saying sign this order and we'll say just sign this NDA so we're not in contravention but we're not going to come and say you got to buy this will return on.
We will throw everything in the kitchen sink at trying to protect you at that point in time because we want to be there for the customer, especially in their time of need.
Oh, so that speaks volumes.
You're not like the sharp elbowed.
Hey, you don't pay for that product.
We told you to buy it.
You didn't buy it.
Now you're suffering.
Now you need to turn it on.
We'll send you a purchase order.
It's, hey, we're going to just, we're going to help you get out of the situation.
And then afterwards, we can have a debrief.
And if any of these products help, you should use them.
Well, Jason, we've got a customer.
We closed it to you recently.
They had it running for four months.
We spent four months getting them back up and running until they were up and running and
secure.
And half of them were not even our products, right?
We're supporting them with other people's products.
It took us three to four months to get them up and running.
Then we had a conversation about, you know, do you want us to leave this stuff there?
and have it running and configure it for you.
And of course, they want you to.
But we don't show up the first day and say sign disorder or we don't say, you know,
we want to get them back and healthy first.
So in terms of responsibility, which is a lot of what IT is about,
I'm security is about who's responsible, who do you get to blame?
You just take the approach.
It's, you know, we're responsible no matter what the situation is.
We're just going to come in there and do as much good as possible.
I don't even know that reputation.
I don't even know if it boils down to responsibility, right?
As you can imagine, if you're thinking about a, you know, as uncool it may sound or cool it may sound,
in a cybersecurity situation, this thing can happen for a variety of reasons.
It could be somebody's credential was stolen, somebody logged in as you, somebody hacked your password.
So it could be a simple thing, social engineering that causes your credentials to be lost.
But then once you're inside, you start moving around and collecting data, extracting data,
you know, locking down desktops and creating ransomware events.
So that's not the time to figure out who to blame.
That's the time to figure out how you go sort of throw a blanket over and protect the customer.
And we'll figure out and analyze it afterward.
All right, listen, we work with super early stage companies at my investment firm.
It's called launch.
I'm talking pre-series A, right?
We're talking seed stage, friends and family.
And you know what?
At that stage, maybe they don't have insurance yet.
In fact, just recently, we have an amazing startup.
They didn't have D&O insurance.
if you don't know what D and O means that basically protects your directors and officers, directors,
board of directors, officers, the people who run the company, your management team.
So what do we do?
We send them right over to Embroker.
Inbroker is business insurance built specifically for startups.
Inbroker's single application helps startups get four quotes for four lines of coverage in 15 minutes.
They connect you with one of their expert brokers for unmatched service, and that goes beyond your policy.
We use this at all of our companies.
It's easy, peasy, lemon squeezy.
And if you're not getting insurance, you know, at some point you're going to have to get it.
So let's make that point today.
Right now, this weekend, tonight, just go to Embroker today with the code Twist.
And you'll get 10% off their startup package.
How do you get the startup package inbroker.com slash twist?
That's E-M-B-R-O-K-E-R.com slash twist.
Make sure you use that code twist for 10% off.
That also more importantly than getting the 10% off.
that shows them that you're listening to this week in startups.
So we love in Broker.
They've been amazing in terms of supporting our founders for years.
And of course, this very podcast.
Great job in Broker.
How does one not coming from a security background wind up being the CEO of one of the most,
if not the most important cybersecurity company in the world?
How?
I mean, I'm sure you must have gotten this.
Like, hey, what are your bona fides here?
like, have you worked in security
for us? No, I did add
sense and I worked on Google and then I
worked with Masayoshi San investing and
now we want you to run a security thing. How did
they recruit you
for a job that you didn't
come from a security background?
And versus also having somebody
come up the ranks there in hiring, like
Google did, you know, everybody who was in senior positions
like you said, they typically moved
up the ranks. How did you get the gig?
You know, it's funny, I got a phone call
from a headowner saying, listen,
a lot of networks
would love to talk to you about possibly joining the board
or maybe something else.
So I show up and I talk to the board
and we spend some time. Again,
one more time, I'm not working. I'm hanging
out at home.
This is Post SoftBank. And
we end up having the conversation
and they end up saying, we'd like you to consider
becoming the CEO. And I'm like, listen, I don't understand
cyber security.
My only perception of security is like, you know,
consumer security.
or like antivirus my laptop.
I don't understand how cybersecurity works.
I said, don't worry, you've got 5,000 people who understand cybersecurity.
We need somebody to come help, put this together, and run the company.
Now, that could have been interesting, and I think this is a good conversation for the board
because they went and did this.
I can only imagine in hindsight, you know, if it had all gone wrong, the board should have
been in so much trouble saying, wait, you hired a guy who didn't understand cybersecurity.
He'd never been a public company CEO.
He'd never done enterprise sales before.
I mean, honestly, how desperate were you?
for options that you had to go find this guy.
And I was joking when I took the job.
I still remember my first meeting with a CEO of a very large tech company now.
He used to be a CEO, a different company, not hard to figure out.
I would have to see him like two weeks in a job.
Like he sits to me down and says, okay, so tell me, why do they hire you to be the CEO of Politel Networks?
Like, I had an interview after getting my job with a customer.
He's like, I don't get it.
Yeah.
Why do you have this job?
Explain to me why you.
Yes.
And what was your answer?
What is it that you know and that that board knew that would lead to you having an amazing run so far at this company without having the cyber security background?
I guess the conversation which I had with the board, Jason, at that point in time, where I said, listen, I'm not a cybersecurity guy, but I am a technology guy.
I do have an electrical engineering degree.
