Future of Business: Palo Alto Networks’ Nikesh Arora on Managing Risk in the Age of AI

2024/11/21
HBR IdeaCast

Chapters

Nikesh Arora discusses the rapid pace of AI development and its impact on cybersecurity, emphasizing the need for faster defenses to counter increasingly sophisticated attacks.
  • AI development accelerates connectivity and magnifies attack surfaces.
  • Bad actors are increasingly using AI to infiltrate infrastructures.
  • The only way to fight AI-driven cyber threats is with AI-driven defenses.

Welcome to the HBR IdeaCast from Harvard Business Review. I'm Alison Beard.

Throughout this month, we've been sharing conversations with CEOs and founders about artificial intelligence and other critical issues facing leaders. Today, we wrap up our Future of Business series with Nikesh Arora, CEO of Palo Alto Networks, the leading global cybersecurity company.

Over his six-year tenure, Nikesh has expanded and reorganized the business to meet the full suite of enterprise and government client needs, including safely incorporating gen AI into all of its products. I was excited to speak with him at our recent virtual Future of Business conference about how he's managing new opportunities and risks and his strategy for innovation when new technologies are developing so rapidly. Here's our conversation, which includes a few questions from the audience.

Let me just start with talking about the threat and the opportunity of AI in the world of cybersecurity. Um, you said that the only way to fight AI from bad actors is with AI from good ones. So what tools are corporate cyber attackers developing? And what tools are you building to stop them? How do you stay ahead?

If you all believe, and I think we do, that this is going to have some sort of transformative power, um, how and when it fully sort of manifests itself remains to be seen.

But I've never seen a technology trend move so fast and there be so much excitement around it. And at the most fundamental level, we expect that things will happen faster. Um, as development accelerates, we will end up creating more and more connectivity across the entire landscape.

Our cars will be connected, our homes will be connected, our street plants will be connected. You know, you have technology everywhere in that scenario, in that environment.

Now, when everything gets connected, in our cybersecurity parlance, we call that the attack surface magnifies or amplifies. So that means bad actors can attack you anywhere, impact your connectivity, impact your technology and create unwanted outcomes in that scenario. And as that speed of connectivity, as the speed of development increases, you have to increase the pace of defense from a cybersecurity perspective.

And we're already noticing that bad actors are trying to figure out ways of entering into people's infrastructure, trying to get in and out, extract data, use it for economic purposes. And this speed is increasing, which means the only way to fight them back is to increase our speed of defense. And the sad truth is that they only have to be right once; you have to be right every time.

So we have to try a hundred times harder. So I think there's a lot of effort that needs to go into fighting these potential bad attacks. Bad actors are using generally. I recently transfer how to get into people, infrastructure in a world, but all armed up to the same.

You've now incorporated gen AI across your entire suite of products. It is such a new technology. So how did you manage to incorporate it so quickly? Just talk us through the process of investigating and then applying use cases, and again, at a speed faster than the bad actors.

In our business, we have to get it right. So what we have done is we have packaged a whole bunch of AI slash machine learning and neural networks and reinforcement learning into what we politely call Precision AI. Uh, we've been working for longer than the last few years.

I think the whole fundamental premise where it sort of rests is that we've been working on a project to collect all the data in the enterprise, collect all the behaviors, understand all the data. We are connected to every security system that exists. We analyze that data in real time using machine learning; in Precision AI-based analyses, we can tell anomalous patterns. And if you believe the anomalous pattern is a bad actor, we stop it mid-flight. The whole idea is to make these cutting more real time. So we take large amounts of data, needle in a haystack, look for bad behavior, block it when we find it. But that needs to happen for every company, every entity, every piece of critical infrastructure over the next years for us to live in a world where bad actors are going to move faster and faster.

So under your tenure, Palo Alto Networks has developed this full suite of solutions. You've been on a massive acquisition spree to do it. So how do you look at the balance between that and organic growth?

We are building a business, um, and as we just discussed, we are in the most innovative business in the world. Cybersecurity is something where people are constantly trying to find a new way of getting into your infrastructure.

Now to protect against that, we have to make sure we are always one step ahead or always thinking ahead: if this new technology arises, what's going to be the potential back doors into it or ways to attack it or ways to misuse it? Now, we cannot be the only innovation company in the world. There are other people who are innovating subsections how old teases is.

We have to be humble. We cannot be too proud. We have to believe that innovation will come from everywhere, and we can build it, embrace it and buy it.

