Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Well, folks, thanks for joining us. This is Simon Leopold, Raymond James data infrastructure analyst, here at our tech conference held virtually in the cloud. For our next session, we'll have Cisco, and presenting in the fireside discussion will be Gee Rittenhouse. We also have Emily Hunt from the IR department. So before we dig into our discussion, Emily, I think you had some disclaimers to open up with.

Yes. Thanks, Simon. So before we begin, please note that we may be making forward-looking statements. Actual results may differ materially from those forward-looking statements, and they are subject to the risks and uncertainties found in our filings and, in particular, our most recently filed 10-K and 10-Q. So with that, I will hand it back to you, Simon.

Thank you, Emily. So I've gone through -- I prepared some questions I'd like to go through with Gee. But maybe it's important to set context because Cisco is such a big company. You are running the security business. Maybe give us a little bit of information about your background and your responsibilities at Cisco.

Yes. So I come at the business from a technology perspective. The security business is very innovative as a market. So I graduated with a PhD from MIT in electrical engineering and computer science; spent my early career at Bell Laboratories, another deep research organization; and joined Cisco about 7 years ago to help lead the cloud effort. Since then, about 4 years ago, I joined the security business, and I've led it ever since.

And so maybe put this in a little bit of context because security is a relatively small part of the Cisco reported revenue, but it touches on so many aspects in each of the business units. Could you help us understand how security fits into the corporate strategy and the business overall?

So Simon, I think that's a great point because the security business is both a vertical, we participate in a large number of security markets, and we go after them with a strategy of being competitive in all of the large TAMs in security and integrate our portfolio together; but we also are horizontal inside of Cisco, and so we integrate well beyond our portfolio into networking and data center and collaboration and AppDynamics. And so we have both vertical components, which is the majority, but very much today, particularly all of our customers have security top of mind. And so whether it's networking, data center or collab, it's always secure networking, secure data center, secure collab, et cetera.

So maybe before we try to unpack this business a little bit, maybe could you think about, at a high level, what you see as the big trends, the growth opportunities and your vision for the business unit?

So the big trends are obviously the migration to cloud. We've seen this trend accelerate with the recent COVID-19 pandemic. But that's just accelerating a trend that was happening anyway. So -- but what that does is it enables from our customers and enterprises to really work from anywhere on any device on any network to any application. And from a security perspective, this really creates a large amount of complexity for the industry and our customers. It used to be traditionally that users, devices and applications were all in the same spot on your corporate network, and you'd go on there and you'd log into the network and you'd have your corporate-managed device and all of these things. Now when we're working from home and our applications are both on-prem as well as in the cloud and things like that, it makes security much more complicated. Historically, the industry has responded to this by developing specific technologies for each new security issue. So you may have started off with devices and then you get antivirus or networks and you get firewalls and on and on and on. And today, as we do this in this kind of general way, our customers and the industry has found themselves having collected like 100 security vendors and technologies in their environment. And so the complexity itself of managing all of these things in a dynamic environment like we find ourselves today, that complexity itself is now a vulnerability to the enterprise. And so our strategy has been to have offers in all of the major security market. So whether it's endpoints or e-mail or firewalls or cloud, all of these things, we have products in those spaces, but we pre-integrated them together to make it very, very simple for our customers. And so they immediately see the value of these products instead of having to integrate them together themselves and try to extract that value out after a lot of hard work.

And maybe it'd be helpful to kind of take this one step further and hear how do you segment the market. You've mentioned a couple of things, endpoint and firewall. I tend to find the debate that we have with investors is often -- we talk about security as if it's one thing. And clearly, it's not. So could you educate us on what are the sort of big buckets? How big are they?

So the largest TAMs are around the network piece, identity, devices. Those are the big 3. I would segment the market, and as you could in any market, several different ways. But I think one of the most interesting ways of segmenting the market is around the criticality of the offers you -- that you provide. So when someone is talking about firewalls or e-mail or endpoints, these are absolutely critical fundamental elements of any security posture. Then you have a lot of little things that you can go around as well. That certainly helped the enterprise and certainly broadened their perspective, but they're not like of that foundational level. So given that we're Cisco and we have deep relationships with our customers and are already a trusted partner in the networking space and in data center and in collab, we tend to segment the market in those foundational elements so that we can be a trusted security partner deeply embedded with our customers versus the kind of smaller, perhaps more niche markets that are yet evolving.

