Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Welcome, everybody. We're going to have Marilyn come up real quick to read the Cisco safe harbor, and then we'll jump into our conversation with Shaila from Cisco. Great.

Thanks, Meta. So I'd just like to remind the audience that we may be making forward-looking statements. So I refer you to our SEC filings, including the 10-K and 10-Q that were most recently filed on the Investor Relations website. I'll now turn it back over to you, Meta.

Great. Perfect. Welcome, everybody. We're delighted to have Cisco here today. For those of you, I'm Meta Marshall. I cover the networking space here at Morgan Stanley. We're delighted to have Shaila Shankar, SVP of the Security Group and General Manager of the Security Group.Very topical right now, just given everything we have with the geopolitical environment. So maybe just starting with, security continues to be ex-geopolitical, a huge investment area not only standalone but a catalyst for networking purchases. Just how have you seen security needs evolve over the past couple of years as employees become more distributed and you move to a hybrid work environment.

First off, thanks for having me here. This is my first time at this event. So I really appreciate the opportunity. Security is definitely top of mind, top to bottom in the organization at this point, just given the geopolitical issues that you just talked about, like speaking for right now in the last few weeks. Beyond that, over the last couple of years, for sure, with employees becoming remote, work becoming remote, it has changed the paradigm for how employer has to be thinking about security. On top of workforce being remote, we also have seen workloads moving to the cloud. The combination of workforce changing, workplace changing, workloads moving to a different location, all 3 meant that organizations had to increase their investment in Security. Is it me, or am I too loud?

No, I think you're perfect.

Okay. Okay.

We all sound like we have an echo right now, but we're good.

Okay. Sounds good. So what we have seen is the spend on security has significantly gone up along with rapid movement to the cloud, faster digitization and just managing the perimeter.

Okay. Got it. I mean, maybe just in terms of adding in kind of a Russia-Ukraine or just more topical geopolitical environment, just separate from everybody becoming a little bit more distributed, how have you seen kind of geopolitical play into recent security trends?

Yes. So we have a phenomenal threat research organization as part of the Security Group at Cisco. It's called Talus. We have been at the forefront of seeing a lot of things happen in the world way before they actually become public news, as you can imagine. We work with over 40 different government agencies globally, which means there is a lot of intelligence that we have that we're actually sharing proactively to make sure that the world is a better place. Our concern right now at Cisco is making sure that the intelligence is getting to the right agency, right organization, right customer, so they are protected. But starting from DDoS type of activity to breaches, we're seeing all kinds of activity in the cyberspace now.

Got it. That's helpful. I think another area people grapple with in security is just we're talking about a lot of new security approaches all the time, whether it be cloud, SASE, Zero Trust. One, what do you think that people miss about how Cisco can participate against all these pure-play security vendors?

Yes. The scale at which we operate, I think, is not well understood by the world. The scale of Cisco Security means that we look for -- just on MFA alone, for example, over 1 billion authentications a day, over 500 DNS -- 500 million DNS lookups in half a day. So the scale is what I think the world misses. And also the breadth of our portfolio, I think, is not well recognized, too. We have security on all control points. It's on the endpoint. It's in the cloud. It's in the network, and also embedded in data and application security. So the breadth of portfolio is what gives us the broadest and deepest visibility, and visibility is key when you're trying to protect a new organization. So we have -- as far as the solutions go to your point, we have an XDR offering, we have a SASE offering, we have Zero Trust offering, for sure. And we feel -- individually, all of them are better because of the scale at which we operate, and one feeds into the other.

Yes. Perfect. Where do you think customers are in evaluating some of these architectural decisions? I think we hear from VARs that we're moving past kind of catch-up spend and moving towards greater architectural changes. But are people -- are you seeing real traction of some of these new architectural approaches to security?

Absolutely. We are seeing more investments going into architectures and lesser investment actually going into the catch-up investment, as you talked about it. Architecture investment is also key because we are in this hybrid world. As much as we all talk about workloads moving to the cloud, what you find is only 15% to 20% of the workloads are moving to the cloud. Only 5% of IT spend is actually in the cloud. So customer environment is multi-IT. It's on-prem. It's in the cloud. It's in the data center. So every customer is looking for a Security Reference Architecture, and we invest a lot of time in making sure that we meet the customer where they are as opposed to prescribing a solution. It's not about ease of deployment and ease of manageability or simplicity of a solution. What is important to us is depth of efficacy. That's what we focus on.

Got it. Are you seeing one particular catalyst for change or step that people are taking? Or does it tend to be hybrid work is what is kind of catalyzed one move? Just trying to see, is there one particular change that you're seeing that is generally like the first step into some of these new architectures?

Even before the hybrid work happened, organizations were moving to the cloud. So what I think is the hybrid work accelerated it, ascended a little further. But that alone is not a catalyst. It is enabling greater efficiency on the IT side of the organization. That is what has driven this migration. What I would also say is the scarcity of resources is another factor in the SOC side that is making this adoption of the cloud and focus on implementation of architecture like an XDR take off faster, being able to detect what's happening in a customer environment and being able to remediate it at a faster scale requires that you have people that understand that space. And with 4 million-odd jobs that are unfilled, people are looking for greater automation, and an architecture like XDR, for example, delivers that.

