‘Get Educated,’ Says CFO of Cybersecurity Juggernaut Palo Alto Networks

There's no excuse today for a finance chief to abdicate responsibility for security, says CFO Steffan Tomlinson.
David McCann, January 19, 2016

Shareholders’ ire over what they considered excessive executive compensation may have led companies to retreat from pay practices like tax gross-ups and to temper the value of severance packages, but stock-based compensation that can make executives very rich is still going strong.

In some part that’s because, in addition to being powerful performance motivators, stock and option awards are non-cash compensation. A company can record heavy bottom-line losses and still be a Wall Street darling, because of the weight savvy investors accord to free cash flow and to non-GAAP financial results that exclude stock-based compensation.

A case in point: Palo Alto Networks. For its most recent fiscal year, which ended July 31, the network and enterprise security company showed a net loss of $165 million — and stock-based compensation expense valued at $221 million. To less-savvy investors, the bottom line disguised what actually was an extremely successful year, with free cash flow (basically, operating cash flow minus capital expenditures) topping $300 million on revenue of less than $1 billion.

To be sure, Palo Alto Networks’ financial performance is an outlier, even compared with other companies whose bottom lines don’t tell the whole (positive) story. It generates an extraordinary amount of cash for a company that’s growing as fast as it is, since hyper-growth usually requires a level of sales and marketing expense that prevents profitability. Its revenue has swelled from $396 million in fiscal-year 2013, to $598 million the next year, to $928 million last year.

“The big delta [between GAAP and non-GAAP results] is attributable to stock-based compensation expense,” says Steffan Tomlinson, the company’s CFO. “But there are very few companies that are growing the topline the way we are that deliver the kind of free cash flow we do. And when Wall Street values us, they’re looking at our positive free cash flow.”

Indeed. In tandem with the company’s surging financial results, its investors have been increasingly enriched. At the close of its 2013 fiscal year on July 31, a year after its initial public offering, Palo Alto Networks’ stock sat at $48.94, down 11% from the IPO price. A few months later, the company began watching its share price go up, and up, and up, eventually peaking at $193.54 on Dec. 8, 2015, before the overall market’s recent sharp pullback.

How does Palo Alto Networks do it? For starters, you could say that it’s in the right business at the right time, with almost every corporate board and management team these days engrossed in discussions about securing networks and data. Yet it’s been handily outperforming its competitors, including the sector’s dominant company by size, Cisco Systems. That’s possibly driven in part by the smaller company’s vision and ability to execute relative to the competition, as suggested by its position as a “Leader” in Gartner’s Magic Quadrant for Enterprise Network Firewalls for four consecutive years.

As the CFO of a cybersecurity company, Tomlinson is well-positioned to offer insights on what’s become yet another major area of responsibility for finance chiefs. He recently spoke with CFO about how to get educated on security, as well as his company’s product strategy and his interactions with customers. An edited transcript of the conversation follows.

With regard to security, how can companies cope given that the bad actors, the hackers, seem to always be a step ahead?

There is not one company on the planet that can say they’re going to prevent 100% of breaches from happening. But it’s important to remember that companies that embrace a prevention-first mindset are often able to architect a defense platform that makes it more difficult for the bad actors to be successful.

We view the problem as a math problem. As the cost of computing power has been decreasing over time, the number of successful attacks has been increasing. We’re trying to flip that equation on its head by increasing the cost [to a hacker] of a successful attack, and we’re doing it through our prevention-first platform.

We’ve gotten a lot of business traction out of that negative environment. We have 28,000 customers and have been adding 1,000-plus customers per quarter for the last 16 quarters, as companies transition off legacy platforms. Our mission is to protect our way of life in the digital age, and that is resonating with customers.

Some people are suggesting that aiming for prevention might not be the best approach: that hackers are going to get into your systems anyway, so it’s smartest to build capabilities to detect them quickly and mitigate the damage.

Other [security] companies are in what’s called the incident response space. After a breach, they do forensic analysis on your network and make changes. But at the end of the day, companies taking an approach that’s not prevention-oriented are at greater risk of breaches.

Everyone’s entitled to their opinions, but if you speak to any practitioner of network security, they’ll tell you that you have to have that prevention-first mindset. At Palo Alto Networks, we’re putting every incremental dollar of investment into increasing prevention rates. Incident response is an important part of the overall security ecosystem, but we’re not investing in it. We’d rather partner with folks to do that.

Most IT departments are reporting to CFOs these days. But say a CFO is late to the game in recognizing and starting to tackle cyber-security risk, and doesn’t know a lot about the topic. What is square one? How do you start doing something effective?

The first thing is, get educated. We recently published a book along with the New York Stock Exchange — which is not a Palo Alto Networks commercial by any stretch of the imagination — called “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers of Companies.” It’s a compilation of input we got from the government, from industry, etc. It’s a great tutorial.

Also, is a resource for officers of companies to figure out what are the best state-of-the-art questions to ask. Because often, CFOs, especially of non-high-tech companies, don’t have a good framework to even ask the right question. And the education part of this is key.

Secondly, companies should consider breaking out information security from the CIO organization so that a chief information security officer has a direct reporting relationship to the CFO. When you have a seat at the table for that function, you will get more visibility and transparency into the company’s risks.

Then you put that under an enterprise risk management framework, where it will get visibility to the audit committee, the rest of the board, and the management team. That’s a way that CFOs can get up to speed and then have a good base of understanding from which to make decisions.

But can most CFOs ever expect to become truly confident about security, since it’s not their chief bailiwick?

Well, cybersecurity is not an IT issue anymore. It’s a business issue. A breach impacts the company’s reputation, the customer experience, and ultimately sales and profits. And if you think thematically about what’s happened with the CFO role over time, if a CFO wants to be a valued member of an organization, he or she needs to broaden the aperture around [his or her] roles and responsibilities.

As the CFO of a security company, which presumably has a lot of in-house expertise, do you spend perhaps less time addressing internal security than you would if you were with a different kind of company?

No, I spend a lot of time on our internal security. As a security company, we have to be nailed on that.

Do you spend any time with the CFOs of customers?

I’m the executive sponsor on a handful of critical accounts. On a quarterly basis, I’m in touch with an executive of the customer in order to understand how the account is doing and whether there are any issues. It could be the CIO, the chief information security officer, or the CFO. Everyone on our executive team who reports to the CEO is responsible for at least a handful of customers as an executive sponsor.

Even, say, the head of human resources?


Can you get into detailed discussions with potential customers on the technology of your products?

I need to be able to articulate the value proposition and get to a certain level of detail, but not to a level where I can sit down with a customer’s network engineer and go through the code or the bugs we’re working through.

One thing I do is spend a small portion of my time each quarter with our engineering and product management teams. That really helps me understand the value and business drivers we’re creating. In the technology world, you have to be facile and knowledgeable about how the company’s products are positioned.

For example, for our new chassis-based product, I was helpful to the sales organization, getting on a call with a CFO at a very large company and talking in CFO language about the product’s value proposition. If I hadn’t spent that time with engineering and product management, I wouldn’t have been able to do that as well as I did. And ultimately we were successful in acquiring that customer.