Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Hello, everyone, and welcome to the fourth annual Wells Fargo TMT Summit. We are very excited to have Nikesh Arora, CEO and Chairman of Palo Alto Networks, joining us this afternoon. And Nikesh, thank you for the time.

Thank you for having me, Phil.

Now, Nikesh, you're now 2.5 years in your role as CEO. So you are a hardened security veteran at this point. And my question to you is sort of, in that context, how do you assess the progress of your initiatives that you've implemented since joining the company? And also, what's top of mind for you right now?

Well, Phil, where -- I feel better today than I felt 2.5 years ago. That's for sure. I think we made -- I spent a lot of time with Nir and Lee on the product side and, generally, the team at Palo Alto Networks. And we said at the first earnings call I did that there's a lot of fragmentation in the industry, which requires some degree of consolidation. There's a lot of vendors, and we need to figure out how not to repeat the mistakes of the past as we go to the future. Then we identified that we need to convert our hardware business more to software. At the same time, we identified that the cloud is going to continue to be huge. And because of the existence of public cloud, to be honest, and the constantly -- and then Moore's law's transferred to storage and compute out there in data centers and public cloud, not just on PCs. So we're saying data is becoming cheaper and cheaper to store, cheaper and cheaper to access and manage. We think the future of security will rely a lot on data, something you and I talked about in the past. So we made that pivot, and we're going to go create more subscriptions in firewalls. We're going to go really aggressive in cloud security and really focused on AI and data. So 2.5 years in, we feel a lot better. We have a lot of work to do, but we're happy with the progress we've made so far.

Yes. It's hard to believe it's actually been 2.5 years. It's...

Yes.

Yes. Time flies. Let's focus down for a little bit on sort of the near term. Obviously, COVID has sort of colored a lot of sort of IT spending trends this year, whether it be need for capacity, load on the network, remote access. I wonder if you can give us a sense of sort of the spending drop -- backdrop as it affects Palo Alto Networks. Because obviously, there's some positives but also some negatives here. I wonder if you can walk us through near term, and then we'll expand out from there.

Yes. Look, I think what has happened, as you can imagine, is -- I would say that, if you look in the last 7 or 8 months, one thing has worked, and that thing is technology, right? Anybody who's been in the tech business has worked. If your consumers are accessing your applications and technology, your consumers are conducting e-commerce to buy from you, it's worked. I'm -- it's unfortunate, but companies have seen online revenues become 100% of their revenue not because online grew, because everything else went away. So the focus on making sure your tech stack and your tech infrastructure was up and running all the time and didn't have any challenges became very important. Couple that with the need for 100% of your employees to be secure 100% of the time. That's another need showed up. So what we've seen in the last 6, 7 months is focused by CIOs on making sure that their infrastructure stays as secure and focused on making sure people can work remotely and focused on making sure they have incremental capacity to meet the growing online needs. And there is this constant conversation, and my point of view on this is that this is not a COVID spike. This is a step-change. So this will become the new baseline because what we're going through in 2020 will become the new baseline we'll be going from here. I don't think people are forward spending to buy excess capacity. People are spending to meet the capacity needs that they need today. Yes. Is there a spike? Maybe there's a spike on remote work, but we haven't gone through every company in the world which is going to be accessible 100% of the time for 100% of the employees. So I think we'll -- that trend will continue, too. So I think we are in the midst of sustained technology spending trends in the short term. And I think in the medium term, you might see a little bit of dampening, but I don't expect it to go away.

Yes. No, I totally agree with you. I don't think there's excess capacity buying out there, but I also agree with you that you're seeing a pivot in terms of what people are buying and how people are buying, which leads me to my next question. One of the things that I believe is an outcome of COVID-19 is that, for CIOs, a no-cloud strategy is officially a no-go, or at least, that's a line that I've been using. It's...

Yes.

And now when you think of it for Palo Alto, obviously, you've historically been known as an on-premise and appliance company. But I've been very impressed, frankly, over your tenure in the past 2.5 years how you've built out a very robust cloud portfolio. How have conversations with CISOs changed in COVID? And what does that mean for your cloud businesses?

