BoB Conference Exclusive: Palo Alto Networks' Mark McLaughlin On The Problems Of Today's Security Solutions, Working With The Government, And Myths About Cyber Insurance
McLaughlin On Record
Security issues are top of mind everywhere from small businesses to enterprises, both in terms of major headline-grabbing attacks like last week's DDoS attack on Dyn, a key junction of the internet, to the multitude of smaller attacks that may never make the press.
The security industry's response ranges from point solutions to security platforms with a wide range of capabilities, but a successful security solution still requires vendors, partners and customers to work together.
One of those vendors taking the platform approach is Santa Clara, Calif.-based Palo Alto Networks. In a keynote interview with The Channel Company CEO Robert Faletra at the 2016 Best of Breed Conference in Atlanta, Palo Alto Networks CEO Mark McLaughlin talked about the top security issues, working with the government to protect business and national infrastructures, and what solution providers can do to better protect customers. He even had time to field questions from a couple of solution providers in the audience. Here are edited excerpts of the conversation.
Security is an industry that is always evolving, making it hard to stay ahead of the bad guys. What is Palo Alto Networks' thinking about all that is going on?
I think we're in a good position. When we started the company, the whole idea was have a very prevention-oriented approach. We looked at the last 25 to 30 years of security and said, 'Hey, there's a good idea that is implemented in the wrong way.' And the good idea is that you interdict the attack and the life cycle of the attack because the difference between an attack and a successful attack is that a successful attack has to do everything right. If you can interdict it some time prior to the completion, you can do something about it. …
[Security has] a tremendous amount of complexity. And almost all that was designed to do one thing, which is to detect and interdict, as opposed to doing something about it.
Can you simplify it?
[Imagine a graph where] the number of attacks is rising exponentially because the cost of compute power has gone down. And it will continue to go down. ... Nobody's going to change that slope of the curve. …
Our idea is to say, you take that interdiction capability approach, but actually build the wall yourself [with automation], and if something does something right, it automatically reprograms everything downstream as fast as possible. You can design it in such a way that every time you add one more network, one more customer node, everybody benefits from the new knowledge that you gained from that environment. And that's what we've done.
How pervasive are the attacks on business? Is there a company out that that's not being attacked? Should we assume we're all being attacked and we just don't know it?
I think so. Go back to my graph in the air. I said the number of attacks is this line. It's not just indicative of what an entity would going through. It's what going on globally.
Look at the Dyn attacks. Very, very complicated outcomes on a very simple attack. As long as the cost of compute power is going down, there's really no reason to believe that's going to change. The number of attacks is going to keep going up.
The business model for the bad guys is great. And the business model for everyone else, when you're dealing with complexity and inconsistency of how you apply security, is not so great. I think that graph applies to attacks on any individual, and on all entities, regardless of government, education.
Wouldn't it be better if we could just buy a package with everything?
I think there's confusion in the market of people thinking that customers want less vendors. Customers don't want less vendors. What customers want is better security. And they assume when they get that they're going to deal with less vendors. But that's not the same thing. …
Palo Alto has developed this platform that I just described. Everybody in the world says they have a platform. Our definition of [platform] is very simple. If I describe to you what we just said, all these interdiction points to leverage the ecosystem, [then] the vast majority of everything Palo Alto Networks has done to become a $2.5 billion run rate sales business we built ourselves. Not because we're arrogant, but because you don't make stuff work like that unless you're in control of it.
But no one can do everything in security, right?
I've been very careful in telling folks that Palo Alto Networks is not going to come to you as a customer and say, 'We're going to do everything for you in security.' Every single company who has attempted to do that in security has failed. They end up doing a lot of stuff mediocre, as opposed to some stuff exceptionally well. We're trying to do some very important outcomes in security exceptionally well. What we're not trying to do is everything. [Almost every] company this size with this amount of cash and market cap, almost everybody who's ever been in this position, has tried to roll up the security industry and say, 'We're doing everything for you.'
We're not going to do that. That's because security is moving too fast, and you cannot do everything for everybody. It's a mistake to think you can.
What does being a platform company really mean in the security industry?
I think it means are there four things you can actually demonstrate to customers/ The first is, can you have a new definition of what security means? And by that, it's a high degree of prevention, not complete prevention, but high degrees of prevention that mathematically show a board of directors or C-suite directors or whoever you need to show, where am I today? Where do I need to be tomorrow?
