Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

Okay, great. Why don't we get started? Thank you, everyone, for joining. I'm Melissa Franchi. I cover the cybersecurity space here at Morgan Stanley. I'm very happy today to have with me Ken Xie, CEO of Fortinet; and Peter Salkowski, VP of Investor Relations. Before we get started, we have a few safe harbor statements. Let me just start with mine, and then I'll pass it to Peter. So please note that all important disclosures, including personal holding disclosures and Morgan Stanley disclosures appear on the Morgan Stanley public website at www.morganstanley.com/researchdisclosures or at the registration desk. Pete, you want to go through yours?

Thank you, Melissa. Absolutely. I'd like to remind everyone that we may make forward-looking statements today during our fireside chat. These forward-looking statements are subject to risks and uncertainties that could cause actual results to differ materially from those projected in these statements. Please refer to our SEC filings, in particular, the risk factors in our most recent Form 10-K and Form 10-Q, and to other reports that we may file from time to time with the SEC for additional information on factors that may cause actual results to differ materially from those expectations. All forward-looking statements reflect our opinions only as of the date of this presentation, and we undertake no obligation and specifically disclaim any obligation to update forward-looking statements. Are we done yet? Is it over?

Yes. That's done. Okay. Well, thank you both for being here. You're just coming off of the back of RSA and kind of Q4 earnings, where you've been able to sustain really solid 20% plus top-line growth, whereas some of your peers have seen more inconsistent performance. To start, maybe we could just talk about what are the main drivers of that growth or outperformance relative, I guess, maybe to your peers or to the market. And if you could just kind of go through at a high level, to what extent is that overall market growth versus what you have going on in your product portfolio or is it execution-driven.

Yes. I see the keynote speech last week in RSA, talk about 3 trends in the cybersecurity space. So our growth there were actually matching these 3 trends quite well. So the first one, really, the traditional, we call the perimeter security, that's where the firewall, whether you talk about refresh and whatever. That market is still holding pretty stable. So not going down. And so we still see the refresh happening. Because the perimeter security is still there, they're just not growing that much, but also not decreasing. But what happened in the space where the perimeter security is no longer enough. You need to expand into the WAN side, like the SD-WAN, like the 5G. That's also grow rather fast, like almost 50% year-over-year growth, like SD-WAN. And then you also need to expand internally, go to the internal segmentation, go to the Wi-Fi security, go to the switch. That market is even much bigger than SD-WAN, we estimate maybe even 3 or 5x larger than SD-WAN security. So that's also just started. The challenge for internal is that internal LAN, local area networking nearly outdone by the switching is much faster than the WAN side, vis-a-vis, average about 10x faster than the wide area network connections. So you need to have the performance speed in order to deploy internally, whether it replace some switch or cover the Wi-Fi security up to the internal segmentation. So our new technology for the NP7 really helping to close the gap. And so that's the first part of growth drive. So really expanding beyond the traditional firewall on the WAN, LAN side. The second part also, the space starting to do some more consolidation, whether in the network secure space -- basically the network secure space, the biggest one in the whole cybersecurity space industry. The whole industry about $100 billion. Network security is a little bit over $20 billion is much -- like almost double compared to 10 years ago in endpoint security. So that's where the consolidation were started happening in the network security space in itself and also helping to consolidate some other important players. So that's -- I can say, in 10 years ago, you can look in the top 4 player in the network security space, Palo Alto and Juniper still come at top 4. They count less than 40% of our market share, that's 10 years ago. But today, the top 4 player come more than 60% of market share. And the other from like over 50% reduced to less than 30%. So if we do now security, there's consolidation. But we're also starting to consolidate some other parts. So the networking security, working with endpoint, working with a different application, e-mail, web and with our IoT security, other intrusion prevention sandbox, but we also consolidated some other parts, we call the -- a fabric. So there's only a few companies that has multiple-product platform kind of player. They also consolidate some other one. Because for enterprise customers, they have too many products, too many vendors to manage. And even they say, if you only cover 70% of the function, it's still preferred as to kind of integrate, consolidate solution, instead of the point solution, in order to reduce the management cost. And also, when you integrate together, you also can automate defense together. So that's make it more secure. And we do see the space also kind of consolidate. And even there's a lot of new players come in the space, but they have a -- after a certain point. And then once the bigger player has a similar function, they start to kind of slow down the growth. And then the third trend, also a lot of new things, we also invest heavily in a lot of new technology, whether the 5G security, the IoT security, the OT security. And we have a lot engineering focus, we also see a lot of growth there, connected car security, we have the chip to cover all that. So we do see there's a quite broad approach, long-term investment we have to help drive the 3 growth engine we have within network security, platform consolidated, overall space and also lead in a new security front.