So we've bought about nineteen companies in the last six years with the premise that somebody else has figured out a way to find a new solution to a potential upcoming cyber threat, cyber attack. Let's embrace them. Let's make them part of Palo Alto so we can actually stitch together and provide that real time add base, add high innovation capability to our customers.

And so then once you've found those innovative companies that you want to bring into the fold, what is the secret to effectively integrating them, especially when you have sort of small startup cultures that are coming into this much larger organization?

That's a great question now. So look, I think is an off talk about and a lot of people get it wrong and we acquire these companies are reporter with them. We solicit.

You're done so well can do this for us. We do. We make our teams work for that.

Plus number one, you know, take the smart people, take the people who are really passionate about this. Get them to lead these things. Two, we actually double down with more resources.

Because this is, listen, the whole point of getting you to come be part of our forest because we might be a bigger is like this lower, but we have more resources. So we actually give them more resources, which means they do not worry about raising money, they don't worry about going, you know, hiring people and thinking about their budgets. So here's more people.

You drive this thing. The only thing we do is we make sure we sit down and spend hours and hours and hours on what the north star in the product strategy needs to be. We do that before we buy these companies because we want to make sure that the people who are leading these are fully aligned with our view of the world. And of course, we'll listen to everyone, try to find a happy middle, which actually means that we can go solve a customer's problems together in a much more effective, fast fashion.

If the end goal is to make Palo Alto this one-stop-shop cybersecurity platform, you know, to have everyone using everything of yours, how are you bringing your clients on board? What are those customer conversations like?

I look at this time you differently and in matters all in a one stop shop. But I think the motive is slightly the other way around. I think about it as, listen, if bad actors are going to move at this pace, it didn't go.

And we have to analyze things in real time. We have to have a handle on all that's happening in the organization. To have a handle on that, we have to be at every sensor to understand what behavior is happening, what data is coming in.

We have to be the analytical engine to understand how to analyze the behavior, and we have to be able to connect back to the enforcement points and stop bad behavior from happening. Now if you fragment that across thirty different security companies, the risk is that you, the customer, have to build our capability.

I just think it's unfathomable that in today, it has been done yet that our customers can get all this right and get it right two thousand times. Why not let us do it once and then you can deploy it two thousand times? So we try to slowly consolidate, drive in that direction. And but if this is the new news, like I started my technology thirty plus years ago and I used to work for a company where twenty five systems made up our customized management system. That was the way the world worked.

Today, you go buy an Oracle, Salesforce, Microsoft; they do all of it for you end to end. And so it's not like this hasn't been done before. Platforms exist for HR, for a planning. They exist for finance. They exist for, you know, IT services. It's time that one exists for cybersecurity.

You've talked so much about the pace of change, how quickly you need to adapt. So how do you, as the leader of the whole enterprise, then think about short term versus long term planning? Can you do long term planning anymore?

Of course, like APP, all good things take more time. All good things take a lot of considered effort, but they're trying to make big cake beautiful. What are you going to build a product around? You have to think about what the north star is.

You have to think. But really trying to get, you have to be constantly learning. Be better now you to understand how these things are gonna happen, and you have to take bigger bets. Like, you guys teach us in finance theory: higher risk, higher return.

The question is, as a leader, our job is to figure out how do we manage risk. But there is very little set of possibility that there is you take no risk for a lot of return. So our job, me and my team, the leadership team here, our job is to think about how do we get to something which is differentiated from everybody else? How do we do that in a managed risk fashion? How do you make sure that we don't compromise with the short term, achieve a long term goal? Our long term goal is to make our customers more secure.

Let's talk a little bit more about leadership and talent. So you got some recent press for clapping back at someone on social media who questioned your engineering.

It's just fun and games.

Come up for the record, you have a degree in electrical engineering from the Institute of Technology, BHU, as well as a master's from Boston College and an MBA from Northeastern. Um, so talk about the rise of the engineer CEO and how you balance oversight of both the technical and the business sides of Palo Alto Networks' business.

As I in the end way, we are all product companies, right? We all solve the problem. We all deliver either a product or a service. And if you don't understand your product, you don't understand your service, it's very hard to build a great business around it. The key is the leaders have to be product savvy.

