The story of VMware is well known: an under-the-radar company brought to reality what had been considered a far-fetched idea — full virtualization of the omnipresent x86 computer architecture — that took off quickly and experienced massive growth. It was a classic case of a disruptive technology, one that vastly improved the efficiency of servers and computers.
The CFO of that storied company during the heart of its early growth phase from 2002 through 2006, Paul Auvil, has been toiling for the past 10 years in comparative obscurity at another technology company, Proofpoint, that’s in a seemingly less-exciting niche: email security. While its growth hasn’t been quite on the scale of VMware’s, what was a $20 million enterprise when Auvil came aboard expects to hit the $500 million revenue threshold this year. And plans are in place to double that take by 2020.
Auvil is, of course, looking for Proofpoint to have a major impact on business, as VMware did. At the same time, he’s quite aware of the ambivalent feelings some CFOs may have about investing heavily in security.
“I’ll be the first one to tell you that at some level, security is like a tax,” he says. “We’re not helping you build products, provide better services, make your employees more productive, or find and close new customers. What we’re doing is securing your assets and your reputation.”
Certainly, no one argues today that enterprises shouldn’t make extreme efforts to ward off bad actors seeking to drain bank accounts; steal intellectual property, sensitive customer information, or employees’ identities; or dupe supply chains into shipping things to locations where they disappear into the night.
Still, the question of how much to spend to prevent such ill happenings can’t be ignored.
“If the total risk to a company is $300 million, you can’t spend $300 million on security,” Auvil says. “It’s a really challenging problem for a CFO, because the CIO is often saying, ‘We need to spend more money.’ But as the CFO you’re trading that off against investment in R&D, sales and marketing, and the other things that drive value. There are no simple metrics to figure this out.”
It’s no secret that security can be a lucrative business these days, given the heightened level of hacker activity and the consequent demand for more and better data security. But for security companies, that’s just one side of the coin, as the heightened demand is driving hordes of new players into the security space, potentially diluting market share.
The preeminent security-industry events, the four annual RSA conferences sponsored by Dell EMC, are crowded with hundreds of vendors. But Proofpoint, Auvil says, happens to be in a niche that’s somewhat protected from new competitive challenges.
Proofpoint was among a number of companies founded in the early years of this century to deal with the new phenomena of email spam and viruses. Only a handful of them survived the test of time and the increasing sophistication of email-based attacks. Other than Proofpoint, the survivors were all acquired by bigger security companies such as Symantec and McAfee, or technology giants, including Cisco, Google, and Microsoft.
As the sole major stand-alone player — a fact that Auvil admits is mostly a result of good luck — Proofpoint can afford to devote significant resources to R&D. That’s helping to spur progress toward the company’s revenue goals.
“The characteristics of our income statement look very much like Salesforce’s did 10 years ago,” Auvil says. “Now, we’re growing a little more slowly, and our market opportunities are a little less. But the key difference is that they were spending 12% [of revenue] on both G&A and R&D, while we’re spending 6% on G&A and 20% on R&D. We need that in our business, because we have to match wits with bad guys all day long.”
For the first quarter of 2017, Proofpoint — a publicly held company that sells subscriptions to its services, which are all cloud-based — enjoyed year-over-year revenue growth of about 40%. When last year it announced its intention to be a $1 billion company by 2020, it needed only 30% annual growth to reach the target.
Proofpoint currently counts as customers about one-third of the Fortune 1000 as well as some major Internet service providers. Those large companies are particularly trying to insulate themselves from a growing wave of targeted email attacks. Such attacks take various forms; with spear phishing, to cite one increasingly prevalent variety, an employee in accounts payable, for example, receives a phony email from the CEO or CFO ordering a payment to a supposedly legitimate account.
While such attacks are common, they represent only a tiny percentage of total email volume, making them difficult to spot. That’s where Proofpoint’s big customer base fits in.
“We now have the massive amounts of data needed in order to sift for the needles in the haystacks — the targeted attacks,” Auvil says. “The idea of a new competitor coming in and saying well, this email targeted attack problem is interesting, let’s form a company and go after it? They wouldn’t have the data.”
