The Technology Letter: CHECK POINT CEO SHWED: YOU DON’T PICK YOUR BATTLES, THEY PICK YOU

By Tiernan Ray

Reprinted with permission from The Technology Letter

The shares of Tel Aviv-based computer security pioneer Check Point Software Technologies are that rare bird, a software stock that actually increased in price last year.

Amidst a thirty-two percent collapse in the Nasdaq Composite in 2022, and a forty-six percent melt-down, on average, among the dozens of U.S.-listed software names, Check Point had a nifty eight percent rise.

Just as amazing, Check Point beat the returns last year of much larger competitors. Among vendors of what’s known as a “firewall,” a magical appliance that keeps intruders out of a computer network, Check Point’s return is head and shoulders above the awful declines of Palo Alto Networks, Fortinet, and Cisco Systems, down between twenty-five and eighty-six percent.

What happened last year was the proverbial flight to quality. Tech investors fled high-priced stocks for a name, Check Point, that has among the highest margins in software, and that has a simply stellar record of topping expectations back to its IPO twenty-six years ago.

Check Point is a legend, one of the few survivors of the first Internet gold rush. In 1996, the year Check Point came public along with ‘90s phenomena such as Yahoo! and clothing designer Donna Karan, there were other cyber-security firms such as Raptor and Secure Computing. They ultimately faded away. Check Point is a survivor.

In nearly thirty years of reporting on technology, I for some reason had never interviewed the company or its founder and CEO, Gil Shwed. Shwed is a large element in the iconic nature of the company, a visionary founder who has stuck close to the company’s technology development and priorities. He is the sole author of key patents of the ‘90s on firewall technology.

Shwed doesn’t do media very much, so I was delighted when he agreed to sit down for an hour on Zoom this month to chat. Check Point is one of the TL20 stocks to watch, and one of the best-performing.

An engineer by training, Shwed’s view of technology remains remarkably consistent, and enlightening. His fundamental insight at Check Point’s founding in 1993 was that the Internet promotes access in proportion to how it invites danger.

Before the Internet, corporations, and individuals, if they used a computer network at all, used a dedicated line reserved for them by the phone company, the equivalent of living in a gated community.

With the Internet, one accepted being suddenly connected not only to one’s intended parties, but to just about any other party that came along, inviting transgression, intrusion and abuse. PCs could become infected with viruses rendering them unusable, and whole computer networks could be brought to a standstill by the so-called denial of service attack.

Check Point was founded with the premise of eliminating those transgressions. Until there was a safety net, companies wouldn’t use the Internet for business, so Check Point built a business of providing the prophylactic the internet needed.

Like the army general bold enough to lead by example, Check Point in those early days never used a private line. In fact, “We didn’t even have a dialup connection to the Internet because it cost a thousand dollars a month and we didn’t want to pay a thousand dollars,” recalls Shwed. “We actually did our testing on other companies’ lines the first year or two.”

To this day, Shwed frames his company’s work in terms of an eternal trade-off between expanding connectivity and becoming a target of malice. In fact, the digital world is so full of mischief, he says, malice can strike even if you try to avoid connecting.

“Let me give you an example,” says Shwed, recalling an anecdote from Check Point’s research. “Let’s say you have a company that’s not connected to the Internet; they’ve decided it’s too dangerous, and they’re just not going to be connected to the Internet.

“Then, it’s a conflict: you’re saying you’re not connected to the Internet and I’m saying I want to attack you through the network.”

There are multiple ways for the imaginative attacker to resolve that conflict, Shwed tells me. Most companies still have a fax machine, for example.

As the attacker, “you analyze the fax protocol, and you find out that on the other side of the fax is an HP printer,” hooked up to the fax. “That HP printer is connected to the internal network.

“They figured out the vulnerability in the fax protocol which, through sending a nice picture of a cat, they can get into your fax machine, and through the fax machine, to the machine that’s connected behind it,” and on to the internal network.

