Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Well, thank you for joining us for our next and last session of our day on SASE versus SD-WAN. I'm Rob Owens, Senior Analyst with Piper Jaffray, joined by my colleague, Jim Fish, who works on the networking side. And we're very pleased to be joined by Palo Alto Networks for our last discussion. Zoom bombing me currently. Nikesh just popped in. Hi, Nikesh, how are you? I think we still have you on mute.

I'm good, sorry. Despite having done 4 months of Zoom, I still sometimes run into issues.

And then Lee Klarich, who I think everyone knows, who's the Chief Product Officer. So gentlemen, thank you for joining us this morning for our session.

Thank you for having us.

Yes. Nikesh, let's start with you. And now that you've had more of a chance to reflect on the quarter and COVID-related work-from-home response from your customers, what's the net impact to your solutions? And I guess, how is this playing out in end customers' digital transformation initiatives?

Rob, as we said in our analyst call, when we -- so when this unfortunate pandemic hit, we saw a sudden surge of customers wanting to expand their global project subscriptions, get more firewall capacity. We saw people using up our surge offers for Prisma Access, putting more users on there. I think people were still unsure, and people, I mean customers, are still unsure how long this is going to last and how long they need this capability for. And what has become clear as time has passed is that this work from home might actually become more permanent in a way that we will need capacity for all of our employees to be able to work from home when they want to. So it's not like 100% of people will work for home forever, but there's a high probability that we as organizations need to make sure our employees are able to do this when they want. And we're seeing, as a consequence, a rethink on long-term architectures, both from enabling working from home in a secure way, both from thinking through how do I manage this more distributed environment from a network architecture perspective, should I be replacing MPLS with SD-WAN? Should I be moving from a data center to cloud? So all these trends you've talked about have gotten accelerated in the past 2 or 3 months, I would say.

And I think that begs the question of strategic versus tactical and where is the customer thought process, where is the customer response right now, differences in terms of geo or size because Palo Alto plays in the kind of past-to-current firewall market. We can argue where that goes longer term. You've got the SASE capability as well. And then you also have a portfolio of how we protect cloud-based solutions. And so as customers are moving on this journey, and obviously, that's a strategic journey, are we still in tactical mode as we look at the second quarter relative to triage and just making sure things are stood up? Or were people able to do that, Nikesh, in relative short order, and now that's accelerating digital transformation to the extent that people are getting strategic with their investments?

I think that's a great question, Rob. And I think I would say right now, the response -- the answer to your question is mixed. I think some customers who have been technologically ready to handle some of the disruption we've seen have probably moved on to think more strategically about the long term. I think some customers are still grappling with the current state, trying to understand what -- 100% of the stores have been shut down for 4 weeks, and you're slowly opening them up. I think you're going through own iterations of how do I enable technology to be able to do all of this stuff. But customers who have been in the online world, customers who have seen a larger pickup in business around the world are probably dealing with it differently. I think net-net, we will see -- this is great for the medium to long term. I think we will see the acceleration manifest itself in people looking for more consolidation across vendors to see how can they get more streamlined solutions as opposed to go work with multiple companies. We're seeing that in spades. Customers want to talk about an expanded sort of product suite from us as opposed to just point solutions on a one-off basis. So we're seeing the conversations which are happening are more strategic, I'd say, but we need to have more strategic conversations. Not everybody is there yet, and I think people are still grappling with the impact of COVID, getting through this quarter or getting through last quarter. I'd say that we're going to see this accelerating into Q3, Q4 of this calendar year. I think you'll see it more next year as people review their budgets and rethink how technology needs to be deployed to support their business.

And I guess, in and around that, how does this make you think about that next-generation security billings number that you've highlighted? And relative to that opportunity, not asking for near-term guidance or anything, but it does seem like that opportunity may have grown as we look 3 to 5 years out relative to where your portfolio sits and where customers seem to be accelerating.

Rob, if you look at it, I mean, this is your chart which you put up there, so it must be true. From the first quarter of 2019, we've taken a business which had $55 million in billings, I've picked the smallest bar, and it's gone 4x between then and now. And you can see the numbers are consistently in the close to the $200 million range. And that's a good thing for us. And this is the entire effort that Lee and his team has put in, in really building out the -- like I don't really like your characterization from the past to the current, but I'll say from the hardware form factor, the virtual form factor to the edge form factor for cloud -- for firewalls, his team has worked hard on building a portfolio of cloud security, both through acquisition and sort of in-house organically. And I think that's been where a lot of the customers' focus has been over the last 6 months. Today, you talk to customers, everybody wants to know how can I do software deployment of firewall, so I don't have to go to a truck roll and put a hardware box somewhere. So everything that our competition sells in hardware, we are able to sell in a software form factor or cloud form factor, which I think is a lot better for customers' total cost of ownership in the long term. Also from an upgradability, remotely, from a software form factor perspective, it's also great for us because it allows us to iterate -- we don't have to wait for one big release every year to go put one box and software together. We can keep updating software for our customers on a more regular basis. So for all those reasons, it's a better answer to deploy security in a software model, and that's where the entire focus of next-generation security has been and will continue to be. And we have withdrawn our 3-year guidance, so we can't say we're going to do what we said. But all I would say is we've withdrawn the guidance as a matter of prudence, not as a matter of lack of belief.

