September 15, 2025 • 53 mins
In this episode of Inside the Network, we sit down with Sumit Dhawan, CEO of Proofpoint, one of the largest private cybersecurity companies in the world. With over $2 billion in ARR, Proofpoint protects 85 of the Fortune 100 and is on a bold path toward $5 billion in revenue by 2030.
Sumit’s journey is a masterclass in modern leadership. Having graduated with degrees in engineering and business from IIT Roorkee, the University of Minnesota, and the University of Florida, Sumit led major business lines at Citrix and VMware, including overseeing VMware’s $70 billion divestiture to Broadcom, before making the leap to cybersecurity. In 2023, he joined Proofpoint as CEO and began executing an ambitious strategy: consolidate the sprawl of human-centric security, go deep instead of broad, and prepare the company for its next chapter of growth.
In our conversation, Sumit shares why he believes empathy is the most underrated CEO trait, how acting like a founder, even inside large enterprises, shaped his leadership, and what it means to have “Apple Watch governance” under Thoma Bravo. He explains how Proofpoint has evolved from email security leader to a broader platform for human and data protection, including its acquisitions of Tessian (AI-native email protection), Hornetsecurity (MSP-focused email security), and Normalyze (DSPM).
Sumit also pulls back the curtain on the AI threat landscape, including how prompt injection attacks are already targeting copilots and agents, why AI is both supercharging attackers and empowering defenders, and how Proofpoint built intent-based detection models to defend against sophisticated zero-link phishing. Finally, he lays out three categories of viable cybersecurity startups today: gap-fillers, AI defenders, and category disruptors, and why the last two are more likely to be successful.
Whether you’re scaling a cyber startup, selling into the enterprise, or navigating PE-backed growth, this episode is full of hard-earned wisdom from a leader who’s operated at every level of the stack.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sid Trivedi (00:04):
Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk (00:09):
I am Ross Haleliuk.
Mahendra Ramsinghani (00:10):
And I am Mahendra Ramsinghani. We have
spent decades building,investing, and researching
cybersecurity companies.
Sid Trivedi (00:20):
On this podcast, we invite you to join us inside the
network where we bring the bestfounders, operators, and
investors building the future ofcyber.
Ross Haleliuk (00:31):
We will talk about the hard parts of the
founder journey, launchingcompanies, getting to product
market fit, raising capital, andscaling to an exit.
Mahendra Ramsinghani (00:42):
And, yes, we will also be talking about
epic failures.
Sid Trivedi (00:46):
But, Mahendra, we're here to make the founder
journey easier.
Mahendra Ramsinghani (00:50):
That is correct, Sid.
But we cannot make it too mucheasier because startups are
hard, And, of course, youalready knew that.
Ross Haleliuk (00:57):
Alright. You too. And now, let's get started with
this week's episode.
Mahendra Ramsinghani (01:05):
Today, we're joined by Sumit Dhawan,
CEO of Proofpoint. Sumit hasspent his entire career at the
intersection of infrastructure,cloud, and cybersecurity,
holding leadership roles atcompanies like Citrix and
VMware. Before taking the helmat Proofpoint, as president of
(01:27):
VMware, he led the$70,000,000,000 divestiture to
Broadcom. And along the way,he's built a reputation for
being a leader who combinesempathy, technical depth, and
above all, a founder's mindset,acting like a owner no matter
the role. In this episode, Sumitshares the pivotal lessons he
(01:48):
learned scaling some of theworld's most iconic companies
and why empathy is thecornerstone of great leadership.
Above all, how he's shapingProofpoint to grow rapidly and
tackle the evolving threatsenterprises face today. This is
a conversation full of hardearned insights you won't wanna
miss.
Sid Trivedi (02:10):
Welcome, Sumit, to Inside the Network.
Sumit Dhawan (02:13):
Thank you for having me.
Sid Trivedi (02:14):
So we're gonna talk about a whole bunch of different
topics today, but we reallywanna start by talking about
your early days. You gotmultiple degrees in computer
science and business. You're atIIT Roorkee, and then you're at
University of Florida for yourMBA. And you have a pretty
impressive track record leadingat some pretty large companies,
Citrix and VMware in particular.Take us back to the beginning
(02:35):
and what the journey of tech andleadership was like.
Were there a few, you know,pivotal moments or lessons from
those early days that shaped theway that you lead as a CEO
today?
Sumit Dhawan (02:46):
Great question. Thanks for having me again.
Listen. I've been fortunate toto work at great companies under
amazing CEOs and leaders whoI've had a pleasure of learning
from, observing, and they havementored me whether it was the
CEO at Citrix or the CEO ofVMware. And, you know, my
(03:07):
pivotal moments through all ofthose were different as I was
growing up in my career.
Early in my career, the pivotalmoment for me was to gain as
strong of a background in doingmultiple roles so that you can
build empathy across functions.It does make you jack of all,
you know, master of none, butstill it gives you the
(03:29):
background and foundation toactually then leave the company.
And then later on as you startrunning more and more of
business line leadership, Ithink a pivotal sort of learning
I had was acting as a founderand the owner of the company
regardless of the role you'rein. And, and that gives you sort
(03:53):
of this sense of ownership,which is very much needed as you
step into, more and more seniorleadership roles of running a
company. At the end of the day,you know, you're accountable for
thousands of employees that areworking for you and the company
that you're leading, and you'reaccountable for leading them and
(04:14):
taking them to the best possiblesuccessful outcome that they all
deserve.
So I think those were the twopivotal learnings for me in
these great companies andamazing growth stories that both
of these two companies, as youmentioned, have and the amazing
leaders that they both had in interms of their CEOs.
Sid Trivedi (04:33):
Sumit, I'd love your thoughts also on just being
an IIT alum. I mean, a lot hashappened in terms of the
importance of the, you know, thegroup of universities and how
much of an impact they have hadin terms of creating amazing
CEOs. Did those early years atIIT influence you in some way?
Sumit Dhawan (04:49):
Yeah. I think IIT is an amazing place, you know,
and for any of the listenershere who have been to IIT or
know people from IIT, it sort ofcreates this sense of ambition
and aspiration. You sort of cometo a place that has amazing
group of students who have maybedone well in their own small
(05:13):
communities or schools that theyhave grown up with, but then
when they land into this place,they find that, you know, there
there is is many many many morepeople with tons more acumen,
ambition, you know. And and sothat that is a that's just an a
(05:34):
moment of humbling. So that waskind of a humbling exercise for
me and built a sense of ambitionfor wanting to do more and and
wanting to learn from both thepeople who were there as well as
making sure that you can do morebecause you kinda see how more
can be done by having all ofthis intellectual horsepower
(05:55):
around you.
Ross Haleliuk (05:55):
Sumit, after leading several large teams at,
established enterprises, youjoined the web app security
startup, InStart, as a CEO. Atthe time, Instart was just over
100 people, at least that'showever many I was able to find
on the Internet, and the companywas playing in a highly
competitive, in a very fastmoving space. You were able to
(06:16):
restructure the business. Youwere able to drive growth and
ultimately lead the company toan exit to Akamai. Talk to us
about the experience and what ittaught you about cybersecurity
and the startup world given thatyou came from larger enterprise
into this massive startupuniverse.
Sumit Dhawan (06:32):
It's great learning. Okay. I think I came
in, and, the company had thisgreat unique technology that had
been purposed into multipleproduct solution areas. And,
and, unfortunately, what thatled to was, very high spend
(06:54):
because you're acquiringcustomers and solving the needs
of these enterprise customers.And as we all know, when you're
building a new business in theventure world and you're
acquiring enterprise customers,these enterprise customers don't
just buy the product as itstands today.
They just keep expecting acertain pace and certain set of
capabilities to be built. Andthe company had stretched
(07:16):
itself, even though there was acommon technology platform,
stretched itself for doing so inthree different areas on top of
the same technology platform.And so as a result, just the
required rate of investment tokeeping up with customer
expectations, not to mention thespend that more these growth the
growth companies have to have toacquiring new logos was so high
(07:38):
that we had we had to focus. Wehad to restructure ourselves.
That's sort of what I'm what Isort of mean by restructuring.
And so we focused out of thosethree problems into one problem,
and we had to also almost let goof certain customers and revenue
in other areas and then buildthe company up from there. And
then once you build the companywith one specific focus areas
(08:02):
where you have a repeatabilityand a successful outcome of
meeting these enterprisecustomers with needs of not just
today, but in their futureroadmap asks. Then we had enough
of a momentum where we couldfind the right home for their
technology and the people whoare working on it to be
something that was extremelycomplementary to Akamai's
(08:22):
business. So that's what led toit. I mean, learning for me was
essentially in a larger company,the importance of cash flow is a
little less and you're lookingat several other metrics.
You you you learn the importanceof cash flows. And then when you
have even a smaller group ofemployees who on an everyday is
(08:43):
looking up to you to how they'regonna make, you know, their
paycheck true or not next at thenext paycheck, that sense of
responsibility was somethingthat I learned at InstART. I
probably would not have beenable to learn it without getting
into that seat at InstART.
Mahendra Ramsinghani (09:01):
And I think it would be fair to say,
Sumit, that the the seeds ofyour cybersecurity journey
probably were planted at thetime when you are at InstART. Of
course, you went back to VMwarefor, several years, this time
four years. Prior to InStar, youspent five years at VMware in
two very separate phases ofVMware's journey. Know, You
(09:23):
before we dive into Proofpointand the world of cybersecurity,
I want to spend a little time onthose two phases at VMware. In
the first phase of your career,you know, you're heading up the
end user computing business asSVP.
Everything is moving up into theright. In the second phase of
your career, you come back. Thistime, you're leading the entire
(09:43):
10 plus billion dollar operationand, you know, getting the
company ready to put it in thehands of Broadcom. Two very
different phases of VMware. Imean, share with us some of the
experiences in the growth phaseand then back into the
consolidation phase.
Sumit Dhawan (09:59):
Yeah. Very well said, Mahindra. The first one
was the growth phase. Both ofthem were transformation phases
for VMware. One was one businessto multi business and growth
phase of diversifying therevenue and the portfolio by
having more than one businessunit.
This was the phase where thecompany went from just having
(10:20):
predominantly a data centervirtualization business to end
user computing and networkvirtualization and even putting
the early beginnings of thecloud business. Those were the
business units that were set up.And once you set up up more than
one business to multiplebusiness units, there are
several implications as you canimagine. So so so that was that
(10:43):
phase. And then in the secondphase was transformation towards
cloud recurring revenue.
And, and then tail end of mytenure at VMware was obviously
making sure that we execute onour plan for both transformation
and what we had signed up to ourinvestors and the board, as a
(11:06):
standalone company whilehandling all of the various
constituencies that requiredapprovals globally from
regulatory perspective andhandling both of those and so
that you can hand over thecompany to the new, you know,
the new new spot. So so thoseare very, very different very
(11:27):
different times and differentroles that I had at the company.
Mahendra Ramsinghani (11:31):
And, of course, you capped it off nicely
with a $70,000,000,000enterprise value as you
transitioned out of VMware. Nowbeing in the world of
infrastructure, I'm sure you hada lot of options. The world is a
much bigger playground, and youcame to the world of
cybersecurity. Help usunderstand how your decision
(11:51):
making process went about.