Yes. It's kind of interesting. When -- I spent -- my only enterprise experience when I came to Palo Alto Networks was when the Google enterprise team was part of my team when I sold ads at Google. And I saw that early, and we saw that go -- that business grow tenfold in the time I was there, and it was still a small business compared to what AWS was doing. And it became apparent that the cloud is important. It became apparent that there was a ramp-up time it took to get to the cloud. It also became apparent that once you go to the cloud, you're not coming back. So when I came to Palo Alto Networks, we actually shut down our data centers. We transitioned our entire back end to the public cloud. And now we use a combination of multiple clouds to make sure we can provide a service to our customers. To be fair, that's been a phenomenal help in our scaling our services to meet the capacity needs of our customers. That notwithstanding, we also made a point back to, I think -- so the first time I said let's go do something in cloud security. The first wave of cloud security was CASB. People were saying, oh, everything is going to the cloud. Let's all go buy CASB because CASB is going to protect SaaS application in the cloud. In comes the realization that SaaS applications are actually reasonably secure because they're being built by large-scale companies, and that's their bread and butter. And any vulnerability in a SaaS application will impact thousands of customers, so they better be good at their security. So it became about managing access and managing vulnerabilities in SaaS applications, less so the application being not secure. Interestingly, 70% of the world's applications are homemade. Those need to be protected. So the insight we brought was let's go protect the applications that people build on the public cloud or on-prem. Let's not worry about the applications that are built by SaaS. We have a CASB product, too, and it works. It's more aligned with our Prisma Access strategy. And as we went [ down, they posit, oh well, ] why do I need you? AWS has this. GCP has this. Azure has this. And we made a bet saying multi-cloud will be more important because most customers will end up on multiple clouds, which they did. Then we continued to bet that multi-technology will be important. Let's just not focus on workloads. Let's focus on containers. Let's focus on microsegmentation in a new way. So luckily, we've built a 7-module cloud platform that's available. And what's fascinating is that we started with RedLock. Now we have a 45%, 55% overlap in RedLock and Twistlock. Every customer who uses RedLock uses Twistlock. Then we've introduced DLP. We've introduced WAF, RASP. We've introduced IAM. And whilst we haven't been public about the numbers, all I can say is that there's been a healthy uptake of new modules in a short period of time as we've launched them. So the platform approach is resonating. Our customers are realizing the value of using one security product across multiple clouds, multiple technologies. But there's still a lot of work to be done. But so far, we're not applauding ourselves. We're not resting easy, but we're excited that we're able to get to 1,800 customers in the cloud security space in the last 2 years since we've basically started the journey.

You're definitely not resting on your laurels. So I think we can all say that. The -- I want to break that down into those 2 components, multi-cloud and multi-technology, because I think this is important because, frankly, I don't think there's been a more important word over the past 12, 24 months in terms of sort of change in technology than multi. We went from hybrid cloud to multi-cloud, in other words...

Yes. By the way, I just want to let you know Salesforce is buying Slack.

Is it official now? So I can rule out...

Yes.

So Palo Alto is not buying Slack. Okay. So we're going to basically say...

That's a $27.7 billion enterprise value. I just thought that you'd like to know.

So we're going to basically say Palo Alto is not buying Slack. That's -- so I'm glad to hear that.

No, I mean if it was TikTok, it'd be a different conversation. But no, Slack, we're not. Just kidding.

Right. And so the -- now if Palo Alto can just get that revenue multiple, we'd be onto something. And it's...

Working on it, working on it.

And so -- but the -- but let's talk about multi-cloud because I do think this is important. And I think your positioning is pretty interesting, where -- are you starting to see a change or a better understanding from your customers about sort of consistency of policy across multiple clouds? This has been something that I know that [ Barry ] has been focused on, and [ you did mention ] before, like, hey, is the free thing from AWS good enough? Is the free thing maybe from Azure enough? But then suddenly, you have 3 different policies that you're maintaining. Is that starting to change now in your conversations that you're having?

