By Sarah Townsend
For a listed firm already worth $1.4bn, Palo Alto Networks’ annual growth of nearly 50 percent is astonishing. But so too is the growing threat of cybercrime, its speciality. Chairman Mark McLaughlin reveals the inside strategy for fighting a black market industry that rivals the illegal drug trade.
By his own admission, Mark McLaughlin’s career took a “meandering course” before he wound up as global chairman and CEO of the $1.4bn, New York Stock Exchange-listed cybersecurity firm, Palo Alto Networks.
“I’m no hardcore technologist,” the Silicon Valley-based CEO tells Arabian Business during an interview in Dubai.
It is true, McLaughlin’s early career was very different. A graduate of the prestigious United States Military Academy (USMA) at West Point, he served as a pilot flying Cobra attack helicopters for the US Army — his childhood dream.
But that career path ended when the fifty-year-old suffered an accident that put him out of action for nine months. He underwent several unsuccessful operations and was eventually discharged from service. “At the time it was like the end of the world,” he told Forbes in 2010.
Nevertheless, McLaughlin picked himself up and retrained as a lawyer, based in Seattle. The fast-paced world of technology soon had McLaughlin hooked, and after practising technology law for some time he was poached by one of his clients and moved to California.
As his new career paved its own course, McLaughlin joined a technology start-up that was later sold to listed internet services provider VeriSign. He worked at VeriSign for nine years, the last three of which he served as CEO. He left to take up his first role as president and CEO of Palo Alto Networks in 2011, having built up VeriSign into a $5bn market capitalisation firm as of 2010, according to reports at the time.
Following what McLaughlin now views as a fateful accident, he has certainly found his niche and is loving life in the hotbed of entrepreneurial activity that is Silicon Valley.
“Something’s happening all the time, things change so quickly, there are lots of really intelligent and interesting folks; it’s very energised,” he tells Arabian Business.
Today, Palo Alto Networks is a global technology firm focussing on the rapidly expanding cybersecurity market. In the digitalised world in which we live, the risk of being hacked is constant. The US-based Center for Strategic and International Studies (CSIS) estimates that cybercrime costs the global economy $445bn every year, making it larger than the illegal drug trade.
Five out of six businesses globally are expected to become victims of cyberattack every year, while around 2 million people in the UAE alone were affected by cybercrime in 2015, according to last year’s Norton Global Cybersecurity Insights Report.
Companies need to treat cyber threats in the same way as other potential disruptions, McLaughlin says.
Meanwhile, data from Trend Micro this month showed that the Middle East is seeing a rapid rise in threat levels, up 55 percent quarter-on-quarter. The security software firm claimed it had detected an average of 91,965 malwares a month in the UAE this year — the highest in the region — followed by Saudi Arabia with 87,876, Qatar with 21,293 and Oman with 10,173.
McLaughlin is reluctant to disclose Palo Alto’s Middle East-specific data, and, as a listed company, it does not report regional breakdowns in its financial results. “This is a global issue and the risk areas in the Middle East are pretty much widespread,” he says. “Traditionally, they [attackers] go where the money is, so the bigger the economy and the richer the nation — Saudi Arabia, the UAE, Qatar — the more attention it gets.”
However, he concedes geography does matter when it comes to evaluating the risk facing individual countries.
“How close you are to the front lines determines to an extent how susceptible you are to people wanting to attack you. Some places may not have the economic resources of others but by geographic proximity they are closer to the lines of attack.
“South Korea, for example, and other nations in Asia, are often tested to see what their defences are because of digital interconnectedness [with neighbours such as North Korea and China]. Attackers think, ‘if I can find the weak link in the chain, I can get in.’”
For a large company, Palo Alto is seeing impressive growth in most areas of its business. In its fiscal fourth quarter and fiscal year results published on September 30 (the company ended its 2016 fiscal year on July 31), it reported 49 percent growth in total revenues to $1.4bn during the fiscal year 2016, compared with $928.1m in 2015. Billings grew 56 percent year-on-year to $1.9bn, while net loss as calculated using generally accepted accounting principles (GAAP) was $225.9m, compared with $165m in fiscal year 2015.
