Beyond firewalls

Beyond firewalls
By Tim Clark
Staff Writer, CNET NEWS.COM

PORTOLA VALLEY, California--On Presidents Day weekend two years ago, Check Point chief executive Deb Triant did what she often does to get away from the office--ride her horses in a race. The outing turned out to be anything but relaxing: She was thrown from her steed, leaving her with a broken collarbone, wrist, and ribs.

But after only one night in the hospital, she went home to run the security firewall company from her sick bed, returning to the office a week later and eventually leading the company to a successful public stock offering.

"Maybe that's where I got the reputation for being tough," laughs the red-haired mother of sons, ages 14 and 12.

Triant kicked off her professional life as a math professor at laid-back University of California, Santa Cruz. After just a week, she craved more excitement.

"I'm not the kind of person that can keep doing the same thing over and over again--no matter how nice it was," she said. "Mathematics and teaching are just too isolated from the world, and that's not my personality."

So Triant headed over the hill to Silicon Valley, where she worked for 17 years as a technical, strategic, and marketing manager. At famed think tank Xerox PARC, she was bitten by the digital bug.

After stints at Sun Microsystems and Adobe Systems, in July 1995 she became the U.S. chief of Check Point, then an obscure Israeli technology company.

Her mission: Build sales, marketing, and support operations in the United States while research and development remain in Israel under cofounders Shlomo Kramer and Gil Schweid, who also bears a CEO title.

Check Point quickly dominated firewall software and since has delved into new realms. Here Triant reflects on being a female CEO in the technology industry, shares her view on competitors Cisco and Microsoft, and explains why Check Point's vision has always been broader than firewalls.

NEWS.COM: Do you still think of Check Point as a firewall company?
Deb Triant: When we went public two years ago we said, "Today we're in the firewall market because that's the market that's out there, but we're not a firewall company. We're an enterprise security company." That was part of my IPO road show pitch. So I sometimes get slightly frustrated when I hear Check Point identified as a firewall company.

The underlying architecture behind the product (which was developed more than four years ago) was really designed for what we're currently seeing in the market: the world of VPNs and the use of the Internet for business communications, not just for Web surfing.

The founders of this company came up with such a different architecture for doing network security than what had been used before. They didn't think about the product as being the firewall. They also envisioned a time where you might have these gateway points that were monitoring and securing the traffic in many points of the network, not just in one point. And therefore they took a totally different point-of-view in management of security.

They wrote the security policy in terms of the whole network, not just in terms of what goes on at any one point. Nowadays that has become a buzzword: policy management. I'm pretty sure we were the very first policy-based management system ever designed, and that was four years ago.

But you don't call yourself even a "security company" anymore.
The market today is beginning to evolve from a firewall market, which still exists, but is getting sucked up into the VPN market. That's the big growth engine now. It's still very much in the early stages, but virtual private networking means using the Internet for your business communications instead of just for the classic Internet applications.

And virtual private networking requires more than simply being able to secure the network. You've also got to make sure that the applications are going to get through, and that's why you need bandwidth management. You also need to be able to manage the infrastructure of this now broad and complex IP [Internet Protocol] network. So you need infrastructure management and that's why we did the Metainfo acquisition and now have three separate product lines.

We're going to stop worrying in the future about intranets and Internets and extranets. It's all just going to get woven together into these broad and complex IP networks.

These networks require a layer of management that is managing not just the underlying physical structure of the network, but is managing the behavior of the traffic on the network. These networks are highly dynamic, so you can't just manage them as static pieces.

That's exactly the architecture that we're putting in place. So we think we've got a very good shot at creating a de facto standard. Security was the first killer application for IP networks, it's why everybody has to have network security. And because we're the market leader there, we're more broadly installed. That's going to be a strong position to build from.

What other services do you still need to be able to offer?
The main additions will enhance the management components and address the challenges of managing IP networks and directory services. We're not going to compete with Microsoft or Netscape or Novell or anyone for the actual directories, but the challenge is to be able to use those directories in an enterprise-wide environment.