Okay. Perfect. We'll dive into XDR in a little bit. I guess one of the questions that we often get around the platforms is just that security has very much been kind of a best-of-breed market. Or just you want to have the most solutions so that nothing slips through the cracks. How do you get over a natural resistance of people having all of their eggs kind of in the Cisco basket or taking a greater kind of portfolio approach?

I can see some customers might be having concerns around the kind of scenario you laid out. But when you invest in an architecture, you want to choose an architecture that is open and extensible. A vendor may not be able to deliver all the solution that you're looking for, but you have to invest with one that is open and extensible. So we focus a lot on how do we coexist with the other security vendors that are in a customer environment. How can we open up our APIs so that we help enable the security of the other providers that are in the environment as well as we enrich our solutions with integrations that we do. So architectures is where we want to see the investment. Architectures is where we are seeing more of the investments go as well.

Okay. Perfect. I think another question that we get is just, are you seeing a change in the anchor device of security? I think for so long, it's been the firewall. Is SD-WAN kind of becoming more central to the security decision? Just what are you seeing as kind of that anchor device?

Firewall, we are seeing a lot of strength, and our firewall business is growing, and we are pleased with our customers extending with key people that are with firewall are extending and buying other solutions from us as well with the credibility that we have built on the firewall side. Definitely, the SD-WAN migration is allowing for cloud security also be pulled through in that experience by the customers. But I would believe firewall is here to stay. Endpoint is here to stay. And cloud extension security of the application and data is additional layers of security and extension security that we just have to secure.

Perfect. Another great question that we get is just the competitiveness of traditional hardware vendors as more SASE functionality moves to the cloud. Just how are you seeing that kind of physical cloud appliance discussion and just where you're seeing kind of that evolution of the discussion go?

Yes. When you think about the presence of firewall or presence of SD-WAN, you're talking about the network edge, you're talking about the data center edge, you're talking about the enterprise edge. It is the enterprise edge that is also pulling through to the SASE opportunity. Our SD-WAN implementation integrated with our Umbrella offering, the cloud security offering. You're seeing a lot of uptick because of that enterprise edge movement that we are seeing.

Okay. Perfect. Circling back to XDR. This is a market that we've written about kind of being a $28 billion opportunity, the security analytics and then observability converge. What moves has Cisco made to kind of converge those capabilities acquired from kind of your security and observability portfolios to kind of present your product to the market?

Yes. That's right. XDR, as I mentioned, makes it easy for a SOC analyst to make sure that they have the greater visibility into the environment, they understand the risk, and they're able to remediate it quickly. We're always thinking about how do we deliver value? There are 2 metrics we focus on, mean time to detect and mean time to remediate. That's the purpose of XDR as an offer. And in our world, we get intelligence from every product that we have that's feeding into our SecureX platform, from e-mail, from endpoint, from network analytics, the entire portfolio feeds into XDR. And XDR is also an open platform. And so far, we have done about 400-odd integrations so that we are helping a customer environment protected. And the recent acquisition that we have done with Kenna, we're also able to bring in the context of risk where our intent is to focus not just on alerts, but actually make it context-sensitive. And risk-based XDR is how we are thinking about it as a problem that we want to solve.

Got it. I mean does that open platform almost make it easier for you to incorporate a lot of the Cisco pieces that you have acquired over the years or are trying to integrate as well?

That's correct. And we want to actually pull in the data from other products that are in a customer environment even beyond Cisco's own products.

Got it. Similar to the question on SASE and some of the new architectures, where do you think customers are kind of in the adoption or knowledge of what is going to be their XDR approach?

So right now, for all those conversations we are having, only 5% of the customers have actually implemented XDR in their environment. They're still on the journey from EDR to XDR, the endpoint detection response to XDR. So the opportunity is still quite a big [indiscernible] that we can go after. But as the value gets realized by customers, I would expect over the next 4, 5 years, at least 40% to 50% of the customers are opting an XDR solution.

Okay. That's a pretty quick transition but a lot of value to be added. What would kind of lead to that is what you mentioned, the security organizations need to automate more. There's just too many open job filling spaces. But where do you think there is in that comfort with the increased automation or getting people over the idea that there needs to be this human to be that last line of defense?

It's interesting you use the word comfort. When we are thinking about security, we're always thinking about the paranoid people. We want people to be paranoid. We're never thinking about the comfort because you never know when that next threat enters your organization, and you want to be ready. You have preventative technologies, but you also want to be ready to react when that incident happens. As you know, in the security industry, we always say it's not a matter of if, it's a matter of when. Every organization has the potential to be impacted. So back to your comment about comfort. We look for people to be investing in the right architecture, have yet acknowledged that protecting an environment is always a combination of machine and human intelligence coming together because there is always that incident that happens for the first time. There is a patient 0 that you have to be ready for.