They have to have a point of view and a vision for the product, where the product is going and what the product of the future looks like. And if you can do that, then you can build a big, big business around it. I think if you get too focused on efficiently running a current product for you, the risk is that you miss the train or the boat or whatever form of transportation you'd like to pick in terms of where your product needs to be. And a leader's job is not just to execute on the current strategy, but also define the strategy for the future or build new products.

So there is a war for talent in Silicon Valley, technology in general. So how do you think about recruiting and retaining the best people? And then also, you know, as AI evolves, the human-tech mix.

We're lucky, uh, with a mission-driven business. We exist to make our customers safer. Being mission driven helps because there are people in the world who actually want to go work for a mission-driven company.

Where the social media company, you know, being the largest cybersecurity company, has that if you have an aspiration to build a career in cybersecurity, we are one of the better places to come work for because we have proven a track record that on the bleeding edge of innovation, customers like us, we are working on very cool stuff. So the demand function's there, we attract good people. I think once they come here, the key is to like how we work, to like our culture.

So we work, we spend a lot of time making sure that our culture is a place where people have the autonomy, have the sort of alignment from a communication and north star perspective, people feel like this is a comfortable work space for them, wherever they come from. So we're lucky. We get great people that come work for us, and hopefully all happy over here.

In terms of how AI and humans are going to sort of evolve in the future, I mean, to me, AI is a productivity tool, and we have had productivity tools in the past. Now, we've used email; some may argue email may not be a productive way to let me take away from, but that notwithstanding, we've had productivity tools which have made us better and better at what we do, whether it's automation, whether it's industrializing and I C A I. So yes, will the nature of people's work change because AI will do some part of it? Definitely sounds like it.

But my early to the public is that it's going to be net positive. It's gonna be useful because the first thing that it is gonna do is take away the boring, repetitive tasks. Pretty sure none of us got out of Harvard College to go out and say, I'm going to do a repetitive task for the rest of my life, because that's really cool stuff.

I want AI to do it, take care of it, take the repetitive task away. So I think the quality of work is going to increase. And in the quality of the organizational child of the shape oralia and child might have to change the future. Cr works.

So I do want to get to some audience questions because we have a lot coming in. First, Nuno asks, what are the key elements of a successful zero trust security framework and how can companies, especially small to medium-sized businesses, balance the need for strong cybersecurity with budget constraints?

Two parts. Like, the zero trust question: fundamentally, zero trust means that you have to be able to treat everybody who is accessing an infrastructure the same way, no matter where they come from. So, um, we have products, and I'm sure other people in the market have products to deliver that capability. But the key is, uh, it goes back to what we talked about: do not fragment to inform cure on the network side from a security perspective, because if you do, you have to manage multiple security panes of glass and industry problems, and that just makes it more complicated and hard to do. So try and find a single vendor that satisfies the problem for you.

Now as it relates to budget and managing, I know it's a tough question, because if you are in a digital business, there is a possibility and you're dealing with any customer data, you have to be careful because there is a possibility if you need the work and somebody's going to walk in and it's going to be very expensive for your business. The future, if you are not secure from that perspective, in my view, is focus on remediation fake, focus on detecting security events, on focus as much on security controls, focus on making sure that if something happens, you have the ability to remediate as quickly as you can. You have the ability to bring yourself back up as quickly as you can. So focus on remediation and recovery to make sure that's sort of stitched up, do not compromise on that because that stuff can happen, and then spend whatever else you can to make sure that you have robust defense.

OK. So we have a couple of questions about bad actors and gen AI. So Cam asks, how would you differentiate between a bad actor, a person, human, versus AGI, AI, a model, taking control of decisions and acting as a bad actor? And Williams asks, are you more concerned about cyberattacks or the misuse of gen AI resources?

So far, I think about gen AI, is that all building a brain, right? They're trying to create reasoning and inferencing, so this thing can even think on behalf.

Now you think about it: if you hire a really smart person to work with you, the first thing you do is give them a lot of context, what you do, how you do it. You give them your own information to make that brain adaptable to your business.

I think the wall of in the world where these people build these large brains, you like little models, and all of us spend time explaining our domain to them, and try to get them to understand what we do so that they can be smart about our work, not just generally smart. Like, you have that. Then there are two questions: do you use that brain in a consultative capacity where it tells you things but the doing's done by you?

Or do you give this brain control of the doing part? I think the fear right now is, when you talk about the misuse or the abuse of gen AI, it's what if I gave it the controls and it misbehaves, what happens then? So good news is we haven't given control to LLMs or a model just yet about things.