I can understand how this stuff works.
But more interestingly, I am a business person.
I said, if you think about the technology industry, which is about a $3 trillion,
industry here, give or take.
And cybersecurity is about $200 billion of that, give or take.
It is the most fragmented industry in technology.
The largest player had 1.5% market share at that point in time.
So the opposite of smartphones, the opposite of Google ads versus Facebook ads.
The opposite of CRM, the opposite of HR systems, the opposite of you pick your enterprise
platform.
No duopoly.
Nothing.
Nothing.
Yeah.
It's 100 opally, right?
So crazy if that is the word.
And I sat there and said,
this has to be something structural in it.
What is the structural problems this industry has?
Where every company taps out at 1, 1, 1.5% market share.
And I said, the problem is that every cybersecurity
companies that comes out, they get there because they
innovated versus legacy, and they stay there
because they stop innovating.
They find some really cool trick.
They go figure out how to go sell it to tens of thousands
of customers.
And here's the funny part.
The moment you solve the last problem, the bad guys are moved on to the next one.
So it's the most innovative adversary in the world.
They're always looking for the way to come after you while you've stopped innovating
because you're busy selling what you had.
In a way, it's all tactics, right?
Like it's a tactical warfare.
Countermeasures, new ideas, and it never ends.
So then what was your approach to get out of tactics and build a platform to have a strategy
here that was more long-term relationship building?
How did you conceive of changing the business?
So what I sat down and said,
listen, I cannot undo,
so I went and talked to 75 different CIOs
and discovered that everybody had 30 or 40
cybersecurity vendors in their infrastructure
and they didn't feel any much more secure.
And the bad guys were getting to it faster and faster.
So I sat down with the founder and the chief product officer
and I spent about two hours a day with them for the first year,
one hour in the morning, hour in the evening,
and I just bang at them
with all these things I'd learned and ideas.
And I'd say, listen, if you think about this,
we can't undo what's broken.
What are the big technology trends of the future?
How are they going to impact security?
So our plastics moment was cloud.
So I said, I spent 10 years at Google.
I used to sell Google Cloud.
This cloud thing is going to change everything.
Sure.
And so we sat down and mapped out.
What does it do?
Well, it fundamentally changes networks
because people have to be able to access it
from wherever they are,
and then the pandemic helped that.
It fundamentally changes how you do application development,
because now you're writing code
using open source widgets
and putting it on GCP or AWS or Azure
out there or whatever else you want to choose from.
And the second moment was because, again,
because having spent the time at Google
and Google was chomping at the bit about AI even then
in 2014 when I left.
So I said, if cloud and AI are the two biggest trends,
how does it change security?
So in five years,
we said first, you said, second,
we used to spend 12% of our revenue
you and R&D.
I said, that's not enough.
That's the amount of money that you spend if you're sort of milking your last cash cow.
So we bought 17 companies all in cloud security and AI in the last five years.
We focused our business on the future.
We now play in three out of the four biggest swim lanes in cybersecurity.
We have 19 products that are in an enterprise.
There's a thing called a magic quadrant where you have to be, you know, people buy you
if you're good.
We're the third company in tech ever after IBM and Microsoft,
we have been in so many magic coordinates ever.
So we turned the whole company around into what I call a cybersecurity innovation engine,
and we've convinced our customers are going to be evergreen.
And then we did that by effectively building three cybersecurity platforms,
which are sort of in the early stages.
And I think our best one is still ahead of us because we're able to build an AI-based
cybersecurity platform, which suddenly with all the conversation around generative AI and AI,
has suddenly become center stage for us.
So I'm giving you the clip notes version of this.
No, no, I mean, I totally get it.
And there's so many jumping off points here.
I want to just, I want to get to be a IPs because that's fascinating to me.
We had a really interesting conversation a year ago when, you know,
chat JPT came out on All In.
We were just kind of talking about what are the possibilities here?
And I was like, you know, this is completely dangerous because you could fire up
fishing attacks and just have an agent running incessantly trying different things.
and iterating on them,
and it can go at a speed that, you know,
right now is throttled by human ingenuity.
Is that actually happening in the field right now?
You're 100% right.
Now, the slight saving grace right now, Jason,
and I don't think it's for long,
is you can have an agent running incessantly,
and the only difference is right now,
the agent doesn't know why it got blocked.
Right?
Now, what we have done in our, quote, unquote, lab,
We actually tell the agent this is how we blocked you.
So we've got agents that have broken through our defenses after 30 plus tries.
Because we keep telling it how it got blocked.
So it's got a reinforcement learning.
Oh, wow.
Are you doing that in the lab right now?
So you're training it how to be the greatest black hat so that you can now be two steps ahead of the hackers using this.
So we're giving them the counter measures in addition to the measures they're trying.
Yes.
So what we do is we do this.
We're training it now, and we've been able to jailbreak most of these public models out there.
It's not hard to get around their guardrails in terms of getting them to generate malware.
Fascinating.
Well, think about it, there's 1,000 plus models out there in open source, right?
So you can get Google to be responsible.
You can get Open AI to be responsible, long out of be responsible.
How are you going to take care of the long tail?
How are you sure that any of that long tail model that's going to sit on an NVIDIA box somewhere
running in some
basement is going to have the guardrails
you want it to. So we've been able to jailbreak them,
we've been able to get them to write malware
or write attack vectors, which
then we run against our own products in the lab
and we keep telling them how we block it.
So we see how many tries it takes eventually gets through.
Then we build antidotes to those and then we put them in our products.
Fantastic.