“The level of creativity that they have,” he says, meaning, the attackers, “and what damage could be done to the world, it’s unbelievable.”

Our conversation this month focused on product and technology, and left aside explicit financial discussion because Check Point is in its quiet period.

However, it’s easy to sum up the somewhat pivotal moment at which Check Point finds itself as a business.

When it came public, Check Point was the single largest vendor of firewalls. Today it trails competitors who have grabbed share by a variety of methods.

Palo Alto has been on an acquisition binge for years, which has given it an expanding portfolio to sell in the firewall market, according to Mauricio Sanchez, Research Director at market research firm The Dell’Oro Group. Palo Alto had almost a quarter of the market by revenue share in the most recent quarter, the biggest share of any vendor.

Cisco has gobbled up share simply by being the biggest computer networking firm in the world, which means that a lot of networking equipment it sells brings along with it firewall sales by inclusion. Cisco comes in second place with about sixteen percent share.

Fortinet has pursued the strategy of lowering prices to take share, says Sanchez, giving it third place, about fifteen percent. And Check Point comes in fourth, with a little over nine percent.

As a result of trailing the very fast-growing, much younger duo of Palo Alto and Fortinet, revenue growth for Check Point has been soft the past several years. Analysts bemoan the fact revenue has grown by only single digits for sixteen quarters in a row even as Palo Alto and Fortinet have been growing by double digits — off of a bigger base of revenue in dollar terms.

Check Point’s expected sales growth of perhaps 7.4% in the year just ended, based on its December-quarter forecast, may be followed by about five percent this year, according to the FactSet Street consensus estimate.

Balanced against that lackluster growth, Check Point holds other charms for investors. In particular, it has an enviable non-GAAP operating profit margin of forty-five percent, as of the most recent quarter, well above the twenty-four to thirty-five percent range of the three competitors.

With the steady cash flow from that rich margin — Check Point’s free cash flow yield, 8.2%, towers above that of Palo Alto and Fortinet — and with no debt on the books, the company is a well-oiled machine when it comes to capital returns. Although it pays no dividend, the company has consistently bought back its stock quarter after quarter for years, at a steadily increasing clip, to the tune of $1.3 billion in the most recent twelve-month period.

THE GROWTH QUESTION

And yet, among analysts with whom I’ve spoken, the conversation again and again comes back to growth. Investors may love the high margins and the buybacks, but they still want to know if Check Point can approach the double-digit rate of its competitors.

During Check Point’s earnings conference call in October, when asked about growth, Shwed told analysts, “We have plenty of potential not just to grow with the market, but also to grab market share.”

During our conversation, Shwed, without addressing sales growth per se, makes clear that he is counting on superior product as a key element in taking share.

PROACTIVE POSTURE

There is a fundamental problem with the cyber-security world, a problem he believes Check Point is uniquely addressing with its technology. The fundamental problem is that the entire industry approaches threats retroactively, a form of treating the symptoms and not the disease that’s known as “remediation.”

That is a problem because the threat keeps shifting, says Shwed, and being reactive means being a couple steps behind.

In the cyber-threat world, you don’t get to pick your battles, they pick you, is his philosophy.

“In other areas of technology, you can say, I don’t want to use this new feature from Microsoft, I don’t understand it, I don’t need to use it,” explains Shwed. “Cyber[-security] is far more determined not by you, but by the attacker.

“You don’t say, I don’t understand this attack, I don’t want to deal with it; it’s the attacker that decides that you need to deal with it, not you.”

In practical terms, Check Point, he says, has for a few years now been building its suite of firewall and attendant software to be proactive, to anticipate what is about to happen to a customer’s network and thwart it, rather than eradicating the threat after an attack.

“The number one priority that we’re trying to build now is the platform that can actually prevent the attacks, or protect an entire enterprise from the widest spectrum of attack vectors that are out there,” says Shwed.

“You should make every effort to prevent the attack, rather than to remediate the situation,” says Shwed.