But if you do, the risk is that they could do bad things. So if you get a very smart brain, explain cybersecurity to it, explain all the bad techniques, yes, it could develop superior hacking techniques, for sure. And you let it go at it. We've seen early evidence that there's something, WormGPT, there's something now on the dark web that goes and helps to take the case and build capabilities that can attack companies.

Yes, we are seeing that bad actors are going to be using these tools just the way the good actors are. So as I said right at the beginning, it's incumbent upon us to make sure we build defenses that block these things as real time as we can, because people will use gen AI for these things. In terms of, you know, gen AI models being abused, you have to be careful, uh, the abuse will happen in places where we give it control.

So but there's just your land driving a car, which we all have with robotaxis and Waymo and Tesla. You've seen that, giving control to AI to drive your car. So you've got to make sure that, a, whatever's driving the car is smart; you've got a lot of guardrails and controls to make sure that you can go over. And b, you have to make sure that nobody can hack into it and make you do different things. So now we're going to see lots and lots of interesting work happen in blocking hackers from getting into LLMs and making sure that the LLMs have not got real, that they can't go off, uh, of peace.

So this is a follow-up question from ravage shanti. I hope I'm pronouncing that right. Should we agree on a universal standard for a kill switch for AI if something goes off script, um, in the way that we're all thinking about our Silicon Valley onto s meeting to discuss this?

Well, look, uh, first of all, standards are hard. Uh, most likely bad actors will follow the path of least resistance. So the risk is if everybody doesn't implement it your request link because biggest problem. The flip side also is that if you put a kill switch in the AI and it's running a nuclear power plant and you kill it, there's a risk that your intercepted process can have an unintended consequence.

So I think it's a big debate and a bigger question. My personal view is that as we march towards AGI, we have to be very careful of who gets control, which model can get control of a critical process. I think that's where the discussion is going to be: yeah, you can build all the AI you want. Please make sure that we are giving up control of critical processes that we understand, uh, how you are managing it and how you're regulating it, because we don't want AGI or a superintelligence taking control of critical systems that we cannot intercept or perhaps, to use the listener's word, have a kill switch for it.

As a global company, how are you working with leaders, uh, around the world to make sure that they're educated on all of these issues, which can seem difficult because they're not trained engineers, and then that they're formulating the right policies?

We're all very aware of AI. We're all debating the pros and cons of AI. And there isn't a regulator in the world, or possibly a nation state in the world, who's not debating, a, how to use AI for progress and, b, how to make sure that AI cannot be misused for bad acts. We're going to see some regulation arrive. I think most of the regulation is going to be around transparency, around understanding how these models work, around how guardrails are put around them, on how these models are going to get or not get control of critical processes. And I think we're gonna see some great steps, and possibly some steps you have to revisit in some time.

What is the biggest cybersecurity risk on your radar right now? Is it gen AI or AGI?

Fascinating. A lot of six months or last two months are not complicated. There's just hacks that happen because companies haven't bolted their doors and windows carefully or there's an insider whose credentials have been hijacked because they weren't carefully keeping their password.

So the hacks are not complicated. The complication, the real challenge with gen AI is, once they get in, the actors are moving way faster. You know, six years ago, I started to hear about things that took eight days or ten days in the lives of forty seven days, a dwell time for someone to come, in an opinion, infrastructure, take the data out.

Now I hear about hours. I think that's gonna go under an hour. And the question becomes, the biggest threat is speed. The biggest threat is that large enterprise is not ready to react, to be able to block bad things, quickly recover in under an hour. So we are going to see possible business interruption if we don't get our act together.

That was Nikesh Arora, CEO of Palo Alto Networks, at our recent virtual Future of Business conference. That's it for the Future of Business series. But I hope you go back and listen to all four of the episodes.

You can also check out all of the episodes we have on the HBR IdeaCast about leadership, strategy and the future of work. Find us at hbr.org/podcast or search HBR in Apple Podcasts, Spotify or wherever you listen. And if you don't already subscribe to HBR, please do. It's the best way to support our show. hbr.org/subscribe to learn more. And finally, look out for more HBR events in twenty twenty-five. Thanks to our team: senior producers Anne Saini and Mary Dooe, associate producer Hannah Bates, audio product manager Ian Fox and senior production specialist Rob Eckhardt. And thanks to you for listening to the HBR IdeaCast. I'm Alison Beard.