On a quarterly basis, revenues also grew fast — by 41 percent year-on-year from $283.9m to a record $400.8m in the fourth quarter, although that was down 48 percent from the previous quarter. Billings grew 44 percent year-on-year to $572.4m and adjusted earnings per share grew around 80 percent.
McLaughlin says in any given quarter the region accounts for around 20 percent of the totals, and the GCC — mainly the UAE and Saudi Arabia — represents the fastest growing part of the business, with growth outstripping the 40 percent recorded for the rest of the world. Palo Alto has offices in Dubai and Riyadh covering the Gulf and Levant regions. Those offices have 50 staff, including 32 in Dubai.
The company is conservative on its forecast for the current quarter, including sales growth slowing to 34 percent. However, McLaughlin tells Arabian Business: “We’ve told investors and analysts that we expect to be in ‘high-growth mode’, which we’ve defined as 30 percent or higher, representing billions of dollars of revenues, for the next few years.”
The recent results were “very strong indeed”. “Both quarterly and yearly billings were up 40 percent and it’s extraordinarily unusual to find companies of our size growing that fast. It’s being driven by rising demand in the market for a real-time platform in cybersecurity, which really matters at a time when everything is digital.”
Palo Alto Networks is helping businesses and organisations worldwide prevent cyber breaches.
In the past three years, Palo Alto Networks has undergone a shift from being a predominantly hardware business, driven by product sales, to a services-driven business model focussed on prevention. Today, the detection (hardware) side of the business is still growing, says McLaughlin, but at a slower rate than the services side, reflecting a “paradigm shift taking place in security today, which we have invented and are leading on,” he states.
“It’s a transition from point technologies that primarily do detection and are usually built over individual hardware capabilities, to software platforms that are focussed on prevention, based on next-generation technology that allows companies to virtualise securities services and operate in the cloud and so on.
“Our business model is very much a hybrid model. All of these things are quite disruptive to the traditional model of security.”
Yet disruptive is necessary, he argues, because ‘disrupt’ is exactly what the hackers are trying to do. “If you have an increasingly digitally-based society, which we do — consumer business, banking, personal life, you name it, everything’s digital — the wonderfulness of that is that you have these giant productivity gains. And we need that, to cater to rapid population growth and maintain a good quality of life.
“But the technologies that drive the productivity gains are the very things that will put them at risk from a security perspective.”
When attempting to illustrate the threat cybercrime poses not just to business but to society, McLaughlin gives long-winded descriptions of dramatic scenarios he says are entirely plausible. He begins one here.
“The example I give all the time is this thing called money. Look, there is no money any more. Money’s just a digital concept, right? If I ask you to check your wealth and investments, you’d probably take out your mobile phone and look it up.
“If it said, $1,000, and then 10 minutes from now I told you to look it up again and it said $10, and so did everyone else’s, well, you’d end this interview and everyone would rush out and try to get their hands on something physical from ATM machines.
“Interestingly, in that example, it wouldn’t matter if the money had actually gone; the only thing that would matter is the perception that it has gone. The line between productivity of the digital age and chaos is very fine. Even if there were no issues with the financial system, if we were to just perceive that there were, there would be chaos.”
That said, the vast majority of cyber-attackers today are criminals, not just looking to stir up chaos but to get their hands on money or at least information they can monetise — be it healthcare records, personal information, or other — and this is happening “all the time”, McLaughlin says.
During his visit to Dubai, McLaughlin met representatives from the UAE government and private businesses, to discuss threats, risks and recommendations, and explain what Palo Alto is doing to help. The main problem, he says, is that cybersecurity is a “math battle”. The cost of ‘computer power’ (using a computer to process actions and information) is going down, and as digital technology gets increasingly sophisticated and you can fit more things on a chip, the costs will drop further as explained by ‘Moore’s Law’, the concept devised by Intel co-founder Gordon Moore.
“What that means from a cyber point of view, is that the bad actors can launch more, and more sophisticated, attacks, at a lower cost. It’s child’s play today to string together computer power to launch major attacks; you and I could rent it from the internet and it would cost a couple of hundred dollars.
