Gil Shwed is an anachronism: A startup founder who has stayed CEO for three decades, carefully growing his brainchild from nothing into a $2 billion-by-annual-revenue powerhouse, whilst reporting a profit every single quarter along the way. (“Every quarter?” The Stack asks. “Every month,” Check Point’s CEO says softly.)
Check Point made its name in hardware firewalls; appliances deployed to enforce a network boundary that lets users perform inspection of both inbound and outbound network traffic, enforce access controls and other security policies and which traditionally centralised network monitoring and logging in a single appliance.
When Gil tested a prototype in 1993, his investors were not online (hardly unusual given that the nation’s first ISP only became operational in December 1992) and his product tests were the first time that they had connected to the early internet. In under an hour, as he has earlier recounted, his console triggered alerts that suggested a breach attempt. So few companies were online in those days that he popped around (after a friendly call to the CEO) to the offending business that the alerts seemed to be emanating from. It wasn't them.
“All the companies connected to the internet in Israel were… interconnected in the wrong way. [The police later arrested] two teenagers that basically had access to pretty much all the companies in Israel” he told Mixergy.
The world has changed a lot since 1993, even if teenagers sniffing out exposed networks remain a constant, and Check Point’s product portfolio has also expanded far beyond traditional hardware firewalls, to cover the growing attack surface CISOs need to protect. Check Point now has four main product lines, “Quantum” for networks, “Harmony” for end-users, “CloudGuard” for cloud security and “Horizon” for security operations.
That sounds deceptively simple but Check Point’s product sprawl had become something of a minor problem and in 2022 Check Point made a concerted effort to refocus its brand and portfolio, as investors chafed at its steady single-digit growth in a world of frothy growth: (“You talk about the strength of your product and whatnot and the efficacy of it, and yet you're still under-growing one of your major competitors” sniffed one analyst on Check Point’s last earnings call, “So I'm just wondering, similar to the last question, what do you think needs to catalyse or ignite the product-specific side of the growth?” – a question Shwed answered simply and returns to below.)
“Benchmark yourself”
Sitting down to speak with The Stack at Check Point’s CPX360 event, Shwed is at first a fidgety interviewee; mind seemingly half-present, eyes half on his phone: “Are you using AI? Put the transcript into ChatGPT and ask for a synthesis” he says after the interview, nodding at the phone that has been recording our conversation from the table of a German hotel conference room. (The Holiday Inn is a last-minute location after rail strikes derailed plans for a London event.) We mutter something pompous about the craft of journalism in return.
“Well, benchmark yourself…”
A Check Point colleague, otherwise sitting there gnomically, briefly raises a bemused eyebrow.
There’s little malice in this observation; more roving curiosity that has clearly sustained him well: “I get bored quickly” he says later in the interview, explaining not distraction in the face of anodyne questions, but rather how he has sustained his interest in security and kept his focus on the company’s growth so successfully.
The half-quip about AI is also because Artificial Intelligence is on his mind. During both Check Point’s last investor call and at its CPX 360 event, the opening gambit has been a short video Q&A with a cheerfully youthful CISO who turns out to be an AI-generated simulacrum of the real (and typically more grizzled) deal.
Check Point is using AI more broadly than that, of course, along with deep learning in threat prevention products focussed on tackling advanced DNS exploits and phishing, as well as in autonomous IoT security. Its AI "ThreatCloud" is a long way from that first firewall appliance. How did Gil Shwed stay the course so consistently, and what advice does he have for a new generation of founders trying to grow profitable companies?
Advice for fellow entrepreneurs…
Success, perhaps obviously, starts with having a product that actually works well and that people need.
“From the first sale that we made for $20,000 it was enough to cover our monthly expenses” he says.
“When we got the first real deals that were like a $1 million advance, it covered us for a long time” he recalls, visibly brightening at the memory. “We were profitable from day one. I'm maybe unusual, but I don't understand why software businesses shouldn’t be very profitable businesses; you've got something that you can easily replicate…Once you build good software, you can simply sell it and turn it into profit” he says.
“I understand why you asked that question though, and it's interesting because people asked the same question in the ‘90s, which were also kind of a hyper-growth period. It was the same answer then.
“It became worse now because companies are losing far more money than they did in the ‘90s. But the rules of the economy don't change: you need to learn to build a business which stands on its own legs.”