Okay. Since you spoke about consolidation, I think one trend we're also seeing is consolidation of networking and security. And so you're playing into that theme with the SD-WAN capabilities within your FortiGate products. Why do you think that is becoming a key differentiator for Fortinet? And can you also talk about why you think that differentiation is sustainable when you have others in the market? Obviously, Cisco plays in that market but also Palo Alto, trying to address that opportunity?

That's also in my keynote address. Some of that is because -- so if you look at the last 40-some years on Internet space, so the networking protocol -- switching protocols is the same after 40-some years, and still only deal with connectivity and speed. So when you connect internally in a company, switch, that means everything is the same. It's working quite well in the trust environment. That's where anything above that, whether different applications, different content, different user or device or even data come from a different region or country, that all has to be handled by security. But I do believe the next version of Internet networking, it will be delivered a traffic based on application or content or device or user, all this data come from or whatever. So that's where -- I see why the first networking protocol, they can read out the traffic based on application. They do have some CDN working for the web because web, they're always running efficient. So that's where the -- some CDN company based on the traffic is out on the web content. But SDN is more generic network traffic. The account-based application has a different way to handle that. So -- but for us, we put in the investment a long time ago, like 5, 6 years ago. So we started to develop investment in this technology. But for us, this is not the first one. We did it SD-WAN security more than 10 years ago. Maybe not quite a right timing or have a less impact, we do believe that product is taking off now. We also developed the SDN and -- in the data center with security, but that part also probably the performance gap is still pretty big. And we also spent a lot of time to develop the 5G, what can we solve with the carrier. So there's a lot of technology we're keeping invest and keeping develop. And SD-WAN, probably in the right timing, the right product. And also we're starting to become a leader in the space and also the customers see the benefit will come by SD-WAN with security. The only time read out traffic-based application, you're also actually using -- our product can read out product based on the content or based on a user, based on device. So there's a lot of benefit. For that, I do believe long-term wise -- I don't know how long would take maybe 10, 20 years, but networking traffic will be read out based on the application content and the data used or whatever for that. So that's where -- is the -- and the same time, we can also -- because one big issue with some players in the SD-WAN, if they're using whether they call it universal CPE or some general purpose CPU to do that, a performance gap is there. So it offers a large challenge to the added function. For the network security today, the gateway has easily 10 to 20 functions. That were much bigger compared to like 20 years ago when I started Fortinet, it's about 3 or 4 function. And then 30 years ago, a network security only have 1 function or 2 function for a VPN. And so there's more function being added in the network security gateway, they had to be in line compared with the [ alternate ] switching who's only running one single portal, single function, right? So that's where the gap, performance gap between networking and network security all of a sudden become bigger. So you have to solve the performance issue by keeping adding both security function and network function. That's where we do beat them, we've adding some networking function because security-driven networking is also the future trend.

Melissa, I'd add to that. I think on the fourth quarter call, we talked about -- we sort of sized the SD-WAN business a few different ways for folks, to give them a sense of how it really ramped in 2019. We started to see the pipeline ramp in the second half of 2018, but we really saw the business and deals close in 2019. We said for the full year that our SD-WAN business was mid- to high single digits of our billings for the entire year. You could just use 7.5% as sort of a midpoint on that. It's almost a $200 million billings business in 2019. And I think what's important in that and the question I get a lot from people is, I think, there's a misconception that that's just firewalls. Every firewall we sell has subscriptions attached to it. So there's product and there's FortiCare and FortiGuard, our maintenance subscription and our security subscription attached to every one of those firewall sales, just like any other firewall sales that we do, which is why we have a billings number because there's subscriptions attached to it. I think it's really important that we're not just selling a firewall, we're actually selling all of the same sort of subscriptions we sell with anything else. So it's been a very successful business for us.

