Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Okay. We can start, right? Jeetu, thank you.

Thanks for having me.

Thanks for coming. We -- you hosted Cisco Live or you had Cisco Live just recently, and we listened to the presentations. And I'm going to ask you a little bit about your strategy long term. This is not meant to speak about the quarter. It's -- the session is about what's your kind of the high level? What's your strategy for security over the next few years? And I want to start from, I don't know who came to our CISO dinner last night, but we hosted 3 CISOs from small companies, relatively smaller companies. And we asked them about security and asked about who do they buy from. And one of the questions was Cisco, what do you -- and they described you as gold-plated solution that is very expensive. But then I asked them, when did you meet Cisco? And that's like a 5-year-old view. It's not a recent view. So talk -- if you don't mind, talk about, first of all, the high level of Cisco Security. How -- where do you want to see the company 3 years from now? What are the things you're investing in, things you're going after, the opportunities? What have you done to get -- take the time. It's -- we have plenty of time to speak about kind of deep into the strategy of where do you want to be. And then how do you change the perception of those CISOs that didn't meet you since you joined, right, didn't meet you in the last 24, 36 months? So...

Yes. I think if you think about the industry and what's happening in the industry, I think there's a move that's happening from point solutions to integrated platforms. That is not just my point of view, it is a fact. That's what's happening in the market right now. And the reason for that is because there's 3,500 vendors in the market. And on average, most customers have between 50 and 70 vendors in the cybersecurity stack. And that's no longer tenable because the complexity is too high. That's 70 different policy engines, that's 70 different places where policy contention can happen. And so I think you have to change from that to an integrated platform. And I think Cisco is going to be one of the prominent kind of platform providers in the market. So where I'd like to see us in 3 years, 5 years, 7 years, 10 years from now is continuing that journey of being one of the prominent platform providers for Cisco. If you think about our strategy and our differentiation and what it is, why is it that we have an advantage in the platform is because security is largely a data game. And the more telemetry that you have and the more signal you can extract, the better off you're going to be as a company to differentiate and keep safe against someone else. So if you assume for a moment that the attacker is already in the system and the name of the game is lateral movement and containing lateral movement, where does lateral movement happen? It happens on the network. Who is going to have the most amount of telemetry in every packet that actually traverses the network? Cisco. And so we actually have an inherent advantage in the kind of telemetry and data that we have. And so what we're trying to do is 3 things to differentiate, right? Number one, and we talked about this in Financial Analyst Day, is we're going to differentiate by being the most comprehensive end-to-end platform for security. Number two, I think the architecture for applications, especially in the AI era, is changing to be hyper-distributed. And as that happens, we need to make sure that we've actually got a corresponding security architecture movement that is also hyper-distributed. And so that's the second big area that we are doing a lot of innovation. We launched a product called Hypershield, which I believe is categorically the most consequential product that we have launched in the 40-year history in Cisco in cybersecurity, right? And then the third area is making sure that we can really help reimagine the future of the SOC or companies at any level of maturity. From the people that don't have a SOC to the people that have the most sophisticated SOC, we now have solutions for all of them between Splunk and Cisco XDR and what we can do together. So that's the 3-part strategy for differentiation. And the proof points that I'd urge you to look at because the common question that gets asked is, hey, how come you're not growing faster? Well, the reason you're not growing faster is we have to actually build out the platform. And if you look at what happened in last quarter's earnings, we actually indicated that our order growth was actually in high single digits. And so you are starting to see the leading indicators to be very, very positive. The thing that gets me most excited is when I talk to customers and when I talk to partners and when we actually talk about the new technologies, we launched 6 new products that we built from the ground up in the last 12 months. These are not new versions of products that we have. There's several of those. But these are new products that we've built from the ground up, right? So the innovation velocity at Cisco -- I've been in the business for about 30 years. I've actually worked for SaaS companies that were very high-velocity companies like Box. I have never seen a company execute at the velocity from a product standpoint as what I'm seeing right now within Cisco. The teams are doing a fantastic job. It just takes a while because a lot of our revenue is ratable. And so by the time that you actually have that flow through the revenue, it takes a while. Security is a long sales cycle. That takes a while. But overall, the combination of assets we have in networking plus security plus observability plus the data side all pulled together, I think, put us in a very unique position. And in fact, our competitors, they would not even acknowledge us as competitors 3 years ago. And now I don't think there's any doubt. I think it would not be intellectually honest to say that Cisco is not moving extremely fast on innovation at this point. Like it's not even a credible statement. You would have hurt your credibility by saying it. So that's kind of where we are from what we're doing on a strategy perspective. On the platform side, I think it's very important to understand that we -- one of the big challenges we had was we were -- we kind of looked like a holding company 4 years ago. There was a bunch of acquisitions. They weren't all tied together. They all kind of felt very different. Today, if you see our products, it is a fully integrated product, common telemetry, common design language, common policy constructs, common management plane. But most importantly, we actually have deep hooks into the infrastructure, where you could have enforcement points baked into the fabric of the network in security, and that's what we've got in place. And instead of having 31 products and thousands of SKUs, we can now sell a User Protection Suite, a Cloud Protection Suite, a Breach Protection Suite on the foundation of firewalls. That's all. And so it's a very simplified message. And I'm hoping that Gary taking over the go-to-market side is going to actually further help simplify our overall story. And given the fact that he's got a security and SaaS background also is super helpful. So I'm just super excited about the prospects for the future.