Sumit Dhawan (11:53):
You know, there were two areas I was kind of
intrigued by as I made adecision to go do something
different around the time of theacquisition getting completed.
One was around the wholedeveloper software. The other
one was cyber In both cases, Isaw the market structure kind of
(12:15):
non sustaining in the state itwas in. It was highly
fragmented, very point product,and and I sort of felt like this
doesn't seem like the right fit.So my thesis is in the future.
It just doesn't make any senseto let this sort of whole thing
(12:35):
continue. And so those were mytwo primary areas of interest to
join because I thought these arethis is an industry that's gonna
go through a transformation. Soso then the the right player in
those industries would be onethat has incumbency, market
leadership, and size. Okay. Onceyou have incumbency, market
(12:58):
leadership, size, and of course,certain sort of differentiation
in the underlying technology,that gives you an ability to
participate in that next era ofa market change.
Okay? And with the rightleadership focus, at least you
have a potential and apossibility to go go make that
(13:20):
happen. And so looking at thatas the backdrop, Proofpoint
turned out to be one that I gotexcited about. The more I
learned about it, I sort of sawa company that had huge, you
know, market leadership in thespace that it played in, which
was, you know, email securityand had the starting points of
(13:42):
certain other areas the companywas expanding to and the revenue
was diversifying,differentiation from the
competition. And there is nothere's the the incorrect
assessment from the publicmarket that email security is
gonna go away or will getsedimented into a network box or
an or a platform provider.
(14:04):
And so once I sort of believedin that fundamental, then that
led to a conclusion that, hey.Proofpoint can be a company that
really takes helps drive thisnext era of cybersecurity. You
can be a major player in it, andI got excited about leading it
and making sure, you know, Iparticipate in that.
Sid Trivedi (14:24):
Sumit, you you talked a little bit about
Proofpoint, so let's dive alittle bit deeper. And you
described just Proofpoint'scommanding position in email
security. For for our listeners,many of them will know this, but
the company started in 02/2002,and it went public about ten
years later. And thensubsequently was taken private
in 2021 for just over$12,000,000,000 by Thoma Bravo.
(14:47):
It it had several leadershipchanges following that, and you
ended up joining the company asthe new CEO in in 2023, roughly
about two years after Tom hadtaken the company private.
I'm curious, like, what was thedecision making behind joining
the company that had gonethrough its, you know, amazing
heydays, had had the complexityof a, you know, a private equity
(15:08):
partner, and then had hadmultiple leadership changes
already happen. How did youthink about that? And you
mentioned Proofpoint's abilityto be very much on the top of
email security. I a 100% agreewith that. But I think, you
know, you're a big Warriors fan,and Steve Kerr has said this
multiple times that you can'tstay on top forever.
I'm sure that was runningthrough your mind that is there
(15:31):
you know, there's only one wayto go when you're up on top, and
that's down. There there'sthere's no way to go any higher
than than number one. How So didyou think about
Sumit Dhawan (15:38):
It's a
Sid Trivedi (15:38):
it's a
Sumit Dhawan (15:39):
it's a great, great question. Listen, I think,
when I was looking at it, I sortof didn't quite so there are a
few questions in there. One wasabout the fact that, listen,
you're a leader. Is there ascope to go any higher? It's one
way one question.
The other question you askedwas, is there a, was there a
(16:02):
concern I had about just thelast two CEOs leaving in the
last two years. Okay? I thinkthey to me, the former was easy.
Okay? I I wasn't coming here tomake Proofpoint an even bigger
market share leader for emailsecurity.
That wasn't the goal. Thatwasn't the thesis. That wasn't
(16:25):
the right strategy. It was tocoming back to, hey.
Cybersecurity has a sprawl.
There is going to be anarchitectural consolidation in
cybersecurity. And I felt likethere were sort of these
detection and responsetechnologies. There were
networks consolidation happeningthrough SASE, and some
consolidation had to happen onthe preventive part of
(16:48):
cybersecurity. And that'slargely become a human thing.
It's humans that get attackedand humans that lose data.
And once I understood that thereis a potential for that being
something that Proofpoint canhave a dominant position in,
that's not saying that you'realready at the top and you're
(17:09):
only gonna potentially hard togo up. That's saying that there
is a market that you can take onwhich is based on where you have
strength in. Okay? So that'skinda sort of to me like, okay.
Once you become really, reallysuccessful in the g league, now
you get to play in the NBA.
(17:30):
Right? So to me, that's sort ofhow I saw it. Okay. Here is a
here's an opportunity to takeProofpoint from G League where
we are dominating, we'rewinning, to now sort of this
team that takes on a biggercybersecurity market. And, you
know, listen, when we wentprivate, we went private at at a
(17:50):
revenue run rate of1,200,000,000.0 annually.
We crossed more than2,000,000,000 already, and and
we are we are well on our way tobe close to 2 and a half. And
our aspiration is to be a$5,000,000,000 company by 2030.
We call it five project five by'30 within Proofpoint. So so
(18:13):
that was my frame of mind. Sohopefully, that answers the
first question.
Any questions on that before Ianswer your second one?
Sid Trivedi (18:20):
No. I think you you put it very well, and we'll talk
a little bit about where youexpand in subsequent questions,
but I think you put you put theframing very well.
Sumit Dhawan (18:28):
Okay. And then the second question is, listen, the
the leadership transitions andwhatnot. My perspective is if
you believe in the in thefundamentals on the market, if
you believe in the fundamentalsof aligning with the board and
the investment thesis and theaspirations of the board in
(18:48):
terms of what they see, thenit's a leadership challenge for
the CEO to come in and get thatsorted out. And I didn't feel
like I there is no CEO seat thatcomes in that says, hey, this is
a beautiful ship. It's sort ofsailing in the right direction.
And just come in and make surethat you put your headphones on
(19:12):
and sit and do nothing. So tome, that was easy. That was
there was no that wasn't a worryat all. It's something, okay. As
long as we are aligned on whatwe wanna go do strategically and
we have bold aspirations that'saligned with mine and listen, I
had a dinner with the so myinterview process was very
straightforward.
We had a discussion on sort ofwhat we wanted to do over a
(19:34):
course of few days, you know,and then I said and they said,
hey. We're ready to make adecision. I'm like, I'm
surprised you are. If you are, Iwanna meet for dinner. I met for
dinner, both the chair and thelead board members, and I said,
here's my plan.
Here's the aspirations, what Iwanna do. Here's how I would do
it. They looked at it andthey're like, you're wrong on
this, but you're right oneverything else. I said, explain
(19:55):
how I'm wrong. They explained itto me.
We debated it. They were right.I was wrong. I said, okay.
You're right.
Let's move forward. We had theoffer. I signed it. So to me,
that's that that showed thatthere was an alignment with the
board, and there was the speedof decision making, which I
really liked, that made thedecision easier.
Ross Haleliuk (20:16):
That is a great story. And let's dive deeper
into it, and let's talk a bitabout the leadership challenges.
So you've led business lines atlarge public companies like like
VMware and then now at theprivate equity owned firm, what
do you find different aboutrunning a PE backed company?
Sumit Dhawan (20:34):
This was my first experience with private equity.
So I I didn't know what I didn'tknow. And, you know, I sort of
asked a few people in otherleadership positions at private
equity firms. And what I learnedwas, number one, I was getting
very inconsistent answers, like,so different that I was like,
(20:54):
okay. This doesn't quite add up.
Okay? So my first conclusion Idrew when I was sort of
comparing notes was there'snothing called working for a
private equity as a as aconsistent answer. Okay? There
is probably some degree ofconsistency working for a public
company. There's probably somedegree of consistency working
for a venture company, but thereis no consistent answer across
(21:18):
private equities.
That's the first thing Ilearned. In other words, every
private equity company sponsorhas a different model. Second
thing I learned was which wasafter the fact, was that what
really, really matters is nodifferent than what matters in
running a public company in ahealthy fashion, which is focus
(21:41):
on achieving the right businessresults with discipline. Okay?
At the end of the day, the onething that private equity does
really, really well is havingspot putting a spotlight on.
And this is more maybe aboutThoma Bravo because I have no
experience in any other privateequity. So what I really, really
(22:02):
liked working with at Proofpointwith Thoma Bravo, which was a
strong positive surprise, wasjust a spotlight on on numbers
in beat format, which is reallyonerous and painful for people
in finance and people inbusiness intelligence because
the amount of work needed inproducing all of that data is
(22:26):
high. But I kind of jokinglycompare Thoma Bravo as, like,
Apple Watch. If any I don't ownit. I don't like it, but I know
who own it or people who own it.
You know how it buzzes you everynow and then and tells you to
stand up if you have beensitting for too long. Okay. Do
you always stand up when itbuzzes you? No. Okay.
(22:47):
But it's a good reminder everythree times it buzzes you, you
know, you maybe you stand up. Somy bravo is no different. It'll
show you all the metrics andmake sure that you have a mirror
right in front of you. Now thereare always ugly spots that we
can see when we have mirror infront of us. Do you always act
on them?
Can you always act on them? Youknow, no. So that's the
(23:11):
relationship we have. Okay? Theywould there is this healthy
healthy discipline of looking atmetrics.
There's a healthy discipline ofthem pushing me, nudging me, and
us debating whether it makessense for us to fix or what are
the things that make sense forus to fix. But then they require
and they lean on me and myleadership to make sure that we
(23:36):
go sort of plan it and executeit. There is no playbooks. Okay?
They don't tell me, here's ourplaybook.
Go pursue it. There is no targetmetrics. There is no none
there's as much as it is for anykind of public company, you're
operating in a certain growth.There's some rule of
expectations. We are verysimilar.
And from governance perspective,given we are in much later stage
(23:58):
with them, we are operating asif we are in the public company
because that's what we aspire togo be as early as as we can. So
so so that's kinda how I havelearned of working with Thoma
Bravo, and it's been quitepositive. I know some teams get
bothered by Apple Watch nudgingyou too much. But listen, as
(24:20):
long as you can take it theright way and do what's right
for you and your health or youand your business in this case,
it's not a bad thing.
Mahendra Ramsinghani (24:29):
So maybe you mentioned, you know, the
word empathy early on in ourprogram. And then as we were
talking about Thoma Bravo andthis notion of results and
discipline, how do you look atthe future in the go to market
and growth areas. These are twobroad areas where the numbers
roll back in and Toma Bravo oryour board is watching the
(24:52):
growth. So when you think aboutgo to market, you know, there
are different tactics. There aredifferent ways you can reach
your customer.
And we'd love to hear what hasworked very well and how are you
changing that.
Sumit Dhawan (25:03):
Yeah. And I think at the end of the day, our our I
can sort of say what we've doneover the course of last two
years, and that's the foundationof where we are headed on the go
to market side. Proofpoint, youknow, when one of the things we
decided when I joined was we Ifelt like we had too many we had
(25:23):
our sort of fingers into toomany things. And if we wanted to
go win, in the world of cyber,even though we agree that there
is going to be fewer players, Ididn't think in the world of
cyber, good enough is gonna begood enough. Okay?