And I guess some of this brings me to this question around your competitors may have point products. Cisco has a portfolio. And we've often picked up on this debate as to what's the buying motion. Do customers come with a particular problem to solve e-mail or network or the customers basically say to Cisco I have a security problem? What's the buying motion?

We actually have both. So as the customers are thinking through their digital transformation, Cisco is engaged as part of that transformation narrative. So they are radically changing their network architecture to, let's say, a software-defined WAN architecture, and they want security built in. They're changing their data center architecture into a virtualized data center, and security is built in. So there, we definitely have these transformation discussions, but the purchasing motion is really about kind of like single products because no one is going to rip out their entire security framework and all of the money that they spent into that and then just replace it as a greenfield motion. So our security portfolio has to be open. It has to have open interfaces, being able to act in part of a broader ecosystem. And we slowly kind of migrate our way through our customers' journey as certain things come up for replacement, and we've been having these transactional conversations. They replace it with Cisco as we can demonstrate the value of doing so.

So I think it was pretty recent that you announced and launched SecureX as a platform. I think of this, and please correct me if I'm getting this wrong, but as a unifying platform to bring the pieces together. And so if you have a customer that has a mixture of suppliers and they're bringing Cisco in, how does SecureX work in an environment that's not all Cisco?

So first of all, I'm pleased to announce that, today, CRN, our partners or the broader partner community has announced SecureX as the winner of their cloud platforms. So that's quite an accomplishment. Particularly since we launched SecureX last June, we've been seeing a monthly adoption rate of about 1,000 customers using it every day per month. And so the -- there's been a pent-up demand in the market around a simplified portfolio -- simplified platform view of security. There's been many attempts at this. And what tends to happen is the industry says, here, I'll simplify your security environment but if you just buy our platform. And then you go through a 2-year IT integration of that platform, and you're finally there and you realize that the industry has changed. We're unique in that the platform, SecureX, is built into every offer that we have. So if you buy a firewall, you get SecureX for free with it. If you buy e-mail, you get SecureX built in to that offer. All of them, you get SecureX because we want that adoption of the platform to be very, very easy and seamless. Then as you purchase more Cisco, you immediately get the value of that because you already have the platform and you're using it. So you see the value immediately. That attracts a lot of customers. And with that, comes how customers are using the platform. And with that additional insight, we can then apply artificial intelligence and machine learning to further automate, to further simplify our customers' experience with security. And as a result, that attracts more customers where we gain more insight. And so in a very frictionless way, we get a virtuous cycle around simplifying security, which is the most complicated problems our customers have in IT today.

I guess what I'm still struggling with, though, is when they've got a mixed environment that's not all Cisco. They're not getting the full benefit.

They do. So our customers can integrate -- it's an open platform. So they can integrate SIMs. They integrate point products and whatnot of our competitors. And they do see a value of that because it is a single pane of glass where they can get all of these benefits. But unlike Cisco, which is deeply integrated, because we're committed to this -- to a platform-type environment, many of the competitors are not fully committed to that. And so while they're open through APIs, the information that they share and the ability to actually activate their devices remotely depends on the vendor. So you don't get the complete kind of benefits that you would with all Cisco, but you certainly get a benefit of a single pane of glass, and we see customers integrating in hundreds of different vendors already today.

So I want to transition the line of questioning towards the aspects within Cisco of transitioning to more software content, more recurring revenue. And your business unit was probably the test case, the first portion of Cisco to really change and transform. I remember the metric of being 50-50 software to hardware. So could you help us understand where you are today in that transformation as a business unit and what the targets are?

Sure. So we were one of the early businesses to transform because, quite frankly, that's what our customers wanted from security. Security is always changing. It's a dynamic environment. So you can almost think about our business as a content business. You have an appliance, whether on-prem or in the cloud, and it's the content that is given to those cloud platforms or appliances that make security valuable. It's the latest kind of threats and the latest things you're protecting that you see in the industry and in the wild. And so it's not a static thing that you just buy and kind of walk away from. So because of that market dynamic, we were an early adopter of subscriptions. And so for us, the software part of our business is 100% subscriptions today. So we don't have anything further beyond that. What we are seeing though is that customers are further migrating from subscriptions into consumption models, into pure SaaS in our cloud-native, fully cloud-scale platforms like SecureX, like Umbrella, like Duo. And about 25% of our business now is pure SaaS. And so we don't have targets for that, but we do see the market really kind of moving in that direction. And so we encourage that transformation and continue to develop the portfolio to support this kind of -- whether it's on-prem or in the cloud, our customers are on this journey, and we're going to support them along that journey regardless of where they are today or tomorrow.