So you launched many platforms, 5 or 6 platforms in the last 12 months. Are the platforms...

I would say we launched product, 5 or 6 products and capabilities that are -- we have one platform in security, Cisco Security Cloud.

Yes. I know I'm going to make a mistake.

No, that's okay. That's okay.

So you launched 5 or 6 products. The question I have is, are the products...

5 or 6 products from 0 to 1. There's probably several tens of products that we launched new versions of them.

Right. Yes. Are the products that are addressing big opportunities, right, XDR, SASE, I mean, big opportunities. Are these products are at the point of being ready to the market, meaning you have the features that you want to have that enables you to get -- go to the market and get meaningful revenues, et cetera? Or is this still a work in process? Where are we on the stage of the life cycle of the product?

So I'll give you a 2-part answer to that. One is the traction that we are seeing tells us that these products are extremely successful in the market. XDR, just a few quarters in the market, I think a couple of quarters, and it's already got over 300 customers. In my mind, a product is always in only 1 of 2 states. It's either incomplete or obsolete, right? You're either continuing to innovate on the product and build it, we keep enhancing it, which we will keep doing or you've actually given up on the product and you're just cash cow-ing it. Our products, the way we think about them, there is a fair amount of kind of work that we will continue to do to keep enhancing and expanding markets for. But there is a tremendous amount of growth opportunity of the products the way that they are right now. And we are enhancing this from a very regular cadence. I think like last quarter in our Secure Access product, we had like 56 different enhancements. So like there's a fair amount of momentum and innovation velocity, and that will continue for the next foreseeable future.

What do you need to do with go-to-market with educating customers? What -- how do you change the perception of those that -- even your distributors and resellers, et cetera, how do you change the perception in the market of those that don't know the changes done, are not familiar with the changes that went through the company in the last few quarters?

Yes. I think there's -- when you have a completely revised architecture and a new product that's been built and a new platform that's been built that you're taking out to market, it just takes a while for the market to get the take rate. I'll just give you an example on the kind of feet on the ground work that we are doing. I personally participated in keynote at about 11 to 12 major events with thousands of people every year. I'll just give you a few examples: Cisco Live in the U.S., Cisco Live in EMEA, Cisco Live in APJC, RSA Conference, you've got a partner conference, These are just some off the top of my head. So I think what we're doing is we're getting out with our customers in the field in a pretty aggressive way. And from a year ago to now, if I were to measure success, if you talk to our partner ecosystem and you talk to customers, there is a palpable shift in perception in those customers where our people have gotten in front of them. Now we have not gotten in front of everyone, right? And so we recently, for example, I'll give you an example. You mentioned the CISOs. We had a CISO event in the St. Regis Hotel over here like probably like 2 months ago, 2.5 months ago, 41 CISOs, major companies that were all there. And a lot of them the night before were talking to me like, I'm not really sure about Cisco. I've got a lot of other players that I'm looking at." 100% of them at the end of them said, "Not only was this a great use of our time, this was game-changing. Cisco is a disruptor in the market. In fact, you make some of your competitors look like legacy companies. And we want to make sure that we work with you." And we were oversubscribed on the product that we had talked about over there, which was Hypershield. And we don't actually have any more early access customers we can take until the GA happens in August. And I told Chuck, I'm like, "Hey, I got good news and bad news. The good news is 41 customers completely changed their mind. Bad news is we have to do this more and more, and we have to just get in front of customers. So I think that's just -- it just takes a while to get the word out. But I think the way that the word spreads is not just by us doing it, it's word of mouth. You get the first 100 customers successful, they get the next 100 customers, and they get the next 100 customers. So I think the virality is starting to pick up right now. And you start to see it because we are winning deals with customers against competitors at a very, very different tempo now than what we were doing before.