You need the depth of thesolution as as long as you're
serving it to enterprise. Thedepth of the solution that comes
(25:45):
in the form of efficacy andmany, many more things these
days, you know, now there ismore and more sort of, you know,
AI in terms of how things likeSOC power up, of course,
integrations. So there are sortof several elements that go into
building that depth of solution.And we had our fingers into
(26:06):
maybe too many things becausethe world of cloud and mobile
had opened up this large surfacearea of threats. And and and
CSOs can sometimes lead you intotoo many things if you you're
not careful.
Right? So we may we had madethat mistake, too many
acquisitions that were notconnected together. So we
(26:27):
focused. And by focusing what wewere gonna do, we said we were
gonna be the best at two thingsthat people do. People
collaborate with each other, andpeople deal with data.
Okay? And we are gonna build thebest possible solution on
collaboration security whereemail is part of it, but
collaboration is happening nowacross multiple dimensions.
(26:48):
People are collaborating throughsuppliers and third parties.
There are risks that arehappening because of internal
people's accounts getting takenover in the service desk and
whatnot. So there's a wholethreat landscape due to digital
collaboration.
And then there is a sort of datarisk and compliance and and just
information risk aspect becauseof people handling data. So we
(27:11):
created expertise in those twodetails that overlay our account
teams. And we sunset all the goto markets, and we sunset an end
of life everything else. K? Itwasn't done to cut costs.
Actually, we it led to achievingour growth targets and achieving
(27:35):
our margin targets because wewere able to focus. We actually
doubled down in certain areas.Yes. Were we had we gotten
fiscally in this notdisciplined. Every company does.
Okay? It's just cycle that yousort of make some investments.
Not every investment pans out.And as a leadership team, you
(27:55):
have to make a decision todouble down in the areas that
pan out and take investments outof areas that didn't. You know,
you are some of your ventureguys, you you guys do that in
the form of your portfolios.
In the in the world ofcorporate, we have to do that in
in the form of our initiativesand businesses and the bets we
place. And that's what we'dended up doing. Okay? And by
(28:16):
doing so, on the go to marketand the solutions we would go,
we built rich expertise and wedoubled down on r and d in these
areas. And, you know, I wasreally pleased to see at the
beginning of the year whetherit's Gartner Magic Quadrant
market share and data security,which was a brand new space.
It's become a sizable part ofthe business. We took over
market share leadership againstSymantec and and any of the
(28:40):
other DLP players. Now we haveexpanded into DSPM, and we
integrated the first ones tohave DSPM and DLP together at
our upcoming protect conference.We're gonna expand that for
agentic security as well that'srelated to data. So we feel like
we are clearly the innovationleader, market leader there
because of focus.
And we extended our emailprotection to a full range of
(29:03):
threat protection solutions sothat just an email security
player can't just address theneeds of today's threat
protection requirements. Okay?And that's what happened through
going deep in those two areas.And we really came out of
everything else from go tomarket perspective.
Mahendra Ramsinghani (29:21):
Thank you, Shubad. And, you know, speaking
of AI and speaking of how you'vebeen bolstering up your
portfolio, there is a buildversus buy strategy. How should
we think about Proofpoint's rolein building versus buying as you
look at the future?
Sumit Dhawan (29:38):
First of all, I'm very excited about the future.
Okay? We didn't of course, Ididn't expect that coming into
the role. We sort of drew we putin our view, we put human in the
middle and we said all aspectsof human centric security is
what we would sort of sedimentinto our platform, and we keep
going deep into the areas Imentioned. And things have
actually gone to some extent, Iwould even say, of plan in that
(30:03):
dimension.
We, we are looking at two areasof now growth in terms of the
future. One is this humancentric security problem is now
impacting every business ofevery size in every locale.
That's not something that I saweven two years ago. Okay? I have
(30:24):
not seen customers of reallysmall size saying they need best
in class security for phishingprotection and supplier
protection and SaaS securityprotection, things that they
would have never brought up twoyears ago.
They are bringing it up now. Sowe expanded into we had an
(30:45):
option, to answer your question,Mahendra, where we could have
sort of built that. We actuallyhad all the email security
underpinnings, and we could havebuilt this solution for micro
businesses that are servedthrough MSPs. In fact, we even
had a product line. But we sawwe didn't have a business.
You need a reach. You need aprogram. You need expertise to
(31:06):
be able to deal with partners ina certain way. You need
academies. You need communities.
So there is an aspect of thisfull value chain of everyone
from from distributors toecosystem to MSP providers and,
of course, end users. Andthere's a whole sort of needs
that come in for providing thatsolution when you're serving a
(31:27):
brand new market segment. So wedecided we were gonna play in
that market segment through anacquisition of a market leader
in that space, and we announcedthe acquisition of Hornet
Security, and we're really,really excited and waiting to
get that closed, hopefully,anytime soon. And then we
continue our journey in having,you know, this human centric
(31:48):
security now brought to everycustomer of every size. Okay?
That's that's our mission there.The second thing is we are quite
excited about well, I shouldn'tsay the word excited because
it's a pain for our customerseven though this the the era of
AI opens up a broad issue whendigital assistants and copilots
(32:10):
and agent agentic AI comes toshape. Last week, I hosted a
special meeting with six CIOsonly through the network. It was
not with CSOs on purpose. And Iwas amazed to sort of hear from
them how much and how fast andhow much AI they're adopting and
the pace at which their mandateis at this point in time to
(32:32):
adopt AgenTic.
And and that when I when Ishowed them, listen, the human
security problems extend tocopilots and agents, they were
like, we gotta solve them. Okay?Humans get socially engineered.
Agents get prompt engineered.Humans lose data.
(32:52):
Agents lose data. Humans getcredential fished. You know,
agents get certificate fished.But at the end of the day, there
is an intent of communicationthat's going to the agents. And
if that's not if that'smisunderstood, just like humans
misunderstand the intent, ifthat's misunderstood by agents,
that's vulnerability.
(33:14):
That's risk. So the good news isthere is some things we can use
from what we have. But there aremany things, Mahendra, we don't
know, and we are gonna belooking in the ecosystem to see
what's complementary that fitsinto our extension of providing
security for AI. Not AI securityis gonna be big, but what fits
in as a natural extension fromhumans to digital assistance to
(33:38):
humans.
Sid Trivedi (33:38):
You talked a little bit about the human factor and
and AI risks. I'm curious. Imean, even in email, we are
seeing a very different type ofattack. I think of it as zero
day phishing in that this is thefirst time when a when a, you
know, individual, an employeegets an email that is a phishing
attempt. Today, we are seeing,you know, these types of attacks
(33:59):
where it's the first time thatemail ID has ever been used.
It's a highly personalized emailto that individual, and it
doesn't have any links. Itdoesn't have any attachments.
It's, you know, trying to getthat individual to to
communicate back and forth.There's a lot of different ways
that attackers are leveragingthe new, you know, kind of
tooling that that has been builtby some of these large
(34:20):
foundation mall companies. I'mcurious.
Just in email security, how doyou think about that at
Proofpoint? How do you thinkabout how do we fight this new
type of AI attack?
Sumit Dhawan (34:30):
Yeah. It's a it's a great one. I think, first of
all, we weren't proud of it. Butwhat happened with us after the
advent of ChatGPT, and maybe itwas not attributed to ChatGPT,
even tools like Grammarly coulddo this. We saw, actually, for
the first time, our drop inefficacy was noticeable.
We take pride in number of sortof things we miss versus number
(34:54):
of things we block, and that'susually in 99.9 plus percent.
That's how we measure. And theseare advanced threats. These are
not simple spam. It droppedbelow 97, and it was all
attributed to a moresophisticated set of attacks
that were more conversationaland had an intent behind them
(35:14):
that was malicious, yet thecommunication was fine.
So we we determined thatsemantic analysis is no longer
sufficient. K? We've always hadall kinds of models that are
deep learning models thatcontinue to enhance rapidly
after you learn about apotential threat and you improve
the semantics. But we ended upbuilding then for the first time
(35:37):
intent based models. Intentbased models use language
models.
Okay? So they are languagemodels based models that at this
point in time are defending andprotecting our customers. And
these models are detecting theintent of communication. And you
can't rewrite a message. Youcan't as long as the intent is
the same, our models will scorethem to be high risk and then
(36:00):
you can, you know, you can do abunch of things, quarantine to
warn, etcetera etcetera.
And we and our efficacy has goneup back to 99.9 something
percent. And so, you know, wefeel like this is not gonna be
the end of the race. There is aconstant investment that we make
in new model creation and threatresearch, and the two work
(36:22):
closely together. And and we areseeing more sophistication, not
less sophistication. We areseeing compromises across not
just an attacker to anindividual, but compromise to an
individual's ecosystem ofcollaborators, and then regular
communication starts beforesomething nefarious comes in.
(36:44):
We see we are seeing, you know,channels of communications to be
more than one, more than email,you know, sending through teams
and whatnot. So so our threatprotection now platform is
expanding to cover this any toany protection, you know, where
more than just an attacker toperson, you're protecting all
(37:05):
the ecosystem of an individualby building a communication
graph and then checking anymaliciousness or abnormality in
that, as well as doing so acrossmultiple communication channels.
And I believe over a period oftime, email security will become
a feature of that kind of asystem that protects from these
future generation of attacksthat are gonna be
multidimensional.
Ross Haleliuk (37:25):
Sumit, there are many conversations about how AI
is changing the threatlandscape, like what is
happening, how it is enablingthe defenders to offer better
types of defenses. I'm curious,from your vantage point, you
have thousands of customers.You're seeing the kind of things
that most startups out there donot have the visibility into.
(37:47):
What is like, what are youseeing, when it comes to AI? How
is AI being used in the wild?
What are some of the novelattacks or attack methods? You
mentioned some. I'm curious ifthere is if there is others that
you haven't seen being talkedabout publicly. And what does
the actual customer adoptionlook like?
Sumit Dhawan (38:05):
Yeah. Firstly, I would say the even though it's
very difficult to technicallyattribute every attack to
generative technologies. Wetried that first, we were like,
what's it's we will only bewrong, and we can be wrong by
several percentages. So we wesort of stopped that exercise.
But what we see is clearpatterns.
(38:27):
The volume of advanced threatshave gone up significantly. It's
a big, big jump that we are atthis point of time seeing.
Second, the places and the typeof customers that are getting
attacked is changed drastically.We are seeing attacks in Japan,
Korea, Middle East. You know,where there is money but
(38:47):
language had been a barrier,language is no longer a barrier.
Okay. Clearly, we know thatattackers didn't go out and
learn Japanese and Arabic. Know,they this is clearly the the
generative technologies that arecoming into play. And then what
we are starting to see isattacks being made on Copilots.
(39:09):
We're starting to seecommunications with white text
in email that is nonhumanreadable to build asymmetry in
context between copilots andhumans so that at some point in
time, a prompt come can comeinto humans with asymmetry in
context that leads to potentialfraud or malware.
So we're starting to see thosekinds of sophisticated attacks.
(39:30):
We see them now in our systems.We're detecting these. And it's
hard for us to what do you whatdo you do with those? Right?
So we are also in ourengineering labs and working
with customers figuring out howdo you score them. Because it's
it's it's got nothing in it.There's no link in it. There's
nothing it's just got some whitetext, which you can clearly tell
is text to train a model. It'slanguage.
