Welcome to the Reboot Chronicles, connecting you to the world's top leaders and CEOs rebooting their organizations and themselves with revealing stories to help you prosper in unprecedented times.
I'm your host, Dean Tobias, and as a serial CEO who's led dozens of companies that created thousands of jobs and billions in revenue, my passion is uncovering powerful lessons that can inspire you to reboot your organization, your career, and your life.
Listen and subscribe wherever you get podcasts or at RebootChronicles.com.
Shlomo is the co-founder and CEO of Cato Networks, who pioneered the next generation of cybersecurity SASE technology, which combines enterprise communications and security into AI-enabled cloud-based platforms.That's a mouthful.
Maybe we'll unpack that a bit.Shlomo was a seed investor and a board member, early one at that, of the industry giant Palo Alto Networks, writing their first investment check.
And he co-founded Checkpoint and Impervia and took both of those companies public.
Speaking going public, Cato has raised about $771 million and were last valued at about $3 billion plus, and lately have been on a growth tear, doubling revenues with a massive ecosystem of thousands of enterprise clients and partners that they protect.
Shlomo, good to see you.Thank you for having me.Yes, sir.Are you joining us from Israel today? Yes, Tel Aviv.So you're looking good.And I've always had this question for you, because you're a serial entrepreneur like me.You've done multiple IPOs.
You could have done anything.Why did you do this?What inspired you to start Cato?
So first of all, I've been in network security since its beginning, checkpoint.I was the first generation.It was software-based. Then things became complicated.I invested in Mirzuk, in Palo Alto, that had the idea of simplifying it into a platform.
It was a plan.And in 2015, We understood that the appliance has overstayed its welcome, and there's a need for a new form factor, which is a cloud network that is as fluid as the digital business, and started Ktor based on that.
That was the core idea in 2003.Be the AWS, the cloud network for network security.
Yeah, you guys made that early prediction and early shift.Why it took so long for us all to get into cloud, I'll never know.I mean, most everything wasn't a cloud.It was just on our own servers, which was a cloud.
So that was a good, smart risk to take.Your year-over-year growth has just been really impressive lately.So what's your secret behind that?What's going on with your momentum?
Customers really need the operational efficiency and business agility that Cato brings and that SASE, the category that was defined based on what Cato invented in 2015 by Gartner.And it's very simple.If you look at the mid-size enterprise,
And you look at the IT security spending as part, as out of IT spending in general, just from COVID in the last four years, this grew more than 40%.And you would say, hey, you know, we spend more, but we are more secure.
And the actuality is that actually, Losses from data breaches in these four years grew almost 50%. So we spend more and we are less secure.And things are getting worse.So something is broken.
And if I summarize what's broken, it's that things are getting more and more complex.There are so many threat vectors.There are so many assets there.
requirement for velocity from the digital business is ever increasing and kind of the second generation appliances cannot address that.So there's real pain and that pain is really driving a generational shift that Cato enjoys and drives its growth.
Yeah, that's what I call being in the right market at the right time.But you also, I know you gave Gartner credit for tagging it, but you guys kind of invented it to get dual credit for that.
You know, I've been involved on the periphery of cyber for since it started back in the early 2000s.And all I've seen is it gets worse and worse and worse.And everyone says they're going to solve it.Like you say, appliance type guys versus cloud.
And then it just gets worse.You know, the numbers I gave at the beginning, trillions of dollars of damages coming up and
hundreds of millions of hacks by the time we finish recording this podcast all major corporations in the US probably get some type of an attack.It just doesn't seem to get better so as a business people that's right market right time.
With AI enablement is it going to get progressively worse?
Yeah, so AI obviously is going to complicate.It's kind of the human nature that every new invention is first weaponized.And then people think about other ways to use it.So AI is going to be weaponized in two main ways.
One is very relevant to what we do. which is essentially industrializing sophisticated attacks.
So an attack, perhaps a nation state attack where a cyber attacker attacked a very high value target can now be spread across many, many different targets and in a fraction of the cost.So that's a real threat.
And that's not yet happening because AI is not quite there yet, but will happen.And the only way to protect against that is embed AI in your defense mechanisms.So fight AI with an eye.