Yes. Look, it's kind of interesting what has happened in cloud security. People had 2 different approaches. Some of the big players on the -- even on the SaaS side have built their own, right, because they're looking at AWS APIs, Azure APIs, GCP APIs and building something else and putting it together and putting a dashboard together and then jerry-rigging it with shift left tools with Jira or GitLab or GitHub, et cetera. And What's beginning to happen is as stuff moves into production, not everybody can afford to go build these tools by themselves. And even the people who can afford consider it and say, do I really need to deploy 50 engineers constantly keeping track and building toolkits on top of the APIs? Or should I -- am I better off buying commercial products? As we [ feared ], 2 years ago, there was no commercial product. You couldn't buy a product if you wanted to that took care of you across multiple clouds and [ multiple ] technologies, right? My workloads are interacting with my containers, interacting with my serverless code. Do I need 3 different products? So you'd have to stitch stuff together anyway. And what we've been able to do with the integrations we've done over the last 2 years making these acquisitions is we are able to -- Phase 1, we're able to have one UI and one purchasing model. Now we've taken it to the next level. And so we're integrating functionality that if we saw vulnerability one part of the stack, we can trace it into your next [ part simultaneous ] in run time. Because you can assess everything, but you still got to make sure that, in run time, there are no vulnerabilities and there's nothing happening out there which you need to protect. So multi-cloud is a thing now because people are scared of getting locked into one cloud technology. They want to make sure they have the ability to arbitrage between multiple clouds. So you're seeing a lot of that. A lot of people are saying I don't want to get all-in cloud. I'm going to be partly on-prem and partly in cloud, which means they've got to deploy containers to be consistent across their application in both places, seeing a lot of container security needs, both on-prem and off-prem. And that's why Twistlock does that. It does that on-prem. It does that in SaaS for you across multiple capabilities. So we're seeing more of that. And I think we'll see more because if you look at the big numbers that AWS, GCP, Azure and Alibaba is now -- and Oracle is beginning to post, this stuff needs to be secure. And it must be coming from somewhere. I don't think the entire [ $100 billion ] that is being claimed by the cloud industry that they're selling is a net new spend in the aggregate [ for tech ]. So it must be coming from some hardware-based, data center-based spending.

Yes. No, the numbers are getting big, so it's got to come from somewhere. It can't be all greenfield when the numbers are that big. It's -- the -- and then let's talk about multi-technology, too, because I think this is important because if I think about -- you mentioned RedLock. You mentioned Twistlock. When I think about all the different flavors -- I'm just going to call them flavors, for lack of a better term. It's, okay, do I want a container? Do I -- this is a serverless function, okay, so it's the service mesh connecting these things together. Before, you used to go to individual vendors for all -- for each one of these things. So let's think about sort of next-gen firewall, multi-cloud, consistent policy. But here, when you think about technology, it's a similar idea where it's consistent policy, framework management but across different flavors of tech. Similar to my last question...

It's even more than that -- Phil, sorry to interrupt you. It's more and more than because it's not just the technology [ on this end ]. Remember, you also need agents. It's kind of like those 10 endpoint agents that are running in infrastructure, where each one solves a different problem. Twistlock needs an agent for container security. You need an agent for serverless security. You need an agent for microsegmentation. You need an agent for WAF, RASP. Guess what? We have one agent. We can do all those 4 with one agent. So once the customer deploys one of our products, they get the other 3 functionalities for free. I'll tell you, the hardest thing for a CIO is to let yet another agent into your infrastructure because that's another vulnerability. So it's not just the multi-tech piece of it. It's the implementation piece of it. So like, I already deployed one Palo Alto Prisma Cloud agent. Why can't I do everything with that agent? Why do I need to put 4 more agents into my infrastructure?

Interesting. That's a great point. I really hadn't thought about that. I know I've been so focused on the policy side, I missed the agents. The -- but let's put this together now because -- and talk about sort of your traditional competitors, the Check Points, the Fortinets, the Ciscos of the world, on-premise; but then also some of the cloud-native vendors, sort of like an Aqua versus a Twistlock. When you think about your portfolio right now, how are you positioning Palo Alto Networks versus, call it, the old competitors and the new competitors?