(39:51):
It's not like pixels. Okay? Sothere's clearly something that's
intended to happen with the withthat communication and is
nonhuman readable. So those arethe kinds of issues our threat
research and our modelers aredealing with at this point of
time. And, you know, this is thegross AI defending or competing
(40:12):
against AI.
That's what's happening. And soin terms of adoption, the good
news for our customers is, youknow, at the end of the day, we
take pride in 85 out of Fortune100, and 30% of enterprise sort
of email is secured by us. So atthis point, this is global
number. So to me, at this pointin time, when we enable a new
(40:35):
model, it gets activated for ourcustomers within a matter of
days. So we just roll it outwith any rollout practices you
would see in the cloud.
It's a very modern tech stack.It sort of gets enabled rapidly,
which is both good and bad. Itprotects the customers, but many
times the customers don't evenknow that they got additional
protection. So sometimes we haveto sort of keep telling them,
(40:56):
no. No.
Trust us. We we added a bunch ofthese models that without us,
you you would have probably seenbad stuff come in. So but that's
what's happening. It's AI AIdefending against AI every day
in our labs today.
Sid Trivedi (41:09):
Let's talk a little bit about kind of the changes in
the email security landscape. Imean, certainly, Proofpoint and
Mimecast have been the clearleaders, and Proofpoint well
above Mimecast if you just lookat pure numbers. And and both of
you focused on the secure emailgateway approach. And then we
saw kind of the secondgeneration of email security
players and, you know, let'sjust highlight two of them,
(41:31):
abnormal and material. And theirfocus was on this API based
approach.
Instead of, you know, using thesecure email gateway, let's use
API to, you know, provide thesame level of capability but
with a little less kind ofemphasis on being in line. Now
we're seeing kind of a net newgeneration of players. Many of
them are stealth, which are kindof the AI native startups, the
(41:52):
ones who are going to use AIagents instead of the
traditional regex based model.I'm curious as you see kind of
the the new generations playout, how do you think about
changing where areas where youthink Proofpoint should change
its approach and areas where youwanna stick to the core secure
email gateway approach that hasallowed Proofpoint to be the
(42:12):
significant leader that it hasbeen for well over twenty years.
Sumit Dhawan (42:15):
You know what we have learned? This is not an
either or. It's a market segmentissue. That's what we learned.
Will there be customers thatthat'll go from one segment to
the other?
Yes. But broadly speaking, thisis a market segmentation aspect.
If you look at all of oursuccess, all of our market
share, it is typically in largerenterprises. Let's call it 5,000
(42:36):
and above, you know, and maybethose numbers can change based
on the geographies and what. Andthen so what we found out when
we did an assessment of speakingwith customers and just trying
to understand what was happeningwas larger enterprises, they
have teams.
You know, when they went toOffice March, they didn't get
rid of their teams that operatethe infrastructure for
(42:56):
protecting office. So they havethe team, and they actually
prefer a solution that doesmultistage defense of
predelivery, post delivery, andclick time. That's sort of how
our system works, which isgateway is a foundation, which
is predelivery. But we keepprotecting all the way. There is
a after the fact API that'sbuilt into it, but it it
(43:17):
required a gateway.
But when we spoke with customersthat were a little smaller, they
said they have cyber teams. Theyhave a CISO. But once they went
to Office '3 65, they lost allthe teams that managed,
operated, and secured exchange.They didn't need them. Okay?
So there there was no one tooperate a gateway. There's
nothing wrong with the tech.Just no one could operate it. So
(43:38):
there were too many knobs thatsomeone had to make a decision
on, and there was no one to makea decision on it. Okay?
So that's the fundamental issue.There's no other issue, really.
So we said, okay. That makessense. There's, like, this team
that needs a set it and forgetit and let the configurations as
defined by their gateway inOffice '3 65 play all the
(43:59):
gateway centric things.
And after that, you clean upanything that comes in after the
fact. So that's why we acquireda company called Tessian. We
waited for that product to haveexact same detection stack as
our enterprise product. And thatshipped in March, and we're
seeing now great traction withthat product in that segment
that we didn't really play.Okay?
(44:21):
And that and we are not the Iwould not say we are the market
leader in that segment. We are achallenger at this point in
time, and and our team ischallenging. Now we are in the
market. We are competing withsome of the names you mentioned,
and we'll see how we fare. Okay?
It's we're proud of what webring to the market in terms of
efficacy and the quality ofefficacy and now a product that
(44:42):
integrates with Office threesixty five. And then this new
generation of agentic agenticone, I think at the end of the
day, there is a lot of modelsthat are already very
sophisticated in our solutionsand and maybe even the second
era solutions. I won't speak forthem. But in our solution, these
(45:03):
are as sophisticated as theyget, and they're only getting
better. We're gonna bring someagentic technologies on top,
agents that can help end users,agents that help the SOC, and
sort of it's our belief isunless you're going to micro
customers who really don't wantany technologies and they don't
have any cyber team, purelyproviding an agentic solution,
(45:25):
It's not just premature, but maynot ever be desired.
We're gonna closely watch. Okay?We we have been wrong in the
past. We may be wrong in thefuture, and we're not gonna hold
a firm opinion on this. Andwe'll be nimble and agile as the
customers respond, but we'regonna bring that agentic
solutions here at our upcomingconference in September.
(45:46):
I encourage all the audiencehere to attend. It's called
Proofpoint Protect, but weintend to bring those solutions
as something all our customerswill be able to avail day one.
Ross Haleliuk (45:56):
Many of our listeners are founders or
aspiring founders incybersecurity who are maybe
going through some ideationjourneys. Maybe they're
validating the the ideas thatthey would like to pursue. Given
your experience buildingproducts at scale and now and
also previously leading astartup, what advice would you
give to cybersecurityentrepreneurs that are starting
(46:18):
out today? Are there areas thatthey should focus on to avoid
some well known pitfalls? Ormaybe if they're looking to
innovate in a domain withestablished giants, is there
anything else they should bedoing?
Sumit Dhawan (46:30):
Yeah. I mean, I think there are gonna be three
three types of startups in thecyber world. Unfortunately, the
first one, which is a gap, aproblem, and a solution that has
tended to be the biggest volumeof startups. Okay? I would say
be very thoughtful and cautiousin that space because you're
(46:53):
talking about potentially, youknow, the other two being more
interesting that I'll gothrough.
Second is any aspect of securingAI. I feel like that is an area
where enterprises are enterprisearchitectures are not
established. So startups whohave the ability to pivot faster
(47:16):
and are able to sort of, youknow, build solutions at maybe a
higher velocity rate of velocityhave possibly a leg up just in
terms of how they find theirwedges in terms of various
issues that will exist. Okay? SoI think that becomes probably a
(47:38):
fairly good area for startups ifyou are investing in protecting
AI.
I think it will have a verysimilar dynamic as cloud did for
emerging, you know, the wholesort of security space that
emerged from it. I think thelast one is disruption, which is
disrupting the incumbentarchitectures. You know, SOC,
(48:00):
like x t disrupting XDR ordisrupting SASE or disrupting
Proofpoint, you know, major sortof stents. If you're really one
that can take that on, it's nota bad area. You can obviously, a
disruption is always a goodthing for a startup.
Obviously, it's the highest riskbut highest reward situation,
(48:21):
which is what startups sort oftend to get optimized for mostly
because of the investmentframework from the venture
capitalist. So I'd say those arethe three broad categories. My
only recommendation to theentrepreneurs would be that in
the past, the first category wasrewarded. It's hard. It's hard
in the first category all theway from investors to
(48:45):
potentially even at the end ofthe day, if you wanna be a be a
part of a company, it's a littleharder.
The other two just seeminstinctively at this point of
time, even though I'm not aventure capitalist, a better
place is for for entrepreneur.
Mahendra Ramsinghani (49:00):
Sumit, as we wrap up, you mentioned early
on in our conversation todaythat your internal goal is five
by 30, you know, getting to5,000,000,000 in revenues by
02/1930. Clearly, a veryambitious goal. If you widen the
aperture a little bit and lookout into the next five years,
(49:21):
what are some areas where youfeel like large swathes of
opportunity lie for a companylike yours?
Sumit Dhawan (49:29):
Honestly, I feel like it's not ambitious enough.
But so I I think I think listen.But to answer your question, the
markets we are in, we haveestablished ourselves as
technology leadership, marketleadership, ability to execute
and win customers, make themsuccessful with our technology,
make them fans of our products.And even in the markets we are
(49:52):
in, if I look at just sustainingour growth rate and market and
of course, growing our marketshare because we are growing
much faster than the market, wethink we, you know, we we have
we have ways to to grow and go.K?
Secondly, I'd say the and that'sthe reason I say that is
because, like I mentioned, we'rea challenger in this mid
(50:15):
enterprise space through thesolution we launched. We've just
opened up our sovereignsolutions in India, Singapore,
Middle East, Japan. These arejust new markets. We haven't
even we don't have any kind ofmarket presence as we do in The
US, for example. So there aresort of significant opportunity
for us there.
(50:36):
Second, I think I see a naturaladjacency and growth in the two
areas I mentioned. Inparticular, in going into micro
businesses and MSP, we have a wehave a great start. Yesterday
and day before, we had our topmanaged service providers hosted
as an advisory council. I thinkthey feel a lot of pain right
(50:59):
now in terms of providing highsecurity at high service levels
through a standardizedarchitecture, and we think we
can be the one complementingtheir XDR solution as that's it.
It's us and XDR that canpossibly provide the foundation
of all MSPs.
And then lastly, I think theworld of digital assistance and
(51:21):
agentic security, which is justa natural extension of human
security, that's an area wherewe are setting up a we're
calling it horizon three in thewhole horizon one, horizon two,
horizon three framework as anarea of investment for us, and
we are gonna invest that bothorganically and look at
landscape of potential m and aopportunities. You know, we the
(51:44):
the one thing on this five by 30is one thing we can lose track
of when you're just looking atit through the lens of numbers
is who we are. And you sort ofstart diluting yourself and your
focus into many things or littlethings that are not necessarily
related to your mission andpurpose at hand and your sort of
(52:05):
right to play and right to win.So we have we have used that as
a mechanism to define the scopealong these three areas I
mentioned. K?
Tons and tons of opportunity togrow by addressable market
growth that's happening in thecore markets. This MSP space and
agentic security. Have youfigured out answers in all of
those three? No. But that's whyI said it's 2030 and not 2025 or
(52:28):
'26.
Mahendra Ramsinghani (52:28):
Thank you, Sumit. Thank you. You know, your
background coming from the worldof infrastructure and having
worked with companies likeCitrix and VMware brings a very
unique perspective to the worldof cybersecurity. And most
importantly for our audience,you laid out the three types of
companies that founders shouldfocus on, you know, filling
gaps, securing AI, as well asdisrupting incumbents. You know?
(52:51):
I feel like this has been a veryproductive conversation for us
today, and I sure hope that ouraudience will benefit from this.
So thank you so much.
Sumit Dhawan (52:58):
Yeah. Thank you for having me. And, the more the
cyber ecosystem develops throughthe investments, the more we
benefit. We obviously love topartner and acquire the
technologies that get built. Soany of the startup founders, do
think about us, talk to us asyou're thinking about your
(53:18):
growth plans and potentiallytaking the technologies that
you've built to the nextheights.
Maybe we can help.
Sid Trivedi (53:25):
Thank you for joining us inside the network.