“When you’ve been attacked, the damage is done, your reputation is lost,” says Shwed. “Even some of our better competitors are far more on the detection side than the prevention side,” he says, where detection is basically a synonym for remediation.

“From every perspective, it’s far more effective to prevent it if you can, and I think we can.”

ESCALATING THREAT

To anticipate the attacks is, of course, no small feat given the escalating complexity of the attacks.

In marketing literature, Check Point shows a staircase graphic of escalating danger, referred to as “generations” of cyber-threats. Back in the day, at “Gen 1,” simple viruses invaded PCs. You could pick up a virus even without a network connection, just by using a tainted floppy disk, for anyone who remembers what those were.

Threats then escalated to breaking into networks, for which the firewall became the common defense in the ‘90s.

Today’s landscape is filled with “Gen 5” attacks, from multiple “vectors” of attack. And an even more ominous outlook is offered in “Gen 6,” where Check Point’s marketing materials specify the target as being simply “everything.”

“Gen 5 attacks are in many cases polymorphic,” observes Shwed. “Every instance of the attack, they use the same technology but they look differently,” so that it’s not so easy to scan for the “signature” of the attack. Then, too, such threats are delivered increasingly via ostensibly innocuous code, such as a weather app on a phone that downloads a small “app-let” that may lie dormant until awakened by a remote computer.

“The worst that we’ve seen is networks that have fifty million mobile phones, and the application was installed on them,” says Shwed. “In a very short period of time, you can actually create an army of agents, fifty million, and you can turn on anything that you want in a matter of minutes.”

At the level of Gen 6, of mega-attacks, nation state actors start to come into play.

“It’s interesting to see the structure,” says Shwed. “There are organizations that we’ve identified that behave like a real high-tech company,” by which he means, “there are employees, there is HR, and recruiting, and all the facilities of the modern company even though most of the people don’t work there physically.”

Such organizations build ransomware to steal, but, he says, “they also operate to provide services to government,” a kind of public-private partnership where commercial ends can also serve geopolitical ends. Check Point has “identified several organizations like that in different parts of the world,” he says.

LET US HANDLE THAT

Faced with such complexity, the question arises as to whether customers can handle any of it themselves, no matter how good the firewall is.

And for that reason, the tip of the spear in Check Point’s effort to be proactive is a new product introduced this year, called “Horizon.”

Horizon is an instance of what is known in the industry as a managed service, more specifically, a “managed detection and response” service, or MDR. The MDR, as it’s known, isn’t delivered as a product, it’s sold as a service run by Check Point. Horizon is Check Point’s first time offering its software as a service running in the cloud in any major way. The company has traditionally sold software, and purpose-built hardware to run it, as either a product to be installed on a customer’s premises, or through partners who would run it as a managed service. Now, Horizon is Check Point’s move into running the service itself.

“We see everything in the environment,” is how Shwed describes Horizon, which he prefers to refer to by the alternate acronym “MPR,” the “P” in this case standing for prevention.

“If something goes wrong, we stop it,” or, in some cases, “we call the customer and say what do they have to do on their end to stop it.”

Horizon, and MPR overall, is “an emerging category,” notes Shwed, “not tiny, but it’s not big compared to the average cybersecurity category.”

To run security for his customers, says Shwed, is in alignment with the fact that companies are starved for the expertise that knows how to use his tools.

“The typical enterprise, a company anything from five hundred employees to even ten or twenty thousand employees, they simply cannot afford having what we call a security response team that will monitor the network twenty-four seven,” says Shwed. “It’s expensive, but also, you can’t get the talent, there’s not enough people like that.”

Conversely, with Horizon, Check Point runs “one center that sees the data of hundreds of companies.” By filtering the attacks from all those companies simultaneously, the Check Point sense of the threats gets sharper. It’s a form of leverage that makes the task of defense more efficient, says Shwed.

“We learn from every customer,” he says. “If we see a new hack indicator in one part of the world, within minutes or seconds, we can block that all over the world with every customer.”