And that's obviously something that we've been doing in Cato way before large language models and kind of the the new generation of AI came about.
The second, by the way, which is beyond the scope of this conversation, but in my mind, it's extremely interesting, is that AI continues the journey to blur our ability to distinguish between what is true and what is false.
And that creates a huge rift in society, a huge change in the way that humans can organize themselves.And this is going to be a nest addressed.
a major, major threat and a way to also make fraud more sophisticated, financial fraud more sophisticated.But that's the small piece of it.
The big piece of it is kind of the political and social aspects of the inability to know what is true and what is not.
So when you look at AI offensively and AI, I'll call you defensively, it's like an eye for an eye.So they're just going to go at each other.That'll escalate.Do we just step back and watch it all happen?
Well, you know, we have, I don't know how many engineers in Cato that need to build the this AI, you know, AI defense mechanisms.And that's what and find the AI algorithms and kind of use the data in order to develop them and so on and so forth.
So people right now, for the foreseeable future, people are still needed.
Of course, I was kidding a little bit.
But yeah, it's just like that, that pace of always staying ahead just doesn't seem to have an end when you when you look at, I mean, you, you guys re architected the whole idea and said, Let's just do all this on the cloud.
So you can dial it up and down based on what you need.Um, And the legacy big dog guys that started in cyber way too early, or they were just a legacy tech company, seem to still be on the old model.
But you've got to work with many of them, because they're all embedded in these Fortune 500s.So do you see yourself as a sole player, or actually partnering with someone who already has a few security layers, and maybe we can pop yours in on the top?
Oh, no.So basically, the next decade is going to be re-architecture of the entire network security stack.And it happened in the past.
I'm telling you now something, perhaps it's hard to believe, that in 10 years, 90% of, say, network firewalls are going to be SaaS.Perhaps there are going to be some
you know, deep in the data center, whatever appliances, but they're all going to be sassy.But, you know, 25 years ago, all firewalls were software.
And within much less than a decade, the Fortinet and the parlors of the world replaced all of these billions, tens of billions of dollars of install base with appliances.So, These things happen, and we are in the beginning of a cycle of replacement.
So no, this is a replacement play.In every account that Kato comes into, we replace firewalls, we replace remote access, we replace MPLS or standalone SD-WAN, and we replace old SSE, like, you know.
These scalers of the world, you know, that are essentially firewall helpers.So it's a replacement.
And what about, you know, we have the CEO of CrowdStrike come and talk at our events once in a while.And what about you guys getting hacked or messed up, kind of like they did?
Not specifically what happened with them, but, you know, just the idea of, the concentration idea of, is that then again another risk?And then you're the biggest target.
Yeah, actually the concentration is positive from a security perspective.I'll give you one example. You know, every appliance vendor has vulnerabilities that they publish from time to time.
And say I have 1,040 nets in all of my locations around the world, and there's a new vulnerability.It will take me months, and sometimes it will never happen that I will patch these vulnerabilities. if you are a cloud service, we do it for you.
We essentially test the vulnerability, we quietly see that it works, we install it, and the customer doesn't need to do anything.And we were the first ones to have a complete protection for our customers for
For example, I think less than 24 hours and so on and so forth.So the fact that you are a cloud service and are servicing all these customers and you've got the best security talent kind of eyes on, all eyes are on this service versus
I've got an appliance here, an appliance there, and I've got IT security or I don't.It's a much more secure way of doing things, actually.
Let's talk about some threats going on.A lot of threat actors out there.We'll get into the categories of them.But there was one that was selling Amazon, AMD, Apple, Facebook, Microsoft, both their data and even some of their source code.
I mean, Amazon's a huge target, obviously.A lot of spoofing and cyber squatting going on there.But how do you stop that stuff?
So, you know, there are two sides to this coin.First of all, you need to stop the attacks.And there, there's quite a lot of actually cloud infrastructure, CICD protection and application development protection, platforms.
This is an area of a platform. You've got everybody from Wizz to Aqua to Orca that has this breadth from code to cloud, which would prevent from stealing these types of assets that you described.
And then there is the detection piece, which is understanding that you have been attacked.So really going after the dark web and finding footprints of your company assets there.And there are other services that do that.
