Cybersecurity In An Age Of Financial Threats: A Q&A With Proofpoint’s CFO
Cyberthreats are constantly evolving and posing new – and dangerous – challenges to every company and industry, with corporate finance departments especially at risk. For that reason, the CFO of a company that creates and sells cybersecurity software must be one step ahead of the fraudsters.
This month, I have spoken with three different software company CFOs to glean insights about this industry and how innovative products can help finance professionals better navigate a risky, uncertain world. In my first two Q&As I focused on supply chain management. For the final Q&A of this month’s series, I spoke with Paul Auvil, CFO of the cybersecurity software firm Proofpoint, a Russell 1000 company providing solutions to many of the world’s largest corporations. We spoke about the most recent developments in this field and how his company and industry have been impacted by Covid-19. I also asked Paul about how his background in engineering has allowed him to take a more hands-on, technical approach to his company’s work, a theme which is relevant to more CFOs as they become more involved in business operations.
Jeff Thomson: Covid-19 has ushered in a new wave of cybercrime, from phishing scams to cyberattacks on companies’ remote workforces. Have you seen an uptick in sales due to the increased threat level? What advice do you have for finance leaders whose purview extends to cybersecurity? How can they cope?
Paul Auvil: We saw a quick shift in the threat landscape as cybercriminals leveraged Covid-19 to create new lures, but our ability to quickly react to changing threat actor tactics is one of our primary points of differentiation in the market. We’ve had several customers accelerate orders and even implementations as a result of the current work-from-home environment, and we’ve seen solid interest in some of our newer emerging products like security awareness training, cloud access security broker software, zero trust networks, enterprise data loss prevention software and insider threat management services.
My advice to any CFO who is evaluating the financial position of the company is to invest in protecting your people: identify your most vulnerable employees and secure individuals in critical roles to protect sensitive data and intellectual property. Using a people-centric approach to cybersecurity is critical in today’s work-from-home environment.
Thomson: Companies often struggle to balance the demands of ongoing R&D investment with having cash on hand and paying dividends to investors. A tumultuous year like 2020 shows the risks of not striking that balance. How do you as CFO address those priorities, both in general and in this rollercoaster year in particular? How do you encourage innovation, while taking care of day-to-day responsibilities?
Auvil: Agreed. We believe that this is a great time to invest in the business to emerge from this uncertain period in a stronger position. Proofpoint invests approximately 20% of our revenue into R&D to maintain our world-class efficacy and to stay ahead of threat actors. We also have completed over 20 acquisitions over the past 13 years, which has helped to increase our product portfolio and expand our relevancy to our customer base.
We have never paid a dividend and prefer to invest in growth opportunity, but also have nearly $1 billion in cash on the balance sheet which provides plenty of operating flexibility during the current crisis. In addition, despite the pandemic, we are generating meaningful cashflow and in August we announced a $300 million share buyback program. Given our longer-term growth opportunity, we felt it was the right time to return capital and value to shareholders.
We plan to continue to invest in our overall business, with no plans for layoffs or furloughs in 2020, and we expect that these investments will help us to emerge from this crisis in an even stronger competitive position as the current crisis abates and we return to a more normal operating environment.
Thomson: Covid-19 has taken a major toll on companies across multiple industries. Considering that 20% of Proofpoint’s clients are in one of the hardest-hit sectors – travel and hospitality – how have the pandemic and economic crisis impacted your company? Further, what have you done as CFO to shore up company financials and investor confidence?
Auvil: The Covid-19 crisis has reinforced the relevancy of our people-centric cybersecurity and compliance offerings as our customers endure the current situation, with their employees exposed to an increasingly active threat landscape. This has definitely been a challenging environment for many organizations as a result of the pandemic and recession; however, we have strong relationships with our customers and are working with them as they navigate this unprecedented time.
Proofpoint’s top priority is the health and safety of our employees, while also maintaining our world-class operational readiness to protect and support our customers. I took immediate steps by focusing on discretionary spending, savings from travel, and the shift to virtual events while continuing to manage the business with a keen focus on expenses and cash collections. Overall, our productivity levels remain high and customer engagement has never been better. We’ve faced some expected headwinds from customers in impacted industries like travel and hospitality, but we also expect to continue growing throughout this crisis given the importance of our security and compliance services across all industries.
Our reoccurring revenue business model is based on a standard subscription contract structure, and as such, will renew in future periods. In Q2 2020, approximately 98% of our revenue was recurring, which sets us apart as a leader on this metric across all publicly traded SaaS companies. Our expanding footprint within the U.S. and throughout international markets, coupled with our ongoing innovation, has resulted in double-digit growth. We will continue to execute on our updated operating model that we introduced in May, as well as increasing our communications with the investing community through conference calls, Zoom video meetings and virtual investors conferences.
Thomson: When you first joined Proofpoint it was a promising startup. It’s now a major public company. What have you learned during that journey about managing rapid growth in an industry that’s constantly changing, where today’s superstar company can be obsolete tomorrow? How do you stay on top of emerging trends in technology to stay relevant?
Auvil: Staying on top of the security market requires anticipating where cybercriminals will strike next and developing technology to address it or acquiring technology to help springboard the organization into the market. We’ve diligently worked over the years to successfully transition Proofpoint from an anti-email spam provider to a trusted cybersecurity and compliance leader for over 50% of the Fortune 1000. Proofpoint’s constant innovation and continued investment in R&D and M&A are critical to our long-term success in the technology industry. Our advancements and investments are focused on not only advancing our world-class email capabilities in the never-ending battle with the threat actors, but also expanding the breadth of our product line and total available market to pave the way for continued growth as we scale to $2 billion of recurring revenue and beyond.
The reality is [that] threat actors are constantly thinking and rethinking how they’re going to attack a company, and there are all sorts of different ways into a business. Obviously, email has historically been the number one way to get in and compromise a company, but attack entry points have also shifted as people have introduced an array of different technologies, cloud properties, and collaboration tools. Our continued commitment to ongoing innovation, security efficacy and customer success are all necessary in order to stay competitive.
Thomson: You have a background in engineering, and you hold multiple patents. How has this background impacted and informed your role as a finance leader? How can CFOs best accumulate diverse experiences and skillsets to add more value to organizations? What skills do you look for in potential hires?
Auvil: My engineering background allows me to get into the weeds with our teams, especially when it comes to technology choices, automation and scaling the business. For example, when I meet with someone from IT or Security about a new capability, I’m looking to understand the risk to our organization, third party data that demonstrates effectiveness, and how we are actually going to protect our most attacked people from compromises. In addition, whenever somebody comes to me with an automation project, I work to understand how much it costs to achieve the same outcomes with the people we have today. Automation needs to inherently save the organization money because part of my goal is to deliver some savings to the bottom line. To incentivize teams to bring me the automation, I split the savings with them. Typically, it’s 50/50. For example, if my team can save me $100,000, I’m going to take $50,000 of it and deliver that as profit to the company, and the remaining $50,000 is then provided to the team to spend on something new and important in the enterprise. Setting up a balance like that has allowed me to create a really good incentive system for the teams to go find automation [opportunities], because it actually gives them more dollars to invest in things that are important in their area while also delivering a benefit to the company.
Almost every company aspires to grow, and when it comes to hiring new talent, it’s much more effective if you can find the right technology and tools to support the growth of your business, rather than relying on supporting the scaling of the business by hiring yet more people. While I love employing people all around the world and building a great business, ultimately you want to hire people in places where people are the only solution, and be sure to leverage automation whenever possible.
This article has been edited and condensed.