How do you get to that high-single-digit billings as a percentage of the mix for SD-WAN? Because -- and I guess my question is, kind of, could you go through how you sell SD-WAN currently? Because it is included with FortiGate, right, and my understanding is that it's included as just part of the features of FortiGate. And so is the strategy around SD-WAN really about selling more FortiGates versus independently monetizing SD-WAN as a stand-alone market opportunity?

Yes. Actually it's a little bit both. Like I said, SD-WAN function is a part of the FortiOS within FortiGate. We don't charge extra for [ hour ]. But in order to better SD-WAN function, you also better apply the additional service. So that's actually have extra percentage. And then also when we track into the field, half the SD-WAN customer acts like a new customer, so they don't have the FortiGate or whatever before. So that's also helping driving into a lot of enterprise, a lot of new customers for us.

And I do get asked a lot, like how do you know that was an SD-WAN deal not just the FortiGate sale? One way to do that, well, certainly, we've told our sales force as you go out and pitch SD-WAN to customers and you -- and based on the way in which they're going to deploy those FortiGates, it's pretty clear from the deployment that they're using it as an SD-WAN implementation. It's also when you start looking at the competitors and who we're competing with in that particular deal, that is an SD-WAN deal. You're dealing with no security vendors. It's a couple of different SD-WAN vendors that are pure-play SD-WAN players that's who we would then be competing in. So it's clear. It's an easy use case so to track because of those kinds of scenarios, the deployment as well as who you're competing with. So we've been able to track it even though, as Ken said, there's a feature built into the operating system we're not charging separately for it. But they're getting the firewall and the security capabilities of that firewall, along with the SD-WAN functionality. And the advantage there is they're getting both of those things in one single box, where none of our competitors at this point can do that.

Along that vein, I want to talk about what's happening in the branch in terms of security. So one of the themes that we talked about in the past few years is really direct-to-the-cloud within -- particularly within branch locations, with vendors like Zscaler really touting that approach. Your SD-WAN capabilities would certainly benefit from a direct-to-cloud approach moving into -- in the branch locations. But on the other hand, perhaps you don't need a physical appliance at the branch and you all have a strong presence there. Can you maybe talk about those dynamics and whether you think that new architecture is the benefit of Fortinet or if it potentially could be a challenge?

Yes, that's probably the SASE architecture, Gartner referred to, more like the Zscaler model. We are very consistent for the message in the last 3 or 4 years as -- we do watch more closely, there's a lot of service provider carrier, so we're kind of more dominant space. So if you look back in 10 years ago, they launched, they called it clean pipe strategy, so they're helping customers to clean up the traffic before they reached to the enterprise. So with the Zscaler model, SASE model, they try to resolve some of the traffic, whether in the enterprise or in the mobile traffic system, their data center through the cleaning in the -- within their data center, then they'll drop it back. So it's very similar to some of the service provider to the clean pipe. Even in the RSA, we made quite a few service provider carriers these days, that's probably -- and [ that's what we keep seeing ] the total care service provider in the best position to offer same service, it's just not as aggressive as the scale that some other are marketing on other parts. But we do working more closely with them. We have a technology product to help them position that way. And I do believe, even in a branch, you still need to have the physical route of traffic, that we need some appliance, whether it's -- and all this SASE competitor or SASE company, they don't have SD-WAN technology, you do need a networking parts or something. And also, a lot of time if you can process the security locally, it's probably more secure. And also even some carrier, they're starting to do their own kind of SASE. They did some [ type ] in launching their kind of own security evaluation. They kind of evaluate how the data now to some SASE data center, how they go through the security screening compared to how this carrier used the old product. They come up our solution out there, carrier solution is much more secure. So you still have to go through, you have to bring the traffic, whether there's an intrusion, there's a virus or perhaps an encounter, you still have to do the same. So in the end, you can see who can do better job to clean up the traffic in a most efficient and fast way to do that, right? So that's why local do have like a lot of advantage on latency, on convenient power process compared to other traffic, you actually add a traffic cost. So that's where -- but I do upgrade the SASE to kind of lower the management cost, because I see that area is no longer my problem for the traffic or whatever. The other people, it's their problem anymore. It's similar like how this carrier helping a lot of branch office enterprise, they sort of [ implied ] the strategy. So that's why I keep on saying, Zscaler is a partner, more like -- we partner with a lot of other carrier/service providers, it's the same thing. So we do view that as one of the service provider, we can offer whatever easy for a customer, whether on the management side or more security side. And it's the same strategy.