Look, I think the firewall industry is going to be around for a reasonable period of time because I don't think -- if you think about it, $10 trillion of IT spend exists in data centers out there. So they haven't yet been overtaken by the cloud vendors. And maybe in our lifetime, in the next 10 years, we'll see 30%, 40% of the world is on cloud, and 60% are still in the data centers. Those data centers still need to be maintained, upgraded, ran. [ So we'll have that happen. ] I think you're going to -- not think. I know you need firewalls against your cloud instances because, if you go to hybrid and you want to make sure there's policy consistency between your hardware and your software in the cloud, you need to make sure stuff going east, west, north, south is protected. So I think you're going to need software firewalls. The third thing which is happening is that the -- what the industry calls the elimination of the perimeter, right? It's no longer in the past. You go to your office. You access it from your laptop on your network in the office. Suddenly, now you're accessing it from home with that wonderful logo behind you. And you're accessing it from the Starbucks, and you're accessing it from a brunch. Your perimeter has extended to your laptop and every place you chose to access it from. That requires a firewall in the cloud, which is what our product called Prisma Access. Now what we are able to provide is a hardware firewall, a software firewall, a firewall in the cloud, and we provide all subscriptions that run across all 3 form factors, right? So that's the future of the firewall industry, that you have to be fungible to form factor. You have to be fungible to where the deployment needs to happen: in the cloud, via the cloud, in your data center. And that industry will continue. Honestly, I don't see -- the vendors or partners or competitors we compete with in the firewall space, I don't see them in the cloud security in the AI space. And I don't know. Perhaps some of them are working hard on that transition. We are, too. And hopefully, some of them make the transition. It's clear as industries go through transition, not everybody makes that transition. So eventually -- that's why we started putting up a metric out there called firewall-as-a-platform, to be sure that we can -- as long as we can grow it mid-double digits or teens, we're good because we're taking share from the market. The market is growing at 6%. So that's what we think about that business, and that's -- as you saw in our earnings, we reported that that's still a very healthy gross margin business, a very high operating margin business. And we haven't quite talked about cash flow, but we had a very good cash flow outcome in Q1. And I'll just say more -- most of our cash flow, if not more than what we show, is made from our network security business. So it's a very healthy, robust business still growing in the 13% to 15% range. On the cloud security side, honestly, like, we have 7 modules. If you try to replicate what we do, you'd have to stitch 6 vendors. If some customers choose to do that, then that's fine. But -- and I don't think we're done. I think 60% of what is needed for cloud security has been built by us or aggregated by us, and we're still the #1 in terms of the functionality we provide. I'm still sure there'll be 20%, 30% more functionality created or integrated in these platforms either at the customer or by us or others that's going to be providing a full solution. And the way I see it, the cloud-native guys, a lot of respect for what Google does, used to work every 10 years, or what AWS, Azure does, but remember, this is a 2% business for them. Security is 2% to 4% of the spend. The 96% of the spend is getting me to put my data and my storage in compute and infrastructure. And we're chasing a 4% market compared to their 96% market. I would suspect they would be deploying their capabilities to win the 96% of the market and not worry about letting have us have some 4%. I know that some of the firewalls, and I won't say who -- one of the [ cloud providers are, yes, ] we know your firewall's 2 years ahead of ours, but we give it away for free.

Yes. I think that's what you'll also hear from our CISO, Gary Owen, tomorrow, is it's not just simply, hey, this is Palo Alto's business versus the CSPs; but, hey, do you actually want your infrastructure provider providing the security for that infrastructure? Does it make sense to actually have a third-party check in addition to your sort of...

Like, I know -- I hope you never have to find out. But if you ever, God forbid, find out the wrong way that you could have -- you should have gone with a more sophisticated firewall infrastructure because you're protecting your customers' information.

Yes. I mean a good friend of mine, who's a pen tester in the industry, was a speaker actually at this conference last year. He said, "This market is not called IT security. It's called job security."

Nobody got fired for getting something which was -- which worked really well.

Exactly. Exactly. But you get fired if it didn't. So the -- but now let's talk about -- I mean we've talked -- spent a lot time on sort of the big industry trends and the evolution of Palo Alto's product portfolio. Let's touch on the go-to-market. Obviously, you have a much broader product portfolio than you ever had, okay, endpoint, cloud, perimeter. How do you think about just your go-to-market right now in terms of capacity, structure, comp plans, et cetera?