So it's no longer reacting to what happens
that customer A to protect the next 99 customers.
this is, you know, you've got patient zero here.
Yes.
And you are doing experiments on them and you're seeing if they're inoculated or not.
And it's all happening in a virtual environment.
So there's, you know, no harm is coming to it.
Yeah, but I think we're going to have to work hard with the industry to do that in a grand scale.
Because, you know, we're not, I've not held the belief that Baloato is going to solve every problem.
The good news is we are aligned with everybody in the cybersecurity space.
We're all trying to make sure the bad actors don't get ahead of us.
So I have no problem taking these.
malware antidotes and sharing them in the industry.
I want to make sure that every product inoculates against them, not just mine.
Right.
Why?
Why would you take that approach?
I mean, why not give it only to your customers and let them benefit from it?
So you get the revenues and then you can reinvest it and secure your customers.
Why are you giving them out to other competitors?
Well, look, I have other ways of creating a moat and other ways of creating economic advantage.
What I don't want to do is to hold the cure as ransom, no pun,
intended for the rest of the world have to buy my products.
Right.
You could take another approach like licensing it or, you know.
Yeah, but I also want the benefit of their research and intelligence, right?
I don't believe this is a singular problem.
I want to make sure that Microsoft does it or CrowdStrike does it or Google does it that we all share in this common goal.
Is it collaborative?
Did you find it was collaborative when people find exploits solve for them?
Do they quickly tell their cohorts and their compatriots, hey,
you know, we figured this out, there's an attack vector,
or do people kind of hold it slow, you know,
when people go for the check and they slowly go get their wallet?
Do they kind of slow roll it before they tell you
so they can get the max advantage of having it?
Well, there's two different scenarios, right?
Jason, one scenario is that I've discovered a vulnerability
in somebody's product, right?
Or my own product.
Now, of course, there is a bilateral connoisseational
we tell them, listen, we found this,
you want to fix it before we tell the world, right?
Because you really don't want to, you know.
You have to, right?
And that's what happens in most, even public-private partnerships.
There are certain nation-states that won't tell you, because for them, that is a future
exploitable opportunity.
But in most cases, let's just say 99% of the case, that communication happens with some
nuance, but people tell each other.
I think the other scenario is that there is a certain attack factor.
Somebody's figured out how to break into something.
I think it's fair to say there's probably 10 or 15 high-quality research labs around the
world, which are both private and public.
and there is a very strong collaboration
something called the cyber threat lines
where people go and provide their solutions
to everyone as quickly as they can
because if there's an attack vector out there,
you want to make sure that everybody's products
are inoculated against that attack vector.
How much of the impact?
Yeah.
Well, no, I get the alignment piece.
Yeah.
And so how much impact has the SECs,
you know, now kind of coming down on companies
and saying, listen, they're kind of intervening, right?
They gave a mandate.
You have to, like, report this stuff,
and there's consequences I know from some of the companies I've invested in,
there were people who didn't report,
there were CSOs who didn't report things,
maybe they had egg on their face,
they slow rolled it,
they tried to solve it before it came out.
And now it seems like we got a lot of three-letter agencies
who are now monitoring this.
So what is the state of our government intervening,
whether it's the SEC or others,
and saying,
when you have an exploit,
we need to know about it.
Because the incentive as a CSO
or the person on the security team
who messed up,
if they in fact screwed up,
if they have to go report it, self-report it,
they lose their job or they could get fired.
I mean, it's just, yeah.
So like, like, I think,
let me, let me give you a little bit background on this.
I think I still believe security is still broken, right?
So what happens is in 30 or 40% of the case,
I know a bad thing, I stop it.
If I'm in your enterprise infrastructure,
I see a bad URL you're clicking on,
I see malware.
I know it's bad.
I stop it.
But I don't know,
it's bad, I just find it suspicious.
What I do is I give you the tools to save,
and if it's suspicious, I'll send you an alert.
Now, the problem is, I got organizations
with 70, 80,000 alerts a week.
They don't know what to do with them.
That's the current state of affairs
as most organizations get between 30 to 80,000,
even 100,000 alerts from security events
across their infrastructure, which is like just noise.
And that's a function of the fact that the attackers
can do very large-scale attacks
from banks of computers,
or there's just a large number
of them.
No, it's just a function of, let's just say that, you know, an organization in
the Apollo says, listen, downloading one gigabyte of data is bad from our network.
But don't stop that download because it could be legit.
Just send me an alert.
I got it.
So the rules.
The rule.
So it's 80,000 alerts flipping around.
And I don't know if it was right or wrong.
Somebody has to investigate it.
That was cool 20 years ago when you had 20 of these.
Now you got 80,000.
So, and the reason I bring that up is what we've done is we basically said, we're going
to watch every bit floating through your day.
infrastructure, and we'll tell you if it's good or bad.
So we collect 75 terabytes
to data a day at a day at Palo Alto.
We analyze that, we take those 80,000 alerts, make them
200 events if they're real.
So we basically flipped it to an AI problem.
The reason I say that is,
I sorry, sorry we gave me a longer answer, but
in the industry, there's something called
mean time to remediate. How long does it take
you to fix a security event?
How long does that take on average?
The average United States is four to six
days. Four to six days?
Yes. The mean time to Xfilms.
trade data today is 11 hours.
The hackers come in and steal it.
Too late.
That's like me reporting my house got robbed like a week later.
In San Francisco, they won't care.
They won't care anyway.
Don't bother.
You could wait.
You can hang on to that one.
It's funny because it's true.
Yes, it is.
That's why both jokes are funny.