Okay. That's helpful. Maybe I'll take a step back and just ask about -- ask a macro question before we get into details on the product. So obviously, there's a lot of focus on the coronavirus. You have both a supply chain potential implication as well as maybe some implication from a business activity perspective. Can you just update us on whether you see any disruption in either of those components?

Sure. First, from the sell side, we just finished the 2 months, the quarter -- the previous quarter and current quarter is the same. So we're on track for first 2 months, so we don't see any issue or problem there. And -- but do -- the third month should account almost 50% of the business. So that's where there it is still risk. We're not changing the guidance so far. And also from the supply chain from other manufacturer side, we have over 90% manufacturers outside China and it come down like a single-digit of our manufacturing. And also a lot of low end. Because we more manufacture with them directly, a lot of low-end actually already manufactured because we also care that the overall cost, including shipping cost, is a lot of low-end is shipping by sea are already manufactured a few months ago. And so we -- so far, we don't change any of the guidelines and so everything is on track. But I do believe there's a [ bold ] dynamic, and there's still the risk, so...

Yes. I think the way to put it, it's a very dynamic situation that we're looking at. As Ken pointed out, we're -- the third quarter of any -- the third month of any quarter tends to be about 50% of our billings. This quarter is no different. But the first 2 quarters have been defined. This is one of those advantages of having a really long SKU list because we can swap out one FortiGate for another if there's a shortage in one versus the other, in terms of that. So we're looking at all those sort of dynamics if we need to be able to do that. But at this point, it doesn't seem to be an issue.

Okay. And did you factor in some caution. I mean, beyond the coronavirus, is there some degree of caution in terms of the global macro environment in the guide for 2020? And what are you seeing in terms of just overall demand, particularly in areas like EMEA, where we've seen more inconsistency?

We don't see much impact, at least it's not quite mature. We do see certain industry like whether it's the cruise line or is it certain airline, maybe a little bit slowdown. But we are still broad and cover different vertical, and also still broad and cover a large [ traffic diversified, ] so we don't see that as much as the results or impact it.

Yes. It really goes back to -- at the Analyst Day and starting in the third quarter call, we started talking a lot more about the diversification in our business. And in 3 different ways, and I'm probably going to forget 1 of the 3. But a lot of them is geographic diversification. The fact that 50% of our billings come from 80 countries. And those 80 countries, not one of them is more than 3% of our billings. The other 50% comes from 6 countries, one of which is the U.S., so call that 25% to make the math easy. That gives you 5 countries in 25% of my billings. Those 5 countries are the U.K., France, Germany, Canada and Japan. Thank God, I remembered all 5 of them. So no real concentrate in any particular country, other than the U.S. with the 25%. We have vertical diversification in the sense that we talk about our top 5 verticals. I know about 2 years ago, we stopped giving all 5. I promise every quarter, I say all 5 add up to 65%, just like they have for the last 14 quarters, which is why I stopped giving it. So we have diversification by vertical. And then we have the diversification by product. Not just the extensive SKU list that we have but also our fabric products and our cloud products, which we haven't talked about yet but I'm sure you're going to get there, are growing faster than our overall FortiGate business, right, and our non -- call it, our non-FortiGate stuff. So we have a variety of different levers we can push in different ways.

Speaking of products, can you -- you've discussed the new NP7 word processor, it delivers a lot of performance improvements and you continue to iterate on your ASIC based chips and you'll be coming out with new products based on that new network processor. But one recent appliance launch that you came to market with is the FortiGate 1800F NextGen Firewall. Can you just talk about meaningful this new product potentially could be? Is it something that investors should pay attention to in terms of whether it could impact the top line growth? And is there any -- maybe, Peter, is there any gross margin impact that investors should be aware of as these new products are released?

