Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

Yes. We're going to segue over to our next panel. And welcome to the program, Rocco Grillo, Susan Whittemore, Jonathan Nguyen, Jay Gonzalez and Gerald Beuchelt. Welcome. And Rocco, why don't you take it away? Hopefully, everyone knows Rocco. He's an amazing individual.

Hunter, can you hear me okay?

Yes. I can hear you. Can't see you that well, but jump in. Go.

Give me just 1 second. I want to update that. Apologies there. We're good. Okay. Hi, everyone. Rocco Grillo, I've spoken at a number of HMG's events and appreciate being able to moderate this one today. We've got a number of esteemed panelists here today that represent cybersecurity an evolving network -- evolving enterprise. And given what we're going on through COVID and just the whole -- we've said a lot throughout the presentation and just in the industry work from home, work from anywhere. There's been a lot on the cyber side as far as embracing what are the things that we should do to make sure we're secure. But at the same time, a lot of the things we're seeing with clients, companies, just in general, the industry at large, the companies that are able to accelerate are really embracing this and looking at this, not so much as a positive, but the next level, the next innovation as we evolve as businesses, as enterprises, industries. What we'd like to do is just go around to our panelist with them, introduce themselves, give a little bit about their background, and then we have some questions lined up for them. Jonathan, would you like to kick us off?

Hi. Many thanks for allowing me to have this opportunity to meet with you all. My name is Jonathan Nguyen. I'm the Vice President and Field CISO at Fortinet. Been involved in cybersecurity for 25-odd years now. Prior to my time at Fortinet, I was at Verizon, where I was working in the MSSP practice in the Data Breach Investigations Report. I'm looking forward sharing thoughts. I think the biggest challenge we've got today is that we've got 2 major tectonics just happening simultaneously. And previously, we've had that yin and yang between distributed and centralized computing. And now we have both forces occurring simultaneously, evidenced by the movement to cloud and adoption of cloud and the simultaneous movement to the edge in terms of remote working and all things smart platform and connected platforms. So I think it's an unprecedented stage for technology and security specifically.

Great. Thank you, Jonathan. Susan?

Thanks for having me. I appreciate the opportunity to be on. I'm Susan Whittemore. I'm the founder and CEO of Tiffin Cyber. We're a company that helps smaller businesses improve or build their cybersecurity programs. And I've got about 20-some-odd, like Jonathan, maybe 25 years of working in this business, mostly in large financial or enterprise settings. Spent some time with a retailer who had just announced a breach some number of years ago. So I've been from working in this industry, everything from mainframe technologies, right up until blockchain and all of this COVID work, so never a dull moment. But my company is really focused on the underserved market right now and having a lot of activity and fun in that realm.

I'm sure. Thank you, Susan. Jerry, over to you.

Thank you so much, Gerry Beuchelt. I'm a CISO and VP for LogMeIn. We do products such as LastPass, Rescue, GoToMeeting, GoToWebinar, those kind of remote working products. And we've been actually very much interested in seeing how other companies have been adopting to the current lockdown situation. For us, it was actually a fairly interested -- fairly simple to move forward just because we had a remote workforce about 40% prior to this and then moving from 40% to 100%. It did come with its challenges, but it was actually relatively smooth. But often, a lot of the smaller companies on the way here, our customers, was important to us. Prior to LogMeIn, it was a CISO Demandware, now part of Salesforce. So we did a web retail essentially running the retail stores. And I had a bunch of other things before including some government work and way back in the day, some microsystems.

Fantastic. Thanks, Jerry. And I know Jay Gonzalez was going to join us. I don't believe -- I believe he had a matter that had come up. He's not going to be able to join us. But with that, we're going to jump in. And for myself, personally, or just even our firm, we're about 5,000-plus people across 4 continents we're in week 10, remote. And for me, I mean, even just -- not just with the HMG session has been able to participate across the country but just the whole travel and going from office settings or a client settings to remote. Everyone is going through this. So it's not so much -- this is new in a lot of instances, the new normal. And I know -- and preparing for this, many of our panelists have had examples or experiences not only at their companies or as well as with partners and clients that they're working with.

Jonathan, I'm going to throw it over to you and this widely used term, the new normal, what is that going to mean for us as we continue to evolve? Because I think even if you go back a couple of months ago, nobody would have anticipated. Here we are, 3 months in plus, not to be U.S.-centric but, at the same time, the new, new. We're in the middle of it, and it's going to continue to evolve. What are your thoughts on that?

So I think the "new normal" is basically an acceleration of those macro trends in digital transformation that we've seen over the last 3 years. I think it's going to be much more hybrid. It's much -- going to be much more distributed. And I think the operational model is going to be termed contactless commerce and communications. And so what you're going to see are huge spikes in data flows. And at the same time, as more and more work is being done remotely, the business objectives, the security objectives, the compliance objectives, the privacy objectives don't go away. In fact, the main challenge moving forward is how will you replicate those previous sort of face-to-face transactions, things like doctors visits, professional services, things that have high confidentiality, integrity and availability. But now you're going to be trying to do things like that remotely where you'll have millions of connections and request for network access simultaneously, all of which, 90% of which probably will involve encrypted traffic. And then how will you ensure the application of things like zero trust principles across millions and hundreds of millions of sessions simultaneously, right? I think the main challenge is going to be how do we scale the architecture to deliver all those outcomes at speed and scale because no matter what happens, our customers, our employees, our stakeholders all expect really heightened user experiences. And every CISO, every CIO I've spoken with over the last 2 weeks have said, "Look, it's still the same requirements. We have to deliver on our business objectives, and we have to deliver an enhanced customer end-user experience." The challenge is now because, for the first time, the vast majority of our staffs are working outside the "perimeter" is that zero trust is no longer just a buzz term but now a practical reality that they're all trying to implement. So I think that's going to be the new normal, much more highly distributed, much more hybrid. And the modern enterprise architecture is going to look very distributed. It's going to look like elements that are SOHO, elements that are retail, elements that are branch offices, elements that are traditional enterprise networks and then elements that are cloud and enterprise. And that's going to be -- raises the level of complexity. And so faster, broader and far more complex.