By getting smarter, he says, Horizon can block more attacks that are “zero day,” meaning, something that hasn’t yet been documented by the good guys. Seeing the threat popping up at customers around the world means not having to wait until long after a computer violation has happened before researchers can understand the threat.

“For other vendors, it takes anything from hours, days, weeks to push a solution,” he says.

Not only can bad things be blocked, but a lot of spurious stuff can be dismissed. “We are able to reduce the number of false alerts, or the number of non-important alerts, by a huge ratio, a hundred to one or a thousand to one, through technology.”

The rest of the cyber-industry has also been talking about prevention rather than remediation, often branded using another acronym, one invented at Palo Alto Networks, “XDR,” for “extended detection and response.”

“Actually, our MPR product already does what XDR does,” says Shwed. In particular, if a PC is threatened by some malicious code, the prevention includes not just blocking that code, but also, tracing it back to its origin “to see where it came from,” says Shwed. The malicious code can be examined to reveal remote computer addresses of a so-called command & control system that is orchestrating the attacks.

“It’s not enough to say a file downloaded to a PC is malicious,” says Shwed. “You can also see what address was embedded in it,” and by tracing those addresses, “we can block more attacks all around the world from that intelligence, and much of that we can do automatically.”

ROCKET LAUNCH

Running a service is not only a major change for Check Point in product terms, it is also a change in how Check Point runs as a company. Irrespective of the recent slowdown in revenue, Check Point has, over the course of three decades, been a consistent generator of profit because of a certain institutionalized predictability.

“We’ve built a very good global model of operation, and that creates things that are very good,” Shwed tells me.

“It creates a unified set of products, it creates a unified go-to-market, it creates really, really good economies of scale in the company, and it creates a good operating model that shows in our operating margins and so on.”

“The flip side of that is that sometimes it’s hard to run fast,” says Shwed. The traditional business of the firewall is “a very big piece of technology developed by almost two thousand people,” he notes. Such a mammoth effort changes only very carefully, with the enormous coordination of engineering resources in a methodical fashion.

“And what we’re trying to balance is between keeping that and making it grow and providing all that value, and letting smaller parts of the organization run fast and kind of independent.”

“In the new business model, part of the change is we’re calling, internally, rocket, that it’s something that behaves in a much more independent way,” says Shwed. “This MPR rocket is like a small startup,” explains Shwed.

Operating Horizon like a startup has the desirable prospect that the nascent business “can run fast, try a new business model, try new technologies and so on,” he says.

If Horizon is successful, the two parts of the business, the fast-growing and the stable, can, ideally, complement one another. “The firewall gets real-time information” from the cloud about what is secure and what’s insecure. “This is the nice thing, that the gateway,” another word for firewall, “can stay a little bit more stable because we operate the engine in the cloud on a constant basis.”

THE NEW FIREWALL

The word firewall has been around for hundreds of years, but in modern parlance, it means a thing that seals one compartment of a built object from another compartment. In an automobile, there’s a firewall in front of the driver to protect the cabin from the burning fuel of the engine.

A better analogy, though, is the firewall in a jet aircraft engine. A jet engine has to let air flow through it. To prevent the air starting a fire in the engine, one form of engine firewall uses a fine mesh between compartments whose holes are big enough to pass air but small enough that the air molecules don’t catch fire. The principle is one of flow, but flow that is safely managed.

Likewise, Shwed’s early, patented insight was a way to allow the flow of data on the open internet while identifying and filtering out the bad bits, so as to reconcile connectivity with exposure.

The traditional firewall has undergone multiple transformations to be broader to fit the ever-evolving creativity of the attackers. Over time, it absorbs new technologies. Things that were separate product categories on the market just become part of the firewall. “If you look at the late ‘90s, there was the VPN,” or “virtual private network,” a way for remote workers to connect to corporate networks, notes Shwed. “We made it part of the firewall.