I want to ask about all the new stuff because it's exciting, but I want to start with firewalls. And the first question is general market question. It's -- we had here multiple speakers, and every speaker comes from a different angle. Zscaler says, "You don't need a firewall. It's going to be Zero Trust SASE. Everything goes to the cloud. No firewall." And then the firewall company, Palo Alto, says the opposite. "There's no way. You have to have a firewall." So what is your view on the future of firewall? Kind of high level, before we get Cisco, is there -- this is -- it's a big part of your security. Do you think that the underlying demand stays for the long term? And what are -- how does it change? And then how do you use your leading firewall position as a way -- as a stepping stone to sell other things?

Yes. Look, I think it's -- every time you have a company who has a point solution in an area, they will always try to say, "You don't need the other stuff. Everything can be done with a point solution." That's just like you just have to give competitors accolades for their enthusiasm that's misplaced. You're going to need a firewall. I think we have to make sure that we actually invest in every form factor of the firewall because the goal over here is you have to make sure that you have multiple enforcement points for security in your network. And so for the firewall, we think there's going to be a very, very good demand for virtual firewalls, virtualized firewalls. There's going to be a very good demand for appliances. But there's also a very good demand for cloud-based firewalls. There's very good demand for firewalls being part of the SASE stack. And there's very good demand for Hypershield, which is going to be a completely hyper-distributed way of going out and enforcing security. And what we are doing is we're not seeing customers make a choice of one versus the other. We're saying that you've got them all, and you could have a single policy that can apply across all of those enforcement points. When you build a policy, you can build it once, and you can apply it across all those enforcement points. That's what we announced at Cisco Live with Security Cloud Control. That seems like a much better way to give customers value and take them from where they are to something else rather than say you don't need X and you need Y, and now move everything to X -- from X to Y. It's like-- and by the way, on SASE, we actually have one of the best offerings in SSE because what it allows you to do is you don't -- you have a single stack for private access and public access. You actually have identity graph data that actually is getting in -- that is enriching SSE. You've got this tremendous amount of ease of use in the -- for the end user where -- because we've got a secure client that's already installed. We've got 250 million endpoints. And so that can actually really help with what's happening from an SSE standpoint. So I actually do feel like in the long run, we've got a very differentiated strategy. And one of the -- I will acknowledge this, we relate to the market with SSE, absolutely categorically relate. It actually helped us out because we were able to build a better architecture, whereas if you look at some of our competitors, they have a private access application that's a very different stack from a public access application. And what we have is one experience. You could be an employee or a contractor, one experience. You can be at home or in the office, one experience. You can be using a private application or public application, one experience. Our competitors don't do that. And so we're able to go out and take a much broader view of the end-to-end platform, which is why I think you can think about us as a very, very credible platform in the market.

You speak about Hypershields. And we spoke multiple times in the last few months, and you always mentioned Hypershields. Can you explain what it is in simple terms?