Shwed is happy to expand on some lessons from his experience doing just this: “People [software company founders] have a lot of misconceptions around, for example, ‘let's run fast, do it first, then we'll optimise it and fix it [later]’ – that’s far more expensive than building it right to start with” he says. “That approach [move fast and break things] is very expensive: I’m talking not just dollars but time and effort and resources that you lose.
“So for me it was always spend two or three days, if not months, learning the subject; understanding how to do it right, instead of saying ‘let's first do it and then figure out how to optimise it.’ You see all the companies [making] layoffs today? It's heartbreaking that companies are first hiring many people when they realise that we don't need them and they let them go. I look at it from not just from the financial standpoint, but from the individual standpoint. I'm committed to my people, the people are committed to the company… I'm actually encouraging us to think first and plan very carefully; always remember that resources are not unlimited.”
This “build carefully” point is re-emphasised in other ways during the conference, at which Check Point threat research professionals emphasise the company’s relatively low number of CVEs compared to rivals and detail their own secure development practices, during which products are robustly tested for vulnerabilities before shipping. That is not a trivial point given the number of security vendors with bugs that have been used to piggyback into corporate systems, rival Fortinet being a case in point: a search by The Stack shows the latter showing up 28 times in CISA’s “known exploited” catalogue, in which Check Point does not feature once.
Check Point CEO Gil Shwed on acquisitions…
That caution and rigour extends to Check Point’s approach to acquisitions. It’s made a significant number over the years (three in 2019 alone) but does not do it lightly and has slowed the pace significantly since then.
Shwed says: “When we want to get into a new technology and we've been thinking about acquisitions, sometimes the first step that we do is actually to build an R&D team that will do that internally. If you acquire a company in our industry, it's not cheap… it's very expensive. Whether it's a small acquisition, it's $30 million, or a bigger acquisition, a few $100 million which is very, very expensive, it's actually better to take five people and make them learn, develop. If I figure out what I need to acquire, at least I [then] have people that can evaluate that technology. It's hard, by the way, internally, convincing people who worked on something [that] they have to let somebody else do that bit, but at least they have a benchmark, and I have experts on the subject…”
Returning to that analyst criticism, Check Point CEO Gil Shwed says that a pivot to subscriptions is paying off: the company saw subscription revenues reach $231 million, representing 30% growth year-over-year, with its CloudGuard and Harmony pillars both delivering double-digit growth. Most CIOs and CISOs are looking to consolidate sprawling sets of security, visibility and management tools and Check Point has been streamlining its own portfolio of solutions to help make it clearer how it can support customers doing this – particularly those who are unaware that it has diverse capabilities outside that traditional perimeter security heritage.
Asked for his priorities over the next year, Shwed is disarmingly straightforward: “Provide the best security. That’s the first. Get and gain more customers. That’s the second… For 20 years people know us for network security. We need to go and engage with new customers” he says. Whilst the ARR from subscriptions is nice, Check Point has also launched a more hands-on managed security segment, and at the Munich event on March 15 announced the launch of its “Infinity Global Services”, which provides “30 proactive services”. It also has an experienced incident response (IR) team that it is far less well-known for but which, in a world of desperately overstretched IR professionals, may be worth exploring by its customers. All good news. But what keeps him up at night, or is the biggest security challenge, beyond the perennial threats from phishing/malware, unpatched security and all of the many offensive activities both nation state actors and cybercriminals continue to pursue?
“The software supply chain” he says. “[That area] is very challenging.”
“When people write software they are using tonnes of open source libraries; in a positive way, millions of people in the world contribute to your source code; in the negative way they have access to your internal source code” – that concern drove his acquisition of Israeli startup Spectral in early 2022; the company offers a range of automated code security tools that Check Point has baked into its proposition (“from code to cloud”).
Talking of cloud, Check Point, like most organisations now, is a big user, but Shwed has been forthright about the margin compression resulting from that, noting on the last earnings call: “Many of our products and technologies are now delivered from the cloud or are using the cloud. The margins on this are usually lower than the margin that we have on just software or even in some cases, on just appliances.”
Our interview time is up: There’s a German camera crew waiting. Back in Check Point’s other global locations a team of over 200 people responsible for cyber warfare are running honeypots, “seeing what kinds of attacks are happening on the wire” and then crunching the data. Shwed looks like he still lives and breathes it.
No, it's really not boring at all.