“So the advice we’re giving, and what we’re doing as a company, is to say that the whole economic model has to be turned on its head. As long as it’s cheap and cheaper to launch successful attacks, the number of attacks will keep growing at a wildly exponential pace.
“Nobody wants to increase the cost of compute power — that’s bad for productivity — so we need to make attacks more costly, and successful attacks really costly. Today the cost of an attack and a successful attack are basically the same thing.”
The difference between an attack and a successful attack is that that the hacker “has to do a bunch of stuff right” (see page 47). And if any of those things fail, says McLaughlin, the attacker has to start over with research, social engineering [of victims], data building, hacking and so on. All of that costs money, time and resources.
Therefore, Palo Alto’s technology seeks to seamlessly interact with the various stages of an attack ‘life cycle’ and interject to prevent the attack from reaching its end goal — which could be entering the private server of a global utilities company and disrupting operations.
“You could be Machiavellian about it and say, ‘right, if I was the attacker and it cost me $100 to successfully attack this organisation, I could use that same campaign over and over again for no extra cost’. But then say, if Palo Alto Networks was in there, and it cost me $200 then fail, then $300 then fail, then $400… $800 and it still hasn’t worked? Well, I’d just think, this is too expensive, why don’t we go somewhere else.”
Some people argue companies in the Middle East are easier to hack as they might have less sophisticated technology — the problem of “legacy infrastructure”, says McLaughlin. But he believes the opposite is true.
“The region is newer and fast-growing, so you have more opportunity to start with fresh ideas and fresh technology.”
McLaughlin has been chairman of US President Barack Obama’s 30-strong National Security Telecommunications Advisory Committee (NSTAC) for the past two years, and a member for six years. The committee meets once a year and is tasked with making policy recommendations on a variety of US-specific topics, including priority wireless access during national emergencies, security in cloud computing and how to manage a national cybersecurity attack.
Cyber criminals are better resourced today because the cost of computing power continues to decrease.
He declines to comment at length on the US general election campaign, but says: “Cybersecurity has been and, I think, will continue to be a non-partisan issue as it is just too important a subject to be political in nature. So, my expectation is that it will remain a top priority for the government regardless of which party is in power.”
In the meantime, Palo Alto Networks continues to evolve its business to battle the world’s hackers. Acquisitions are not a priority, says McLaughlin, who is critical of inorganically grown market players. “Our platform has been almost entirely developed internally, as the best to get the automation and high degrees of prevention capabilities required to fight an automated and sophisticated adversary. This is unlike pseudo platforms that are cobbled together through acquisition and never truly achieve high degrees of integration.”
That said, the firm is open to acquisitions that would extend the platform capabilities, he adds.
Either way, Palo Alto is in a strong position to capitalise on the rapid growth of one of the most important industries in the modern world.
How a cyberattack works
“If I wanted to launch an attack, I’d first have to socially engineer you. I’d go on Facebook, LinkedIn, and see everything you’ve freely shared with the world, and from that I could figure out who you are, where you work, what school you went to, friends’ names, pets’ names, all sorts of wonderful things you’ve freely told the world.
“Let’s say you work in an energy utility firm and I want to take over the control system. You’re the receptionist, so not technical, but I’d socially engineer you, gain access to your computer and then I’d go into your network and pretend I was you. But actually, I’m not after you, because you don’t have any credentials to access stuff from the network. I want this guy, because he’s the director of IT, and if I had his credentials I could go anywhere inside the network.
“So I figure him out on social media. I discover he likes to sail, and I know you two know each other because I saw you were connected on LinkedIn. So I sent him an email [saying], ‘I thought you might be interested in this article I saw on sailing — what a wonderful boat!’ And it’s actually going to be a real article and a picture of a real boat attached. And he’s going to open it because it came from you and it’s about sailing. He’s going to open the picture to look at the pretty boat, and when he does, it’s going to download malware to his machine and I’m going to take over with a ‘keylogger’.
“Next time he goes into the database, I own his machine. I’m logging his keystrokes and I know his password and username, I know everything. He goes home for the night and I come back in (electronically) at 2am and log into the database as him. Now I’m in. I can do anything I want. That’s how it works. It’s called ‘the lifecycle of the attack’.”