Hypershield in simple terms is a highly distributed architecture for security where you take security and move it to the workload rather than moving the workload to security. What does that mean in practical terms? In practical terms, there are 3 big problems we're solving. There is a big problem in the market right now around segmentation. Segmentation is really hard, especially in a hyper-distributed environment with multiple microservices. You have thousands of microservices running on hundreds of Kubernetes containers and clusters, very hard to go out and do segmentation. We've solved the problem through autonomous segmentation. You never have to write a segmentation rule ever again in your life, right? Number two, patching is really hard. The time that it takes from when you announce a vulnerability in the market to when you actually have an exploit that happens, low single-digit days going down to hours and minutes. We will be able to do this, but the amount of time it takes to patch a vulnerability is about 22 to 49 days. So you've got this kind of time window where you're exposed as a company. You remember some of the recent pharmaceutical breaches that have happened and all of that, those breaches happened in 3 days from the time that the vulnerability was announced. If they had Hypershield, you would have not had the breach because within 9 minutes to 15 minutes, we would have had a compensating control that shields a vulnerability and protects you while you're testing and deploying the patch. It's the second problem. So segmentation, first problem. Patching, second problem. Third problem, updates. Dated infrastructure getting updated, very, very hard to do, right? You have 2 change control windows in a year. One is during Christmas usually, one is during Fourth of July. If you missed that change control window, you have to wait for 6 more months. You have to bring down your system. You have to have a sandbox. You have to test the environment, then you have to bring down the system and upload the environment. Super cumbersome, right? We don't do any of that anymore. We can actually inline while you're in production, have a second parallel packet pipeline that's going on live so that you can test between your main production version and your shadow version. The primary data path and the shadow data path can be compared simultaneously for every packet that gets forwarded through the network, right? When you find that they're both performing at acceptable pace, you actually -- automatically, the system can upgrade from version 1 to version 2. This is something that's unknown, like no one else does this in the industry. We are pioneers in this right now. And so this is something that we've been able to build out. And so those 3 problems allow us to basically melt security and infuse it into the core fabric of the network. I can now have security enforcement points in software right next to the kernel. I can have a security enforcement point on a server, on a DPU or I can have an enforcement point on a top-of-rack switch. Why is Hypershield so strategic for us? Because in the long term, we will have top-of-rack switches with DPUs, which will then allow us to create a switch refresh opportunity for an organization. So we're not just selling security, we'd also be able to sell more networking into an organization [ if we do it ].

Got it. Cisco Security Cloud, what is it and what opportunities are you going after?

It is an integrated AI-powered global cloud-delivered service that solves 3 problems. How do I protect a user? How do I protect cloud and cloud infrastructure? And how do I protect against the breach? All built on a foundation of the firewall with the core fabric that has AI and Identity Intelligence in it, right? It is one single integrated platform for security end-to-end, one common management plane, common set of telemetry, common design language, common policy objects and most importantly, deep hooks into the infrastructure into the networking infrastructure that you might have. So that's the difference. It's a global cloud-delivered service. I can acquire and steer any and all traffic to any other cloud providers. And when I move my workload from one cloud provider to the other, I can persist policy. Why is this important? Because every cloud provider today has further exacerbated the problem by having their own security stack, which then locks you in. And what customers want is they want to make sure that they can have the public cloud economics without the public cloud lock-in. So if you abstract security from the public cloud providers, you can say, I'm going to have a layer from a neutral party. I can acquire and steer any and all traffic to any other cloud providers. And I can persist policy that actually gives you an integrated platform that works in a multi-cloud environment.

And I have a follow-up, but you talk about end-to-end big platforms. I mean tons of capabilities, and we spoke about multiple things. Is -- does it mean a lengthier deployment process? Does it mean a lengthier sales cycle? Does it mean that it's more complex to convince the customers to switch from whatever they have to Cisco?

The way that we're doing it to avoid that problem is we will have multiple insertion points that have been defined that can actually have -- but look, the sales cycle in security is long. There's no way to avoid that sales cycle. People go through their POCs. They have to do all of that stuff. Enterprise sales cycles aren't short. You have to make -- part of the reason a lot of you asked sometimes saying, "Hey, Jeetu, all of this is so wonderful, but you're not growing faster." Well, the reason you're not growing faster is because our order growth is actually getting faster, but it takes a while for that order growth to show up in the revenue. Sales cycles are long, and we've got a lot of our revenue that's ratable. And so the ratability of the revenue also takes a little bit more of an elongation. But if you start to think about it, we have insertion points in every single one of the suites on the Security Cloud. So think about what we talked about, the User Protection Suite, our lead anchor product, the User Protection Suite to Secure Access. Secure Access is something that can actually be inserted in. And we'll compete with the Zscalers and the Palo Altos handily every single day of the week. And we'll be happy to compete with them, and may the best product win. In Breach Protection Suite, we will compete by going out and inserting XDR. In Cloud Protection Suite, we will compete by inserting the lead anchor product will be Hypershield. And so what that will do is give us very focused sales plays that we can go after in the margin. But there will be lengthy sales cycles, but this is one way to actually compress the sales cycles. And I'm really excited about Gary taking on our go-to-market because he's got a SaaS background, he's got a software background, he's got a security background. And like many of us, he's got this mentality of how do we make sure that we simplify the sales motion so that we can go after customers with a consultative sale with a very, very defined sales play that we can go after. And each one of those become sales plays. You want to protect the user, go after Secure Access, that becomes a sales play.