Yes. We don't see there's any gross margin impact because it's the same cost for the ASIC chip but performs 5x better than the NP6, and at the same time more function compared with NP6. And so that, we feel, is the first part of our technology we can leverage go internal -- for the internal segmentation We keep on saying internal, local air network is the 10x faster than the WAN connection. In order to deploy internally, whether target the internal segmentation, replacing some of the switch or to this Wi-Fi security, you need to have a fast enough product. You don't want to slow down the whole local air network in there. So that's where 1800F with NP7, the first time we can do that we place internally. And at the same time, also the perimeter security is still there. So that's where we refresh still going in. We also feel that's also the one to replace some of the legacy product there, both our competitors. So that's what we feel with the -- but we do take -- like every quarter come out 1 or 2 products will take probably like a couple of years to gradually refresh in the product lines, especially the middle/high end of the NP7. And -- but we do see that market for the internal segmentation, the internal replacements, some are switch, we call the secure-driven networking and also the Wi-Fi security will take a few years. And also, the market is much bigger than SD-WAN over the WAN side. You have a lot of advantage. So we're keeping you less into this product technology because there is still a huge gap between how fast network can grow -- I mean, how fast network inside compared to network security. And network security has so many functions and has to be in line, and then -- but it's kind of very costly and a lot of difficult to manage. So we try to still stop that problem.

I think previously, you all have said that you're not necessarily tied to the "refresh cycle" within the industry as maybe some of your other peers are. But what is enabling the solid product revenue growth? Is it these new use cases, like micro segmentation? Or is it the new -- well, probably related, the need for greater performance requirements, so you're upgrading the box? Can you just talk about some of the drivers of the products on the product side?

Yes. The refresh more like referred to the traditional, we call, perimeter security. And because it's really is a gateway, connect to outside Internet the internal company network. And networking keeping those who follow more slow, every 18 months, they double the speed or whatever. But somehow just like any networking gear, after 4, 5 years, it needs to be replaced, right? So that was still keeping going. But overall, perimeter security now growing almost flat. They're also not dropping. Internal security is still more secure than outside, and so that still need a perimeter security. So that's where we are. Whether a little bit less market share in enterprise in the past, 5 years ago, compared to some of our competitor, and that's why we keep saying the refresh and whatnot, have much impact to us. But we also see a lot of new opportunity, like SD-WAN, like a [ hub ] or SD-WAN customer, the new customers come to us, they're never using FortiGate before. And also, we're starting to see the kicking off of the internal segmentation, internal Wi-Fi security, we bring in some of the switching. I do believe that market probably much bigger than the SD-WAN security market. Just somehow the current technology, not be able to serve that market in a secured angle. And we do believe the NP7 with the 1800F is pretty much a first product fast enough to do that. So that's where we're keeping using we call the secure computing region. So that will compute what any other competitor compared to the industry average, doing the same security function and the same cost, how much faster we are. On average, we are 4x to 20x faster depending on different functions. So that's where -- it's the same cost, the same security function covert deep in a security without a screening, but we are like 4x to 20x to faster. So that we can be able to deploy internally [ through the ] internal segmentation. Because so far, we are getting the company passing the perimeter gateway internal, connect that switch. It's all in a trust environment, even you bring your own compromised device, whatever, that's where the networking protocol, they cannot differentiate the application, the content, the use or the device, everything all connect the same. It's working well in the Trust environment. But with today, majority or even most attack come from the internal, whether compromised device or agent-based attack or internal other issue, is we had to be internally differentiated or secured. But with the switching technology, you cannot do that. It had to be -- depend on network technology. And now with security technology, we -- the speed also is a huge issue.

I think it's important to point out that, Melissa, I think one of your questions was kind of backward-looking of why we've done so well in the last couple of years. I think investments that the company has made, whether that's investments in new technology, which is now driving SD-WAN and going to drive internal segmentation with the NP7; investments in marketing, that gets Fortinet -- the name out there more in terms of the -- and moving into that enterprise space, so call it a new TAM, if you will, for the company; taking advantage of enterprise firewalls that are being refreshed from -- that were bought several years ago that weren't Fortinet product and now going to be replaced, so we can take advantage of that. Investments in the sense of getting our products recognized by third parties, whether that's NSS Labs or Gartner Magic Quadrants, to make sure that we're sort of checking that box when we go out and sell. And you're starting to see the benefits of some of that today. You're starting to see it in greater recognition in the enterprise side. You're starting to see it in SD-WAN sales in 2019. You're going to start seeing it in the NP7 and the 1800F and products that follow. That being said, I think the 1800F, when we go back to your macro question and our guidance question, when we built up the guidance for 2020, we looked at a lot of different factors for the quarter and for the full year, I wouldn't say that the NP7 or the 1800F were big in that number because the chip just came out and the new product just came out a couple of weeks ago, and that's a high-end product. So you've got RFPs that have to become proof of concepts, which have to become sales. And so we're not building a lot into that in terms of 2020 guidance. But I think the investments the company has made over the last couple of years is driving the success that we did.