And maybe my follow-on question is actually, I think, sort of stepping from that as the enterprise commercial customers are embracing hybrid cloud, public cloud, suddenly, it's not just a matter of protecting their facilities but protecting their applications. Could you talk about how hybrid and public cloud adoption has changed your business?

Yes. So what we have done, it's changed it in kind of 2 ways. Initially, the users, the devices and the applications were all located in one place. Now, of course, users and applications are in different places. It's no longer all located on the enterprise. They're different, and so we end up protecting them in different ways. We protect the users now with our cloud platforms. But the applications, we actually have moved the protection into the applications themselves. And this has allowed us to simplify the overall security architecture. Remember, like take a firewall, for example, that was protecting the applications. But it was also protecting the enterprise, the infrastructure, the users, et cetera. Now that it's moved into the cloud, you can really reduce its footprint and make it much, much simpler to do. So it's changed our kind of architectural approach from that perspective. The second way it's changed is the buying motion for security on-prem was really centered around IT, the CIO, the chief information and security officer. But as they moved into the cloud, those applications have to be protected with the developer community who is now developing those applications and the lines of business that are pushing applications into the cloud, which means it's a different buying center and a different user experience. And so we also have expanded the security portfolio to include AppDynamics, which is used to monitoring those applications and is well versed in how developers deploy applications and push applications to the cloud. We're now building security into our AppD portfolio to now expand beyond the IT, CIO and CISO into the developers themselves.

And that would be an example of working across other business units then. Is that right?

Exactly, Simon. Yes.

So I want to touch on what the pandemic has meant for your line of business. I think, in the investment community, the thinking has been that pandemic has actually pulled forward security spending, that it became a higher priority area, an area where organizations could invest. And so the next line of questioning is, well, did we steal from the future? Does that mean less spending in a recovery? So could you reflect on what you saw changing due to the pandemic? What surprised you? And then are there ramifications for that in the future?

So I think there's 2 things that perhaps not surprised us but -- from a strategy perspective but surprised us from an execution perspective. There's one class of the economy that were on their way through a digital transformation to the cloud. And what we did -- what happened in the pandemic for that class of the marketplace was an acceleration to the cloud. And we were surprised by the speed that, that occurred. Like overnight, you went from 5% or 10% of your employee base working from home to 100%. That brief business continuity piece of it is largely behind us. So that has been pulled forward, in your vernacular. But the broader digital transformation is still yet ahead of us. So yes, they have their VPN capacity now, but they're now on a Zero Trust transformation or these other kind of transformations. So this has been an accelerant in the cloud adoption digitalization journey but one that will continue going forward. We don't see enterprises going back necessarily and not adopting cloud anymore or going backwards in their digital transformation in that way. The second part is around new verticals that perhaps were initially resistant to digitalization because of business models or regulatory issues and things like that. Health care is a classic one where it was very difficult, even just from the mechanics of insurance, to have remote medicine. And now, of course, we're very, very familiar with that. So you've kind of -- they weren't on a cloud or a digitalization journey. And now they are, and we want to see how far they can go. And these have opened up new markets for us. And so what I've seen is that there is a shift in the security kind of landscape, the transformation that I told you about. But also, to your earlier point around spend, we did see some slowdown in the traditional IT spend around, let's say, data center security or kind of more traditional things. And as people go back to work and go back into the branches, go back into the enterprise, we expect that part to come back up again.

And what about the trend of work from home? I think there's some conventional wisdom that some portion of the population may be working from home for months, maybe years, well into 2021, even after a vaccine is available. That has to be something that IT professionals, managers didn't contemplate before the pandemic. How is that affecting your business? And what changes come about because of the increased use of work-from-home?