Cisco Live, just 2 days ago, you gave guidance for -- not guidance, you gave indication of expected growth for both security and observability together. And if you remove the observability part, it means that security can grow double digits. If you -- because we have expectations for Splunk separately, we have expectations for observability. So that's not -- that's '26, '27. That's not tomorrow. Does it make -- I'll ask it differently. What do you think could drive a double-digit growth, meaning you look at the portfolio, where are you getting the most excitement out of your portfolio, meaning that it could be meaningful. It could drive growth for overall. It's a big business here, security business is a big business. Where do you put most of your focus on?

I want to make one point on the 15% to 17% and taking it out and making sure that you segment those pieces. I think as you integrate Splunk and security closer and closer and observability closer and closer, it's going to get very hard for us to distinguish between growth of Splunk and growth of the core security business. So I think that's just -- Gary had mentioned this at the Analyst Day as well. I think that is a real thing. It's going to be harder and harder for us to decipher where the growth came from. What gets us excited is the move to the platform. Look, why do people buy security? They buy for 3 reasons. They buy it because they want to improve their efficacy, they buy it because they want to improve their experience from a management standpoint and reduce the complexity or they buy it because of economics, right? And we will provide favorable conditions in all 3 of those. And what gets me really excited about this is we have built a world-class platform over the past 2.5 to 3 years, and we've built a world-class team that's been completely overall. We -- our Head of Security came -- you know Tom Gillis? He came from VMware, ran networking and security at VMware. Our Head of Products came from Netskope, built out Netskope and actually was at Proofpoint. Our Head of Splunk R&D came from Microsoft. Our Head of XDR came from Palo Alto Networks. And so we've actually got a lot of people that have a startup-based mentality but understand scale and have actually built out -- like the pace at which we built this stuff out is nothing short of remarkable. In my 30-year career, I have never seen anything like this. I mean think about it, 6 products from 0 to 1 from the ground up built within 12 months. That's insane. That's just a very, very exciting time to be here. And the tempo is high. The energy is high. The customers are seeing the progress, and you will see that flow through. We will gain share. We will actually grow revenues. It just is what's going to happen first is you'll see the order growth, and then you'll see it flow through the revenues. But you will see a very, very different Cisco because of this. And this is also going to drive, most importantly, networking revenue for us because of the fact that top-of-rack switch refreshes will happen as a result of this because you will actually have Hypershield that runs on a DPU.

Yes. We have less than a minute left. Is there any question from the audience? Yes?

So what about -- you're talking a lot about workloads, networking. What about the application itself? What about the [ focus ]? What about presenting the reason for being deployed into your cloud?

Yes. It's a great point. So we built a product called Panoptica. And Panoptica is actually much more the shift left side where there's a movement that's going on that says, even before the code gets into production, you've got to make sure that you can bake security into it. Panoptica is going to be part of the Cisco Security Cloud. It's part of the Cloud Protection Suite. And it is a product that also included a few acquisitions that we had made of companies like Lightspin. And so that's all under the Cisco Security Cloud. We started that in the incubation team, and we're moving it over into our team over here shortly, right?

You bet.

But that's a very important area, and I think it's a pretty high focus area [indiscernible] for us as we move forward. And you should expect a lot of innovation there from us.

Jeetu is one of our analysts. He's talking his own book. He's the founder of a start-up of application security.

Well, we should welcome partner as well.

Great. Thank you. We ran out of time. Thank you, Jeetu, so much. I only got to 4 questions and I have...

Is it quite long, my answers?

No. No, no, no. It's great to have a discussion rather than a -- it's actually great. Thank you so much.

Thank you so much.