Palo Alto Networks is the culprit behind Cisco's -8.4% FY11 security sales decline
Fri, 8/12/11 - 2:25pm View comments
Network World confirms Dual CCIE #18532 Security/R&S - George Morton was correct in his assessment that Palo Alto Networks is the culprit behind Cisco's security sales decline:
"Palo Alto Networks has injected excitement and innovation into the firewall market with its 'next-generation' appliances that combine traditional firewalls, threat mitigation technologies such as anti-malware and intrusion prevention, and the new magic dust of application identification."
Cisco reported a respectable +7.9% net sales increase for FY11.
Additionally, 6 of Cisco's 9 sales product reporting categories had robust average FY11 sales increases of +22.9%.
Anxiously though, 2 of those 9 product categories, switches and video connected home (representing 41% of Cisco's total FY11 net sales), had slight to negligible sales declines of less than -1%.
However, what really caught my attention was the unusual -8.4% drop in Cisco's FY11 security sales.
So why would that specifically catch my attention?
Well, mostly because 25-days ago, security vendor Check Point Software Technologies reported a 2nd Quarter Y/Y (Year-over-Year) sales increase of +15%.
Meanwhile by comparison this week, Cisco reported that its 4th Quarter Y/Y (Year-over-Year) security sales dropped a worrisome -21%.
Wow I thought, so I put in a call to my Cisco security expert, Dual CCIE #18532 Security/R&S - George Morton, to find out why Cisco's security sales were in such a steep decline.
Naturally, I expected Morton to blame the well known Check Point as the "culprit" in Cisco's security sales misfortune, but I was quite surprised to learn that according to Morton it was tiny little-known firewall vendor Palo Alto Networks causing the Cisco security sales decline.
Although marketed otherwise, Cisco security products do not require Cisco networking equipment to be present, nor does having Cisco networking equipment mandate Cisco security products.
Through its acquisition of IronPort, Cisco has strong product offerings across the network security, Web security and email security tiers. Cisco has continued to consolidate its security products into a single business unit. Gartner believes that Cisco is in a strong position to launce "security as a service" and data-center-specific security offerings.
Cisco firewalls have not seen any noteworthy changes in 2009; however, Gartner forecasts that changes within the Cisco security unit will be realized with increased competitiveness from 2H10 through 2011.
Cisco is assessed as a challenger for enterprises because we do not see it continuously displacing leaders based on vision or feature, but instead through sales/channel execution or aggressive discounting for large Cisco networks when firewall features are not in high demand.
Gartner's cautions about Cisco:
Where Cisco firewalls were shortlisted, but not selected, quality and usability of the management console, Cisco Security Manager (CSM), were consistently the factors most often cited.
Cisco firewall and security products continue to have one of the highest rates of published product vulnerabilities. Although Cisco is a high-profile target, security products must have a higher level of assurance than general-pupose products.
The ASA line is becoming somewhat dated and, although Gartner expects Cisco to introduce new models. Cisco often is excluded from placements with high throughput. Cisco's Firewall Services Module (FWSM) and ISR have been on a separate firewall development stream (closer to the PIX code base) and haven't benefited from ASA advances.
The requirement to add a hardware module (the AIP-SSM) to add IPS capability to the ASA firewall appliance remains a barrier to deployment and a competitive disadvantage for branch-office deployments. The add-in module does, however, provide processing help with the deep inspection load. If the SSM module is used for IPS, then it cannot be used for other content inspection.
Cisco remains elusive on competitive firewall shortlists by Gartner customers. Cisco firewall products are selected more often when security offerings are added to Cisco's infrastructure, rather than when there is a shortlist with competing firewall appliances. Cisco was listed by competitors as the product they most replace. This is likely to change as the PIX replacement cycle ebbs. This is not a strong caution, given Cisco's market share.
The integration of reputation features across Cisco security products is a highly significant feature differentiator that is often missed in enterprise selections.
Its Adaptive Security Appliance (ASA) has the option to add an IPS module (AIP-SSM) to replace a stand-alone IPS. The ASA is available in four editions, which clearly define what safeguards are being purchased.
Cisco has significant market share in security (including having the largest market share for firewall appliances), has wide geographic support and is viewed as a significant (second-highest)enterprise competitive threat by the vendors we surveyed.
Gartner's take on Palo Alto Networks:
Palo Alto Networks has been selling firewalls since approximately 2007. Although essentially a startup, Palo Alto Networks is not a typical startup, because the company is well backed, including first-tier venture capitalists; the founders are alumni from other firewall companies; and the CTO invented stateful protocol inspection. The company's application ID feature was one of the first in the firewall market to categorize applications within HTTP/HTTPS.
The firewall and IPS are closely integrated, with App ID implemented within the firewall, obviating unnecessary IPS deep inspection.
Palo Alto Networks often enters enterprises via URL-filtering selections, where its per-box charge does better than most competitors that charge a per-user fee.
The company has also linked the Application ID feature to Active Directory, meaning that reporting and setting the application policy can be by name and organization, rather than by IP address alone.
Palo Alto Networks was early to introduce effective application identification (App ID), allowing for categorizing, blocking and rate-shaping of applications, primarily within HTTP and HTTPS, and it generally leads in application categorization.