Life for your in-house legal team can be so hard
chasing down signatures,
pouring over contracts,
toggling between all the different tools,
the back and forth with the sales team, it's brutal.
And legal stuff, oh my God, bane of my existence, right?
It's just so much.
It's a deluge.
But it doesn't need to be that way.
All you have to do is use link squares.
It's the first AI-powered end-to-end contract management solution.
What does it do?
It gives your legal and your revenue teams the tools they need to help sales close deals
faster while delivering a seamless experience for your customers.
So you can create, review, approve, and execute.
your contracts easily in one place while prioritizing tasks and integrating with the tools your
team already knows and loves. Link Squares is where all your legal needs come full circle. Start
streamlining your contract management process today and make life for those in-house legal people
so much easier with just a few clicks. Learn more at linksquares.com slash twist. That's linksquares.com
slash twist to start streamlining your contract management process today.
And if you're not doing your contracts right, it's going to cause all kinds of downstream
problems. Do it right, link squares.com slash twist.
Back to the SEC. The SEC has put out a mandate that they must report in four days.
Oh.
Which I think, yeah. So I think that puts the pressure on a lot of organizations because you really
don't want to report. You are breached if you haven't fixed it.
Talk to me about this.
tension of the people who are responsible for reporting it are also responsible for
causing the problem in some case or not defending against it.
How does that tension get resolved in the industry?
Are there groups of people who are responsible reporting and then groups of people
responsible for defending and they don't talk to each other?
So if something blows up, they're not covering stuff up.
What's the best practice there?
I'm curious.
Look, this rule is about two weeks old.
I think what the SEC has put a gun to the head of boards and management.
It's like, I don't care, CEO, CFO, you are not following the rules if you haven't reported this.
I think that that's like no longer a debate because I think it's pretty clear to most organizations when they've been breached that they've been breached.
This is not, it doesn't happen on the slide.
You don't get an email saying we've locked down 10,000 your desktops.
You have ransomware attack going on.
You owe us millions of dollars.
You know what that happens.
and you know how to count four days from there.
So I think the reporting is not the issue.
I think the bigger challenge is most CEOs,
most boards don't know how long does it take for them
to reliably block, stop, clean out a cybersecurity event.
So I think there's going to be a lot more pressure and focus
and trying to get that done sooner than later,
which is good for all of it.
It's such an after though security, right?
People worry about it after they've been compromised, not before.
And so they're reactive.
So generally, the whole.
ecosystem has to get an education from boards on down.
And take it more seriously?
Yes. And that's where I said, you know,
five years ago when I joined Palo Alto,
we were an $18 billion company.
We were in one swim lane.
Today, like you said, we're now a $70 plus billion dollar company.
We play in three swim lanes.
And our big underpinning and our big pivot five years ago
was to focus on collecting good data across the enterprise and applying AI.
So at any point in time,
we have about a thousand plus machine learning models that run
underlying our AI product to solve the problem.
And I think we're going to talk about AI,
but we did a big analyst here on Friday,
and we tried to distinguish or try to figure out
if this term will hold.
I call it precision AI versus generative AI.
So if you're in your Tesla,
you don't want it to hallucinate.
I thought that was a good turn.
That's kind of like lifetime anyway.
I'm on somebody's lawn.
I'm on Zucks lawn.
That's right.
If you're lucky.
Yeah.
You're probably
plenty of room
to slow down.
You're wrapped around
a wrap around
electricity pole
is a bigger problem
than Zucks long.
But for sure.
That's notwithstanding.
So even in security,
you need precision AI.
I need to be able to block
an attack.
I need to know it's a real attack.
I can't start blocking
legitimate things in enterprise
while hell will break loose.
So there's this notion
of precision AI
where you cannot afford to be wrong.
Then there's this notion
of generative AI
where there are many right answers
or many possible answers.
I don't have a right.
Like, you know,
show me a blue.
a blue bird on a black background.
Well, there's probably 200 different variants from grade to horrible,
which are all perfectly legitimate answers.
Yes.
Our business is a business of precision AI.
It's not a business of generative AI.
Is precision AI possible today?
Because generative AI, like you're saying,
I ask it for five ideas for a blog post.
Three of them are terrible.
Two are pretty good.
Then I ask it to take those two, refine them,
give me some bullet points, give me some sections.
And then I polish the last.
20% and oh, wow, I got two great
blog posts out for my corporate blog
in 10% of the time. Okay, great,
that was a fine process. That's not the process
of precision AI. It's not the process of making
a left turn or a right turn into an intersection
nor is it blocking. It's great.
So is precision AI here?
And I guess that's very verticalized, right? You have to
narrow the scope in order to get to
precision AI. Well, yes. I mean, look,
at the end of the day, the precision AI, as you
rightfully articulate, like, it
boils down to first and foremost
owning data collection and
and making sure first-party data belongs to you.
Elon's not going to rely on you and me sending him a data feed.
Here's the data feed for all the traffic information that you can have like,
no, I'm going to have every car that's out there, assess it every second,
and go to feed into large AI system, process it locally,
and give it the response time that it needs so that you can sit there and feel safe.
So, yeah, it'll be there, but it'll be very domain-specific.
You'll have to own the first-party data.
You'll have to have full control.
You'll have to make sure the models run the way you want them to run,
and you're going to determine it every second,
and you probably have guardrails and safeguards
against actions that are taken post-precision AI,
and they'll get very, very, very specific.
Like, I'm pretty sure everything that Tesla does,
all the gig petabytes of data they're collecting
is focused on one thing,
is one thing called driving experience.
