"The secondary celebration will not continue. The market of 2021 is over"
Shlomo Kramer is the godfather of cybersecurity. Since founding with his partners the pioneering Check Point, he has built two more giant companies, his latest being Cato Networks. He's also invested successfully in dozens of startups, several of which have already become unicorns
Shlomo Kramer is the godfather of the cybersecurity world. As someone who was among the founders of the pioneering Check Point, Imperva that was sold for $2.1 billion, and now Cato Networks, and has also invested in nearly every significant company in the field, Kramer is one of the founding fathers of the industry, in the entire world and particularly in Israel. But his enormous contribution to the industry stands in outstanding contrast to his low profile: Kramer is known as someone who prefers to remain far from the spotlight, remains silent, and rarely grants interviews.
Therefore, his agreement to sit for this interview was a special surprise. When I wonder about the meaning of this openness, he explains with confidence, "With all my record as an expert in building companies, and I think that I am one of the best in the world in this field, when I established Cato with Gur Shatz, many investors told us 'This is a very ambitious project.' In "American," it means 'Are you out of your minds? It has no chance of success.' The first years after its establishment in 2015 were dedicated to proving that it was possible, technologically and from a business standpoint. Now - with 1,100 customers, the backing from research firm Gartner that created a new category for the product that we developed, and an IPO on Wall Street in the not too distant future - you can start to be open."
Alongside the quiet confidence, Kramer's remarks evoke a tone of insult in the face of investors' distrust of his new venture. This insult only caused him to work harder at proving to the entire world that Cato is making the task of enterprise network security simpler through a router-like device that enters the corporate communications network and provides most of the protection functions, which will revolutionize the concept of enterprise security. In the seven years that have passed since those initial refusals, the entire regular Silicon Valley investors' club has come around and injected into Kramer's new baby over a half-billion dollars. Since the last round of funding in October 2021 that was held according to a valuation of $2.5 billion, Cato is sitting on a cash reserve of $400 million that is meant, according to Kramer, to lead it to two primary goals: the offering on Wall Street in 2024, and sales of a half-billion dollars in 2026. Today the company is already selling at an annual rate of $100 million.
The numbers that Kramer is now exposing in an interview to the weekend edition of Calcalist show the $2.5 billion valuation as being relatively low - certainly when looking at the funding round held during the same days for Wiz, it too an Israeli company that operates in the cyber cloud market. Wiz, whose sales volume is currently a quarter of that of Cato, received a $6.5 billion price tag. Kramer, however, shows little emotion, "First of all I am quite pleased from the value attained by Wiz because I am invested in them through Gili Raanan's Cyberstars fund (that were among the first investors in Wiz, S.S.). But aside from this, the value of Cato was not built on the point-by-point maximization of valuation that an investor gives but on the future of the company. An investment round is part of the company building process. In such a process, one must look ahead and weigh an uncertain environment: I am building Cato vis-a-vis an unknown future, and this is meant to build a resilient and conservative company that will succeed in any scenario."
"Although our wages are not the highest, the name will look excellent on a resume"
For now, this resilient and conservative company also has a conservative price tag, "The value in the last round was $2.5 billion," Kramer says. "It is built on economic parameters, and I hope that it is the last private round. I formulated a scenario surrounding the value we will receive in the offering two years from now so that investors from the last round will profit, even if the market will not be as hot as now, rather a cold market."
Then to what market value are you aiming for in the IPO? $5 billion? $10 billion?
"Is a double return on money good or bad in a regular market?"
Depends on the year.
"The secondary celebration will not continue. The market of 2021 is over."
Precisely, and therefore the question may be asked why the IPO is at all important to you. Look what happened to the Israeli unicorns that went public in 2021: They were slaughtered by tens of percentage points, while there is a lot of money and willingness to invest at fantastic value levels in the private market.