One key area is going to be management tools, reporting and auditing tools, as well as continuing to enhance the traffic management capabilities and security. We're fortunate through our OPSEC alliance to be able to not have to do it all our ourselves. We can let third parties do a lot of the development and then we can pull it together under our OPSEC architecture into an integrated system. But over time more and more of those components may become sufficiently widely desired by customers, and then it would make sense for us to pull that under the Check Point umbrella.

How do you see what you're doing in relation to what Cisco does?
They're very complimentary. Cisco and some of the other internetworking

companies come closer to sharing our vision of the future than anyone in the marketplace. Certainly none of the other security companies are thinking about the world this way.

The implied question is: So how does Check Point survive if this is something that Cisco focuses on? Cisco's focus and real strength as a business is in the platforms that they build and sell into the market. Now, clearly the software component of those platforms is their value-add; however, their business focuses around selling the devices that the network is built out of.

Our focus is on selling the management capability, which needs to be able to operate in a highly heterogeneous environment. And I'm not just talking heterogeneous like Cisco and Bay or Cisco and 3Com. I'm talking about Cisco and Microsoft, because the networks of the future are made up of routers and switches and servers and workstation gateways and desktops.

The ability to manage these IP services is critical to our customers. I think they are going to expect to get that from a third party, such as Check Point, that is not tied to any particular platform.

So is Cisco a competitor?
Our relationship with Cisco can go either of two ways: We can either become more competitive or more cooperative. And right now I'm actually optimistic that over time we'll have a chance to become increasingly cooperative in our relationship with Cisco, as we have with Microsoft.

Certainly we worry about Cisco. I don't want to create the rosy picture that we have nothing to worry about. I'm optimistic that we can actually become closer, but today they are our biggest competitor. We're still dramatically larger in terms of market share than Cisco is within the context of the security market. But Cisco's a large company, a successful company, and we'll continue to view them as our biggest competitor.

NEXT: Risking it for security

Risking it for security

But every time there's a news story about Cisco or Microsoft getting into the security market, your stock takes a hit.

Financial people, the most sophisticated of them, may understand a little bit about security. It's impossible for financial analysts, let alone the investors themselves, to have a deep understanding of any business. Security is a much more complicated business to understand than Amazon.com's business model or E*Trade's business model.

In a business that is young and high growth, there's a lot of risk and uncertainty. When you start throwing around names like Cisco and Microsoft or when you throw both names at the same time, it sounds like a scary business.

It tends to be the more sophisticated investor that understands that we've been competing against Cisco for more than two years and thriving in the face of that competition.

I often get asked, "What if Microsoft decides to add that capability to its operating system and suddenly the business goes away?"

It's not something you can just bundle in an operating system like other kinds of desktop applications and then make the market go away. Why we're able to thrive in that environment requires an understanding of security and the needs of network managers in managing IP networks.

Is Microsoft a competitor?
I would put Microsoft in the category of other companies that haven't yet gotten involved but in theory could. They have a proxy server product that some might view as a competitor to our firewalls, but it's effectively not a competitor. Microsoft is far more of a partner than a competitor, but in the future of course we'll continue to try to make sure that the relationship stays that way.

Is there anybody else you're worried about?
I suppose the main other thing that we're looking at right now would be the VPN companies. There's a whole host of young companies that are starting up to do firewall [hardware] or encryption [hardware]. And it's not so much that they compete with us directly. They don't come in to provide the whole security system, but they look to try to take away pieces.

In the investment community, Network Associates has made a whole lot of noise and I'm sure they've had some effect on our stock price. They don't have an effect on our customers or our channels.

Network Associates' vision is not dissimilar to yours, however.
Yeah, but I don't give them a whole lot of chance to be able to pull that off within the foreseeable future. They've purchased a bunch of piece parts which are by and large old technologies that on their own are, I think, not the most effective--to be polite--in the market today.