“Then there was the intrusion detection [systems],” to protect whole networks, and again, “we made it part of the firewall.

“There’s many, many other technologies that we consolidate to make these gateways a much broader system.”

The most recent significant mutation, in 2018, was Check Point’s introduction of CloudGuard, a version of the firewall clients can use to protect their cloud computing facilities.

A cloud world is so many times more complex than the pre-cloud world that it becomes a different kind of problem.

“In the ‘90s, it was relatively static, you defined what’s a physical network,” explains Shwed. “In the traditional environment, the [corporate] data center, you secured the entrance to the network, and that’s it,” says Shwed.

In a cloud world, though, “It’s far more than a firewall, that’s the challenge.” In Microsoft Azure, or Amazon AWS, “there’s not one entrance, and there is no one server,” says Shwed. “Cloud applications are usually built by stitching together and connecting many, many different modules, some are by our own company and some are by third parties that provide service.”

That soup of applications means, in a sense, many thousands or millions of potential backdoors for invasion, and the applications are connected to one another. Each application in the cloud is secured by a cryptographic code, a key. “If that key is used for accessing the current application, and someone finds that key, that key can be used to penetrate the whole system,” says Shwed.

To make matters worse, the system that’s being defended, the soup of applications, changes, sometimes moment by moment. Companies start up one server in AWS, and the next moment, they’re using something in Azure or Google’s GCP. Sometimes they’re alternating a mix of those resources, to varying degrees, minute by minute or even second by second.

“In today’s environment, things like where is my asset can move dynamically, change in real time,” says Shwed. “One of the things we provide is the uniform environment that you can get the same management, the same security, the same standard of the data center on the public cloud with multiple public clouds and so on.”

“You can actually ensure that everything’s secure, all your assets are secure.”

EXPLORING AS A BUSINESS

Because it is early yet with Horizon from a business standpoint, Shwed speaks in broad terms about the financial implications. “We are exploring,” he says of Horizon and other such rockets. “We’re growing as a technology company, we’re exploring different options of growth.”

While he expects Horizon and other rockets to take market share, Shwed has also told the Street that growth will come not just from superior product but from selling differently. On the October conference call, asked what is going to kick-start revenue growth, Shwed replied, “I think a lot of it is also about our sales execution.”

He noted that Check Point has “created a new go-to-market or what we call commercial organization,” as well as “put a big investment into getting more frontline sales, more people that would address the customers and go there.”

CHANGING HEARTS AND MINDS

In the battle for market share, and for revenue growth, new products such as Horizon, and new ways of selling, are not the only elements. There is another factor that is hard to quantify.

“I think we have what we need to protect people,” says Shwed, when I ask if the portfolio is complete. “But, the big challenge is, because it’s not a brand-new industry anymore, it’s a thirty-years-old industry, people are doing things their own way,” the people being his customers. “And convincing them to change the way they move from protecting against Gen 3 to protecting against Gen 5 is not that easy,” he says.

“That’s the real battle that we have,” says Shwed. “And when we are successful in doing that, it’s very, very fulfilling, to see the customer switched to our platform, and within the first day we’ve identified, you know, the Chinese inside your network, and we got them out.”

That success doesn’t come, however, and the platform, the portfolio, can’t grow as a business, if customers don’t get the big picture, if they don’t appreciate the escalation in threats, the rise of nation state-commercial hybrids, the polymorphic nature of attacks, the many backdoors of the cloud.

Much of that is arcane, abstruse, the kind of thing that only a person with a natural genius for such stuff can grasp. “Even today, most people, even people within security, don’t understand everything,” says Shwed. “It’s very, very technical.”

And, he says, “There’s always a struggle between what works in theory and what’s practical.”

“I think that’s the secret in Check Point,” he says, “that we know how to take the most sophisticated technology and turn them into something far more practical and far simpler.”

“That’s what we started with thirty years ago, to take this whole concept of security, pack it, make it strong, make it real. And the customer should see it and say, Okay, it’s simple, I get it.”