Yes. I think we're going to be in a hybrid environment for a long time. I think the public benefits or the benefits of work from home and the detriments of working from home are very public. And we've kind of seen this pendulum go back and forth in the narrative. But what we have demonstrated over the last 9 months or so is the fact that you can do it in certain industries. And so I think there's going to be a willingness in many industries to have this kind of hybrid model. I think, from a security perspective, it raises some interesting challenges. It still is -- because anybody can work from home in this hybrid environment, you still have all the complexities that I mentioned before. There's very little difference between 100% of your workforce working from home and 50%, particularly when you don't know who the 50% is in any given day. So from a security perspective, that exists. The second thing is we're going to find ourselves still with a lot of video. So even when you are sitting there, you wouldn't be meeting in a conference room. If 50% are remote, that means there's a lot of video going in and out of the enterprise, which means that we're still going to have a large on-premises component to security that has to be prepared for this increased data rate going in and out. So I think there are some structural technical shifts that will happen that really do force us on the security side to have a robust on-prem component of security to handle these bandwidth but yet flexible and easy to be highly dynamic in this new world.

And I guess kind of if we just think about it, security has remained a priority. It hasn't suffered during the pandemic. Is it fair to say that in a recovery, it would not have an accelerated growth that you might see in other areas of the business?

I think security is now top of mind with every CEO and every Board conversation. And I think the importance of security will remain because, of course, just the importance of the assets that is core to the enterprise and the protection of those assets, either deliberately or just through a compliance. I think what will happen, though, is security will be as much a part of other business transactions. So it's almost going to be implied that when you're talking about, let's say, supply chain optimization or manufacturing transformation, those may be the topics. But underneath, you're implying it's secure manufacturing, it is secure supply chain management. It's now just part of everyday business.

I want to talk a little bit now about acquisitions. So anybody who follows Cisco, we know the company does lots of acquisitions. I think that is a core competency. So let's bring this to your business unit. How do acquisitions fit into your strategy?

So traditionally, acquisitions have played a key role particularly in foundational elements of security, whether they're new markets or broad security trends. And so we saw this with the firewall, getting into threats, with the cloud motion, and so we bought OpenDNS; Zero Trust, we bought Duo. These are strong foundational elements of the portfolio. And security is always dynamic as an industry. So we expect to see kind of more foundational elements over time. But what we have been able to kind of rethink with our SecureX platform -- introduction of SecureX as a platform is we can now start to fill in some of the portfolio with smaller assets that we wouldn't have considered before because it just added complexity to the buying motion in the portfolio. But by -- here, we can tuck them in into a common narrative and provide immediate benefit for our customers as a result, and they see the value of that. And so I think our acquisition strategy will continuing in these kind of foundational elements but expand into these kind of smaller opportunities that provide immediate value to our customers.

So maybe let's reflect on some of the deals that you've done. What do you consider your most successful acquisition and why?

So we see the kind of foundational ones: Sourcefire for our firewall, OpenDNS for SASE, Duo for Zero Trust. These are big core foundational acquisitions that are highly successful and really kind of define the business for us today. But from a financial performance perspective, even smaller ones like Cloudlock or like our Stealthwatch acquisitions in analytics, these provide real, tangible benefit because more and more security is around the data and the data analytics of it. So being able to consume that data, have access to it and then process it is also very successful. So as you said, being able to both innovate organically as well as inorganically is our core competency, and we see that continuing going forward.

So did I just ask you to tell me which is your favorite child?

I tried to avoid saying that. They're all my favorite. And the great thing about security is that it's always building on top of each other. So like even some of the, let's say, children who've gone through college, like IronPort and ScanSafe, like, they're still providing real value to our customers. Because you don't take things out, you build upon it in security. So I have lots of children, and of course, they're all my favorites.

So I wanted to ask you specifically around the product area of SASE or SD-WAN category. And Cisco is, I think, well regarded as the market share leader. But we continue to hear debate, I think philosophical debate, about architecture and fit. So you've got companies like Fortinet coming at it from a firewall perspective and Check Point with its own view and HP recently acquiring Silver Point (sic) [ Silver Peak ], so WAN optimization angle. And I unfortunately see value to each one of these, but what's your take on the best approach?