The second thing a real platform has [is] leverage in the ecosystem. So every time you add one more customer into that environment, does it help everybody else? And that is an automating statement, meaning does it help everybody else, because if I did something right in security for one customer, how fast can I automatically propagate that knowledge to every single capability in every customers' environment?
The third thing would be consistency, which is if I have a real platform, I have to do it everywhere the data is. I have to do it in the data center. I have to do it in the perimeter. I have to do it in AWS, and Google, and on data in Dropbox, etc. It has to be exactly the same thing everywhere where data is.
And the fourth thing a real platform would do is say, with all the data I have in that giant ecosystem, and all the data I'm getting, can I do something with that to continually make the first point better with security and predictive analysis around that data on a pro-active basis?
How do you advise partners on security right now? What's the easy sell right now?
With or without Palo Alto Networks, the idea of the platform the way I just described it is very real, and is the future. There's no doubt about that … whether we deliver it, or someone else delivers it. The era of selling point solutions to fix one particular thing is over. Now, nothing changes in security overnight. That's an evolutionary comment, not revolutionary. It's continuing for some time. We'll see tons of very old legacy technology in environments that will be there for a long time.
The second thing is, clouds are very real. And despite people saying we're going to go someplace with no data centers in three years, I don't think that's going to happen in a time frame that everybody's thinking. They're really on a journey, or on a journey in their mind. But being able to address that is very important.
So how should partners think about the cloud in terms of security? Security as a service? What's the real opportunity there?
The first is what you said: Security as a service. Let's put that piece in perspective for a minute. About 65 percent of our business today is not hardware. And that piece is growing at 75 percent year over year versus the hardware piece. When I look back at that definition of a platform, you have capabilities no longer being delivered by point solutions. … Understanding this platform concept, I know how do that. As a partner, it's very important, because that's what our business looks like.
[Also], there's a real big opportunity from a service provider kind of business [as security] is consumed that way, there is a lot that can be done from a data perspective that is more hunting and proactive and predictive in nature. And a number of our customers are taking some of our tool sets and using them for new revenue-generating services.
In your role as a member of the National Security Telecommunications Advisory Committee, what are you trying to do? Is it just information flow to the government?
It's something that has been around for a long time. President Reagan started it. It's a group of about 30 CEOs that work with the president and advise him on things on technology and national security and emergency preparedness. Basically, the way it works is, the president says he's interested in this, what do you think? We'll go off and study that for a while, and come back and make our recommendation. Almost always, that recommendation becomes the policy of the U.S. government. …
So there are things along those lines of what's going to be important for the government on national security and technology, and we provide input and advice around that.
Is it really the Russians with WikiLeaks? Are they really behind that?
From an attribution perspective, all the folks that have been called out, whether it's North Korea or Russia, or Iran occasionally, I don't think it's hard to get to the attribution aspect of who's doing what when everybody says, 'It wasn't me.'
I think it's a good assumption that nation states will attack each other. They will probe each other. They're going to spy on each other. That's a pragmatic viewpoint that we should assume.
Is the government retaliating in some way? Do you guys talk about that kind of thing?
We don't do that in the NSTAC. That's not in our mission statement.
Our government does practice all kinds of cybersecurity. I think we want them to do that. I think they do a very good job at it. It's not as if it's in the paper every day.
An insurance company recently talked to us about working with channel partners to scare customers into buying security, something we chose not to do. Should partners become insurance brokers?
I would never try to scare anybody into doing anything, because the reality is, security is a real thing, it's going to be around forever, it's not going away. So the trick is, how do we compartmentalize that risk into something successful in our lives and our businesses. …
When we get to the point where we can buy cybersecurity insurance that actually pays you for the things you want to be paid for without giant deductions, huge exclusions, and things along those lines, we're going to know that we've turned the corner on security. That's where we want to be. There's a huge amount of profit in insurance. But, for insurance to actually work, the insurance companies have to do their own risk assessments which they use actuarial tables for, and figure out the risk so they can come out on top 51 percent of the time. That's a viable financial model in insurance.
So there will be a growing business for this?
It's good to understand it. But it's not a silver bullet. It's part of a package. And boards who think they have insurance and are good to go will be unhappy when they find out it's only part of the problem.
Question From Channel Partner: Customers always ask us about liability. What is the fine print of my liability associated with Palo Alto Networks' portfolio?
