Check Point: An Israeli Cybersecurity Origin Story
Incidentally, my very first job interview – way back, in the pre-cloud days – was at Check Point Software. The senior manager – whom I met after passing the technical interview – asked about my other options, and smiled when I said it was mostly early stage startups. “There is no reason to gamble,” he said. “You can simply work for Check Point. It is already a successful startup”.
In hindsight, this anecdotal saying was reflective of the Check Point DNA.
Check Point Origins
Gil Shwed’s recent step-down as CEO of Check Point – after over 30 years at the helm – marks him the longest-tenured CEO for a Nasdaq company; it’s an opportunity to retell the story of how Check Point got started - in many ways, it’s the origin story of the modern cybersecurity industry, as well as the dominant role Israeli innovation plays in it.
Shwed spent his military service at the Israeli Intelligence unit 8200; as the story goes, he oversaw IT for a confidential sub-unit that – being highly sensitive and careful about its data – looked for a way to protect it. The 8200 intranet (internal network) wasn’t connected to the internet – which was called NSFNet at the time, and was limited to scientific institutions – but that wasn’t good enough; Shwed looked for a way to restrict access to the classified data, and block those who did not hold clearance. So he built a box that filtered network connections, based on a configured policy file - essentially a list of allowed IP addresses. Like building a virtual wall to protect the sensitive data. A firewall.
By 1992, when the US Congress passed the Scientific and Advanced-Technology Act, which essentially opened up NSFNet and paved the way to the commercial internet, Shwed had completed his service, and was working – as a software developer – for an Israeli tech company. Tasked with connecting a software system to this new internet thing, Shwed realized that there is going to be a commercial need for his old military invention, the firewall.
Unlike today, VC capital was still scarce in Israel back in 1994; Shwed and his co-founders have raised roughly $250,000 – alongside their personal savings – to get Check Point off the ground in 1994; only $100k was actually used though, before Check Point became profitable.
In 1996, the company had over $15M in net profit (profit, that is - not an “adjusted” metric), and maintained net margins avbove 43% throughout the dot-com boom and into the 2000s.
Hyper-Growth During Dot-Com Boom
Headquartered in Tel-Aviv – a twelve-hour flight distance from the US East Coast, and seven time zones away – it was challenging for Check Point to compete with local companies on landing US-based customers. It’s still a challenge for Israeli companies to this day, but it was far worse in the early 1990s, before online meeting and collaboration tools were even invented.
The disadvantage of operating remotely, though, turned out to be a positive driver, as it forced Check Point to innovate: unlike competitors who relied heavily on professional services – actually sending a person to each customer in order to install and configure the network protection product – Check Point was able to create an automatic installer for its FireWall-1 product. Moreover, FireWall-1 was configured via a Graphical User Interface – an emerging concept at the time – while competing products relied on command-line interfaces.
The simplified process of installing the FireWall-1 allowed Check Point to distribute their product via channel partners, who bought a bunch of floppy disks from Check Point, and resold them across the US. Not building a large sales force nor relying on professional services partially explains the high margins Check Point was able to maintain, while demonstrating a triple-digit growth in its early days.
As the dot-com boom progressed, companies rushed to connect to the internet – somewhat akin to how organizations abruptly moved to the cloud during Covid – and needed a fast and easy way to secure their internal network. Many chose the FireWall-1 for its management GUI, which allowed them to quickly implement security policies, and better monitor their internet traffic.
In many ways, Wiz of the 2020-2025 era is reminiscent of Check Point of the 1995-2000 period: both built protection suited for an upcoming tech paradigm (the internet in Check Point’s case, the cloud for Wiz), at the perfect time, just moments before pretty much everyone were in a rush to adopt the new technology (during the dot-com / Covid SaaS bubbles); both innovated around ease of deployment and visibility, thus gaining market share quickly.
Check Point’s rise, and its self-service installation model, also allowed it to land OEM deals with Sun Microsystems (1995), HP (1996) and Nokia (1998). Selling its internet security product via some of the leading IT vendors of the time – who were riding the elevated demand environment fueled by the dot-com and telecom bubbles – is part of what grew Check Point’s revenue by more than 40x during the five-year boom; from just $10M in sales during 1995, to over $420M in the year 2000, the eve of the dot-com crash.
The Formative Dot-Com Bust
Unlike with almost any other internet or IT company, it’s hard to identify the dot-com crash by looking at Check Point’s financials; can you spot it in the graph above? Yes, sales were pretty much flat during 2001-2006, but with 40% net margins(!), the company was never really in danger. Something that Shwed and management took pride in at the time.
The following is an excerpt from Israeli news outlet Yediot Ahronot; while published in 2002, I think it deeply reflects Check Point’s culture (shaped by the dot-com bust), and could have just as well been published twenty years later, in 2022:
“We kept our sanity, even when the market went crazy, so we don’t have to do anything drastic”, says CFO of Check Point[...]
