In the view of Paul Auvil, the CFO of Proofpoint, a cybersecurity firm, no single way of fighting online attacks against companies is infallible.
Hence, on January 20, the company announced that it had formed a partnership with Palo Alto Networks, which builds firewalls to defend clients against cybercrime.
Before the agreement, Proofpoint was a “security-as-a-service” cloud and on-premises vendor focused exclusively on sifting through corporate emails to nab hackers. Thus, “we knew all sorts of interesting things about email that [Palo Alto didn’t] because they’re within the network world as a firewall,” he adds.
“But they know all sorts of things about the network that we don’t know. And so by sharing their network intelligence and our email intelligence, together we both can be more effective,” Auvil says. “We very much think that this is the likely paradigm that will evolve over time” in cybersecurity technology.
Auvil speaks with technical savvy about cybersecurity because he possesses something very rare among finance chiefs: an engineering background. His tech education and experience is hefty enough to have enabled him to hold patents in digital video compression in Japan and in a high-speed, on-chip payment card connection system in the United States.
Last month, Auvil spoke at length about cybersecurity and how his career path shifted from technology to corporate finance. An edited version of that conversation follows.
How will Proofpoint and Palo Alto team up to curb cyber attacks at your corporate clients?
A classic example would be a spear-phishing attack. Let’s say potential attackers have gone to a social media website and figured out who the vice president of finance is at a particular customer. Then they send an email with a link that looks like it’s going to a completely legitimate website. Now in fact that website is infected with malware, and if the target were to click on it, that would end up in a bad outcome for the company and the individual who received and responded to that email.
Proofpoint has a system that looks for those spear-phishing attacks in emails and blocks them. Separately, Palo Alto Networks has a system that looks for links from bad websites and tries to block them before they get into the client’s network. But neither of our products is infallible, so while we might let it through, they could catch it, or vice versa. It improves the blocking rate of nefarious content. You need a combination of knowledge about the email sender and about the network URL link to effectively identify and block an attack.
As a cybersecurity company, how do you handle your own data security?
We use our own products because we think they’re quite good. And we use a variety of other world-class solutions from vendors across the security landscape for our firewall infrastructure and our capabilities in and around end-point security. We’re like any other company in that we’ve got our own set of capabilities. But one thing that may be different is that we have an army of engineers who are security experts. And we have a pretty meaningful advantage over the average company in that we have a bunch of people who worry about the security of our company every day, because if we were to be compromised that would have an impact on our brand. These people do that every day in addition to their regular jobs.
What assets are you most focused on protecting?
In our case the most important thing to protect is our customers’ confidential information. We do business with financial services companies and health care companies, and there are all sorts of very important information related to their customers and clients that has to be protected. We need to protect that first and foremost. And then we want to protect our employees’ confidential information, their Social Security numbers, and payroll records. Of course, we have $400 million in the bank [i.e., in total cash holdings] that we would really rather not get wired off to somewhere in Russia where we can’t get it back.
As the CFO, what are your security responsibilities?
The IT organization works for me, so I’m responsible for putting in place and maintaining the security infrastructure. I have a head of IT, and he and his team are constantly looking at the nature of the ways that we could be attacked and how to try to remediate that. I have a unique background because I started life as an engineer, so I have a technical understanding of how the infrastructure works – how all these systems work together. As a result I work collaboratively both with the head of IT and the security experts on our engineering team.
Do you see yourself as a liaison between tech and the board on internal cybersecurity issues?
That is certainly part of my role. Having worked as an engineer and had patents, I have a granular understanding of the technology. When dealing with members of the audit committee, I help them understand in lay person’s terms what we are doing, why we are doing it, what we should be thinking about, and what other questions they should be asking.
How does your perspective shift when you talk to your tech team about their design of Proofpoint’s products, rather than internal security?
A lot of my time spent with the engineering teams is listening and understanding technically what they’re doing and where they’re going with the product line. My input is about doing this in the most cost-efficient manner possible. We want to deliver a high-quality service that involves a process of inventing and reinventing. But we want to do it in a way that we can hit the price points we need to deliver profitability and cash flow to shareholders.
Engineering’s an unusual background for a CFO. Describe your career path.
I graduated from Dartmouth with a degree in electrical engineering and went to work for Sony in Japan for a year as an engineer in their digital television labs. Back in 1985, that really was rocket science, because TVs were analog. The idea of digitizing the TV signal was a big deal. It was the early generations of what ultimately became HDTV. And so I filed patents as part of the team there and received a number of patents for the work that I did.
But part of what I ultimately came to realize is that while I really liked engineering, starting life as a beginning engineer meant that it would be a long time before I could have a significant impact on a company. And I always had aspirations to play a role in helping to build a big technology franchise. The other thing I realized is that there were a lot of engineers that were a heck of a lot better than me. I could probably be an above-average but not exceptional engineer.
So I went back to study marketing at the Kellogg Graduate School of Management at Northwestern University. But when I graduated in 1988, other than maybe Microsoft and Apple, nobody understood what marketing was in technology, and I couldn’t find a decent marketing job. But Ken Goldman [the current CFO of Yahoo], who at the time was at a chip company called VLSI Technology, was looking to hire some MBAs to help him build the finance team. Within the first year and a half, I realized that the combination of a technical background working in a technology company along with my quantitative skills and focus on finance was a unique combination.
With Gary Steele [the chief executive officer] here at Proofpoint, it’s the same thing. Gary wanted somebody who really understood and appreciated the technology, especially because we were building out in the cloud, which he’d never done before. Quite frankly, I’d never done it before either. The question was: How do we take this complex technology and put it in the cloud — and do it in a way where we can hit price points that make sense for our customers.