"There is a phase where a company requires stock share liquidity, for among other things, to bring new employees. At the Lightspeed fund, one of our largest investors, they are constantly asking me how we are the only company in their portfolio that is ahead of their employee recruitment goals by one quarter, consistently. My answer is that Cato is now two years before its IPO and for the employees in an ideal place in terms of the risk-chance ratio: We already have a nice income, we are transparent with the employees and know what value to expect in two years."
So you are playing primarily on the options field and less on wages? What about generous signing bonuses?
"People who come to us must be those who care very much about options because they can get higher wages or a signing bonus from the giant corporations. But what is important for me is that Cato will be a company that builds its employees' careers. In another five years, when looking for another job and Cato appears on their resume, employers will say, 'I know the company, let's talk with them.' We are not doing some small feature or widget, rather building a company for decades to come. It is the energy that I try to pass on."
And yet, for employees to meet with the money, it is not necessary to go public. Today it is possible to do it in a secondary round in which they sell their shares to investors, also as part of a private company.
"In 2021, it was possible because the risk was priced at zero and the lack of liquidity did not interest investors as much. But I am not sure that the secondary celebration of the past years will continue because the risk will no longer be priced at zero. The entire relationship between holding public capital and private equity will be rebalanced in the coming years, with the rise in interest rates and the rise in the cost of risk."
Will we see fewer mega-rounds of funding than those we saw during the past two years?
"The non-liquid asset will have a lower value than liquid assets," Kramer says, noting that the private market that is still distributing hundreds of millions of dollars on nascent start-ups, will close the gap vis-a-vis Wall Street, where valuation levels of technology companies were cut by an average 50% in recent months.
So what do you expect in the coming years in the funding market and valuation estimates in technology in general, particularly in cyber?
"I am not a macroeconomics expert."
And if I ask you as Shlomo Kramer, the legendary investor who invested in nearly every successful cyber start-up?
"My problem as an investor has been resolved because I don't have time. I am still writing out small checks to young and enthusiastic companies, a little help to entrepreneurs, meet with them, brainstorm, but I don’t sit on their board of directors and commit to companies like a venture capital fund."
Could it be that lack of time is an excuse for taking the foot off the gas? When you announced your last round, you said there is a bubble in the cyber market.
"It's not an excuse; just last week, I invested in two seed rounds. But it is a fact that public shares were cut by 50%. A few months earlier, the price was double."
It seems that the private market has yet to internalize the change in direction that Wall Street investors have already sensed.
"I have been in quite a few cycles like these. In previous rounds, it took three-four months until the crash in the public market reached the private market. It could be that this time there is a soft landing and a slower process of the air coming out."
"Until today, I was in a training camp. Cato is the real battle"
Kramer's load returns us to Cato. While he could rest on his laurels and exits (the largest of which was Check Point, from which, according to estimates, he left with a billion dollars in cash in exercised shares), Kramer is a full-time CEO. Instead of sitting on a well-upholstered investor's chair, he is still in the trenches, making the trek between investment funds, at a time when most of the investors around him are young, many of them smug, and will soon learn up close and personal what he has already forgotten.
"I'm not so young, but I am infantile," he says, laughing. "I love creating and innovating. Gur Shatz and I have been together for some twenty years, back in the days of Imperva (Shatz was the first employee hired by the founders, S.S.), and Incapula (a company that the two established with Marc Gaffan and later sold to Imperva, S.S.); Cato is their third company together. In the straightest sense - I open the door in the morning, enter the office, and feel good. I feel young, energetic, and feel like stirring up a revolution. There are not many times in life that you come up with the idea that can truly change the world."
The idea behind Cato is more innovative and exciting than the firewall that you developed at Check Point? You invented the cyber market as we know it today.
"Everything that I did until today was a training camp in advance of Cato. This is the real battle."