Sure. And Lee, maybe weigh in on some of those customer conversations that Nikesh just touched on around the software side of things.

Yes. I think our customers have given us feedback that over the last couple of years that this is the direction that they want to go. Obviously, a number of them have made those initial changes, those initial investments, the initial transformation. Some of them have fully executed those transformations. But one of the things that I'm seeing from the customers that I've been talking to is they've been using this opportunity to not just tactically respond to the sudden shift of needing to support a remote workforce, the sudden shift to needing to have more of their applications right in the cloud, so they're actually using as an opportunity to accelerate strategic projects, accelerate -- in particular, accelerate approvals to move forward with those strategic projects. And as Nikesh was saying, often those fall in the category of consolidating down to fewer vendors. There's many security benefits, there are operational benefits, overall partnership benefits of that; as well as falling in the category of the shift to the cloud, both their applications as well as how they consume security. And so it's actually refreshing for me to see that because what in the past has been harder approval cycles to make these transformations are easing up amongst many of our customers.

And maybe we can transition a little bit into the SASE versus SD-WAN conversation or how the 2 effectively play with one another. And understanding these are definitions by market analysts, but SASE combines WAN with a lot of security functions of secure web gateway, a CASB, Firewall as a Service and the whole prospect of Zero Trust Network Access, which brings up an entire another conversation, additional conversation to the table, I believe. But just to start off, in your view and given some of the recent movements in Palo Alto recently, how important is it to have that SD-WAN or that connectivity layer with regard to a broader SASE strategy? Because I believe you released your SD-WAN solution kind of calendar Q4, around the November-December time frame, and then have since made an acquisition in the space as well, and so obviously, you believe in it. So give me a sense of customer response and maybe how the 2 marry.

So we see -- I'd say, at a very high level, we see 2 primary architectural approaches that customers are taking and how they think about this. Historically, there's more of an MPLS cost savings kind of mindset of I have these branch offices, I pay a lot of money for WAN services to connect my branch and retail offices back to my data center, and maybe there's a better way of doing that, maybe there's a less expensive way of doing that. And I would argue that, that was the primary focus of the original SD-WAN movement. As application deployment though has accelerated to the cloud, whether that's consuming applications as SaaS or shifting applications into public cloud infrastructure for consumption, and now you have branch office retailers trying to connect to not just application, to data center with applications to cloud, you add to that remote workforce trying to access these applications, that is driving the shift from pure SD-WAN to the SASE architecture that is cloud delivered, that integrates the SD-WAN capabilities with cloud-delivered security capabilities. And so that just sort of fundamentally is how I think about the 2 different architectures, and it is a shift toward the SASE architecture that will play out over time. Now we're -- we believe we're very well positioned relative to cloud-delivered security, Prisma Access. We're seeing that piece growing. With the acquisition of CloudGenix, it gives us a cloud-focused, application-focused SD-WAN solution that can seamlessly tie into Prisma Access or simply compete head on for SD-WAN projects. And so that puts us in a position to be very unique in being able to tightly integrate those -- the security side with the SD-WAN side, unlike others out there. And look, we've seen this play out in the past. The industry sometimes likes to have lots of point products. But ultimately, you've seen us very successfully integrate best-in-class products together and be able to provide much better industry-leading solutions, and that's where we're at.

As I think about SD-WAN and Fortinet had success for some time before Palo actually developed its own solution there and then also made an acquisition to really go all in, I think, on the category, so number one, why the lag? Is this a difficult technology to develop, take time? And then number two, I think more so for Nikesh, as you think about how you consolidate, how is the platform? And as you start to consolidate different functions, are there certain thresholds that you need to get through relative to when you think of partnering versus either developing or buying?

Look, I think if you look at our M&A strategy, broadly, what we've done is -- and I have a firm belief that if you have great products that work together and are integrated in the long term, that allows you to build the platform and get more and more of the security problem-solve for our customers. So we've taken that approach very, very disciplined. And when it relates to cloud security, you've seen us made 4 acquisitions in the cloud security space, 5 -- 4 -- Lee, 4?