The ultimate request from customers is to say, 'Hey, your stuff is so good, or you tell me it's good. Why don't you just cover us for losses?' And we don't do that. …
When you come into an environment … from a security perspective, there's a lot going on there. And we have recommendations which will be defined as a security reference architecture. It's defined in outcomes, this is what we think you should do. … And to get these outcomes, this is how we recommend you should use our stuff, where you put it, etc. And a lot of times that doesn't happen. Not because people don't know what they're doing, but maybe they don't [follow] all those recommendations.
So you're basically saying, zero liability?
We have standard liability … that we're going to cover things that are associated with Palo Alto Networks from an equipment perspective, from a services perspective. What we're not going to cover is loss of business, or business interruption, or loss of reputation because of security.
Question From Channel Partner: Are the insurance possibilities widespread and affordable?
One of the fastest-growing portions of insurance portfolios is cybersecurity. That's off a small base of business relative to what they're going to underwrite for floods and fire and all those kinds of things. But it's a very fast-growing portion of their portfolio, and people are very focused on it. And they're going to continue to be focused on it. The trick around this is for insurance companies to get enough data from an actuarial perspective to make bets. Because they're in the business of making bets, and those bets need to turn out more in their favor than not – except in major catastrophes – in order for them to survive economically.
What will a cybersecurity insurance policy look like?
So they're putting a lot of time and attention into that. I think you're going to see some of these companies are trying to be pretty advanced around what their own capabilities are, they're buying assets to have a better understanding, and they're going to try and put together technology recommendations, instant response capabilities and say, 'If you use all of that stuff, or do it in the way I said you should use it,' at a minimum, there's a difference in your payment, sort of like a safe driver discount for auto insurance.
Are you able to refer your customer to an insurance company?
They're usually very separate. We don't get a lot of negotiation anxiety around liability issues. What we're talking about here from an insurance policy is separate but related to technology because there's a lot needed to get security done. It's about technology, it's about process, it's about people. It's not just one of those things, nor is it one technology provider. So we won't refer people to an insurance company.
Do customers often ask for an insurance referral?
Actually that topic comes up very rarely in my role, and I do talk to a lot of boards of directors who will ask about new cyber updates, and things around those lines. They'll always ask me about that from a security perspective, and say, 'What do you think about insurance?' And I'll say, 'Well, I think it's a good idea. However, you should know what you get today, and hopefully, this is what you'll get tomorrow from an insurance perspective.' And I hear a lot of optimism and promises all moving in the right direction. But that's like the difference of saying, 'Do I want to have fire insurance for my house, and should I have sprinklers?' They're related, but separate topics. You could have both.
What are the top buying triggers for the SMB security platform sale?
If you have a traditional security setup, what's happening more often today than not is that you're getting a lot of alerts. You could have lots of technical capabilities, and the result is you get more and more alerts. It's not uncommon to go to large enterprises and hear them say they get 3,000, 5,000, 7,000, 9,000 [alerts] a day, and growing. So that immediately brings into question what are you going to do with them?
How can businesses handle that many alerts?
If you're fortunate enough to pay attention to the right ones, that's when the work starts, which means that somebody has to go and do something. That puts an enormous amount of pressure on the most limited resources any business has, particularly a smaller business, which is people. So it kind of goes back to the platform: Can we get some automation going? Because we don't have enough people to deal with all of those alerts. We're not going to reduce the number of attacks. Which ones do people actually have to pay attention to? And the less resources you have, the more interested you're going to be in making that outcome a reality.
Are we getting better at security, or are we just keeping up with the bad guys?
I don't know if we ever were in front of it. Unfortunately, I think the reality of security is that it's a situation where the exact flip side of everything we love about the digital age is trust. So you have all these massive productivity gains because of the digital reach, SaaS, mobility, cloud and everything else, and all of those wonderful things. And on the flip side of that, the problem with all of that is, do you trust it to work straight? Which then goes to security.
Do people trust their technology to work straight?
There was a study done not too long ago by a U.S. government agency that looked at usage of digital technology. Interestingly, it said it was declining. Why? Because people don't trust it. How many times can you have your personal information stolen out of government databases or credit cards or banks or company passwords, [until] people are going to just get fed up and say, 'I've had enough. I just don't trust this stuff anymore. I'd like to go back to the way I used to do things before.' If that were to happen on a wide-scale basis, and that's very possible, the amount of productivity declines would be astronomical. It would be really, really crushing to our global economy. And that should be a very big concern.