So what exactly does Cato do that has made Kramer an enthusiastic 55-year-old kid? Cato bravely enters into a market controlled today by the strong and ancient elephants, the communications operators, the AT&T, and the Verizons of the world. Until today, Kramer explains, companies purchased from their communications operators a range of devices that gave them protection and were assembled on the network until at a certain stage they drowned in a jungle of these types of devices that no one knew how to manage efficiently. Now, Cato packages everything into a single product and digitally transforms all these devices into convenient applications. Cato says to these companies, "Forget all about your collection of boxes, transfer everything up into our cloud." It is this cloud that Kramer compares to an iPhone. "The idea is to do a digital transformation to enterprise network security and turn everything into something simpler. You don't need to buy all the devices separately - everything becomes an application, precisely like the alarm clock, camera, and flashlight. No user needs any particular knowledge to operate the applications on their iPhone, and they can be operated together or individually."
The newest area in the enterprise security field received the acronym SASE (Secure Access Service Edge). "What we wrote as a vision for Cato in 2015 has been wholly adopted by Gartner as the definition for SASE", Kramer noted enthusiastically. "I've never had anything like this happen in my entire career. Take the firewall, for example; Gartner initially went with a different firewall concept, and what Gil and I pushed was then perceived as a competitive solution. Only with time it became the dominant solution."
"The fat waistline of the market is not covered. We will cover it"
Cato's daring stems not only from the fact that it invented a new market, but rather that it enters head-on into the most basic communications infrastructure, one supplied by the strong conglomerates that have been sitting deep in the corporations for decades, and largest among them is the American communications giant AT&T. It is also a very profitable market for all the players since approximately 80% of the security budget of enterprises goes toward procurement from communications operators that supply a basic wrapping of protection for the communications network; the remaining 20% from the security budget is designated primarily for protection solutions against external connections.
In absolute numbers, the SASE market encompasses approximately $10 billion; at present, there are only a few companies - but those companies entering are all the "right" names that give Kramer the confidence that he launched his arrows in the correct direction. Cato is the only start-up defined as a player in the market (although recently the Israeli start-up Perimeter 81 is also strengthening in this field), but alongside it operate companies like Cisco, Zscaler, VMWare, and Nir Zuk's Palo Alto. Kramer was one of Palo Alto’s first investors and even sat on its board until its IPO on Wall Street. "It is good for us that they are there, and this way they are saying that we were right…," he says, and immediately exposes the personal competition between the Israeli cyber giants - "…but it cannot be forgotten that Palo Alto, in contrast to Cato, was not born as a cloud company, and arrived at its capabilities in SASE as part of a lengthy line of acquisitions." To be on the safe side, he adds, "When you attack a new market, it is always important that a player will come with a serious reputation, even if Palo Alto is a small company." Small, of course, is a matter of personal perspective: Palo Alto is traded at a market value of $50 billion and sells over $4 billion annually.
How was the idea at the foundation of your technology born?
"Despite the cyber craze, with the high valuations and growing sales - in the field, in enterprises that purchase security solutions, these solutions were failing, and corporations were unsuccessful in protecting themselves. It is evident, for example, in the cyber insurance world, where the large players left the market after internalizing that most of the companies were breached. Allegedly, there is a showroom with tons of shiny security products, but there is a true sense of failure in the field.
"This is because the entire cyber community is geared towards the large enterprises, which can buy a lot of boxes and invest in the dedicated teams and resources required for implementation and integration. These conglomerates are well protected, but these are primarily giant corporations, the 'Bank of Americas' of the world. In contrast, medium-sized companies - which can reach thousands of employees - lack these resources. They do not have the people, the knowledge, and the budgets. These companies are responsible for 44% of the American GDP. These are the fat waistlines of the market that are not covered."
Whose fault is this?
"Companies have an awareness today, but all of the VC funds are pushing the start-ups in advance to the large corporations because it is easy to sell to them and make an exit."
So you decided to take on the communications operators and the giant cyber companies.
"All the players, from Cisco to Palo Alto, are not cloud companies. This transition is not just a product challenge, but conceptual, at the DNA level of the enterprise. Some will succeed, but it will take them a long time - and during this time, we will run. Last year we grew by 100%, and it will be our growth rate this year too; later on, we will grow by more than 50% each year, so that by 2026 we will reach an income of a half-billion dollars.”