Ross Haleliuk (53:28):
If you like this episode, please leave us a
review and share it with others.
Mahendra Ramsinghani (53:33):
If you really, really liked it and you
have some feedback for us, wrapit on a bottle of Yamazaki and
send it to me first.
Sid Trivedi (53:43):
No. Don't do that. Mahendra gets too many gifts
already. Please reach out byemail or LinkedIn.
Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk (00:09):
I am Ross Haleliuk.
Mahendra Ramsinghani (00:10):
And I am Mahendra Ramsinghani. We have
spent decades building,investing, and researching
cybersecurity companies.
Sid Trivedi (00:20):
On this podcast, we invite you to join us inside the
network where we bring the bestfounders, operators, and
investors building the future ofcyber.
Ross Haleliuk (00:31):
We will talk about the hard parts of the
founder journey, launchingcompanies, getting to product
market fit, raising capital, andscaling to an exit.
Mahendra Ramsinghani (00:42):
And, yes, we will also be talking about
epic failures.
Sid Trivedi (00:46):
But, Mahendra, we're here to make the founder
journey easier.
Mahendra Ramsinghani (00:50):
That is correct, Sid.
But we cannot make it too mucheasier because startups are
hard, And, of course, youalready knew that.
Ross Haleliuk (00:57):
Alright. You too. And now, let's get started with
this week's episode.
Mahendra Ramsinghani (01:05):
Today, we're joined by Sumit Dhawan,
CEO of Proofpoint. Sumit hasspent his entire career at the
intersection of infrastructure,cloud, and cybersecurity,
holding leadership roles atcompanies like Citrix and
VMware. Before taking the helmat Proofpoint, as president of
(01:27):
VMware, he led the$70,000,000,000 divestiture to
Broadcom. And along the way,he's built a reputation for
being a leader who combinesempathy, technical depth, and
above all, a founder's mindset,acting like a owner no matter
the role. In this episode, Sumitshares the pivotal lessons he
(01:48):
learned scaling some of theworld's most iconic companies
and why empathy is thecornerstone of great leadership.
Above all, how he's shapingProofpoint to grow rapidly and
tackle the evolving threatsenterprises face today. This is
a conversation full of hardearned insights you won't wanna
miss.
Sid Trivedi (02:10):
Welcome, Sumit, to Inside the Network.
Sumit Dhawan (02:13):
Thank you for having me.
Sid Trivedi (02:14):
So we're gonna talk about a whole bunch of different
topics today, but we reallywanna start by talking about
your early days. You gotmultiple degrees in computer
science and business. You're atIIT Roorkee, and then you're at
University of Florida for yourMBA. And you have a pretty
impressive track record leadingat some pretty large companies,
Citrix and VMware in particular.Take us back to the beginning
(02:35):
and what the journey of tech andleadership was like.
Were there a few, you know,pivotal moments or lessons from
those early days that shaped theway that you lead as a CEO
today?
Sumit Dhawan (02:46):
Great question. Thanks for having me again.
Listen. I've been fortunate toto work at great companies under
amazing CEOs and leaders whoI've had a pleasure of learning
from, observing, and they havementored me whether it was the
CEO at Citrix or the CEO ofVMware. And, you know, my
(03:07):
pivotal moments through all ofthose were different as I was
growing up in my career.
Early in my career, the pivotalmoment for me was to gain as
strong of a background in doingmultiple roles so that you can
build empathy across functions.It does make you jack of all,
you know, master of none, butstill it gives you the
(03:29):
background and foundation toactually then leave the company.
And then later on as you startrunning more and more of
business line leadership, Ithink a pivotal sort of learning
I had was acting as a founderand the owner of the company
regardless of the role you'rein. And, and that gives you sort
(03:53):
of this sense of ownership,which is very much needed as you
step into, more and more seniorleadership roles of running a
company. At the end of the day,you know, you're accountable for
thousands of employees that areworking for you and the company
that you're leading, and you'reaccountable for leading them and
(04:14):
taking them to the best possiblesuccessful outcome that they all
deserve.
So I think those were the twopivotal learnings for me in
these great companies andamazing growth stories that both
of these two companies, as youmentioned, have and the amazing
leaders that they both had in interms of their CEOs.
Sid Trivedi (04:33):
Sumit, I'd love your thoughts also on just being
an IIT alum. I mean, a lot hashappened in terms of the
importance of the, you know, thegroup of universities and how
much of an impact they have hadin terms of creating amazing
CEOs. Did those early years atIIT influence you in some way?
Sumit Dhawan (04:49):
Yeah. I think IIT is an amazing place, you know,
and for any of the listenershere who have been to IIT or
know people from IIT, it sort ofcreates this sense of ambition
and aspiration. You sort of cometo a place that has amazing
group of students who have maybedone well in their own small
(05:13):
communities or schools that theyhave grown up with, but then
when they land into this place,they find that, you know, there
there is is many many many morepeople with tons more acumen,
ambition, you know. And and sothat that is a that's just an a
(05:34):
moment of humbling. So that waskind of a humbling exercise for
me and built a sense of ambitionfor wanting to do more and and
wanting to learn from both thepeople who were there as well as
making sure that you can do morebecause you kinda see how more
can be done by having all ofthis intellectual horsepower
(05:55):
around you.
Ross Haleliuk (05:55):
Sumit, after leading several large teams at,
established enterprises, youjoined the web app security
startup, InStart, as a CEO. Atthe time, Instart was just over
100 people, at least that'showever many I was able to find
on the Internet, and the companywas playing in a highly
competitive, in a very fastmoving space. You were able to
(06:16):
restructure the business. Youwere able to drive growth and
ultimately lead the company toan exit to Akamai. Talk to us
about the experience and what ittaught you about cybersecurity
and the startup world given thatyou came from larger enterprise
into this massive startupuniverse.
Sumit Dhawan (06:32):
It's great learning. Okay. I think I came
in, and, the company had thisgreat unique technology that had
been purposed into multipleproduct solution areas. And,
and, unfortunately, what thatled to was, very high spend
(06:54):
because you're acquiringcustomers and solving the needs
of these enterprise customers.And as we all know, when you're
building a new business in theventure world and you're
acquiring enterprise customers,these enterprise customers don't
just buy the product as itstands today.
They just keep expecting acertain pace and certain set of
capabilities to be built. Andthe company had stretched
(07:16):
itself, even though there was acommon technology platform,
stretched itself for doing so inthree different areas on top of
the same technology platform.And so as a result, just the
required rate of investment tokeeping up with customer
expectations, not to mention thespend that more these growth the
growth companies have to have toacquiring new logos was so high
(07:38):
that we had we had to focus. Wehad to restructure ourselves.
That's sort of what I'm what Isort of mean by restructuring.
And so we focused out of thosethree problems into one problem,
and we had to also almost let goof certain customers and revenue
in other areas and then buildthe company up from there. And
then once you build the companywith one specific focus areas
(08:02):
where you have a repeatabilityand a successful outcome of
meeting these enterprisecustomers with needs of not just
today, but in their futureroadmap asks. Then we had enough
of a momentum where we couldfind the right home for their
technology and the people whoare working on it to be
something that was extremelycomplementary to Akamai's
(08:22):
business. So that's what led toit. I mean, learning for me was
essentially in a larger company,the importance of cash flow is a
little less and you're lookingat several other metrics.
You you you learn the importanceof cash flows. And then when you
have even a smaller group ofemployees who on an everyday is
(08:43):
looking up to you to how they'regonna make, you know, their
paycheck true or not next at thenext paycheck, that sense of
responsibility was somethingthat I learned at InstART. I
probably would not have beenable to learn it without getting
into that seat at InstART.
Mahendra Ramsinghani (09:01):
And I think it would be fair to say,
Sumit, that the the seeds ofyour cybersecurity journey
probably were planted at thetime when you are at InstART. Of
course, you went back to VMwarefor, several years, this time
four years. Prior to InStar, youspent five years at VMware in
two very separate phases ofVMware's journey. Know, You
(09:23):
before we dive into Proofpointand the world of cybersecurity,
I want to spend a little time onthose two phases at VMware. In
the first phase of your career,you know, you're heading up the
end user computing business asSVP.
Everything is moving up into theright. In the second phase of
your career, you come back. Thistime, you're leading the entire
(09:43):
10 plus billion dollar operationand, you know, getting the
company ready to put it in thehands of Broadcom. Two very
different phases of VMware. Imean, share with us some of the
experiences in the growth phaseand then back into the
consolidation phase.
Sumit Dhawan (09:59):
Yeah. Very well said, Mahindra. The first one
was the growth phase. Both ofthem were transformation phases
for VMware. One was one businessto multi business and growth
phase of diversifying therevenue and the portfolio by
having more than one businessunit.
This was the phase where thecompany went from just having
(10:20):
predominantly a data centervirtualization business to end
user computing and networkvirtualization and even putting
the early beginnings of thecloud business. Those were the
business units that were set up.And once you set up up more than
one business to multiplebusiness units, there are
several implications as you canimagine. So so so that was that
(10:43):
phase. And then in the secondphase was transformation towards
cloud recurring revenue.
And, and then tail end of mytenure at VMware was obviously
making sure that we execute onour plan for both transformation
and what we had signed up to ourinvestors and the board, as a
(11:06):
standalone company whilehandling all of the various
constituencies that requiredapprovals globally from
regulatory perspective andhandling both of those and so
that you can hand over thecompany to the new, you know,
the new new spot. So so thoseare very, very different very
(11:27):
different times and differentroles that I had at the company.
Mahendra Ramsinghani (11:31):
And, of course, you capped it off nicely
with a $70,000,000,000enterprise value as you
transitioned out of VMware. Nowbeing in the world of
infrastructure, I'm sure you hada lot of options. The world is a
much bigger playground, and youcame to the world of
cybersecurity. Help usunderstand how your decision
(11:51):
making process went about.
Sumit Dhawan (11:53):
You know, there were two areas I was kind of
intrigued by as I made adecision to go do something
different around the time of theacquisition getting completed.
One was around the wholedeveloper software. The other
one was cyber In both cases, Isaw the market structure kind of
(12:15):
non sustaining in the state itwas in. It was highly
fragmented, very point product,and and I sort of felt like this
doesn't seem like the right fit.So my thesis is in the future.
It just doesn't make any senseto let this sort of whole thing
(12:35):
continue. And so those were mytwo primary areas of interest to
join because I thought these arethis is an industry that's gonna
go through a transformation. Soso then the the right player in
those industries would be onethat has incumbency, market
leadership, and size. Okay. Onceyou have incumbency, market
(12:58):
leadership, size, and of course,certain sort of differentiation
in the underlying technology,that gives you an ability to
participate in that next era ofa market change.
Okay? And with the rightleadership focus, at least you
have a potential and apossibility to go go make that
(13:20):
happen. And so looking at thatas the backdrop, Proofpoint
turned out to be one that I gotexcited about. The more I
learned about it, I sort of sawa company that had huge, you
know, market leadership in thespace that it played in, which
was, you know, email securityand had the starting points of
(13:42):
certain other areas the companywas expanding to and the revenue
was diversifying,differentiation from the
competition. And there is nothere's the the incorrect
assessment from the publicmarket that email security is
gonna go away or will getsedimented into a network box or
an or a platform provider.