And they've lost most of the core people associated with those products that would have been able to move them forward potentially, and they're a bunch of separate components that don't work together. So Network Associates is going to have an enormous challenge on its hands to try to knit these various disparate pieces into a system.

It seems to me that getting Sun as a distribution partner was a key strategic moment in your company.
That was absolutely a key relationship--you're right--because Sun was so dominant in the Internet in those days and it was a perfect match. And since we had a shrink-wrapped product, a Sun salesperson that was selling Sun's hardware could sell them this piece of software that went along with it. It was a relatively easy sale compared to the other firewall systems at the time.

But keep in mind that Sun sells not only through their own sales force, they're like a master distributor for our product [through Sun's resellers].

You've also added this operation in Dallas--the Professional Services. Strategically, why services at this point? Your product is much higher margin.
The reason for services is our customers need to be able to get those services. They get them through our channel partners, but as we grow bigger and as we reach a wider number of customers through a broader variety of channel partners, it becomes more and more important to be able to assure customers that they'll be able to get the level of support that they want. If they can get it through a channel partner, that's wonderful, and that's the preferred route. But if, for whatever reason, that's not suitable, they'll be able to get it from Check Point.

The other reason this is becoming important at this stage of our business is that the market we serve has evolved from a firewall market toward an enterprise security market. If all the customer is doing is installing a firewall to protect the Internet connection, that's much easier to setup and use yourself. When you're trying to secure your entire network operation, that requires a level of expertise that most customers, even the sophisticated ones, don't want to take on themselves. They need that professional consulting help to do security audits, to design a security policy, as well as to implement an integrated solution that may involve parts that come from Check Point and parts that come from our outside partners.

I've heard there have been problems in terms of customer support because some of the resellers are just not up to it. Is that true?
We have some resellers that are extraordinarily good at it and others that, either because they're new or because they're less focused on the security market, may not have the level of support necessary. But again, it comes down to just making sure that the customer is going to get the level of support that they need, no matter who they are and who they're working with.

Talk to me about being a female CEO in the Valley in the technology industry--you're pretty rare.
Yeah, we're certainly rarer than I think we ought to be. But I think that the growth of the Internet has created more business opportunities for women to become CEOs of small companies, which can grow into big companies. There's been such a demand for CEO talent.

I was asked the other day the same question: Is it hard to be a female CEO in this industry? My response was: I don't think that it's hard to be a woman CEO; it's just harder to get there. Once you're there I don't think it's very different!

I think the real issue with women CEOs is how do you get to that position in the first place. I think there's still a lot of unconscious uncertainty in the minds of those that make the decisions about the CEO, which is typically the venture community, which is quite an old boy's network. They tend to want to put their money in people that they know. I don't think there's conscious prejudice. I don't think they are people that would consciously believe that a woman wouldn't be equally capable, but the people that they know and what they're used to and the model they're used to seeing and the behavior patterns they're used to seeing that are familiar and comfortable to them are those that they've seen with white male executives.

So I'm hopeful that now at least we have more women CEOs in the tech industry than I've seen any time in the past. [There are] a number that aren't as well-known because they're with companies that haven't gone public yet, but I think as more of these go public, we'll see more such women. And I think what that's going to do is to create a higher comfort level with those who do make these decisions. [They'll] unconsciously see women as acceptable candidates in this area and get use to the different styles that women have in managing.

Do you think you have a different style than a male manager would?
Well it's sometimes a little hard to differentiate the differences that have to do with you as an individual and you as a representative of your gender. I think in general women tend to manage in more of a coaching role--a little less hierarchical. I think women tend to hire people as team members and to play more of a coaching and team-building role than heavy-handed, tops-down manager. It really is also a great deal about personal style.

