Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

In a previous post, I wrote about how Palo Alto Networks would fail. You can check out the post below if you want more details, but I’ll provide a brief summary.
For context and disclaimer, I do not use Palo Alto Networks products or services and have no plan to purchase any in the near future. I do not have a financial position in Palo Alto Networks and do not plan to start any in the next 72 hours.
Summary of the previous post
Palo Alto Networks had a legacy and outdated firewall product, but it managed to reinvent itself through a series of calculated but seemingly risky acquisitions architected by Nikesh Arora. Luckily, they managed to time it right and become an important player in the cloud security space. However, companies go through ups and downs, and their series of acquisitions bought them time but failed to solve the fundamental problem — the inability to innovate internally. As the cloud evolves, much of security will shift from traditional security operations to developers/engineering, much in the same way much of IT became DevOps. Palo Alto Networks will again need to find a way to stay relevant except they aren’t lucky twice and as a result, they misspend on acquisitions, fail to innovate, or both.
Upcoming changes
I alluded above to what the upcoming shifts might be. We are already seeing this with the growth of Cloudflare and Microsoft. There is a shift of certain traditionally operational work into engineering as companies try to become more technologically focused or brand themselves as technology companies. The growth of SaaS and interest in AI/ML validate this trend. What this means is that traditional operations organizations, such as IT, security, etc., will move under the responsibility of engineering and be disrupted. Leaders will change, organizations will flatten, and OKRs will evolve. We will see more product/engineering goals where aggressive innovation is valued over steady progress.
For the security organization that has been traditionally operations-focused, it will most likely move under engineering and have different objectives. As a result, the tools and software they will purchase and use will also change. The shift from traditional firewalls to cloud security was easier since the GTM motion was the same. They were still selling a product to the same persona that needed to solve a different problem. However, the shift from an operations-focused product to an engineering/developer product will require substantial changes in two areas: product and GTM.
Building a developer product
Palo Alto Networks has always sold into the CISO/CIO organization. It’s primarily a top-down sale focused on a product that has great dashboards and can be staffed with analysts. Typically, Palo Alto Networks sold a premium product that was the best of class, and similarly, when they acquired companies in cloud security, they paid a premium for the top startup.
However, developer products are slightly different. Here are some key differences compared to traditional security products:
Developers tend to like customizable products with open-source communities.
They want a “set it and forget it” type product. This means it’s easy to install and requires little maintenance.
Platforms are important. Developers like to buy from a single vendor that has pretty good or “good enough” products rather than buying the best-of-breed product for each category. Specifically, look at the Cloudflare and HashiCorp platforms. Also, it’s worth looking at the API platforms like Postman and Kong.
Platforms might need to be opinionated. In many problems, there are multiple ways to accomplish a task with various tradeoffs, but developers ultimately don’t care. However, they want to buy a platform that is opinionated about one method rather than trying to support multiple.
Palo Alto Networks will have to change their product strategy to build a product that developers, rather than executives, like.
GTM change
This is the most obvious change. The transition to cloud security didn’t require a large shift in GTM. However, with the change to developer products, there might be some large shifts. Executives are less involved in decisions regarding engineering products. Similarly, engineers are the largest advocates and tend to want to try an open-source option before buying. In fact, many just want to download a product and try it without wanting to interact with a salesperson, which means documentation is more important than demos.
This change requires complete shifts in marketing and sales, but it does seem like with their acquisitions in the cloud and container space that they are partnering and seeing GTM with the major cloud providers.
Palo Alto Networks’s strategy
I just described two major changes that need to happen, which will change how Palo Alto Networks operates. The question is how they execute on this shift. Doing the ordinary acquisitions and integration won’t work in this case.
First, they have to decide what to do with their legacy firewall business. The business is a cash cow, but it’s shrinking. One option is to sell it off to private equity or another company and get a lump sum of cash so that they can invest in the proper changes. The other (less ideal option in my mind) is to operate it as a separate business and turn themselves eventually into a Microsoft-style conglomerate. However, the issue is that it’ll likely not generate enough cash flow to take major bets in the developer security space.
Second, they have to figure out a way to create a developer-focused security product. There are two main options here. First, they can acquire a company with a strong anchor product that has substantial security engineering GTM motions, such as Snyk or Lacework. It’ll be interesting to see how they integrate the products. It seems that the Okta-Auth0 and Salesforce-Slack acquisitions, which have similar flavors, have been a bit rocky. Second, they can try to convert some of their cloud security products into ones that developers might like. I have yet to see something do this successfully in security, but it doesn’t mean it’s impossible.
Finally, they have to figure out how to organize their GTM. It seems that large companies can succeed only with some form of self-service GTM motion. Microsoft and AWS have enterprise sales, but much of their platform is self-service, including different parts of their acquisitions. For example, LinkedIn and GitHub from Microsoft don’t require too much enterprise sales engagement. However, they have to find a way to scale their sales team.
If they execute well on these steps, they will continue to keep their dominance in the security space.
Takeaway
Palo Alto Networks is currently winning, but it seems that this winning might be short-lived. In order for them to keep winning, they have to start transforming their product and GTM into something more scalable and start capturing security engineering budgets, which will likely increase over the next 5 years. I believe they have the ability and capital to do this. Now, it’s a matter of execution.