And once you do it, you can try and clean it up and remediate the issue.So that's kind of the two main measures.
Yeah.Thanks.So when you look at, what are you most worried about when you look at like state sponsored cyber terrorism, let's just call it what it is, you know, China, Russia, Iran, South Korea, a couple others.
What do you, what are you most worried about versus the profiteering guys?What's your, yeah.
The thing that worries me the most is actually the fact that this war is very different than a kinetic war.Both in the sense that I am, as a business owner, or even as a citizen, let's call it like that, I'm off to protect myself.
I need to buy the security products.I need to implement a security solution.I don't need to do it against airplanes and tanks and whatever.The government is doing this for me.That's kind of one of the basic things why nation states exist.
So why are you not protecting me against cyber attacks?Or at least participate in a constructive way in protecting me.And there are all sorts of ideas of how to do that in a non-intrusive, you know, kind of authoritarian way.
And the second thing that I'm most worried about, can I be most worried about two things?Okay.The second thing is that there's no Geneva Convention to cyber warfare, right?What is allowed and what is not allowed?
What is a legitimate act of war and what is against, what is not legitimate? In kinetic world, this is defined. In cyber, one, I can say, hey, it's not me.It's some ransomware mafia thing.It's not Russia.And two, I can do whatever.
If I'm an attempt to poison the waters, the drinking water of the enemy is illegitimate?I don't think so.But it's definitely on the menu.
And which attacks are you most concerned about like malware phishing?People have heard of that denial of service?Yeah, I'm, I'm, I'm
I'm also, I still am an investor, although I'm a passive investor these days because K2 is full-time job.
I'm an investor in a cyber security, cyber insurance company that provides a combination of security and insurance and creates a new joint category.
It has tens of thousands, one of the leading vendors in the world, they have many tens of thousands of customers, so the statistics is interesting.Really look at where is the risk concentrated, and it's really around, still,
and malware, ransomware, essentially, and financial fraud.I would say these are the two main things that hit small to mid businesses.
I've also noticed for a lot of you CISOs listening in, they've started to go from the fortunes down to mid-market because they're not very well protected.They haven't thought about it.They don't have a lot of cyber governance there.
What industries are you most worried about?Financial services comes up.Medical insurance comes up.What industries do you think are most vulnerable in the next wave here?
First of all, I think the size of the company really matters.And I think the mid-to-large enterprise is the key point that we need to focus.And the cybersecurity as an industry didn't do a good job at all in serving that segment.
Everybody, all the startups, all the innovation went to the tip of the pyramid. And so we need to really take care of that.And I think that SASE, I think that generally the future belongs to platforms and platforms are the answer for that.
segment because they abstract the complexity and deliver the business outcomes in a much more efficient way that these type of organizations can consume.
Yeah, and I think that's the... And again, from cyber insurance, I can tell you interesting things like legal firms are kind of the most dangerous vertical to ensure for some reason.A lot of exposure there.A lot of exposure.
But I assume that there are others.But that kind of stuck in my memory as a surprising one, let's say it like that.
Yeah, it's all shifting so fast and everyone is a threat.You and me and anyone connected, which is everyone now.
So what is CEOs and CISOs and actually the whole leadership team, what should they be doing in the second half of this decade that they haven't really done well up until now?
reset their infrastructure to platforms.I'm sorry.
They've all done that.It took them forever, but most of them have gone to the cloud.Some of financial services haven't.
Yeah, that's on the IT, but IT security and especially network security is really lagging.Networking in general is really lagging.
There are still areas where kind of the AWS, the digital transformation of IT security has not happened yet, and that's... I think that's in general focus on the how is going to be the main thing in the next decade versus the what.
There's a lot of what happening and actually we've got very good tools and we've got kind We are ahead of the curve in terms of the tools, but the solution is built from tools and people.
And how the people consume and deliver these tools is going to be a major focal point for innovation for the industry and a major adoption area for the CISOs.
Very similar to AI, the talk to do ratio is skewed a little bit in the wrong way.
How about, sticking with people here, how about, you know, you and I are on a lot of boards, how about board of directors, besides getting DNO insurance and cybersecurity insurance, what should they be thinking about and asking as good fiduciaries?