Still, is there an impact caused by the global recession? “There is, because things are unpredictable. We do everything more carefully, exercise judgment, not following promising new directions without analyzing the implications, including on the long-term. Every move is far more cautious and considerate. Not that we weren’t always cautious, but the global recession impacts everyone’s plans”.
Did you have to do layoffs or cut wages for employees and managers? “We did not cut wages, because we always kept our sanity… we are not laying people off, but rather continuing to hire” [...]
Perhaps an optimistic view, but there is no denying that the last year wasn’t easy even for Check Point [...] CEO Gil Shwed remains optimistic, and said that given the state of the market, Check Point’s results are still remarkable.
The results were indeed remarkable, for 2002! That’s the thing though: Check Point started at such an early stage – alongside so many other companies that haven’t survived the dot-com boom and bust – that the company was designed for survival. Later entrants to the Cybersecurity scene weren’t burdened with the same scars, and were free to aggressively pursue growth. The latter approach was far better rewarded by the booming cybersecurity market of the last 15 years.
Missing the Cloud Boom
Sure, Check Point is still around, and quadrupled its annual sales over the last 25 years; its post-dot-com growth rates, however, never came near anything like its hyper-growth heights of the 1990s (see previous graph). Moreover, Check Point’s growth rate (yellow line in the graph below) was significantly dwarfed by almost any other major security company, for over a decade.
As a result, Check Point – who had pioneered the modern cybersecurity industry – has lost its dominant position, and gradually turned into a niche player. It’s revealing that its market cap today – around $25B – is almost 25% less than what Google recently paid to acquire Wiz, another cybersecurity company founded by Israeli intelligence veterans who served at unit 8200, just as Shwed did. Wiz started almost 30 years after Check Point, raised close to $1B – yes, that is 400x the $250k Check Point had ever raised – and so far, has mostly accrued losses; yet, five years into its existence, Wiz commands a valuation that is 30% higher compared to 32-year old Check Point.
Safety First
Shwed just never set out to build a high-flying risk-taking cash-burning company. That would be out-of-character for him. In his interviews, Shwed usually elaborates on how risky the internet is, with an ever-growing number of malicious actors and new ways for them to attack. That’s what you have to do in order to sell security products. But it also seems like being alert, and constantly seeking threats, are just part of Shwed’s personality.
In multiple earnings calls Shwed described a challenging business environment, while competitors were presenting rosy outlooks. To the puzzled analysts, he explained that other competitors might not consider business risks as seriously as Check Point does.
It’s almost as if Shwed views Check Point high margins, alongside its fortress balance sheet holding over a billion dollars in cash, as a financial firewall of sorts. It sure helped protect Check Point against the adversary markets of the dot-com bust and the global financial crisis. Yes, growth is important, but Shwed is not the kind of CEO that would simply remove a critical protection layer, and increase its company’s exposure to financial risks.
Back in 2012, when asked about Palo Alto Networks going public, Shwed mentioned that “during our 16 years of being a public company, we’ve seen 4 generations of competitors come and go”. But what was the right call for Check Point’s first 16 years of existence – being prepared for a slowdown – did not turn out to be the rewarding mode of operation over the next 16 years. The golden age of SaaS and Cloud and Mobile created a rapid expansion of the cybersecurity market, only a small portion of which ended up being captured by Check Point; a far larger portion was captured by Palo Alto Network, which today is a cybersecurity juggernaut valued at over $120B, roughly 6-times Check Point’s market cap. Its net margin, however, doesn’t come near Check Point’s impressive level of profitability.
A new CEO would probably be needed, in order to reconfigure the financial guardrails and re-architect how Check Point allocates its resources; that is exactly the job of its new chief executive, Nadav Zafrir. Interestingly enough, he was formerly the head of the entire 8200 unit. I’ll leave Zafrir’s background, as well as the changes he has been making since taking the CEO role at Check Point, for a different post; for now I just wanted to share this bit from Zafrir’s first earning call, that made me smile:
Gil Shwed Check Point Software Technologies Ltd. – Founder & Executive Chairman: [...] Many people ask me what do I going to do as a Chairman? [...] yes, I am riding my bike, and as the Chairman, I intend to do it not once a week, but maybe twice a week, but I still come every day to the office. I'm very, very excited about the future of Check Point.
[...]
Nadav Zafrir Check Point Software Technologies Ltd. – CEO & Director: [...] I can tell you that I've asked Gil, with his biking, not to do any double black diamond routes or singles within the next few months as I need you by my side here. And he said he won't and let's see.
I don’t know that Zafrir should really worry about Shwed’s biking. He doesn’t strike me as the kind of person who engages in high-adrenaline risky sports. If I had to guess, Shwed’s biking style is not about being first to the finish line, but rather on making sure you don’t injure yourself on the way there. Safety over speed.
As for Check Point though, with a new boss steering its wheels – we may start seeing this company starting to take some higher-risk black diamond routes for a change.