What does this mean for the industry?
So this trust aspect is critical, what security has to deliver is retaining enough trust for people that people will continue using digital technology and not need to worry about that. But as long as compute power cost is going down, you should assume the number of attacks are going to keep going up. I'm not sure this is a situation where we get ahead of anything. I think it's that compartmentalization. How much of this stuff do people actually have to work on? Because that's a finite resource. So this is an automated knife fight. For operating automation to the knife fight, you can begin to understand the throne.
Do you know whose security product was on Hillary's server?
I do not know that.
What do customers want from their security solution provider?
It depends. But there are kind of a number of different answers. One is some customers are very, very pleased with whoever they've been working with for five, seven, 10 years. So they're set. They'll just keep working with those guys. Others will say they have a great relationship with their partner, but they're interested in the cloud, and they're not sure the partner is giving them any answers. What does Palo Alto think of the cloud? And others will say, 'Can we talk to you directly about some of the things we're very concerned about? Because I don't feel that we're getting a lot of expertise around mobility or SaaS or a lot of things along those lines from our existing partner. So how do you feel about those things?' And they'll want to hear directly from us or other vendors on that.
How can partners be of more help to their customers?
That doesn't mean that we have all the answers either. It just means we're looking for the answers. Really understanding the platform and all the security risks we just discussed, the impact of SaaS and all things cloud. I think they're critically important to understand, and developing capabilities for the customers to look to you as somebody who actually has an idea on how do I get from A to B, from point solutions to platform. Or even better: How do I get from point solutions to platforms that can operate consistently with the data? That would be a very good thing to have expertise on.
What do you do inside the organization to test your own processes?
On the competitive side, we have our own folks that will get technology and look at it. But most of that is just performance testing stuff, which is, does it actually do what it's supposed to do, and the competitive analysis around that. We'll beat the snot out of ourselves very consistently as a security company. You've got to be worried about that all the time. I certainly am. So I think we do everything we can think about to test for our security, as well as, of course, also eating our dog food. That's one of the things we have done for quite some time.
How does Palo Alto fit into the broader technology ecosystem?
If I were talking to boards of directors, I would say, 'Think of security as our cause. Don't think about other technology, think about it in actual business outcomes.' And if you think about it that way, you're going to get 12 to 15 [outcomes], depending on how you define them. Here's what that looks like in a reference architecture. Here's the outcomes involved, and the problems we're going to solve for you. It's not all of them. In the cases where we don't solve these problems for you, we will do tons of technology work [with] selected companies that we think are doing something really great from our perspective in a different area where we're not. We'll put those together for you technically, so that you're not the back-end integrator anymore among all these disparate pieces of technology.
What other companies have you selected?
We're running Splunk, we're running Tanium, and we're running VMware NSX. All the ones where we'll go out and say, 'These are the future strung-together outcome solutions. And we're doing that ourselves.'
What are you looking for in a partner to represent your products?
It should be, do you understand the platform? Like what it really means? And are you prepared to go to what the conclusion of that is with customers, away from the 'I've been selling multiple point solutions for a long time, or every vendor's the same.' All those mentalities, I think, are really starting to fall apart. Not because of us. It's because of the customers. They don't buy that anymore.
What's the impact of that?
It if worked, if the 'I have 17 vendors, and two of everything' actually worked, then we wouldn't exist. There are very, very few customers who believe that works anymore. ... It means that they're sure that that's not the answer. And there's a lot of pressure to do something different. So are you the new different, or not? And what we've been doing for the last 10 to 15 years has proven that.
How would you advise a partner wanting to set up a security practice?
I would say for sure to think about the platforms using the definitions I just laid out. Like prevention-oriented security with leverage that we can consistently apply wherever data is, and increasingly better use of analytics to do more predictive outcomes. So that's the definition of a platform. To do that from an expertise perspective means a number of things. You look inside there to talk about any specific technologies.
What must partners understand to build a platform?
From a security standpoint, you have to have understanding of the attack life cycle and all the things inside of there. So it doesn't mean that ideas like IPS [intrusion prevention systems] are bad, or that sandboxing [a mechanism for separating running programs] is bad. They're actually really good ideas. What partners have to do is understand how they work individually today, and even more important, how they need to work in conjunction with each other. So that's the definition of a platform.