5.

5. Sorry, I was missing 1, yes. We made 5 acquisitions in the cloud security space. And we've made sure we've integrated those products. We've eliminated multiple UIs, eliminated multiple go-to-market motions because we believe that having a single pane of glass is allowing you to be able to manage the entire estate on the cloud security front is important. We've looked to the market beyond that, and we believe we have a majority of what is needed to be able to deliver cloud security to our customers. Harder to do in the current infrastructure, which is already out there between firewalls and other things, the SD-WAN. But we thought it was important as the SASE strategy came out that we have to have the entire capability as opposed to build it from scratch and take us many years to do so. So that's why we acquired CloudGenix, which we thought, having worked with every cloud provider out there or every SD-WAN provider out there, we felt CloudGenix has the best cloud-delivered capability for SD-WAN. In terms of when we build and buy, as you will appreciate Prisma Access, our product which provides remote secure working capability, works with any SD-WAN provider out there. So we have worked with everyone. It works with everything. But we are also creating the opportunity that if we want an integrated solution, we have one, so you don't have to deploy multiple boxes or multiple solutions, multiple control plans. And that's where we've taken the approach where we both partner and build. In cloud security, we don't intend to make it work with other cloud security modules. We will make it work with a SOC or with other development tools that are out there, and Lee can talk about -- more about them because, at some point, I reach my technical limits of being able to explain these things. But that's why we have Lee.

That's why I have Jim here, too. But Lee, do you want to weigh in?

Yes. I'm trying to think. I don't have much to add beyond what Nikesh said. I certainly agree with everything he said. The -- on the cloud security front, so what we've done with Prisma Cloud, the -- what we've really identified as an opportunity to try to get ahead of the dispersion of point products that so often plagues the cybersecurity industry, right? Just on the enterprise side, we just see and talk to so many companies that have 50, 100 or 200 different cybersecurity companies, vendors that they use. And it's so difficult to make that work. And that's in a static on-prem physical environment. You think about trying to make something like that work in a highly dynamic and automated multi-cloud or hybrid cloud environment, and it just fundamentally can't be the solution. And so in cloud, our focus has been how do we get ahead of that, how do we build out or acquire and integrate capabilities ahead of the customers' needs wherever possible. It's why we've been more aggressive on -- with 5 acquisitions and really focusing on companies that are absolutely best at what they do and then integrating them together so that we can be there for our customers as they need the next cloud security module or the next cloud security module after that.

So in your view then, cloud becomes kind of the great democratizing function, if you will, relative to -- look, we've all talked for years how the average enterprise has too many security companies that it has to deal with, whether that's 70 or 100 for a large-scale organization. So cloud is going to be what really allows people to go on the path of consolidation?

We're seeing it. It's early days. It's certainly not over by any stretch of imagination. We still see a lot of innovation happening. We're driving a lot of innovation. I would say it's an opportunity to do that. And I feel almost personally responsible for providing to our customers a solution that allows them to avoid some of these big challenges that they've seen in the past.

And Lee, maybe this is more for you. We've spent some time here talking about the enterprise side of things. And one of the things with kind of SD-WAN or SASE is that we move from kind of MPLS to over the Internet traffic, and so that can impact a lot of revenue for the carriers. I guess, where do you see the relationship for Palo Alto with these carriers in this kind of SD-WAN or SASE architecture in terms of the go-to-market perspective? And then additionally, while we're kind of on topic with carriers, 5G is around the corner. And I think when Nikesh initially came on board, it was the idea that we can start getting more aggressive with the carriers. And so how should we think about 5G security here as that's starting to come up, in our view, probably about next year?

Yes. It's a good question. I actually think they're separate...

Yes. I agree.

I'll explain it in a second, right? So relative to SD-WAN or SASE and the ecosystem and partners needed from a go-to-market perspective, service providers certainly are playing an important role in this. No question about it. The -- some of the big global system integrators are playing big roles in this relative to building out solutions on a per-customer basis. We see that quite frequently. And I believe that they will still continue to play an important role. At the same time, one of the ways in which we've approached building out our SASE solution is to look at how we can streamline and simplify some of the complexity out of the traditional SD-WAN deployments. And CloudGenix have taken a very similar approach with what they've done with SD-WAN. And I think that, that's important as an industry to -- in order to broaden the appeal and adoptability is to provide a level of simplification for our customers and while at the same time having some of these key partners which we have established in that regard. 5G can potentially intersect a little bit with that. 5G, as many of you probably know, the promise of 5G is to move beyond cellular connectivity being primarily for mobile phones to being a solution that can support homes, small offices, branch offices. We're seeing it be very interesting in even larger enterprise manufacturing and IT or OT type environments. It has a much broader appeal. Now there's still a lot of things that need to happen for that to fully -- to flesh out. The -- and so there, I think it's more about -- the intersection of SASE is more about 5G as a connectivity option, not necessarily just how do you secure 5G, which I think is a different space, a different market almost.