Yeah, you know, that's a, I would say that this is, first of all, try to quantify the problem and see that there are programs put in place. projects within these programs with milestones and deliverables and their KPIs.
That's the way to manage a complex system and security is just one other complex system.And the question about KPIs is there's a
absolutely a way to quantify the security posture of an organization and the risk that is associated with it and the board needs to demand to see that quantification.
They end up ordering a risk report because what we're talking about is way over their head already.We're probably getting more geeky on this subject.
It's easy to obfuscate this subject.It's so complicated and so nuanced. So the real way to handle it is to boil it down to KPIs, deliverables, projects, and treat it as a very systematic problem.
Yeah, top of the list, though.What about your partnering strategy?Tell us a little bit about that. As it relates to your growth.
Yeah, so we are really focusing on the network side of things and we are
We came out a year ago with an XDR that tells stories that are built from the fact that we are the network, we are the infrastructure, we provide network security, and we integrate with third parties like Microsoft Defender and CrowdStrike.
FileCon and Identity Management and Detection and Response from Microsoft, I think it's called Entra.And the list goes on and on.
So really, we are able to collect signals from many different partners together with our own signal from the network and deliver to the customer interesting stories.
actionable stories that not only the sophisticated SOC can handle, but also a simple security engineer.
You know, I know how it feels to take companies public.I've done a couple, but what did you learn from Checkpoint and Privia, and to an extent Palo Alto Networks, because you were kind of there through the getting ready for IPO.
What did you learn that's really helped you nail this one?
The IPO process or building the company?Scaling the company.Each one of them was a very different challenge, Dean.If I look at Checkpoint, it was all pool company, right?How do you handle, how do you scale fast enough?So it was a lesson in scaling.
that was network security.In Perva, we were one of the, I think the first data, one of the first data security company.And we were actually early to the market.We were a year to year before PCI, before disclosure laws in California was even enacted.
So it was more of, how should I say it, resiliency. and belief in the fact that the market will arrive and driving the culture and vision of people to hold together until the market arrives.
And that was the lesson there, that you need to believe in your vision. And with Cato, we have done something, you know, when we started Cato, both me and my partner at the time, Gurshatz, had a lot of
I should say that we had a reputation for building good products and good companies and we came with the idea that was really contrarian back then to the leading idea that was the telcos are going to continue to drive that with NFV, it was called.
And people said, hey, this is ambitious, which I guess means you're crazy, go away, it's never going to work. And indeed, this is an ambitious engineering project.
And I'll tell you exactly what it is from a product perspective, and then we'll go back to the lesson learned.We've built a network that is stable as a telco network with the best network security stack that is most dynamic.
3,000 updates a year, and the two work together.And for that, we had to invent a whole new set of capabilities and IPs and patents and whatever.And we are the only ones that did that.And as you know, only version three works. So yeah, three plus.
And if you've got a network, that kind of works. you get a phone call from the CIO at 3 a.m.in the morning saying, what the hell, right?So believing and executing.So this was a lesson in execution, really.
And executing for years, three years of getting to version number three that perfects this, was the most challenging execution period in my, you know, I've been an entrepreneur since I was 16, so 42 years.So, you know, you learn all sorts of things.
You learn how to scale, you learn how to believe in your vision and hold the team together, and you learn how to execute extreme challenges.
Yeah, one thing I've heard from you is you're often early into the market, so you've also learned patience and you're playing the long game.And that is a rare thing these days.
I'll tell you, I think that startup is as valuable or as completely not valuable, depending if you were right or wrong. How contrarian were you when you started this stuff?How different did you think than everybody else?
Because if you didn't, if everybody thinks the same, then you've got 20 startups and you know, perhaps one of them will be bought or two or not.If you really want to build a big thing, disagree with everybody.
So that's, I can say about all three startups that it was completely contrarian approach when we started them.
I like it.Sounds good.Thanks for joining us, Shlomo.I really appreciate it.Thank you very much.You've been listening to Shlomo Kramer, who's the CEO of Cato Networks.This is Dean Tobias with the Reboot Chronicles.Thank you for joining us today.
Sign in