Okay. That's helpful. So it's clear that you have the performance advantage with your ASIC-based chips, and you have the new network processor that's coming up. I'd like to talk about the broader kind of platform strategy and the subscription offerings that you have through your Security Fabric. Ken, you talked about you're seeing a trend towards consolidation within network security, but you have other players in the market, obviously, Palo Alto, Cisco, that do also talk about their platform as well. Can you just talk about how you're differentiated with the Security Fabric? And is there a broader portfolio starting to resonate with larger enterprises?

Yes. I see there's 2 consolidation. One is within our security, right? So that's where like compared to 10 years ago, the top players starting more consolidated than other smaller players, gaining more market share. So that's happening because network securities are interesting. You have to deploy in line to stop the bad traffic and then you need to keep adding more function there. So the more function is added, the more company empowered. So the smaller player, whether they cannot keep up adding new function or they cannot do integration or consolidate all these functions. So that's happening in the network security space. But also, network security is the biggest part for the whole cybersecurity space. They're also starting to consolidate some other players. So now you can see a few network security player. I know endpoint security company tried 10, 20 years ago, whereas the [indiscernible] they try to consolidate some. But it's not quite happening. Not only network security become a biggest player in the whole cybersecurity space, they also try to get endpoint together, they tried to get some other like e-mail or web or some other sandboxes, some other -- all these together. And because we consolidate or integrate or automate what the -- to lower the management cost and also can be more secure, like how endpoint can working with networking, working with a different e-mail, web, all these kind of things. That's also suddenly happening. That's why, for us, so we do see the fabric growth rate almost double compared to the network security. In network security, we already gaining market share, we grow faster than the whole space. But it's the Fabric part, which is really the platform including endpoint, including e-mail security, FortiMail, FortiWeb, like a [ FortiAP, ADC ] and some other ones. So everything is under Forti, so it's very safe to deal with. And it's also kind of consolidates them. So that's what the feedback from a lot of our customer, even you only have 70% of the function because you integrate, you automate together, we still prefer yours compared to the point solution. That's also starting happening in that space. So we do believe we have a leveraged position compared to competitor and the issues relate to integration and automation. So if you keeping acquire company, whether the bigger networking company or some other cybersecurity company, if you come for acquisition, the integration of its products, whether in the product level or some other like architecture strategy level, so that's where some bigger companies have difficult time for integrating to a single product. The network security product has to be a single part demand to have multiple function, or they have to make a different piece working together. So our fabric product is a [ some ] product right now, mostly the internally developed. They integrate ultimate from day 1 to [ resend ] our way. And we do acquire some other company. And before we acquire, we also make sure they are already on what we call a FortiPartner. They can integrate, automate together first. So we cut the integration part first before acquiring them. And make sure after 1 quarter, they can all working together. So that's the strategy we have.

And the company he's talking about Security Fabric, I think I looked back at press releases, might have been in 2016, 2015 time frame. If you look at it today, for 2019, it was over $0.5 billion business. And that's anything that's non-FortiGate. It's anything that's not a firewall. So that means for the client, for the [ system ], for the sandbox, for everything else, including the services they get attached to that. I think at -- some people forget that there's a product there, but there's also the same FortiCare and FortiGuard that gets attached to that. And that also includes our cloud business. So anything that we virtualized and have on our platform in the cloud would be anything that's -- including our virtual firewalls, will be part of that non-FortiGate bucket, which is over $0.5 billion in business. And growing faster than the overall business.