Similarly for us, we're collecting 75 terabytes in our own,
in our own instance at Palo Alto.
We connect four petabytes a day across our customers,
and we only focus on finding the anomalies
to stop bad things from happen.
So precisionary will come.
Yeah, it's exactly how Tesla does it.
Like now if your Tesla disengages, it asks you, describe what just happened.
So as a tester in FSD, full self-driving, you hold the button and you say, oh, you know, a bicycle went across the middle of the road.
And then that is what, you know, they don't need people on the 280 driving perfectly.
They need the instances where something weird happened.
And that's by definition what you're doing, right?
Yeah.
But I think on the flip side, I think, you know, what we've been seeing,
in the last one year with Open AI and this whole
generative AI, I think, I think this is going to be huge.
This is going to be so big.
It's going to transform how we do technology.
Okay, so this is going to open up a big can of worms here,
and I think this is the next jump-off point.
I wanted to get into the 17 acquisitions and ask you how you did those,
but we'll put that on the side for now,
because this is, I think, a more important discussion,
which is this technology has captured people's consciousness
for about a year.
You've been out of for years.
You've been out of for years.
You've been out of for decades.
It's obviously ready for prime time.
And so when you look at running your organization, what are the gains like inside of the organization right now?
And then what does this do for the core business that you have?
Because when you were talking about data, this to me seems like the greatest moat ever.
Yes.
Tesla has two million cars, I think, on the road that have the cameras in it.
You can't buy a car without full self-driving on it.
You can turn it on or off if you want to pay the $12,000 or whatever it is.
but they have that data, I think even in the cars that are not on and they have the right to pull that data,
you have all this data from where your customers collected.
This becomes a compounding moat and advantage over time, does it not?
So let's separate.
I think the data, just the case of Tesla and for us, is a precision AI opportunity.
I think you cannot do precision AI if you don't control first-party data access, right?
So the fact that he's got millions of cars, which are collecting the data the right way,
it's not something you can replicate
just because if you're GM or Ford.
You don't have the data collection going on.
You have the cars in the road.
Similarly, we have 62,000 customers with firewalls
who have been analyzing their data for the last 17 years,
and obviously in the last four years more so,
we have customers with 14 million plus endpoints
on various different technologies.
So we're collecting first-party data
and delivering AI outcomes.
That's on the precision AI side,
and I think that's hard to beat
if you haven't been doing it,
if you haven't been collecting data.
Many of our competitors haven't.
I'd say there's probably,
four out of
3,000 who
have tons of data and cybersecurity
and that's going to be a sort of a
race between those four and we think was still
the largest and the most comprehensive route to them.
So that's one side.
I think that Generative AI side is a whole different
followbacks. I think there's two
if you abstracted, the two
best things that Generative AI does for you is one, it is
phenomenal summarization. So take my
last employer, right? If you did it search
for what's the best restaurant in San Francisco,
It'll give you 10 links, if you're lucky, maybe 20.
Now it's your job to read through those 20 links to find out.
And Parsons said, how many times did I see a reference to A, B, or C?
And you could have mentally say, oh, okay, it looks like A is the right answer.
Now, what opening eyes doing is reading all those 20 and saying,
based on everything I read, statistically, I think this one is the most mentioned, hence,
it must be number one because it's associated with the word number one everywhere.
So it's providing you phenomenal summarization capabilities.
And two, it is based on all this training, able to talk to you in natural language.
I think those are the two most interesting things that it does, if you abstract it.
If you take that and say, what does that mean for me in my organization?
One, there are many use cases in my organization where there are lots of documents where we don't have good summarization and good sort of answer extraction out.
I could save hundreds of millions of dollars in every enterprise if I figured that out.
every
it requires, like you said,
requires us to do that Tesla thing,
FSD thing,
you know,
click here and tell me what happened.
I get 300,000 plus customer issues here.
If every issue was recorded,
I'd figure out how the solution was created for that customer.
Anytime those things reappear,
I can fix that using some sort of generative via LLM
under pinning that stuff.
So that's kind of like logical.
We'll see that explode across every enterprise in the world.
I mean,
incredible.
I mean, customer support.
It's already happening.
That's the perfect data set, customer support reps.
And there's tons of enterprise use cases where this is going to be sort of brute force
perspiration work where data cleaning will be required.
You'll get efficiencies.
I think the more profound impact is going to happen on product development.
Now, if you think about product development, yes.
If you think about product development, we have spent our life and technology doing phenomenally
good engineering work.
Then we have these guys called product managers.
What do they do?
They take all that wonderful engineering work and say,
how do I make it easier for the customer to consume?
Let's design a UI for this.
Yeah.
Right?
Take the travel booking example.
I'm pretty sure all of us are trained.
We can go to any travel site.
We know you want one-way round trip.
You want to have multi-stop, single-stop.
You want economy first, business.
And you have to fill about 10 boxes and out pops a set of options for you to buy a ticket.
We're all trained now.
We have been trained to interact.
in doing those searches.
Yes, but some product manager actually designed that UI.
That was their job.
They took engineering backend, built UI on front,
and allowed us to interface.
It's like learning a new language.
All of us can, all of us can envisage a scenario which says,
find me a quick, inexpensive ticket from here to New York.
I want to go this evening.
I'll be back, you know, day after,
and make sure it doesn't cost me more than $1,000.
I can say that phrase.
You can all imagine a generative AI LLM looking at through all the options and popping it out and saying, here, here's three options.
Right.
And you say two.
Yes.
And it books it.
So what did I do?
What did I do?
I just eliminated UI.
Yeah.
The UI chat window.