How can partners leverage their platform to grow their business?
Being able to go to the future with prevention, and say in five years' time, I think endpoints are just going to be part of the enterprise from a security perspective. It's not going to be a separate thing. It's going to be, 'That's my environment.' Part of my data is on endpoints all the time, part of it is inside the network, part of it is off in the cloud. They're all the same. They're all the same from a security mindset in the mindset of a customer. Now, "What are you going to do about that for me?" is going to be very important from a difference perspective, but I think some of these concepts of dedicated volume centers are going away.
What doesn't the industry scare people more about security problems?
Nobody likes to be scared into doing anything. It might result in some sales sometimes, but I think what folks would really prefer is to feel more in charge of their future, as opposed to reactive. From a practitioners' perspective, people who have been scared into purchases over time -- you know, I better buy this [or] I better buy that' -- that usually doesn't turn out too wonderfully for them because there are no silver bullets in security. So if you are scared about something and say, 'I better go get this' and make a big deal out of it internally because you're trying to get an off-cycle budget to get it done, people don't forget about that.
What typically happens in those instances?
They'll come back to you and say, 'How are we doing on that?' Or, God forbid, you have an attack later on, they'll come back and say, 'I thought you said this was supposed to be the saving grace of everything.' That almost never works out that way. We've been very careful for a long time not to run the scare sell. We don't chase the ambulances. We don't have an incident response business for that reason. Not that that's bad. That's actually very important to have those capabilities prepared in the event that there's an attack. But we don't do it ourselves because we're a technology company. It's not in the business model.
Should customers bank on a separate PC that they don't use for anything else?
Uplevel that comment to, 'Maybe we should have different internets.' And there's a lot of serious talk about that right now. There is one in the defense industry. And there's been talk about having a separate internet for the banking industry, and the insurance industry, and people are out there working really hard around that idea. The obvious problem with that is half the juice, if not more, of the productivity gains and all the things we like about the internet is the network effect, that it all works together.
How does that play out?
Take that laptop example to a conclusion and say, 'Well, I've got one for banking, and I've got one for health care.' You're not going to have five desktops or laptops lying around, with a [single] use for each separate one. That's just not an acceptable outcome in how you want to run your life. So people aren't going to do that. The big problem with security is convenience. There's lots of ways to design security to say this is exactly what you should do, and then it run smack in the face of convenience or business needs. And customers are like, 'Well, I'm not doing it that way.' So you better come up with something different.
Is the talent level what it needs to be out there?
It depends on what kind of talent we're talking about. So usually if you hear people, government officials say we don't have enough trained cybertalent, what they're usually talking about are threat intel folks, the really talented attribution experts and some of the forensics expertise. And I don't think there's enough of them. I also don't think that that's the answer to the problem here. If we don't substantially change the level of automation in that problem in the first place – a slight exaggeration, if we could train to train every human being on the planet to be a cyberforensic expert or threat intelligence expert, we would still have this problem because we're up against computers. That's what happening. So we need more of that kind of talent trained out, but we have to recognize that that is not the only answer to the problem.
Is the government helping or hindering our security capabilities?
With nation-state attacks and all the things we read about, it's exactly the kind of thing where citizens look to government and say, 'You should do something about that. It feels like a national security issue, or a law enforcement issue.' … Now the problem with that, of course, is that more than 95 percent of all the assets we're talking about are not in the hands of the government. And we wouldn't want it there. So that's why when the government's out talking about cybersecurity, one of the first thing they love to talk about is this public-private partnership, and threat intelligence sharing, and other things along those lines. Which are very important, because there are limitations as to what the government can actually do here given where the technology resides. It's not all in their control to do exactly what they want.
Do the best minds in security want to work for the government or for you?
I think we have a lot of talented folks, but I'll tell you, there are a lot of talented people in my experience working for government and government agencies. The reason for that is partly mission: People get pretty excited about the mission. The second thing is that you get the best toys to work with on some of the hardest problems. And a lot of people get motivated by that, not just the monetary gains. So I think the government has a lot of smart people behind them.
Is the security market slowing down?
There are a number of factors at play in the market that are sorting out the market. When you have the move to platforms, you have the move to cloud, you have third-party SaaS applications being used more and more often, I think companies are becoming more and more thoughtful about what they're going to do, which means that they're not going to run out and buy everything that the industry is going to offer.