(14:04):
And so once I sort of believedin that fundamental, then that
led to a conclusion that, hey.Proofpoint can be a company that
really takes helps drive thisnext era of cybersecurity. You
can be a major player in it, andI got excited about leading it
and making sure, you know, Iparticipate in that.
Sid Trivedi (14:24):
Sumit, you you talked a little bit about
Proofpoint, so let's dive alittle bit deeper. And you
described just Proofpoint'scommanding position in email
security. For for our listeners,many of them will know this, but
the company started in 02/2002,and it went public about ten
years later. And thensubsequently was taken private
in 2021 for just over$12,000,000,000 by Thoma Bravo.
(14:47):
It it had several leadershipchanges following that, and you
ended up joining the company asthe new CEO in in 2023, roughly
about two years after Tom hadtaken the company private.
I'm curious, like, what was thedecision making behind joining
the company that had gonethrough its, you know, amazing
heydays, had had the complexityof a, you know, a private equity
(15:08):
partner, and then had hadmultiple leadership changes
already happen. How did youthink about that? And you
mentioned Proofpoint's abilityto be very much on the top of
email security. I a 100% agreewith that. But I think, you
know, you're a big Warriors fan,and Steve Kerr has said this
multiple times that you can'tstay on top forever.
I'm sure that was runningthrough your mind that is there
(15:31):
you know, there's only one wayto go when you're up on top, and
that's down. There there'sthere's no way to go any higher
than than number one. How So didyou think about
Sumit Dhawan (15:38):
It's a
Sid Trivedi (15:38):
it's a
Sumit Dhawan (15:39):
it's a great, great question. Listen, I think,
when I was looking at it, I sortof didn't quite so there are a
few questions in there. One wasabout the fact that, listen,
you're a leader. Is there ascope to go any higher? It's one
way one question.
The other question you askedwas, is there a, was there a
(16:02):
concern I had about just thelast two CEOs leaving in the
last two years. Okay? I thinkthey to me, the former was easy.
Okay? I I wasn't coming here tomake Proofpoint an even bigger
market share leader for emailsecurity.
That wasn't the goal. Thatwasn't the thesis. That wasn't
(16:25):
the right strategy. It was tocoming back to, hey.
Cybersecurity has a sprawl.
There is going to be anarchitectural consolidation in
cybersecurity. And I felt likethere were sort of these
detection and responsetechnologies. There were
networks consolidation happeningthrough SASE, and some
consolidation had to happen onthe preventive part of
(16:48):
cybersecurity. And that'slargely become a human thing.
It's humans that get attackedand humans that lose data.
And once I understood that thereis a potential for that being
something that Proofpoint canhave a dominant position in,
that's not saying that you'realready at the top and you're
(17:09):
only gonna potentially hard togo up. That's saying that there
is a market that you can take onwhich is based on where you have
strength in. Okay? So that'skinda sort of to me like, okay.
Once you become really, reallysuccessful in the g league, now
you get to play in the NBA.
(17:30):
Right? So to me, that's sort ofhow I saw it. Okay. Here is a
here's an opportunity to takeProofpoint from G League where
we are dominating, we'rewinning, to now sort of this
team that takes on a biggercybersecurity market. And, you
know, listen, when we wentprivate, we went private at at a
(17:50):
revenue run rate of1,200,000,000.0 annually.
We crossed more than2,000,000,000 already, and and
we are we are well on our way tobe close to 2 and a half. And
our aspiration is to be a$5,000,000,000 company by 2030.
We call it five project five by'30 within Proofpoint. So so
(18:13):
that was my frame of mind. Sohopefully, that answers the
first question.
Any questions on that before Ianswer your second one?
Sid Trivedi (18:20):
No. I think you you put it very well, and we'll talk
a little bit about where youexpand in subsequent questions,
but I think you put you put theframing very well.
Sumit Dhawan (18:28):
Okay. And then the second question is, listen, the
the leadership transitions andwhatnot. My perspective is if
you believe in the in thefundamentals on the market, if
you believe in the fundamentalsof aligning with the board and
the investment thesis and theaspirations of the board in
(18:48):
terms of what they see, thenit's a leadership challenge for
the CEO to come in and get thatsorted out. And I didn't feel
like I there is no CEO seat thatcomes in that says, hey, this is
a beautiful ship. It's sort ofsailing in the right direction.
And just come in and make surethat you put your headphones on
(19:12):
and sit and do nothing. So tome, that was easy. That was
there was no that wasn't a worryat all. It's something, okay. As
long as we are aligned on whatwe wanna go do strategically and
we have bold aspirations that'saligned with mine and listen, I
had a dinner with the so myinterview process was very
straightforward.
We had a discussion on sort ofwhat we wanted to do over a
(19:34):
course of few days, you know,and then I said and they said,
hey. We're ready to make adecision. I'm like, I'm
surprised you are. If you are, Iwanna meet for dinner. I met for
dinner, both the chair and thelead board members, and I said,
here's my plan.
Here's the aspirations, what Iwanna do. Here's how I would do
it. They looked at it andthey're like, you're wrong on
this, but you're right oneverything else. I said, explain
(19:55):
how I'm wrong. They explained itto me.
We debated it. They were right.I was wrong. I said, okay.
You're right.
Let's move forward. We had theoffer. I signed it. So to me,
that's that that showed thatthere was an alignment with the
board, and there was the speedof decision making, which I
really liked, that made thedecision easier.
Ross Haleliuk (20:16):
That is a great story. And let's dive deeper
into it, and let's talk a bitabout the leadership challenges.
So you've led business lines atlarge public companies like like
VMware and then now at theprivate equity owned firm, what
do you find different aboutrunning a PE backed company?
Sumit Dhawan (20:34):
This was my first experience with private equity.
So I I didn't know what I didn'tknow. And, you know, I sort of
asked a few people in otherleadership positions at private
equity firms. And what I learnedwas, number one, I was getting
very inconsistent answers, like,so different that I was like,
(20:54):
okay. This doesn't quite add up.
Okay? So my first conclusion Idrew when I was sort of
comparing notes was there'snothing called working for a
private equity as a as aconsistent answer. Okay? There
is probably some degree ofconsistency working for a public
company. There's probably somedegree of consistency working
for a venture company, but thereis no consistent answer across
(21:18):
private equities.
That's the first thing Ilearned. In other words, every
private equity company sponsorhas a different model. Second
thing I learned was which wasafter the fact, was that what
really, really matters is nodifferent than what matters in
running a public company in ahealthy fashion, which is focus
(21:41):
on achieving the right businessresults with discipline. Okay?
At the end of the day, the onething that private equity does
really, really well is havingspot putting a spotlight on.
And this is more maybe aboutThoma Bravo because I have no
experience in any other privateequity. So what I really, really
(22:02):
liked working with at Proofpointwith Thoma Bravo, which was a
strong positive surprise, wasjust a spotlight on on numbers
in beat format, which is reallyonerous and painful for people
in finance and people inbusiness intelligence because
the amount of work needed inproducing all of that data is
(22:26):
high. But I kind of jokinglycompare Thoma Bravo as, like,
Apple Watch. If any I don't ownit. I don't like it, but I know
who own it or people who own it.
You know how it buzzes you everynow and then and tells you to
stand up if you have beensitting for too long. Okay. Do
you always stand up when itbuzzes you? No. Okay.
(22:47):
But it's a good reminder everythree times it buzzes you, you
know, you maybe you stand up. Somy bravo is no different. It'll
show you all the metrics andmake sure that you have a mirror
right in front of you. Now thereare always ugly spots that we
can see when we have mirror infront of us. Do you always act
on them?
Can you always act on them? Youknow, no. So that's the
(23:11):
relationship we have. Okay? Theywould there is this healthy
healthy discipline of looking atmetrics.
There's a healthy discipline ofthem pushing me, nudging me, and
us debating whether it makessense for us to fix or what are
the things that make sense forus to fix. But then they require
and they lean on me and myleadership to make sure that we
(23:36):
go sort of plan it and executeit. There is no playbooks. Okay?
They don't tell me, here's ourplaybook.
Go pursue it. There is no targetmetrics. There is no none
there's as much as it is for anykind of public company, you're
operating in a certain growth.There's some rule of
expectations. We are verysimilar.
And from governance perspective,given we are in much later stage
(23:58):
with them, we are operating asif we are in the public company
because that's what we aspire togo be as early as as we can. So
so so that's kinda how I havelearned of working with Thoma
Bravo, and it's been quitepositive. I know some teams get
bothered by Apple Watch nudgingyou too much. But listen, as
(24:20):
long as you can take it theright way and do what's right
for you and your health or youand your business in this case,
it's not a bad thing.
Mahendra Ramsinghani (24:29):
So maybe you mentioned, you know, the
word empathy early on in ourprogram. And then as we were
talking about Thoma Bravo andthis notion of results and
discipline, how do you look atthe future in the go to market
and growth areas. These are twobroad areas where the numbers
roll back in and Toma Bravo oryour board is watching the
(24:52):
growth. So when you think aboutgo to market, you know, there
are different tactics. There aredifferent ways you can reach
your customer.
And we'd love to hear what hasworked very well and how are you
changing that.
Sumit Dhawan (25:03):
Yeah. And I think at the end of the day, our our I
can sort of say what we've doneover the course of last two
years, and that's the foundationof where we are headed on the go
to market side. Proofpoint, youknow, when one of the things we
decided when I joined was we Ifelt like we had too many we had
(25:23):
our sort of fingers into toomany things. And if we wanted to
go win, in the world of cyber,even though we agree that there
is going to be fewer players, Ididn't think in the world of
cyber, good enough is gonna begood enough. Okay?
You need the depth of thesolution as as long as you're
serving it to enterprise. Thedepth of the solution that comes
(25:45):
in the form of efficacy andmany, many more things these
days, you know, now there ismore and more sort of, you know,
AI in terms of how things likeSOC power up, of course,
integrations. So there are sortof several elements that go into
building that depth of solution.And we had our fingers into
(26:06):
maybe too many things becausethe world of cloud and mobile
had opened up this large surfacearea of threats. And and and
CSOs can sometimes lead you intotoo many things if you you're
not careful.
Right? So we may we had madethat mistake, too many
acquisitions that were notconnected together. So we
(26:27):
focused. And by focusing what wewere gonna do, we said we were
gonna be the best at two thingsthat people do. People
collaborate with each other, andpeople deal with data.
Okay? And we are gonna build thebest possible solution on
collaboration security whereemail is part of it, but
collaboration is happening nowacross multiple dimensions.
(26:48):
People are collaborating throughsuppliers and third parties.
There are risks that arehappening because of internal
people's accounts getting takenover in the service desk and
whatnot. So there's a wholethreat landscape due to digital
collaboration.
And then there is a sort of datarisk and compliance and and just
information risk aspect becauseof people handling data. So we
(27:11):
created expertise in those twodetails that overlay our account
teams. And we sunset all the goto markets, and we sunset an end
of life everything else. K? Itwasn't done to cut costs.
Actually, we it led to achievingour growth targets and achieving
(27:35):
our margin targets because wewere able to focus. We actually
doubled down in certain areas.Yes. Were we had we gotten
fiscally in this notdisciplined. Every company does.
Okay? It's just cycle that yousort of make some investments.