But you are a thorn in the side of companies like AT&T. They will prefer to buy you before you become too big.
"There are five phases of mourning, and they are somewhere there, in the process. We are already signing several of the companies that have completed this process, like KDDI, the Japanese communications operator. Cato is a company with tremendous potential, which differs from all of my companies until today. It can be a company of many billions of dollars in sales. The IPO that I am talking about is only one more round of funding. The good companies build their value after the IPO, not before."
"I’m here for many years"
Do you see yourself managing Cato for all this time, even after the IPO? Can you imagine yourself as CEO for decades like Gil Shwed, who has become one of the most veteran CEOs of companies traded on Wall Street and has been criticized for this?
"Yes, I see myself here for many years. At Imperva, I managed the company for 12 years. At the moment, I’m not tempted by starting another start-up."
But what do you think when you see today the value of Check Point, $15 billion, which is similar to the value of companies issued this year and far from that of companies like Palo Alto ($50 billion) or Zscaler ($37 billion)?
"I understand how to build companies. How value is determined in the market, I have less of an understanding."
Then let's talk in terms of growth. Check Point is not there, it has been growing for years at a low single-digit rate, but the investors love seeing growth in the many tens of percentage points.
"Check Point is a company with 6,000 employees. I do not know how to manage it, nor do I feel I am in the position of understanding how to make it succeed. People also forget that Check Point brings a billion dollars to its shareholders every year.
"There are five people with whom I have worked throughout my lifetime, and I have the utmost respect for them professionally as exceptional product-oriented people; Gil, who was my friend when we established Check Point, and we are still in contact today, is one of them. Nir Zuk is also one of them."
But today, you no longer hold shares, not in Check Point nor Palo Alto. Why?
"I prefer to invest the money in start-ups. In my soul, I am an entrepreneur. Check Point is only my first famous start-up, but not the first. My first was back in high school with Ofer Shemtov (who later became one of the developers of VoIP and transitioned into a leadership position at VocalTec, S.S.). It was the 1980s, and we sold it to a software firm. Entrepreneurism is DNA. I also love helping entrepreneurs, to mentor, and therefore I am also an investor."
"The cyber industry is facing at least another 20 years of growth"
In 2003, Kramer became the first of Check Point's founders to leave the company. He established immediately, with Mickey Boodaei and Amichai Shulman, who are also Israeli cyber giants in their own right, Imperva. The company, which dealt with enterprise defense software against external attacks, was issued on Nasdaq in 2011 at a value of $460 million, and in 2015 was sold to the Thoma Bravo investment fund for $2.1 billion. Over the years, Kramer sold shares in the company for $150 million. In 2015, he established Cato; his holdings in the company are valued at a half-billion dollars per the last round of funding.
What did you take from Check Point and Imperva to the way you manage Cato today?
"It is impossible to turn lemons into oranges, but lemonade also tastes good."
What is easier for you, and what is more difficult in the current round?
"The jet lag is more difficult. When I was young, I would hop on an El Al overnight flight, change into a suit in the handicapped restroom in JFK, go for a whole day of meetings, dinner at a restaurant, and sleep that night for three hours. Today I cannot do that. On the other hand, I am discovering that everything is easier and clearer to me. I am better trained at reading the situation, working with people, building a company."
Do you make fewer mistakes?
"A lot fewer. I look back at myself from 20 years ago, shocked. Everything now is more on a plain, with fewer ups and downs."
And where are we on the timeline of the cyber market? There is numerous talk about a bubble, and on the other hand, the breaches into companies are multiplying, becoming more sophisticated, and causing security budgets to swell.
"Looking twenty years ahead, the cyber field is only just at the beginning of its path and can expect many continued years of growth. Its growth must be directed not only to the giant enterprises that are regulated but also to everyone because the attacks are already creating real economic pressures. I am full of optimism and energy to be part of the journey of this market.