Got it. Yes. I tend to try to copy Rob and ask multipart questions that sometimes have stuff to do with each other and sometimes don't, but I appreciate the color there.

What about the Zero Trust side of SASE and kind of your thoughts around Zero Trust Network Architectures. And I think it's a question for Nikesh as well, but whether this -- does this require a better understanding of end users and kind of the authentication of end users? Or is there enough within your portfolio relative to the perceptions of what Zero Trust means?

Go ahead, Lee. Go ahead, Lee.

Zero Trust is an interesting term. We've -- I would contend that the -- what we've done from a network security perspective from day 1 was designed around the notion of Zero Trust. Zero Trust to me is all about collecting, assuring and using context as part of security policy. Who is the user? What role do they have? What device are they on? What is the state of that device? What application are they trying to access? Where are they trying to access it from? Any other information that allows you to make an appropriate security decision whether or not that should be allowed as opposed to implicitly trusting not because you have information but just because a connection came in from your network and saying, well, it came from my network, therefore, it must be good. That's sort of the opposite of Zero Trust, right? So our network security approaches has always built in the sense foundational to how we do things. It's only recently that Zero Trust as a term has really become part of the more commonplace known [ approach here ]. But we feel -- I feel incredibly comfortable with our capabilities relative to Zero Trust, our ability to understand and use and enforce these context-driven policies for users through any connectivity method, remote workforce, branch office, headquarter, connecting to any applications, whether that's data center, SaaS, public cloud. And I would even contend that we are unique in being able to support those different use cases in a single platform with a single, consistent control plan. And it's through years of being able to do this, we've been able to reach this point.

And does it require a broader sense of understanding the end user? Because Zero Trust is also thrown around in the identity space, too, right, understanding users and applications, and I think it gets back to, Nikesh, as you're building the platform here, do you stay on the networking side? Or we've seen you get into end point. Do we see you also start to try to understand users too because we have the roaming element now of wanting to work from anywhere, now at home, on any device?

Well, we're already on endpoints. Our product Cortex XDR is the endpoint product. And I think Lee and his team did a great job in leapfrogging our endpoint capability, making it more behaviorally based, merging the data from the endpoint and the firewall to do XDR. And we have since announced ingestion of multiple data sources so that you can actually cross-correlate and reduce the noise in your SOC, reduce the number of alerts that go in there because, eventually, it's about the signal-to-noise ratio that comes out of cybersecurity. So from that perspective, we need to be in as many places, so we can actually automate the security postures and automate remediation as much as possible. So the SOC analysts or the customers are only focused on the most important things because a lot of time is spent by the customers just trying to figure out what happened as opposed to what needs to be solved. So with that intent, I think we have a pretty robust portfolio. As in cloud security, we have it covered, whether it's any public cloud, it's any technology in the cloud. We have endpoints covered with XDR. We have data ingestion, where we're spending more and more time and putting more data sources into our data lake where XDR operates. So across the board, we feel we have a comprehensive portfolio. I know the one area we do not play is in identity. But to be honest, we look at identity as that's what you get authenticated with as your credentials. And then we want to look at what your credentials do once you cross that authentication phase. And that's where all the behavioral analytics kicks in because I can go steal anybody's credentials -- not that I can, but one could -- anyone could steal anybody's credentials and choke their network. The question is what is happening with those sorts of credentials. And at some point in time, we have to go past the -- always trusting the credentials once you're authenticated to watching for all those behavior because that's the easiest way for somebody to hack is once they ride on the back of valid credentials. So you have to go to -- you call it Zero Trust because the endpoint is authentication point. And I call it Zero Trust because you can't trust this once it's inside, which is what Lee talked about how we do Zero Trust in every product is we don't trust the fact that you came in without a credential. We've got to watch you given you came in without credentials.

Sure. Well, gentlemen, I think we're out of time. I really appreciate your time this morning, and have a good weekend. Thank you.

Thank you very much, Rob. Thanks, Jim.

Thanks, Rob. Thanks, Jim.

Thank you, Lee for my -- being my technical crutch.

Anytime, Nikesh.

See you guys.