Wake up call: An Open Letter to Gil Shwed, CEO of Check Point Software

Dear Gil:

This letter is meant to be a wake-up call. While it points to many missed opportunities and wrong turns that I believe Check Point Software has made, I hope you will understand that it is a call to action rather than a criticism of past blunders.

I have been perplexed by Check Point’s actions, or rather lack of actions, for the last seven years. Do you not see that there are opportunities in network security that surpass the existing size of the market? Do you not understand that your current customers are less well protected from outside threats than they were when they first became your customers? Do you not see the warning signs when you lose your major accounts to competitors? Do you not watch the network security start-up activity in Silicon Valley? Have you not noticed that Cisco is pulling off a marketing coup with its misbegotten Network Admission Control scheme?

By way of reminder I should recount my connection to Check Point. When you were first trying to get a foothold in the United States with your revolutionary stateful inspection Firewall-1 product I was director of business development for a reseller in Detroit. I sold the first enterprise firewalls to much of the automotive industry. I also introduced your co-founder, Shlomo Kramer, to Bob Moskowitz who was both heading the Automotive Industry Action Group’s (AIAG) effort to standardize VPN technologies on IPSec and coordinating the IETF’s IPSec efforts. You may recall that Check Point had settled on S-WAN for encrypted communications until that introduction. I accompanied two of your young engineers to MCI’s lab in Plano, Texas, later that year for the first ever IPSec interoperability bake-off hosted by the AIAG and the IETF.

Several years later found me the analyst at Gartner responsible for creating the Firewall Magic Quadrant. Remember when I took all of the firewall vendors out of the leader’s quadrant for lack of vision? That was the time frame that NetScreen managed to carve out a huge segment of the firewall industry through innovation in technology, business model and marketing. How was it possible for a new firewall vendor to enter your space so late and establish a market valuation of $4 billion by the time they sold to Juniper Networks?

Your recent failed attempt to acquire an entity that is commercializing SNORT, the freeware Intrusion Detection System (IDS), was the final sign I needed that you do not understand the network security market, the gaping holes in defenses yet to be filled, the rising tide of cybercrime, or the big picture. This is not a time to copy RSA, IBM, Symantec and McAfee by acquiring multiple pieces of the security pie and hope to meet Wall Street’s appetite for improved numbers quarter over quarter. This is a time to dominate the network security space and leverage that dominance in the network; not the desktop, not the data, not physical security, not the server, not the data center - the network.

Here is my unsolicited advice. To be heeded only if you have the goal of dramatically increasing Check Point’s presence within the enterprise, doubling revenue in less than five years, and opening market opportunities measurable in the billions of dollars.

First and foremost, the operations and corporate administration of Check Point Software must move to the United States. That may be tough to swallow but the location of a corporate headquarters is not a lifestyle decision, it is a business decision. Strategy and operations must be guided from this headquarters. While your current office location in Northern California is ideal, the ultimate location of your headquarters could be influenced by acting on my next piece of advice.

Check Point firewalls must be hardware appliances. The current model of giving away half the revenue of a firewall sale and most of the support revenue has been demonstrated to be a market share loser. Yes, you enjoy enviable margins as a software-only company but it has been at the expense of giving up market share. It may not be too late to develop your own hardware platform but I would advise that this market cannot wait. Check Point should acquire an existing platform that is already successful in supporting FW-1, your flagship product. Check Point must own the platform in order to execute on the rest of my advice.

After investing the capital in a hardware acquisition there is work to be done. You have to maintain your existing channel while you cut prices, increase partner margins, and introduce new product configurations and support. There are four segments in the network security arena: enterprise gateway, enterprise core, SME and carriers. Across all of these segments your products need a major overhaul. They must be capable of processing entire packets and even sessions at speeds that exceed what your current products do with just packet headers. You will have to OEM your technology to other manufacturers in a tactical move to curtail the number of companies eroding your share in the small office/home office.

The two biggest opportunities in network security are within the enterprise and within the cloud. The enterprise opportunity is identified by the quick response the market has had to Cisco’s marketing of its so-called Network Admission Control. While I do not believe that quarantine of laptops is the driver here I do believe that granular access control is driving market demand for new internal security measures. With Check Point’s existing VPN expertise this is an easy innovation to introduce with little additional investment. The strategic importance is that executing on an access control strategy opens the interior of the enterprise, a market that is bigger than the gateway market.

Carriers are clamoring to offer security-in-the-cloud services. Check Point must be in a position to deliver virtualized firewall, VPN, and other security services in carrier equipment.

The best way to sum up my advice is that Check Point still has an opportunity to regain its dominance in network security. The big picture goal should be to reach that exalted state where the Check Point brand becomes so powerful that someday in the not too distant future you can introduce competitive network devices to instant acceptance. Just as Cisco introduced the PIX line of firewalls by leveraging their unequaled support and product functionality in the network, Check Point will be able to expand its share of the network equipment space by leveraging your future reputation for delivering secure, reliable and innovative products based on carrier-class platforms with best-of-breed support coupled with a world class distribution channel.

Gil, these are just one analyst’s opinions but that analyst is an outsider and I perceive that Check Point needs a good dose of outside perspective at this critical juncture. The network has grown a thousandfold since the ‘90s; the threats we see today were not even on the horizon when FW-1 got its toe-hold in the market thanks to Sun putting it in their “book” of products. Everything else is changing. Why shouldn’t Check Point remake itself to profit from this change? It is time for Check Point 2.0.

Best regards

Richard Stiennon

Chief Research Analyst


Stiennon is chief research analyst at IT-Harvest and publisher of the Data Protection Weekly newsletter. He can be reached at richard@it-harvest.com

Copyright © 2006 IDG Communications, Inc.