So when we talk about SASE, or secure access service edge, you can -- it's like talking about cloud or something. It's so broad, so comprehensive, you're going to include everything. And so from that view, you can start to take kind of different lines of thought through that topic and see real value in many different ways. The way we view SASE is really kind of in 2 components. You have this -- you have the SD-WAN component. And like, without SD-WAN, it's very hard to imagine SASE. That's really kind of the first step in your SASE journey because you have to be able to steer the traffic dynamically and in a programmatic way. But you can also come at it from the security perspective that says like, look, I'm coming from an on-prem appliance into a cloud-native platform. And I want to just have people steer the traffic into my cloud-based platform, and then I do the security processing and extend it on. So with SASE, you really do see this intimate integration of security and networking. Those 2 have historically been very separate and distinct. And now for the first time really in our industry, we see this very tight integration. That integration can occur on a box, like you mentioned, Fortinet, for example. It could start to go into the cloud like we have with Umbrella and integrated the security portfolio. Where I think Cisco benefits is we have a market leader in the cloud side and market leader in the SD-WAN side. By integrating those things together, we bring real value to our customers. Our customers, when they take an SD-WAN and try to couple it to, let's say, competitive clouds, that's a 6- to 9-month journey to get that right and get all those tunnels right. We can do that with a few mouse clicks in Viptela or Meraki. So like there's real benefit of integrating these together. And I think you're going to see, over time, a further integration across Cisco of networking, network functions into the cloud platform of Umbrella and security.

And is the SD-WAN platform within your business unit? Or is this a collaborative effort across BUs?

It's a collaborative effort across BUs. But -- and by the way, it started probably maybe a year ago, where you can take a Meraki box or a Viptela box and then access the security functions in our Umbrella cloud. Now on the road map, we're taking some of that functionality itself and putting it into the cloud. So you have true tunneled SD-WAN experience with the cloud being a native component of the SD-WAN architecture. And so you don't just have like SD-WAN components with a gateway going out. It's now integrated all together. And I think when that gets released over the next 12 months, that will be a very, very powerful solution for the marketplace.

So I've got a question you on identity. And in the spirit of transparency, this actually comes from my colleague who specifically focuses on security companies. And so within this, you had acquired Duo, which is focused on identity access management, and the impression he's had is that Okta seems to be winning mind share and market share. And there seems to be a bit of a zero-sum game that if Okta's winning, therefore, Duo must be losing. How do you see the marketplace evolving? Does Duo -- is it able to succeed an Okta? Is it a rising tide floats all boats? Or is it a competitive zero-sum game as many see?

Let me just start by saying Okta, Microsoft, these are some of our largest partners with Duo. So it certainly isn't a zero-sum game. I think what ends up happening in this market is, putting aside the access management part of it, there is another transformation that is happening around the directory and having an Active Directory move from on-prem into the cloud. And as part of that directory transformation, there's a lot of competition in that space. And -- but there's a kind of separate transformation happening that's all about security and what we call Zero Trust or being able to really make sure that you are who you say you are. And today, hackers don't hack into networks. They log into networks with stolen credentials. So the first step of Zero Trust is around getting multifactor authentication with device posture stood up. Duo is, by far, the easiest in the market to do that because you can do that without a directory transformation. So anybody could do that today. It doesn't have to be part of a big transformation motion. But for those customers who are going through a transformation, Duo still is very highly valued because it's a market leader with the endpoint experience. And we focused a lot of time and attention on that user experience. We have an NPS score that is higher than Apple in this space. So like, we spend a lot of time there. And so for those undergoing a directory transformation, they still buy Duo in addition. And those, like I said, are our biggest partners as well.

So maybe if we think about this, we started out talking about the breadth of the security portfolio. When you look at this business, who do you see as your closest competitors? Who are you fighting day to day?

I think the way I look at it is, in each of these markets that we serve, e-mail, endpoint, firewalls, SASE, all the ones that we described, there are serious competitors in every category, and these are highly dynamic markets that have large TAMs and so attract a lot of venture capital as well as competitors into the market. I think there's a broader narrative though, around these digital transformations. And in those conversations, Cisco is a trusted partner around collaboration, networking, et cetera, and as well as security. I think there's only a handful of companies that are really trusted -- have those trusted partner relationships with our customers. And like, a classic one would be Microsoft, for example, for the applications. And so while they're our biggest partner, perhaps in some cases, we also compete with them as they enter more the security market. And so those are the ones that I think are probably kind of the future competitors that we see, although we'll always have a partner/competition kind of ecosystem, I think, with quite a few of them.

Gee, we're just about out of time. So I want to close with the question I always like to close with is, what do you think is the least appreciated aspect of Cisco's security story? So if there's some point you don't think the investment community is following and you want to just bring it home, what would that be?

It's bigger than you think because we only report the product revenue. But you can imagine there's a considerable service revenue as well. So it's bigger than you think.

Great. Well, thank you very much for joining us today. Emily, thank you as well. Folks, thanks for joining Cisco in this deep dive into the security business. This is Simon Leopold from Raymond James. Thanks.

Thank you.

Thank you.