Yeah.
But if you take that and abstract that to the hundreds of thousands of companies and apps that are out there, I think 50% UI vanishes in the next five to 10 years.
Incredible.
talking to a computer was like going to happen, Star Trek, etc.
We were just going to talk to a computer and then the task would be accomplished.
And then actually we're just on the cusp of that happening.
But if you think about it, you know, people say, well, I don't know.
So I say, well, when I worked at Google, there was this thing called a web page.
We used to all interact with the web page.
This thing showed up called mobile.
Right.
And people are, oh, yeah, guess what?
We're going to have to have a mobile presence.
And I'll tell you, the first wave of mobile presence for most web-oriented companies was a diminished user
experience. You couldn't do everything on the mobile phone that you could do on the web page.
That was your primary interface. Then you saw this wave of companies called WhatsApp, Uber,
DoorDash. All these things are mobile only. There is no web interface. So I'm telling you
in five to 10 years, we're going to have AI, generally AI, only UI with no mobile or web
interface. If that could happen on mobile, it's going to happen with this. And that's going to be
very interesting to watch how many companies get sort of obliterated.
or possibly refactored because either all or half your UI has vanished.
Yeah, I mean, I am an expert at finding restaurants, and I use Eater, and I use Yelp, and Google Local,
and I was explaining to somebody how I find incredible places in Tokyo, and that I put them on
on Google Map, and then I share them with friends, and they lose their minds, because I've done all
the work.
And AI is clearly going to take that little proud process that I have of finding whatever the
hip new places in Tokyo.
are from a bunch of bookmarks and it's just going to be totally abstracted.
Now, if you have a good data set like you're saying, then you could still be the winner
or if you have the network. So it'd be quite nice to just take your watch out and ask for
an Uber and it just knows where you are. It knows what your preconditions are and it just
works. But right now, I wouldn't trust. I think Uber, you can do that. I think you can order
an Uber through Siri. I just don't trust it to do that. Yeah. Well, that's going to be a whole
different debate. You said something very interesting in what you said. Like, you know,
I'll do the jumping off point.
You can tell me the answer.
You said you can tell Siri to order an Uber.
So is it going to be the Siri chatbot or the Uber chat part you're going to talk to?
I have a feeling it's going to be the Uber one.
I think it's going to have more knowledge.
Siri sucks.
The question then becomes, are you going to talk to 40 chatputs?
Wow.
I mean, I think you're going to have to have a comp, maybe.
Maybe they're, yeah, that's a really great question.
You could have a DoorDash chatbot and Instagram.
chatbot or Uber chatbot, a booking chatbot, a kayak chatbot, or pick your favorite.
I think they're all being built right now.
And the four seasons chatbot because they'll want their own.
So now you're basically taking the apps and exploded that into a series of chatbots.
Yes.
Right.
Well, there could be a meta one.
So I think Claude and some of these ones that people are building are supposed to be your chatbot that'll interface with the apps and the APIs that are out there.
So the quote, we're going to have to have a whole new episode on that, Jason, because I don't know.
I think this is a battle.
It's going to be a battle of APIs because it hasn't been done before.
Today, most of your Spotify's, Instacard, DoorDash are not opening APIs for action.
Because they know if they open an API for action, they've lost the customer interface.
Yeah.
I mean, that is the scariest thing to ever happen.
I was talking to it somebody who owns hotels and he was just talking about the relationship with like the expedias of the world.
Or Rupert Murdoch had this relationship with Steve Jobs where he's like, you can't subscribe to Wall Street Journal.
I need the person's contact info.
And Steve Jobs told Murdoch, you don't need the contact info.
And Murdoch looked at him and was like, yeah, I'm not putting my stuff on your iPad
silliness if I don't get the person's name.
And it's Steve's credit.
He caved with, he caved with Rupert Murdoch and let him get the contact info.
We'll be back there with the battle of chat boats.
Yeah.
And this is, I think, yeah, with the interfaces.
I see some people, like I think kayak and.
Zillow made like little
plug-ins already, but
yeah, I don't think you want to
abstract that similar.
Let's take your Tokyo analogy, right?
If you went to your favorite chat button,
booked a ticket from next week to Tokyo,
somebody knows you're going to Tokyo next week.
If your restaurant app knew
that you're going to talk to you next week, it could
recommend restaurants for you next week.
But the question is who's going to have what data?
Yeah, see, that's why I think the data
provider wins.
When you were saying it and you were like,
everybody has a chatbot.
I'm like, there's a group of 30 people at Yelp right now building that chatbot.
There are a group of 100 people at Amazon building that.
Yeah.
Yeah.
And my view is that that's why, again, distribution becomes very interesting.
If I am a phone, if I'm Apple, I still have some degree of influence on how all these
things get shared with the customer, right?
Because there's got to be some semblance of control.
There's got to be some control of data.
in here because suddenly now you've got the same problem you had with, you know,
five million apps taking your data and running away from a data privacy perspective.
You've got five million chat boards.
They're going to do worse things to it than the last set of app guys were doing.
Interesting.
If you think about it, right now, you can, when you talk to Siri, they built a plug into Spotify.
So you don't go to Apple Music.
If you said you wanted to play a song, it would automatically go to Apple Music.
Now you can tell it, hey, go to Spotify.
And so I think that's going to be, it's very interesting that Apple could intercept all that
information.
They're going to just
intercepted.
I don't know
on a very
microscopic way.
I think I have
some of a
home automation
app.
And until about
a few months
ago, it had
I could play
songs from
Spotify and Sonos.
Now it makes me
go to those
apps.