Wasn't -- you mentioned virtual firewalls, I guess, maybe we can pivot into the opportunity for securing the cloud. If we look across the network security vendors, virtual firewalls is still such a small piece of overall network security spending. But we see workloads continuing to move to the cloud. Enterprises are adopting it, not 100% cloud. It's certainly a very robust hybrid mix. And so why do you think virtual firewalls are still fairly small relative to the overall market? And then a related question is, how does Fortinet play just given your differentiation really doesn't turn around the [ edge-based ] test?

From many years ago, we always believe you need to have a balance about cloud and edge. And there's some application market for cloud. But when you deal with network security, you deal with all the applications. You also have to balance and manage, too. Because if you look at the data, that's where network security to try to protect. 98% of data comes from edge, not come from cloud. And also that's, by Gartner, 80% data generally on edge never go to the cloud. A lot of application like whether automate-drive the car, whatever, you have the process data locally in more of our real-time vision, low-latency way. And that's where -- Gartner also presented last week in a keynote already, they also say in the next few years, 3 to 5 years, edge would lead the cloud. That's like how cloud and mobile, either server or PC. So either an immersion technology where either cloud mobile. So maybe a few years later, we don't have to carry a mobile phone, it's our immersive wearable device will be enough or whatever. So last, we do believe you need to cover both the cloud and edge and the security technology there. And at the same time, even for the cloud player there, you probably will not be down one cloud provider, you need to make sure -- what I'm pointing out is enterprise customer, they tend to choose a multiple cloud provider. So you need to cover all of them. And at the same time, making customers who are easy to switch between the cloud provider. So that's the strategy we have when we were beginning a few years ago. So even within the cloud, make sure multiple cloud providers, and at the same time, balanced amount cloud and edge security together.

And I'd say our sales motion is more about what is the solution we're trying to provide to our customer, and therefore, what is the best way to resolve that problem. And if it's a cloud solution grade, if it's a physical solution, that's fine too. So it's not trying to drive them in one way or the other, but it's more about what is best for the customer in that scenario. And we find that the hybrid cloud scenario, whether it's compliance-driven or regulatory-driven or even IP-driven, there's a lot of stuff that's sitting on-prem in terms of regular protection sort of scenario.

Right. Yes. Okay. Let's shift to the service providers' piece of your business. It's still very much a material piece of the mix, your most important vertical. But we did see a slowdown in service provider growth in 2019, I think just against the difficult comp-ing. Can you just go through what's the dynamics of what's happening in the service provider space, both from your selling directly into the service provider for their own internal use as well as their -- selling for their MSSP business?

Yes. I think for the service provider, probably like 30%, 40%, they do internal use, and other like 60%, 70% come from the asset like a channel partner, whatever, down to their customer base. They're a little bit slowed down in the last 1 or 2 years. But since they didn't recover right now, whether in the last 1 or 2 years, they try to evaluate whether the 5G strategy or the cloud strategy, some other parts. And even the SD-WAN in the beginning, they're a little bit resistant on the SD-WAN because they have a traditional MPLS working well for them. But now they have started changing that. So especially, they're very interested in what we call a Secure SD-WAN. Even they're losing some business from MPLS, but they can make up from the security part of our additional security services, have more money of that. So we do see the service providers -- and also we do believe long-term service provider play a very important role to cover the network security. Because network security is a lot of technical and a lot of different areas and need to be real-time updates for service provider on the infrastructure, whether the data center of the pipe, they have the best position to offer some like a SASE or some other part. So we're working more closer to them. We do see the service providers having a comeback right now.

I think it also goes back to my comment earlier about vertical diversification in the sense that if you look at, again, the top 5 being 65% of our billings, service provider being one of those top 5. But government, retail, financial have all picked up to offset any sort of decline that you've seen in the space. And in 2019, specifically, and I'm sure everybody tracks it because we give the numbers, we saw a decline on a year-over-year basis in terms of the growth rates in billings for the service providers, specifically in the back half of last year. And that was off of really strong growth rates in 2018, where they were spending a lot of money. So I think they were going through a little bit of a cycle in terms of whether it's the tax breaks or whatever was driving their CapEx spending and they're spending in general in 2018 that they took a little time in 2019 to digest that. And as Ken pointed out, trying to figure out their 5G strategy and what they were going to be doing there. And we would expect that to cycle back on a going-forward basis.