"I am also very proud of my role during the past 30 years in building the Israeli cyber brand. When we started in Check Point we sat in Boston with an American consultant who said to us, 'Hide the fact that you are from Israel, say that the company headquarters are here in Boston.' It was the spirit of the times back then. Now I sit in a meeting in Japan with 20 Japanese who know nothing yet about Cato, and they say to one another, 'it's an Israeli security company,' and that is enough.
"Israeli cyber is the real deal, and it is the world leader today. It's like a pandemic. First, some bring it from abroad, and it can be said that this is what the army did - but what is happening today is a 'community acquired infection,' everything is fermenting within itself, start-ups beget start-ups, and the whole thing is exceptional. We have achieved quite a lot, and we are at the start of achieving something very significant."
Speaking of Israeli identity, Check Point, and Imperva, you managed primarily from abroad, while at Cato, you do everything from Israel. Is this something that has changed in you or the world?
"When I was with Check Point and Imperva, I relocated to the United States around the time of the IPO, because it was believed that Israel was a place for development, but the moment you want to begin selling, and seriously enter the market, you need to move to the United States. At Cato, I decided to establish a company entirely in Israel, the headquarters and its entire management. I am fed up; and because my wife (the filmmaker Dorit Hakim, S.S.) refused to relocate once again. I had a feeling that there was a maturation of the ecosystem in Israel that makes it possible to establish a whole company and that there is tremendous talent here in the field of online marketing. We are a superpower in this field, like in cyber. The entire senior management that reports to me sits here, on the floor where we are sitting. I had a perception of a decentralized company with Zoom and Slack. The idea was strange here for many of the managers, and they requested that we establish offices in other locations, but then came Covid-19."
In light of the expose in Calcalist regarding the use of NSO products to hack into telephones of Israeli citizens, is the next phase of cyber protection going to be for private phones? Is this the next boom?
"This field already exists, although it is for the most part aimed at the corporate market and not the private consumer market. I invested in the Israeli start-up company Lacoon before it was sold to Check Point for $100 million in 2015. They turned to the mobile device security market, and from what I know, it has become a very successful Check Point product when it comes to investing in offensive cyber. I have long since decided not to invest in offensive cyber companies. I concluded that you must choose sides, either you are on defense or offense."
"There must be an integration between hi-tech and the rest of Israel"
Cato is currently entering into an accelerated employee recruitment process after it was decided to advance the plans and hire 180 new employees, who will join the existing 500 employees of the company. Half of the employees are based in Israel, and half of these new employees will also be based in the company’s Tel Aviv offices.
Will this madness of increasing the company's workforce by almost 50% within a year continue? As a tribal elder, don't you ever say to yourself, "soon, the whole thing will burst?" Is it not exaggerated; the gaps between those in high tech and those who are not? Can it continue?
"The important point is how to reach a better integration between hi-tech and the rest of the country. Many sectors do not find expression in the job market and need to be nurtured. We have 15-20 employees in Ramallah, for example, through an outsourcing company; I have not been to Ramallah, they do come here from time to time, I see them in the dining room. But it is impossible to hire them directly as employees at Cato.”
How can this gap be reduced?
"This is a very big question," Kramer says evasively, careful not to enrage the entire sector - the way Nir Zuk did at the "Calcalist" Conference this past December when he declared that the tax rate on high-tech workers' salaries should be raised. "Just because I know how to build a company does not mean I know how to integrate a business sector within the country effectively. I contribute what I can."
Kramer’s notable investments
Palo Alto Networks - Valued at approximately $44 billion
Gong - $7.25 billion
Exabeam - $2.4 billion
Sumo Logic - $1.8 billion
At-Bay - $1.35 billion
Fundbox - $1.1 billion
Aqua - $1 billion
Trusteer - $800 million - $1 billion
Secure Islands - Acquired by Microsoft for approximately $150 million
Lightcyber - Acquired by Palo Alto Networks for $105 million
WatchDox - Acquired by Blackberry for $100 million
Lacoon Security - Acquired by Check Point for $100 million