It doesn't,
they've sort of
restricted their
API to take
control back.
It's going to be
interesting to
see what happens.
It is if you
try to use
Questron or
savant,
like many of us
who have nice
homes, they
they come with this.
It's the
worst interface on
the planet.
Yes.
And then you're just
rip it all out and you put in Sonas and Apple TV
so you actually can use your products.
Yes.
It's where everybody eventually winds up.
Everybody I talked to is like,
the savant remote control sits there,
the $800 Savant Remote Control sits there,
and then everybody immediately just picks up the Apple control and they're done.
If it's only $800, you've got a great deal.
Exactly.
Having somebody come program,
how to make your Netflix work is a really great experience at 400 an hour.
Let me ask you a question about your time at SoftBank.
You got recruited to be,
I guess, as I understood it, you tell me if I'm right or wrong, to be Mossa's right-hand man.
And then eventually, maybe the era parent is, number one, was that reporting correct?
And then number two, what was it like working with Masa?
I know Mossa.
I've had a couple meetings with him.
He's kind of like a mad genius swing for the fences, Hail Mary throwing, visionary.
What was it like coming in there and experiencing Mossa at peak gamble?
Like, Masa making peak bets.
I mean, that must have been extraordinary.
Yeah, so like, Masa and I, our sort of association began when he came to Google one day with a crazy idea saying, listen, I've been left at the altar.
Yahoo and Microsoft have a deal to do this thing with Bing and Yahoo's getting out of the search business, but they kind of didn't focus in Japan.
And I also have Yahoo, Japan, which uses the algorithm from Yahoo U.S.
So would Google be willing to work with me on the algorithm in Japan?
Like, wait a minute, how can that be possible?
And we're competing with each other in Japan.
How do we do this?
And to Ramosa's credit, and his crazy idea, he and I sat down and crafted away for us to have both be powered by Google Search,
but to have separate ad auction so it would be not anti-competitive.
So they have their own ad sales team.
They had their own ad sales pricing.
We had our own pricing.
So the customer got good pricing and they got the best technology.
It was kind of unique because it was hard to construct.
But we became friends then, and long thing led to another.
He did come to the conclusion that he wanted to be to become his heir apparent when he turned 60.
So he hired me when he was 58, and then, you know, he changes his mind at 60, and that's kind of, that's the story that's true.
But in the meantime, those two years, I'll tell you, when I turned 40, I decided that from now and I'd look at people and see, what do they do something that I can't do?
how can they do this in a way
that I cannot do it
and Massa has this amazing quality
where he's untainted
What do they mean?
Well, you know, we all get, look,
from the time we're born
we're constantly risk minimizing ourselves
when our kids walk across the street
we're like be careful, look left, look right
when like, you know, don't do this and don't do that
what is happening?
That's a constant process of risk minimization that happens
you buy a house, you get married,
your risk appetite continues to go down.
Masa is a guy, I think, unique in his ability to have infinite capacity for risk.
Every morning.
Infinite capacity for risk.
Wow.
Do I need to explain that?
You look around it from an investor perspective.
You watch what he does, and that explains it perfectly.
Yeah.
And the beautiful part is there is no reinforcement learning there.
No.
No.
He's just going to keep doing it.
He'll end up on Zakslan every time.
It doesn't matter.
Yes.
Yeah.
He's going to swing for the fences.
And you know what?
It seems like it works out.
It works out.
And I think the only thing, you know, when you do that, that's fine.
But it kind of goes back to how you guys do investing.
Like, you got to play in your weight class, right?
If you're constantly investing a million dollars in a million companies, your math will work out.
But he's starting doing one big one here and small ones here.
The one big one can wipe you out and everywhere else, right?
Yes.
Risk of ruin is what we call that in gambling.
That's right.
There we go.
So I think that's where it may.
may have gotten a little more complicated for him.
But other than that, I think he's,
he's got immense intellectual curiosity.
He's got, at some level, he has immense humility.
At some level, he has immense confidence.
And he has, as I said, an insatiable appetite for risk,
and he works hard.
So all those make for great ingredients.
And sometimes, you know, I was, you know, the ying to his yang.
Right.
You could create some structure there, maybe some downside protection,
thoughtfulness around how big is this bet?
Does this bet need to be this big?
Yeah.
There's an example out there on WeWork, which is written in the book, where I was not
for investing in WeWorks multiple times, but then I left and he became a large investor
in Reward.
And what do you think his blind spot was there?
I mean, all of us looked at it, including the early investors, like benchmark probably made
more money than anybody off of WeWork because they sold their position.
and maybe second only to Adam himself with his buyouts.
We all saw it and said,
that is not a technology business.
It's a real estate business.
And what didn't he see?
What was his blind spot there, you think?
Look, Massa is, as I said, all those things,
is also, and he falls in love with certain ideas and certain concepts.
And, you know, he, and that also, that is where he gets his passion from, right?
he's an extremely passionate guy.
He gets very excited about certain things.
And he does a reasonably good analysis most often than not.
And sometimes they work against it.
So he can't pick anybody's one bad investment and go back and question him.
At the end of the day, he's still made billions of dollars for himself and many other people out there.
So I think the good swings come with the bad swings.
Yeah.
I mean, there's a very famous phrase in China, no gamble, no future.
And I think he's like,
I think it's probably his operating system.
I'm staying away from the word gamble because I know you guys like your poker, but, you know, I think
Amasa's an investment.
Placing bets.
I mean, you are placing bets in venture is the nature.
What did you take away from that?
What did you take away from the time there?