Yes. It's kind of like this. I will say this: one of the things we've had to do is we've had to go and try to see how do we -- take a sales force that was perfectly capable of selling firewalls, how do you get them to understand that network firewall is transforming to software, figure out things like Prisma Access, SD-WAN, and VMs, at the same time introduce them to cloud security and get them to sell AI-based security, right? So don't forget, in each of those categories, whether it's Zscaler against Prisma Access or Crowdstrike against XDR, you've got a specialist sales team. That's all they do. And here, we're trying to take a generic -- a general sales team and trying get through to sell this stuff. So we went about it in 3 phases. I think Phase 1 was -- it's kind of like Darwinian: offer a lot of money, see how many of your people can learn and go out and sell, which we did, because we couldn't go out and hire 200 salespeople to compete with Zscaler. [ So yes, let's find the salespeople who can compete with them. ] We put the products and said, hey guys, here, we'll pay you a lot more money if you go sell this stuff, and it worked. We had a $4 million business a quarter 2 years ago when we were able to prove that these guys can sell the stuff. You just put enough money on the table. Well, it's still not a sustainable strategy because we saw the impact in the other half of our business for the next 2 quarters because they were focused exclusively on the new stuff. So okay, this is not a good idea. So let's go hire some more people, which we did. And we hired more people. And then we said, okay, the really important deals, let's send the specialists because they're competing with specialists in these. [ So that's ] what we did pretty much most of last year, and we kept hiring. And that's kind of why we were able to show the numbers we were able to show on next-generation security, and that worked. Now we're sitting there saying, okay, how do you scale this beyond that? How do we get more sophisticated and not lose the leverage we get from the Palo Alto Networks salesperson? Because I do have salespeople who are amazing that can go sell a customer $40 million of product across all categories. Then I have people who sell specific network stuff in Prisma Cloud, some in Cortex. So what we're like doing over this fiscal year is to make sure we balance that. We have some uber teams which can sell across the entire portfolio. And we have specialist teams which are available when we have to go into a dogfight, where we're competing with specialist teams. And investors [ are more ] rewarding them with phenomenal multiples. We've got to make sure we can go after them and get the businesses from them. So that's kind of where we are. Life doesn't fall neatly in quarters, but in the last few quarters, we've shown that we've figured out our rhythm and our balance across those. And I'm sure we'll tweak stuff as we go along. But the end outcome I think we want and, I think, which we want to aspire to is that we keep growing our network security business in the range we said, keep the high gross margin there and keep generating tremendous amounts of cash flow, use that cash flow in some part to feed the business, which is our fast-growing business on the cloud security side [ and the AI side ], so eventually, these businesses become equal parts of our overall strategy.

Yes. No, I've joked that the -- sort of the, call it, Q4, Q1, Q2 last year were maybe the overpivot or the overspiffing of the sales force. The silver lining was that it proved that, hey, this next-gen security stuff, there's a market for it, and it can be sold. So it was like that was the silver lining.

Yes. The product/market fit, the only one way to prove it is when customers buy it.

Yes. But it also did prove, thinking back to your Analyst Day that you had in New York, that one of the things you laid out was the need for more capacity. So I think sort of silver lining was, a, you proved that, hey, there was demand, and it could be sold; and b, it proved that your initiatives of adding just more capacity in the go-to-market was also necessary, too. So...

Yes, Phil, when I started, I read your financial model on us, and I read many models on The Street. And there was a very respectful revenue decline trajectory for us from 19% to 17% to 15% over the following 3 years. And right now, we're beating those odds. So we have 2 handled in front of our revenue growth. That's what we're calling for the full year. So we skipped the 17% expectation from people. And the only way we're able to do it is by making sure that we're investing in the growth categories in the industry.

Yes. I've been Mr. 2 for you guys. I've been saying, 20% plus, you would probably get those. [ So I was rooting for you ], my friend.

You were ahead of me. You were ahead of me. Thank you.

And so we've got a few minutes left here. But one of the things I do want to talk about, and maybe it's also opportune, too, since the last acquisition did. At a high level, sort of, you mentioned sort of that security is a data problem -- or a data game maybe is a better way to put it. When you think about the acquisitions you made, sort of the unique position that Palo Alto has with next-gen firewall at the perimeter, how do you think about sort of, I guess, how you're positioned if security is indeed a data game? What do you bring to bear that others don't? And what have you brought on board that extends that lead?