NEXT: Checking into Check Point

Checking into Check Point

Are there special challenges to running a binational company? You have the Israeli operation and then you have an outbound, as you call it here. Is that a challenge?
Yes, it's definitely a challenge, but on the other hand it has some real benefits that I think make the challenge quite worthwhile. Probably the major benefit is that the company was born thinking international. We didn't start life as a U.S. company that as an afterthought decided that maybe some people in other countries might want this stuff too. I've worked for enough U.S.-based technology companies to know that that's generally how U.S. companies approach the rest of the world. So Check Point began being focused on the international market and we do about half of our business outside the United States, which for Internet companies is rare.

Secondly, we can draw on different localities for talent. Right now it's extremely hard to find talent in Silicon Valley. It's getting harder in Israel as well because there are so many start-ups there, but I still say I think it's much easier to find really top-flight engineers and developers in Israel. So that's been an advantage for us.

The company has at least two different CEO titles. Is that awkward?
It is only when we have to answer questions like this! We actually evolved kind of an organic way to figure out what Gil [Schweid] focuses on and what I focus on. And it's one of the interesting things about Check Point and maybe one of the unique things. We're not a particularly hierarchical company. We didn't go around giving everybody job descriptions and putting them in little pegs to figure out what they did. Instead we've tended to evolve toward people doing the things that they're the best at doing.

But Gil and I have, I think, very complimentary skills and luckily they're merged together with a common vision. So we've taken on different responsibilities within the running of the company and never sat down and even directly talked about it--we just started doing it. And while they continue to change, our visions continue to morph in the same direction.

When you get up in the morning what's the thing you most look forward to in a day?
Seeing what's unfolded that day. One of the things that I most love about the business that I'm in is that it's different every single damn day. We have to keep changing and reinventing our business on a very rapid pace. And you can't stand still even for a month.

What is it about risk that you like?
I'm sure excitement; I guess anybody that's going to get into this crazy business of high-tech start-ups has got to some extent enjoy risk. If you didn't enjoy risk, you couldn't do your job.

But that's a different risk than what you do...in your hobbies.
But I think there's a lot in common. If you're going to enjoy sports like that and, in the same way, if you're going to enjoy a business like this, you've got to, on the one hand, know how to manage risk and not be stupid or you'll either lose your money or lose your life. On the other hand, [you've got to] not be afraid of it and be able to decide you're going to do something within the bounds of sanity, managing the risk as best you can. Just go out and do it and enjoy the thrill of being on the borderline of control!

When you started, Check Point was an obscure Israeli company with some technology. What did you see in the company that made you think "Gee, this is worth my trying it out"?
It was Internet-related, so that was appealing. It was general management of a start-up, which was appealing. But who knew about firewalls back then? Security was not a market that had happened yet...and I had never heard of this company.

But then when I met with the founders, two things became apparent. One is the more I got to know about what the product did and why it was needed, I came to believe that [security] was a very real market and not a niche market.

But then what really did it was, as I saw the technology that they had developed, it was clearly a reflection of genius. There wasn't just one good idea; it was an entire design of an architectural approach to doing security that was radically different than anything that existed. It was just one of the more elegant architectures that I had ever encountered in my whole history in the profession.

But then, the thing that made the company even more remarkable is that this extraordinary technical architecture was embedded in this beautiful, easy-to-use product that had just been so beautifully designed with a focus on what people really do. And as I talked to the founders, I recognized they had real market savvy and it was instinctive. And that just seemed to be an extraordinary combination. Plus, the most remarkable thing of all is that they were already profitable, even though they had just begun selling the product. They were profitable like from their first quarter of sales.

What is the next frontier for you after Check Point? Is it retirement? Volunteer work? Horseback riding?
I don't think I could ever give up the tech industry all together. It's just plain too exciting and too much fun. I don't think, on the other hand, that I'm likely to go and start another start-up myself. I've gotten to the point that the amount of complete dedication, 80 to 100 hours a week focused on that, is not something that I want to take on for another four or five years. So I'll be with Check Point as long as Check Point needs me and whenever it's time to move on I think what I'd probably do is maybe get involved with other start-ups, but more in a supportive role. And I do hope to start increasing the amount of time I spend on volunteer work as well.