Like that added to your game and then what did you sort of file away as, yeah, this is something
I don't need to add to my game.
Look, I think the risk appetite, the lack of the, the, the, the, the, the, the, the,
then don't become complacent,
constantly be looking at seeing
what's around the next corner,
this desire to constantly learn.
All these things are things I saw Massa do,
and they have helped me at Palo Alto.
Like, you know, we are constantly paranoid.
We're constantly out there trying to figure out what's around the next corner.
We're constantly looking at what's the next technology event
that's happening in the industry.
We talked about generative AI.
I was on a plane to India.
When opening I came out, I logged in,
I was supposed to make a graduation speech at my alma mater,
which I did.
I rewrote my entire speech
on how this is going to be
the next big thing
that's going to happen
and I literally called
the iPhone moment there.
I think Jensen said the same thing,
possibly a few hours
or a few days later
or the same time.
I don't know.
I've embraced it.
We have hundreds of people
of Pall Alto working hard
towards making that a reality.
Now, if I haven't learned
the lesson that you've got
to embrace these technology trends
as quickly as you can
because these become inflection points.
Those inflection points
allow you to distance yourself
from competition.
So you got to grab them and run with them
as a lot as you can't.
Yeah, and this is something Microsoft didn't do
when it came to mobile, right?
They just totally missed it.
They whiffed and...
Zuck did it.
Facebook did a phenomenal.
I think Facebook was on the best bivots
from the web world
to the mobile world,
and most people,
even better than Google, I think.
And he was a couple,
he stumbled a couple of times, right?
The app didn't come out perfect
and they built it with React.
They had to take two or three swings
at that bad.
And then he realized it,
and he's like, you know what,
I'm buying Instagram,
what's that because this is the future.
I mean,
yeah.
Let's close on M&A.
You bought 17 companies.
Yeah.
What did you learn about M&A,
proper way to do it,
and how to integrate those crazy pirates
into a ship of 14,000 people.
And let's be honest,
people who are attracted to working at a big company
are slightly different than the people who start companies.
So how do you bring in 17 founders, probably more,
because there might be two at each one of them?
How do you bring in those founders?
And then you've got this executive team here
that's cranking on this.
aircraft carrier
and now you got all these speed boats
whipping around
doing donuts and these are two different cultures
yeah and how do you integrate it?
So I think first and foremost
I think most people get M&A slightly wrong
we have some principles
one, the other was look for the best in the field
I think number two and number three
trade at a price for a reason
so you always try and buy number one or two
because the markets get really small
after the first two or three players in enterprise
it's like just there's a long tail
you want to be one or two
so you always buy and you pay for what you buy
so one we did that two
I always tell my team
they kicked our ass
by having less resources
working 80 hours a week
going to customers
understanding the problem
we were there at the customer
we didn't understand the problem
we didn't solve it
so they will run that space
for us we want
so our people end up working for the founders
wow
that's
that's intense bro
so we give them
our people and our resources
and we double
down. So we didn't get it done. They did. We admit that they got it done and now they're in charge.
They're now, yeah, they're not a shock call.
70% of my product organization is run by acquired founders, not by existing by lots of people.
Well, that's a way to change the culture real quick, yeah.
So that's the second rule. The third rule is, once we make a deal, we spend the time between
term sheet and due diligence and DA on having a joint product and resource plan.
I don't do, my lawyers do the diligence.
I do the product and diligence plan.
And I say, before you sign the definite agreement, this is what's going to happen.
This is my house.
I'm going to decide what color I painted.
But you see right here, it says yellow hair, blue hair, green here, you sit in this box.
He sits in that box.
He sits in that box.
If you don't have agreement, we don't have a due deal.
Right.
So there's no surprises after the deal is closed.
They know exactly what's going to get built, how it's going to get built, who's going to do what.
So we saw all of that beforehand.
We know exactly what we're going to inherit, who's not going to work in the job.
We map every individual to what's going to happen.
Because with our first one, we realized it takes three months,
once people have all the money,
and people fight for a position, fight for role, fight for a strategy.
We solve all of that way ahead of that.
That is so brilliant.
You know, when I got acquired by AOL and John Miller bought the company,
he said to me, what's important to you or whatever, and Jim Bankoff,
and I said, well, we have this earn out.
I got to keep my sales team because that's one of my things I'm good at.
I'm good at sales.
and I know what the customers want for blogs
and for this kind of content.
And he's like, well, we've got a really big sales team.
And I was like, yeah, I want to keep the sales team
for as long as I haven't earned out.
And then if you take the sales team away for me,
the other big sales team can sell into it,
but my guys still get the commission for processing it.
So we pay double commission.
And if Jim Back goes credit, they respected that.
And I think that's what made the easy transaction for me as a founder
because you have founder regret.
After you start your company, that founder regret's real.
Yeah, Jason, I don't do earnouts.
I don't do misaligned incentives, objectives.
I align them.
They all get model auto stock and they have only one incentive, double, triple the parlorato stock.
We'll all make money.
See, that's much better.
You don't get, and we pay up.
It's fine.
They always have a private company at the time, so they had to, you know, come up with a different incentive structure.
But I like the approach because you do have this founder regret moment.
Yeah.
Yeah.
And that could kill the company, kill the deal.
All right.
Listen, this has been an amazing episode.
of this week in startups.
Thanks so much for coming on the program,
Nakash. It's amazing.
Will you come on again in a year
and just catch us up on how this AI thing worked out?
We booked you for one year from now?
Sounds like a plan. I look forward to it.
All right. We'll see you all next time
on this week in startups. Bye-bye.