Well, that's a good question. Look, if you think about in -- 2.5 years ago, the industry process was you deployed a security product, the product came in different flavors, and pretty much 30% of products did in-line security. They protected you while things were happening in flight, whether firewall did it -- or sorry, endpoints did it, endpoint protection. But 70% of security was hygiene, where you're like, so okay, here are the rules. If Phil goes to Korea and downloads 2 gigabytes, stop him because he shouldn't be downloading 2 gigabytes in Korea. Now nobody knows why he did it or why he shouldn't do it, but there was a policy which stopped employees from doing that. There's a policy that stops him from going to certain websites because they have malware or phishing on them. And every time you try and do that, an alert pops up in the SOC, and some poor guys have got to figure out why was this policy written and what is Phil doing that I need to stop him from. And over time, as you deploy more security and write more policy -- nobody deletes policy, by the way. [ Security is to ] add more because you're scared, if you delete something, you might screw it up. So you can go into the SOC, get [ 60,000, 70,000, ] 150,000 alerts a week, and poor people are trying to mitigate those alerts in order to figure out which is the real security threat and which is just an overzealous policy. So we took a point of view that we need to figure out how to eliminate those alerts because that's all noise. We got to figure out how that -- how do you eliminate it, figure out what the events are and then to be able to solve the events proactively in real time. That's security in the long term. It's kind of like Elon's autonomous car because -- can you stop every attack in the -- while it's happening -- because if you stop it -- if you figure out afterwards, the cat's -- the horse had left the barn and somebody had run away with your crown jewels. So we've taken a very deliberate point of view towards that. If you think about it, there are sensors and gates. Firewall's a gate and a sensor in your network. Your endpoint is a gate and a sensor in your network -- or in your SOC. And then there's enablement or security policies to the cloud. In the long term, you've got to make sure all your sensors are collecting all the data, you're analyzing the data real time. And if there's a problem, you're either remediating that by stopping something from happening or reversing it either on your endpoint or in your cloud or in your network. So for that, you've got to be able to collect, ingest and normalize tons of data. Now we've had companies collect and ingest data, but nobody's actually normalized it and tried to make sense of security because there's never been a single source of truth. So what we've done is we established our product, XDR, as the single source of truth at the endpoint. We collect that data, merge that with firewall data. We were then able to eliminate 50x the alerts that show up in your SOC just by doing that. We have started ingesting other data from Okta, from Microsoft AD, from other firewalls everywhere. So we keep eliminating alerts because they [ did feel ] like -- let's like call it the 13 mouse traps and 1 mouse in the room. If we have 13 mouse traps from 13 vendors, every one will tell you there's an alert, but there's only one mouse in the room. How are you going to find it? And by the time you make sense of it, someone says, no, I saw 2 legs. Someone says I saw a tail. Or I saw something in their mouth. I saw a piece of cheese. Like, holy s***. What is this? It's a mouse carrying cheese. Sorry, this is my 2.5 years of security veteran in there, if you can tell.

I like it. I'm going to steal that analogy.

And you've got to figure out what is your single source of truth. Use that as your single source of truth, and they go normalize everything based on that. Well, that's what we're doing with the XDR. We spent a lot of time building that capability. We're able to get 1,000 customers to use that product in the last 6 months. We think that coupled with our capability to ingest, and then we take it to the other end and automate all the alerts which need to be automated with XSOAR. So in Cortex, we have strategy which allows us to start using AI and data to able to resolve a problem. And our most recent acquisition of Expanse is another way of looking at it because all the data we have is from inside, inside the company. Expanse looks at stuff from the outside. So it's like, wait a minute. That's great. You run around your house, tidy everything up and shut everything, but what does the guy from the outside see? And Expanse says, holy s***, I see there's 30 windows still open. I want to come in. So wait, I closed 70,000 windows. What happened to 30? Well, I just need one. So that's what Expanse does. We merged -- we're going to merge Expanse data with XDR data to make sure you can see the inside/outside look with the right automated playbooks to remediate that so you don't have to do anything.

Yes. That makes sense. Now the -- I've got a couple of write-in questions. So I'll ask those now in the last couple of minutes we have. But the first e-mail, and I guess not write-in, question was, "Nikesh, thank you for joining us. How are you thinking about margins and their potential? What is the framework when you think about growth versus incremental margin?"

Look, our margin was 22%, 23% when I joined Palo Alto Networks, and it was a very well invested -- investments were very well done in our network security business. We unwound our margins, took them down a little bit to be able to invest in our cloud security and endpoint security and our AI security business. And I honestly urge you to look at the 2 sides of the business. On the network security side of the business, it is a scale business: $3.4 billion of revenue. It's got a 77%, 78% gross margin. It's got a 28% operating margin, give or take, and it's got phenomenal cash flow margins. That business should sustain. There's no reason for me to sacrifice that gross margin or operating margin if that business is a well-run business. It's a productive business. If I keep growing at 13%, 15% of those margins, that's a phenomenal business. That's worth a lot of money compared to even the [ multiples of people ] in that space. If you look at the right-hand side, what we've shown is we are going to grow our ARR by 89% next year to 700 -- for this fiscal year to $735 million. We have gross margin at the 60% range, which was with the integration of the Crypsis acquisition, which becomes a smaller piece of the puzzle because the other -- the revenue keeps flowing in from our growth from the other parts of our business. And our operating margin is going from very highly negative to less highly negative to hopefully trending towards positively. I think the way to think about the right-hand side of our business is it's following the path of a high-growth SaaS business, and that's how you should model it. So I look at it as 2 parts, and the 2 parts will determine what adds up to the whole. I think trying to manage the business at the total margin runs the risk of me underinvesting on the right-hand side. And I think underinvesting on the right-hand side runs the risk of not scaling a phenomenally amazing next-generation security capability which we believe is unique in the marketplace.

