In the world of acronyms and memes that is cybersecurity, a BHAG is a “big hairy audacious goal.” BHAGs are used to build vision and dreams, motivate people, and inspire them to reach heights they never thought they could. This is the story of a BHAG that wasn’t a BHAG. The BHAG was something even more significant.
On October 10, 2022, Nikesh Arora, the CEO of Palo Alto Networks (PANW), gave an interview to Sophie Shulman of CTECH by Calcalist. In that interview, he talked about his background and history, how he views business success, his decisions to leave both SoftBank and Google, and, most importantly to this article, his predictions on the cybersecurity market.
First, the BHAG
Arora came to Palo Alto knowing nothing about cyber, but a lot about how to grow a business from small numbers to much bigger numbers by looking at the market as a whole. Despite this lack of cyber experience, or maybe (more likely) because of it, Arora grew Palo Alto Networks from a $19 billion valuation in 2018 to $50 billion in 2022. That wasn’t the big goal, though. Arora’s BHAG was to double PANW’s valuation to $100 billion and become the first cyber company to hit that goal. He did it before the end of 2023, just over a year later. And it looks like PANW’s valuation and market share will continue to grow. So how’d Arora do that in a year that saw market consolidation, more difficulty in getting funding for small players, longer sales cycles, and more challenges in closing deals?
More Cyber Attacks, More Regulation
There’s no way to avoid saying this. The cyber industry gets more attention and more customers when there are a lot of cyber attacks, which often coincide (not coincidentally) with an increase in chaos in the world. Last year, there was plenty of chaos as the war in Ukraine dragged on, chaos that only increased when the war in Gaza began. FBI Director Christopher Wray is now warning that Chinese hackers are getting ready to target American infrastructure, while Congress is stalled on providing aid to Ukraine, Israel, and Taiwan due to disagreements about border policies. These disputes embolden malicious actors to take advantage of areas of weakness.
Plus, the new U.S. Securities and Exchange Commission (SEC) regulations regarding rapid, comprehensive reporting on cyber incidents in public companies went into effect on December 18, increasing the urgency to have the tools in place to be able to report on an adverse cybersecurity event within 96 hours of discovering the attack. The additional pressure on boards of directors to understand cybersecurity risk also changes how organizations make cyber investments and what they’ll expect of them. More regulations are coming, too, both related to incident reporting and artificial intelligence, particularly as hackers figure out how AI can help them carry out an attack successfully, and cybersecurity companies add AI capabilities to prevent those attacks.
More Money, Less Security?
It rarely seems like a day goes by without a significant breach or a new vulnerability. Granted, sometimes the vulnerability sounds more critical than it is, either because it’s hard to take advantage of or it allows access to something that no one really cares about. Either way, there’s a lot of noise in the cybersphere. And perhaps because there are so many breaches, it’s hard not to wonder whether any of these companies actually have cybersecurity solutions in place.
The short answer is that they do, but hackers are getting faster and, frankly, better at executing attacks. Arora knows the answer is to deflect those attacks in hours instead of days. His acquisitions, combined with the belief that companies need modern, integrated cybersecurity systems, seem to be proving that PANW can do just that.
Strategic Acquisitions and Integrations
Last summer, Palo Alto indicated that point solutions were over and platforms needed to take over. It’s not new news. Plenty of companies have tried to make strategic acquisitions and build cyber platforms that deliver what companies need in terms of cybersecurity today, but none have really succeeded. Arora’s slightly different approach has been to build a comprehensive set of cyber products through acquisitions, with an increasingly close eye on how the technology will integrate with what it already has in place.
Unlike many other organizations that grow cyber capabilities through acquisition, Arora maintains the existing management and teams. He buys companies that have achieved product-market fit and have a management team with a strategy they can (and do) execute. Then, he leaves the managers of the acquired companies in charge of their departments, minimizing the disruption and loss of talent that so often comes with a poorly executed acquisition. That method helps integrate those new companies into PANW and increases the likelihood of quickly and successfully integrating the technology.
The Next BHAG?
Arora is getting a lot right for someone who didn’t know anything about cyber just 4 or 5 years ago. Clearly, becoming the first $100 billion company wasn’t much of a stretch for Arora, for all that it sounded pretty audacious last year. So, what can we expect next? In the past, Arora hasn’t stuck around just because of an impressive compensation package. At Google and SoftBank, he got record-breaking comp packages and still chose to move on to new challenges. He’s already proven his ability to build the world’s largest cyber company, so will his next BHAG be to expand market share to an unprecedented $200 billion in valuation? Or will he find a new company in a different industry to gain next-level success? Either way, he’s someone to watch as he sets his next BHAG and likely achieves it!
Damn it. I've been in cyber for a bunch of years and this is the first time I've come across the awesome BHAG acronym.
Maybe it's because I have never been on the business side, just a happy GRC foot soldier - but still, I feel like my life would have been a bit richer if I was introduced to this term sooner.
To compensate, I now plan to throw it into conversations in meetings at least three times every day :)