Right. Okay. Perfect. Another question that we've gotten is just what part is -- or what is the role of identity as part of the security purchase and just your kind of portfolio that addresses the identity market?

Yes. So Zero Trust is born out of the need to make sure identity is the first line of defense for any organization. If you think -- talk to customers, they think of Internet as the new network, and identity, that's the first thing that needs to be protected, identity being the new perimeter that need to be protected. Our Duo acquisition, we have done really well. That is the franchise that we have taken on to extend it to the Zero Trust construct as well. We have actually contributed as Cisco to the NIST standard definition. And we've also partnered with the CSPs with Amazon, with Google, with Microsoft to -- we have some exciting announcements to come.

Marilyn is giving you the thumbs up, so we're good. Identity is an exciting area of development. We got it.

That's right.

Supply chain has clearly been a headwind for much of Cisco's business but clearly the firewall business as well. Is any of the cloud software growth you're seeing in the security portfolio driven by that temporary election of I need a firewall, just move it to the virtual substitute? Or just what is kind of leading to some of the underlying traction you're seeing on the cloud side?

Yes. We have -- I will acknowledge the supply chain challenges that we have seen. We have seen improvement from where we were last year to now. And I would see some challenges to continue until the end of the fiscal year '22 and it gets better from there on. Customers are adopting to the -- moving to the cloud and adopting the virtualized and continuous solutions. That is also a use-case-based migration and need-based migration, not just because there's a challenge on the supply chain side. As I mentioned earlier, we're seeing good traction on our firewall business.

Right. I mean, how much of that -- another question that we get is just the impact of a refresh cycle on the firewall business and just whether -- where you're seeing where you are kind of in that refresh cycle.

I would not -- no, I would not attribute that to the refresh cycle now.

Okay. Perfect. You've mentioned kind of a number of acquisitions that have helped bolster the portfolio. But just how do you see the need for continued M&A to kind of advance that portfolio?

Yes. For any organization, when you're thinking about innovation, you have a strategy of build, you have a strategy of buy and you have a strategy of partner. Cisco, like every other company, we're all constantly looking at what makes sense for us. So we are looking for strategic fits. And we'll do the right thing for our shareholders, what is right for the shareholders, for our employees, our customers. But we are more guided by what the market needs are, what we are hearing from our customers, and of course, what is the right financial decision as we make it. But yes, it's part of our strategy.

Yes. Obviously, Cisco has always had M&A as part of the strategy. I guess kind of circling up as we conclude this discussion. It's just a -- there's a lot of different approaches. And so I guess what I'm trying to get to is, how holistic is this decision being made in terms of an architecture versus, okay, I need to think about Zero Trust, and I need to think about SASE, and I need to think about XDR? Like where are you seeing customers kind of take a higher-level view of their security architecture?

XDR is definitely one place where we are seeing convergence of strategy that is being realized, granted in a small portion of the customers as we are seeing it today. Zero Trust is definitely emerging as an end-to-end security architecture philosophy as customers are thinking about it. And for us, for Cisco, I actually think that our unique value proposition is that we -- because we have a presence on all critical control points, because our SASE connects to our XDR, and our Zero Trust connects to our SASE and XDR, we are able to bring all these 3 architectures together into a singular platform and making it easy to deploy and easy to consume for our customers. And a lot of investments that we are making at this point are going into that platform.

Got it. Another question that I had is just in terms of maybe ramping it down to kind of Russia and Ukraine again and just concerns around kind of the cyber environment. I know we touched on this at the beginning. But just what does Cisco kind of proactively do to let customers know that they're kind of helping address a more active cyber threat environment?

Yes. We have certain -- just like other companies, we also have incident response teams. We also have an incident response as a service, managed detection and response also available as a service. Several of our large customers are subscribers to that service. So whether there's subscription service or not, obviously, if you see something, we will proactively reach out to the customers and let them know. If you see something even if they're not our customers, we will let them know under the new construct of them having to become our customers, for sure. But the incident response is one way our customers meet that commitment to make sure that they're kept abreast of it.

Got it. And then maybe final question. It comes up a lot in our reseller checks about security pulling through additional networking purchases. We've spent a lot of time kind of talking about the security portfolio, obviously, being your expertise. But just how often are you kind of getting pulled into a conversation where it's leading to a larger sale or you're getting pulled into I need to refresh my campus, which is -- and then kind of thinking overall on the overall security purchase?

Definitely, at Cisco, networking is a core franchise for us. Security is a unique value proposition that we have. When you are an expert in one and then you have a big presence on the networking side, you will see a lot of combined transactions happening. And there are times the networking is pulling security through. Other times, security is pulling the network inside through as well. But if you think about SASE, the reason we're all excited about that is how it is actually bringing the integrated security into the networking side, and a better security value proposition overall, it's making it easy to be delivered.

Okay. Perfect. Well, on that, I think that, that's perfect to end it with kind of the networking and security kind of combined discussions. So Shaila, thank you so much for being here today and walking us through the security portfolio.

Well, thanks for having me.

Perfect. Thank you.