I mean that's one of the things that I talk about, is sort of -- and have for, I guess, 20 years now, is that software moves in waves and platform shifts, and you don't want to underinvest in the beginning a platform shift because, hey, software is a long-duration asset class. You can keep customers for 10-plus years. So you don't want to underinvest in the early stages of these shifts. And obviously, there's a shift happening right now.

I hope so.

It's a -- okay. Last question for me. And let's say, Nikesh, you are sitting here in 5 years. And here, hopefully, is going to be back at the conference in Las Vegas. But what trends or technologies do you think you're going to look back on in 5 years and say, hey, this was more transformative than maybe I thought or it happened faster than I expected back in 2020?

Yes. Look, I think in 2 years -- just 2 years ago, the conversations were we're all going to go to the cloud, but we're going to pick our one cloud vendor and go gingerly. I think a combination of COVID and combination of the market has proven now, hey, we're going to multiple clouds, and we're going to go there as quickly as we can. I think that trend is going to continue. I think that trend is actually accelerating. I think that acceleration is going to have collateral damage on what was traditionally the old data center business and how we thought about the world. And it's going to suddenly arrive upon us so we should be prepared for it, and I think we are. I think people need to understand that, that trend is going to be -- from 5 years from now, you'll turn back say, holy s***, yes. It's obvious. 20% of volumes are on the cloud. And if 20% of volume moves to the right and you're left with 80%, if 80% is not growing -- it's going from 100% down to 80% -- holy s***, yes, of course, I'm going to predict a 3% to 5% downward trend every year. Mathematically, [ it will accrue ] 5 years from now. I think we're sort of like -- so we're all being boiled by the -- the traditional boiling the frog strategy. We're all being lulled into a notion that it's not going to happen. So I think that's going to happen. I think as is already evident between the crazy enterprise stories you hear about companies that help you manage data whether it's a Snowflake or, [ I don't know, some company called ] Rubrik yesterday. So all these people are helping you manipulate and manage data. And you know what? I tell you what, good news, bad news. Like, [ I used to do this for ] Google. I'm thinking until 2004, like, I don't remember, like 5 exabytes of data was created. Now we create 5 exabytes of data every hour or something. That needs to be stored somewhere, and that means you're going to have cost of storing and manipulating data [ is going to ] to go decline rapidly, so faster than Moore's law, right? When that begins to happen, we're going to be using AI with low latency all over the place. I just don't think we've seen the application of AI in a scaled way yet. And I think when that becomes easier to do, then we say, holy s***, I guess I could have told you that. AI was already hot 5 years ago. Well, guess what? AI requires a single source of truth. Until you go anchoring on a single source of truth and use that to normalize data and find a solution, you can't do it. So I think AI and the cloud transformation, which are trends we talked about today, I think they will truly manifest themselves in 5 years from now, and we're going to say, holy s***, I could have told you that. It's kind of like -- and I'll stop with this analogy. And I used to work at Deutsche Telekom in 2004. I used to work at Putnam on the buy side in 2000 -- '97. And there's to be this new trend where the Internet [ was around, and the first service call was this ] Chief Digital Officer. That's is the way you absolved yourself from having to think about Internet. So yes, the Chief Digital Officer worries about this, [ but ] they're going think about it. And today, [ by generally hiring ] a Chief Digital Officer, [ you're saying ] your entire business depends and lives on the Internet. In 5, 10 or so, we're going to say our entire business depends on our ability to manipulate data and our being able to be in the cloud, and if I can't do that, I can't exist as a good business because our competitors are way better than we are.

All right, sir. Well, our time is up. You were super informative as always. Thank you for the time today, and be well. We'll be talking soon.

Thank you, Phil. Thank you very much for having me again.

Thank you.