Not every investment pans out.And as a leadership team, you
(27:55):
have to make a decision todouble down in the areas that
pan out and take investments outof areas that didn't. You know,
you are some of your ventureguys, you you guys do that in
the form of your portfolios.
In the in the world ofcorporate, we have to do that in
in the form of our initiativesand businesses and the bets we
place. And that's what we'dended up doing. Okay? And by
(28:16):
doing so, on the go to marketand the solutions we would go,
we built rich expertise and wedoubled down on r and d in these
areas. And, you know, I wasreally pleased to see at the
beginning of the year whetherit's Gartner Magic Quadrant
market share and data security,which was a brand new space.
It's become a sizable part ofthe business. We took over
market share leadership againstSymantec and and any of the
(28:40):
other DLP players. Now we haveexpanded into DSPM, and we
integrated the first ones tohave DSPM and DLP together at
our upcoming protect conference.We're gonna expand that for
agentic security as well that'srelated to data. So we feel like
we are clearly the innovationleader, market leader there
because of focus.
And we extended our emailprotection to a full range of
(29:03):
threat protection solutions sothat just an email security
player can't just address theneeds of today's threat
protection requirements. Okay?And that's what happened through
going deep in those two areas.And we really came out of
everything else from go tomarket perspective.
Mahendra Ramsinghani (29:21):
Thank you, Shubad. And, you know, speaking
of AI and speaking of how you'vebeen bolstering up your
portfolio, there is a buildversus buy strategy. How should
we think about Proofpoint's rolein building versus buying as you
look at the future?
Sumit Dhawan (29:38):
First of all, I'm very excited about the future.
Okay? We didn't of course, Ididn't expect that coming into
the role. We sort of drew we putin our view, we put human in the
middle and we said all aspectsof human centric security is
what we would sort of sedimentinto our platform, and we keep
going deep into the areas Imentioned. And things have
actually gone to some extent, Iwould even say, of plan in that
(30:03):
dimension.
We, we are looking at two areasof now growth in terms of the
future. One is this humancentric security problem is now
impacting every business ofevery size in every locale.
That's not something that I saweven two years ago. Okay? I have
(30:24):
not seen customers of reallysmall size saying they need best
in class security for phishingprotection and supplier
protection and SaaS securityprotection, things that they
would have never brought up twoyears ago.
They are bringing it up now. Sowe expanded into we had an
(30:45):
option, to answer your question,Mahendra, where we could have
sort of built that. We actuallyhad all the email security
underpinnings, and we could havebuilt this solution for micro
businesses that are servedthrough MSPs. In fact, we even
had a product line. But we sawwe didn't have a business.
You need a reach. You need aprogram. You need expertise to
(31:06):
be able to deal with partners ina certain way. You need
academies. You need communities.
So there is an aspect of thisfull value chain of everyone
from from distributors toecosystem to MSP providers and,
of course, end users. Andthere's a whole sort of needs
that come in for providing thatsolution when you're serving a
(31:27):
brand new market segment. So wedecided we were gonna play in
that market segment through anacquisition of a market leader
in that space, and we announcedthe acquisition of Hornet
Security, and we're really,really excited and waiting to
get that closed, hopefully,anytime soon. And then we
continue our journey in having,you know, this human centric
(31:48):
security now brought to everycustomer of every size. Okay?
That's that's our mission there.The second thing is we are quite
excited about well, I shouldn'tsay the word excited because
it's a pain for our customerseven though this the the era of
AI opens up a broad issue whendigital assistants and copilots
(32:10):
and agent agentic AI comes toshape. Last week, I hosted a
special meeting with six CIOsonly through the network. It was
not with CSOs on purpose. And Iwas amazed to sort of hear from
them how much and how fast andhow much AI they're adopting and
the pace at which their mandateis at this point in time to
(32:32):
adopt AgenTic.
And and that when I when Ishowed them, listen, the human
security problems extend tocopilots and agents, they were
like, we gotta solve them. Okay?Humans get socially engineered.
Agents get prompt engineered.Humans lose data.
(32:52):
Agents lose data. Humans getcredential fished. You know,
agents get certificate fished.But at the end of the day, there
is an intent of communicationthat's going to the agents. And
if that's not if that'smisunderstood, just like humans
misunderstand the intent, ifthat's misunderstood by agents,
that's vulnerability.
(33:14):
That's risk. So the good news isthere is some things we can use
from what we have. But there aremany things, Mahendra, we don't
know, and we are gonna belooking in the ecosystem to see
what's complementary that fitsinto our extension of providing
security for AI. Not AI securityis gonna be big, but what fits
in as a natural extension fromhumans to digital assistance to
(33:38):
humans.
Sid Trivedi (33:38):
You talked a little bit about the human factor and
and AI risks. I'm curious. Imean, even in email, we are
seeing a very different type ofattack. I think of it as zero
day phishing in that this is thefirst time when a when a, you
know, individual, an employeegets an email that is a phishing
attempt. Today, we are seeing,you know, these types of attacks
(33:59):
where it's the first time thatemail ID has ever been used.
It's a highly personalized emailto that individual, and it
doesn't have any links. Itdoesn't have any attachments.
It's, you know, trying to getthat individual to to
communicate back and forth.There's a lot of different ways
that attackers are leveragingthe new, you know, kind of
tooling that that has been builtby some of these large
(34:20):
foundation mall companies. I'mcurious.
Just in email security, how doyou think about that at
Proofpoint? How do you thinkabout how do we fight this new
type of AI attack?
Sumit Dhawan (34:30):
Yeah. It's a it's a great one. I think, first of
all, we weren't proud of it. Butwhat happened with us after the
advent of ChatGPT, and maybe itwas not attributed to ChatGPT,
even tools like Grammarly coulddo this. We saw, actually, for
the first time, our drop inefficacy was noticeable.
We take pride in number of sortof things we miss versus number
(34:54):
of things we block, and that'susually in 99.9 plus percent.
That's how we measure. And theseare advanced threats. These are
not simple spam. It droppedbelow 97, and it was all
attributed to a moresophisticated set of attacks
that were more conversationaland had an intent behind them
(35:14):
that was malicious, yet thecommunication was fine.
So we we determined thatsemantic analysis is no longer
sufficient. K? We've always hadall kinds of models that are
deep learning models thatcontinue to enhance rapidly
after you learn about apotential threat and you improve
the semantics. But we ended upbuilding then for the first time
(35:37):
intent based models. Intentbased models use language
models.
Okay? So they are languagemodels based models that at this
point in time are defending andprotecting our customers. And
these models are detecting theintent of communication. And you
can't rewrite a message. Youcan't as long as the intent is
the same, our models will scorethem to be high risk and then
(36:00):
you can, you know, you can do abunch of things, quarantine to
warn, etcetera etcetera.
And we and our efficacy has goneup back to 99.9 something
percent. And so, you know, wefeel like this is not gonna be
the end of the race. There is aconstant investment that we make
in new model creation and threatresearch, and the two work
(36:22):
closely together. And and we areseeing more sophistication, not
less sophistication. We areseeing compromises across not
just an attacker to anindividual, but compromise to an
individual's ecosystem ofcollaborators, and then regular
communication starts beforesomething nefarious comes in.
(36:44):
We see we are seeing, you know,channels of communications to be
more than one, more than email,you know, sending through teams
and whatnot. So so our threatprotection now platform is
expanding to cover this any toany protection, you know, where
more than just an attacker toperson, you're protecting all
(37:05):
the ecosystem of an individualby building a communication
graph and then checking anymaliciousness or abnormality in
that, as well as doing so acrossmultiple communication channels.
And I believe over a period oftime, email security will become
a feature of that kind of asystem that protects from these
future generation of attacksthat are gonna be
multidimensional.
Ross Haleliuk (37:25):
Sumit, there are many conversations about how AI
is changing the threatlandscape, like what is
happening, how it is enablingthe defenders to offer better
types of defenses. I'm curious,from your vantage point, you
have thousands of customers.You're seeing the kind of things
that most startups out there donot have the visibility into.
(37:47):
What is like, what are youseeing, when it comes to AI? How
is AI being used in the wild?
What are some of the novelattacks or attack methods? You
mentioned some. I'm curious ifthere is if there is others that
you haven't seen being talkedabout publicly. And what does
the actual customer adoptionlook like?
Sumit Dhawan (38:05):
Yeah. Firstly, I would say the even though it's
very difficult to technicallyattribute every attack to
generative technologies. Wetried that first, we were like,
what's it's we will only bewrong, and we can be wrong by
several percentages. So we wesort of stopped that exercise.
But what we see is clearpatterns.
(38:27):
The volume of advanced threatshave gone up significantly. It's
a big, big jump that we are atthis point of time seeing.
Second, the places and the typeof customers that are getting
attacked is changed drastically.We are seeing attacks in Japan,
Korea, Middle East. You know,where there is money but
(38:47):
language had been a barrier,language is no longer a barrier.
Okay. Clearly, we know thatattackers didn't go out and
learn Japanese and Arabic. Know,they this is clearly the the
generative technologies that arecoming into play. And then what
we are starting to see isattacks being made on Copilots.
(39:09):
We're starting to seecommunications with white text
in email that is nonhumanreadable to build asymmetry in
context between copilots andhumans so that at some point in
time, a prompt come can comeinto humans with asymmetry in
context that leads to potentialfraud or malware.
So we're starting to see thosekinds of sophisticated attacks.
(39:30):
We see them now in our systems.We're detecting these. And it's
hard for us to what do you whatdo you do with those? Right?
So we are also in ourengineering labs and working
with customers figuring out howdo you score them. Because it's
it's it's got nothing in it.There's no link in it. There's
nothing it's just got some whitetext, which you can clearly tell
is text to train a model. It'slanguage.
(39:51):
It's not like pixels. Okay? Sothere's clearly something that's
intended to happen with the withthat communication and is
nonhuman readable. So those arethe kinds of issues our threat
research and our modelers aredealing with at this point of
time. And, you know, this is thegross AI defending or competing
(40:12):
against AI.
That's what's happening. And soin terms of adoption, the good
news for our customers is, youknow, at the end of the day, we
take pride in 85 out of Fortune100, and 30% of enterprise sort
of email is secured by us. So atthis point, this is global
number. So to me, at this pointin time, when we enable a new
(40:35):
model, it gets activated for ourcustomers within a matter of
days. So we just roll it outwith any rollout practices you
would see in the cloud.
It's a very modern tech stack.It sort of gets enabled rapidly,
which is both good and bad. Itprotects the customers, but many
times the customers don't evenknow that they got additional
protection. So sometimes we haveto sort of keep telling them,
(40:56):
no. No.
Trust us. We we added a bunch ofthese models that without us,
you you would have probably seenbad stuff come in. So but that's
what's happening. It's AI AIdefending against AI every day
in our labs today.
Sid Trivedi (41:09):
Let's talk a little bit about kind of the changes in
the email security landscape. Imean, certainly, Proofpoint and
Mimecast have been the clearleaders, and Proofpoint well
above Mimecast if you just lookat pure numbers. And and both of
you focused on the secure emailgateway approach. And then we
saw kind of the secondgeneration of email security
players and, you know, let'sjust highlight two of them,
(41:31):
abnormal and material. And theirfocus was on this API based
approach.