Phishing & Fear
The targeted attacks, if not detected, are disturbingly effective, according to Auvil. At many large companies, he observes, employees are “deathly afraid” of leadership. “If an accounts payable clerk gets an email he or she thinks is from the CFO or CEO, they [often] send that payment right out and get it done,” he says. “They don’t want that executive coming to their office. It’s human nature.”
Such attacks have arisen partly because of improvements in firewalls that hinder unauthorized access to company databases, according to Auvil. He compares trying to get through such a firewall today to trying to rob a bank by getting into its vault. It’s much easier to get money out of a bank by compromising individual depositors’ accounts. The same goes with spear phishing. “Email is a wide-open window that you can walk through and collect whatever that person may have,” the CFO says.
Proofpoint within the past couple of years has expanded beyond email threats with products addressing attacks that may come through social media, file-sharing services, or other cloud applications that allow people to upload files into a corporate system.
“Our long-term vision is to defend companies wherever their employees might be interacting with content,” Auvil says.
But why shouldn’t social media or file-sharing firms, or email providers for that matter, be responsible for adequately securing their products?
First, it’s a difficult problem to solve, says Auvil. But also, the question is similar to that confronting Facebook, for example, as to why it hasn’t effectively blocked fake news. “They’re a publishing platform,” he says. “They’ll do a little, but ultimately it’s up to the user to decide whether to read that news, or click on a link that may have malware on it. If you’re Mark Zuckerberg you say, ‘I’m just providing this way for all of you to talk to each other. What you do to each other is not my business.’”
Traditionally, companies have trained employees on how to recognize suspicious emails and links, among other security threats. That’s still a wise step, according to Auvil, because no security company can guarantee that it will block every attack attempt.
But, he adds, Proofpoint has found that so many of the threats are so well-crafted that “you’re inevitably going to have people clicking on them no matter how well you train them.”
Auvil, who functions as a chief operating officer (minus the title) in addition to running finance, offers a detailed breakdown of how he spends his time:
- Financial planning and analysis: 15%
- Accounting: 10%
- IT: 5%
- Facilities: 5%
- Legal: 5%
Those add up to 40% of Auvil’s schedule. What accounts for the other 60%? “That’s all literally walking into the office every day thinking, if I were the CEO, what would I be worried about and want someone to help me with?” he says.
Educated as an engineer and the holder of multiple patents, Auvil says he tends to “be in the weeds and torture the engineering team” over technology choices. He prefers open-source tools, while the engineers will often argue for using proprietary technology. So he makes them do deep analyses on, for example, how much a choice is going to cost after five more years of company growth; what are the open-source alternatives; and what are the human capital costs of one choice versus another.
He’s also involved in pricing deals with customers. “The sales folks have the [emotional intelligence] to get in with the CIO or CFO and convince them to buy our product,” he says. “But I’ve got the algorithms for pricing it so that we meet our profitability metrics and grow cash flow over time.”
Speaking of sales, one of Auvil’s top challenges of the moment is scaling the sales organization, especially internationally. While 80% of the company’s current business is domestic, that will have to change for it to reach $1 billion in revenue.
Another important area of focus is the evolution of Proofpoint’s cloud. When Auvil first joined the company, he says, he told CEO Gary Steele that no matter what else they did, if they didn’t improve the gross margin on their cloud system from 50% to more like 75%, Proofpoint would never go public.
Getting there involved writing a lot of new code designed to create efficiencies. “I take no credit for that in that I didn’t write a single line of code or make any hardware decisions,” Auvil says. “What I did was motivate everyone to see the importance of improving that margin and bring them together to think about how to solve the problem.”
Finally, Auvil says it’s imperative to continually provide customers with evidence of the benefits Proofpoint is providing.
“Once you secure an enterprise,” he says, “people tend to forget what things were like before and start thinking, ‘We don’t have any email attack problems, do we really need Proofpoint?’ So the analytics showing them that there are a lot of barbarians at the gate that we’re keeping out is critical.”