Okay. Great. Let's shift to maybe just some model-related questions, and then I'm going to ask the audience if they have any additional questions. So get ready for that. So just thinking about your guide for next year, you're assuming maybe a little bit more of a modest slowdown in revenue growth compared to guidance that we've seen in previous years, 18% next year -- or this year in 2020 versus 20% last year. Based on what you're seeing in the pipeline, what gives you confidence in this level of growth? And do you feel like -- and kind of related to what we were discussing before, do you feel like there is some cushion just given the level of macro uncertainty happening right now?

Yes. I mean, I think as we talked about earlier, I mean, we go through a whole process of sort of looking at what are sort of some of the industry growth rates, whether that's for network security or SD-WAN, which has its own TAM according to Gartner, and then sort of our expectations of how we're going to grow relative to that. We have been able to outgrow the market for many years in a row. We would expect that to continue. And we take sort of a bottom-up approach from that direction. We then talk to our head of sales and who's talked to all of his regional people and kind of a top-down approach to see what they're hearing. And I think, in general, kind of come to a consensus number. Keeping in mind that we now get services revenue growth because we know probably 60% to 70% of the services revenue number coming into a year because it's coming off the balance sheet. So we give that, you back into a product revenue growth, and that's really where the variable is going to be, right, in terms of in-period sales of product that's going to have an impact on the full year number that you're seeing as a guidance number. So we're going to be able to back into a services number of revenue per -- number pretty confidently and then have a little bit of a cushion in terms of what we think the product revenue growth is going to be.

Okay. Got it. All right. We have a few minutes left, so let me just see if there's any questions in the audience. Does anyone have anything? Otherwise, I'll keep going. Okay. I'll keep going. Shifting to margins. A few questions. The first is just thinking about FY '20, you do have a little bit of an impact from M&A. But if you're excluding that M&A impact, you're expecting margins to be up slightly on an organic basis. Can you just talk about what are the main investment priorities this year and where we could potentially see more operating leverage?

Yes. Just to level-set, we guided to 24% at the midpoint for 2020. We ended 2019 at 24.5%. We said there was about 100 basis point impact from some acquisitions we did in the fourth quarter, which were very headcount heavy, about 135 heads added in the fourth quarter that are impacting the 2020 margins. I'd say from a 2020 and ongoing basis, we're investing from a -- what I would consider a position of strength in terms of our sales and our marketing. We're seeing good traction in SD-WAN. So we're going to continue to go after that. We're seeing good traction in our overall business. And so we think it's important to continue to focus on that on a going-forward basis. We guided at the Analyst Day back in November to a 3-year average margin of 25% over that 3-year period for '20, '21 and '22. And we're in line with that guidance, with what we said for full year 2020. Keeping in mind also, we also guided that back in November that we would grow revenue and billings at 15% or more. And we guided full year this year to 17%. So we're above that in terms of the 15% threshold. It really comes down to a rule of 40%. If you look back in the history of Fortinet over the last 10 years, we've achieved a revenue growth plus operating -- non-GAAP operating margin of at least 40%, when you add those 2 together, 8 of the last 10 years, the only time we didn't was 2013 and 2017. And our guidance for the next 3 years is really to achieve that over the next -- each of the next 3 years.

The 15% plus guidance in billings and revenue growth, what does that imply in terms of FortiGate growth versus the non-FortiGate Security Fabric growth?

Yes. I think as Ken pointed, the network security business -- the network security TAM is probably going to be flat to maybe up a little bit in terms of growth rates. We think we can grow better than that. Part of that is going to be accelerated by SD-WAN because we're selling FortiGates into that opportunity. But -- so that's part of it. And then we have to look at our non-FortiGate business in terms of all the fabric products, the cloud products that we have in that and sort of how the other platform is helping to -- as Ken pointed out earlier, one of the growth drivers is really starting to consolidate the industry. And the industry consolidation...

Yes. Well, the network security, and as I said, the traditional network security, I mean, traditional perimeter firewall relatively flat. Not counting the SD-WAN, not counting the internal segmentation and the internal Wi-Fi SD-WAN.

Internal segmentation is an additional thing that gets -- could be another growth driver, but going forward.

Right. Okay. Well, we're all out of time, so we'll wrap it up there. But thank you so much, Ken and Peter. It's been great. Thank you. Thank you, everyone.

Thank you.

Thank you.