Instead of, you know, using thesecure email gateway, let's use
API to, you know, provide thesame level of capability but
with a little less kind ofemphasis on being in line. Now
we're seeing kind of a net newgeneration of players. Many of
them are stealth, which are kindof the AI native startups, the
(41:52):
ones who are going to use AIagents instead of the
traditional regex based model.I'm curious as you see kind of
the the new generations playout, how do you think about
changing where areas where youthink Proofpoint should change
its approach and areas where youwanna stick to the core secure
email gateway approach that hasallowed Proofpoint to be the
(42:12):
significant leader that it hasbeen for well over twenty years.
Sumit Dhawan (42:15):
You know what we have learned? This is not an
either or. It's a market segmentissue. That's what we learned.
Will there be customers thatthat'll go from one segment to
the other?
Yes. But broadly speaking, thisis a market segmentation aspect.
If you look at all of oursuccess, all of our market
share, it is typically in largerenterprises. Let's call it 5,000
(42:36):
and above, you know, and maybethose numbers can change based
on the geographies and what. Andthen so what we found out when
we did an assessment of speakingwith customers and just trying
to understand what was happeningwas larger enterprises, they
have teams.
You know, when they went toOffice March, they didn't get
rid of their teams that operatethe infrastructure for
(42:56):
protecting office. So they havethe team, and they actually
prefer a solution that doesmultistage defense of
predelivery, post delivery, andclick time. That's sort of how
our system works, which isgateway is a foundation, which
is predelivery. But we keepprotecting all the way. There is
a after the fact API that'sbuilt into it, but it it
(43:17):
required a gateway.
But when we spoke with customersthat were a little smaller, they
said they have cyber teams. Theyhave a CISO. But once they went
to Office '3 65, they lost allthe teams that managed,
operated, and secured exchange.They didn't need them. Okay?
So there there was no one tooperate a gateway. There's
nothing wrong with the tech.Just no one could operate it. So
(43:38):
there were too many knobs thatsomeone had to make a decision
on, and there was no one to makea decision on it. Okay?
So that's the fundamental issue.There's no other issue, really.
So we said, okay. That makessense. There's, like, this team
that needs a set it and forgetit and let the configurations as
defined by their gateway inOffice '3 65 play all the
(43:59):
gateway centric things.
And after that, you clean upanything that comes in after the
fact. So that's why we acquireda company called Tessian. We
waited for that product to haveexact same detection stack as
our enterprise product. And thatshipped in March, and we're
seeing now great traction withthat product in that segment
that we didn't really play.Okay?
(44:21):
And that and we are not the Iwould not say we are the market
leader in that segment. We are achallenger at this point in
time, and and our team ischallenging. Now we are in the
market. We are competing withsome of the names you mentioned,
and we'll see how we fare. Okay?
It's we're proud of what webring to the market in terms of
efficacy and the quality ofefficacy and now a product that
(44:42):
integrates with Office threesixty five. And then this new
generation of agentic agenticone, I think at the end of the
day, there is a lot of modelsthat are already very
sophisticated in our solutionsand and maybe even the second
era solutions. I won't speak forthem. But in our solution, these
(45:03):
are as sophisticated as theyget, and they're only getting
better. We're gonna bring someagentic technologies on top,
agents that can help end users,agents that help the SOC, and
sort of it's our belief isunless you're going to micro
customers who really don't wantany technologies and they don't
have any cyber team, purelyproviding an agentic solution,
(45:25):
It's not just premature, but maynot ever be desired.
We're gonna closely watch. Okay?We we have been wrong in the
past. We may be wrong in thefuture, and we're not gonna hold
a firm opinion on this. Andwe'll be nimble and agile as the
customers respond, but we'regonna bring that agentic
solutions here at our upcomingconference in September.
(45:46):
I encourage all the audiencehere to attend. It's called
Proofpoint Protect, but weintend to bring those solutions
as something all our customerswill be able to avail day one.
Ross Haleliuk (45:56):
Many of our listeners are founders or
aspiring founders incybersecurity who are maybe
going through some ideationjourneys. Maybe they're
validating the the ideas thatthey would like to pursue. Given
your experience buildingproducts at scale and now and
also previously leading astartup, what advice would you
give to cybersecurityentrepreneurs that are starting
(46:18):
out today? Are there areas thatthey should focus on to avoid
some well known pitfalls? Ormaybe if they're looking to
innovate in a domain withestablished giants, is there
anything else they should bedoing?
Sumit Dhawan (46:30):
Yeah. I mean, I think there are gonna be three
three types of startups in thecyber world. Unfortunately, the
first one, which is a gap, aproblem, and a solution that has
tended to be the biggest volumeof startups. Okay? I would say
be very thoughtful and cautiousin that space because you're
(46:53):
talking about potentially, youknow, the other two being more
interesting that I'll gothrough.
Second is any aspect of securingAI. I feel like that is an area
where enterprises are enterprisearchitectures are not
established. So startups whohave the ability to pivot faster
(47:16):
and are able to sort of, youknow, build solutions at maybe a
higher velocity rate of velocityhave possibly a leg up just in
terms of how they find theirwedges in terms of various
issues that will exist. Okay? SoI think that becomes probably a
(47:38):
fairly good area for startups ifyou are investing in protecting
AI.
I think it will have a verysimilar dynamic as cloud did for
emerging, you know, the wholesort of security space that
emerged from it. I think thelast one is disruption, which is
disrupting the incumbentarchitectures. You know, SOC,
(48:00):
like x t disrupting XDR ordisrupting SASE or disrupting
Proofpoint, you know, major sortof stents. If you're really one
that can take that on, it's nota bad area. You can obviously, a
disruption is always a goodthing for a startup.
Obviously, it's the highest riskbut highest reward situation,
(48:21):
which is what startups sort oftend to get optimized for mostly
because of the investmentframework from the venture
capitalist. So I'd say those arethe three broad categories. My
only recommendation to theentrepreneurs would be that in
the past, the first category wasrewarded. It's hard. It's hard
in the first category all theway from investors to
(48:45):
potentially even at the end ofthe day, if you wanna be a be a
part of a company, it's a littleharder.
The other two just seeminstinctively at this point of
time, even though I'm not aventure capitalist, a better
place is for for entrepreneur.
Mahendra Ramsinghani (49:00):
Sumit, as we wrap up, you mentioned early
on in our conversation todaythat your internal goal is five
by 30, you know, getting to5,000,000,000 in revenues by
02/1930. Clearly, a veryambitious goal. If you widen the
aperture a little bit and lookout into the next five years,
(49:21):
what are some areas where youfeel like large swathes of
opportunity lie for a companylike yours?
Sumit Dhawan (49:29):
Honestly, I feel like it's not ambitious enough.
But so I I think I think listen.But to answer your question, the
markets we are in, we haveestablished ourselves as
technology leadership, marketleadership, ability to execute
and win customers, make themsuccessful with our technology,
make them fans of our products.And even in the markets we are
(49:52):
in, if I look at just sustainingour growth rate and market and
of course, growing our marketshare because we are growing
much faster than the market, wethink we, you know, we we have
we have ways to to grow and go.K?
Secondly, I'd say the and that'sthe reason I say that is
because, like I mentioned, we'rea challenger in this mid
(50:15):
enterprise space through thesolution we launched. We've just
opened up our sovereignsolutions in India, Singapore,
Middle East, Japan. These arejust new markets. We haven't
even we don't have any kind ofmarket presence as we do in The
US, for example. So there aresort of significant opportunity
for us there.
(50:36):
Second, I think I see a naturaladjacency and growth in the two
areas I mentioned. Inparticular, in going into micro
businesses and MSP, we have a wehave a great start. Yesterday
and day before, we had our topmanaged service providers hosted
as an advisory council. I thinkthey feel a lot of pain right
(50:59):
now in terms of providing highsecurity at high service levels
through a standardizedarchitecture, and we think we
can be the one complementingtheir XDR solution as that's it.
It's us and XDR that canpossibly provide the foundation
of all MSPs.
And then lastly, I think theworld of digital assistance and
(51:21):
agentic security, which is justa natural extension of human
security, that's an area wherewe are setting up a we're
calling it horizon three in thewhole horizon one, horizon two,
horizon three framework as anarea of investment for us, and
we are gonna invest that bothorganically and look at
landscape of potential m and aopportunities. You know, we the
(51:44):
the one thing on this five by 30is one thing we can lose track
of when you're just looking atit through the lens of numbers
is who we are. And you sort ofstart diluting yourself and your
focus into many things or littlethings that are not necessarily
related to your mission andpurpose at hand and your sort of
(52:05):
right to play and right to win.So we have we have used that as
a mechanism to define the scopealong these three areas I
mentioned. K?
Tons and tons of opportunity togrow by addressable market
growth that's happening in thecore markets. This MSP space and
agentic security. Have youfigured out answers in all of
those three? No. But that's whyI said it's 2030 and not 2025 or
(52:28):
'26.
Mahendra Ramsinghani (52:28):
Thank you, Sumit. Thank you. You know, your
background coming from the worldof infrastructure and having
worked with companies likeCitrix and VMware brings a very
unique perspective to the worldof cybersecurity. And most
importantly for our audience,you laid out the three types of
companies that founders shouldfocus on, you know, filling
gaps, securing AI, as well asdisrupting incumbents. You know?
(52:51):
I feel like this has been a veryproductive conversation for us
today, and I sure hope that ouraudience will benefit from this.
So thank you so much.
Sumit Dhawan (52:58):
Yeah. Thank you for having me. And, the more the
cyber ecosystem develops throughthe investments, the more we
benefit. We obviously love topartner and acquire the
technologies that get built. Soany of the startup founders, do
think about us, talk to us asyou're thinking about your
(53:18):
growth plans and potentiallytaking the technologies that
you've built to the nextheights.
Maybe we can help.
Sid Trivedi (53:25):
Thank you for joining us inside the network.
Ross Haleliuk (53:28):
If you like this episode, please leave us a
review and share it with others.
Mahendra Ramsinghani (53:33):
If you really, really liked it and you
have some feedback for us, wrapit on a bottle of Yamazaki and
send it to me first.
Sid Trivedi (53:43):
No. Don't do that. Mahendra gets too many gifts
already. Please reach out byemail or LinkedIn.
Popular Podcasts
My Favorite Murder with Karen Kilgariff and Georgia Hardstark
My Favorite Murder is a true crime comedy podcast hosted by Karen Kilgariff and Georgia Hardstark. Each week, Karen and Georgia share compelling true crimes and hometown stories from friends and listeners. Since MFM launched in January of 2016, Karen and Georgia have shared their lifelong interest in true crime and have covered stories of infamous serial killers like the Night Stalker, mysterious cold cases, captivating cults, incredible survivor stories and important events from history like the Tulsa race massacre of 1921. My Favorite Murder is part of the Exactly Right podcast network that provides a platform for bold, creative voices to bring to life provocative, entertaining and relatable stories for audiences everywhere. The Exactly Right roster of podcasts covers a variety of topics including historic true crime, comedic interviews and news, science, pop culture and more. Podcasts on the network include Buried Bones with Kate Winkler Dawson and Paul Holes, That's Messed Up: An SVU Podcast, This Podcast Will Kill You, Bananas and more.
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com