Without question. Thanks for that, Jonathan. And I know, Gerry, when we were prepping and talking about some of the areas that have evolved, we looked at a lot of things, how companies had jumped out and trying to make our employees aware. Almost commendable job, by and large, for companies. They even, if you heard from some of our CIOs on the panel earlier where, in a blink of an eye, we've gone from working in office arenas to our homes overnight. Awareness has been enforced to the tenth degree. But in terms of business continuity planning and resiliency, Gerry, you had some thoughts when we were preparing. Can you expand on that a little bit?

Yes. I think what was really interesting to see how our own business continuity plans ultimately worked out. I think it's not a big secret that until recently, we really -- a lot of companies did not necessarily take all so seriously. It's like, yes, sure, we have a BCP plan. Yes, we practice that. We do the tabletop. We just want to do all those things because you know what, the auditors make us, right? At the end of the day, however, it's like there's sometimes what I've seen in, not just 1 company, not just any sector, generally, a somewhat lackadaisical approach to business continuity and disaster recovery in certain kind of areas. I think what we've definitely seen is like as we were looking at the -- our own plans and it's like -- then making sure that we can adopt them to the current situation, there's always something to be learned. It's like they're never straightforward. It's like even if you have a tabletop, they did talk about a massive work-from-home kind of situation, maybe not necessarily in the context of a pandemic. You always learn more things, especially as you go through those kind of events. And what we found to be extremely effective is that as we are now going through this and as we are recording pretty much every meeting that is topical to this thing, we have to update our plans on the go. And we have to really get those kind of learnings in place in order to be able to be prepared for another situation. I think this kind of agile approach to making sure that we have the understanding of the learnings from these kind of events really will help us down in the future. And it's like it's something that I can really only encourage every company to do. A key element of this was really around our awareness kind of programs, and it's like reaching out to employees. We've been doing that on a regular basis, and we've been very lucky to really reach everyone within an extremely short period of time, days, literally, from an IT perspective, from a security perspective as well. And from a what do I do now? And it's like I've been providing the kind of tools to our employees because we have been planning for a work-from-home scenario. It was actually more of like what happens if a major [ new cases ] strikes in Boston. That could happen, right? So it's like transferring this over is like -- it's something that was critically important and really helps companies drive forward. And I think that is one of the big learnings from this whole exercise that we've been doing right now. BCPs and BAU plans are going to be significantly more important in playing a bigger role in terms of like driving your business and making it more resilient.

No doubt, Gerry. You're spot on there. We continue to say we play like we practice. We don't take the team the day of the game, whether it's a simulated cyber attack, business disruption or pandemic. We're never going to have the crystal ball but having those measures in place. And I know, Susan, when we were preparing as well, we look -- more and more we're continuing to hear that vision has spiked as much as in a blink of an eye, as I said earlier. We're in that whole work-from-home mode or work from anywhere for that matter. There's a number of considerations that have to be taken into place. And I know you had a lot of good thoughts on that. If you could share some of those, that would be great.

Yes. I mean just to tap into the awareness in phishing realm, I think that's vitally important. The criminals are taking advantage of this new situation, right? There are scams abound. And just having that constant contact with employees to have them understand what threats are out there, right? There's always that angle of looking at threats, making sure they're really diligent about looking at e-mails and clicking, making sure that staff is now aware of their surroundings, too, in the home, making sure that their own networks is secure, making sure that their own IoT devices are taken care of. The larger enterprises will have lots of mechanisms on a person's laptop, may need to have some additional data loss prevention controls, right? Because all of a sudden, we've had to open up print, things like that. The analysis and monitoring that a SOC might do that entails behavioral analysis, right? Behaviors now change. Working longer hours, working different hours, working differently, right? So it kind of turns on its head some of those monitoring aspects. So I think there's a lot of things. CISOs and security organizations are -- have to be agile anyway to accommodate threats, to accommodate new controls. But lots has happened all at once. The business strategies changed. Tech, the threat landscape has changed. The technology landscape has changed. Big adjustment all at once. But there's a suite of controls that the enterprise has that can be tweaked to accommodate. But I think the employee aspect is really most important, staying in touch with the employee. That's where the biggest weakness is going to lie in this new model. And the vigilance will be key.

Fantastic. Thanks for those points, Susan. And you mentioned one on the employee. They're the Achilles heel of any security program or even enterprise security. You could have all the technology in the world, all the professionals like we have on this panel and all the process but, at the same time, all you need is that proverbial click on the link and it can come down like a house of cards. We've seen still ransomware attacks that we're helping companies with. You mentioned the phishing. Another point, you look at BYOD or even, a lot of times, companies are -- have had controls in place for situations where you can insert a USB stick. You mentioned data loss prevention or you've got controls in place that an employee can't print over the WiFi to their home printer. And we've seen situations where an employee will just e-mail it to their personal account then print it, and they just -- they take a step back and say, okay, that wasn't the intention of that control. But Jonathan, I know we were -- when we were speaking, some of the things you threw out, what CISOs -- we're stabilized right now. We're operating. What are a couple of 2 or 3 things that CISOs can do as we continue to move forward through this? We're stabilized. But now that the criminals know what's going on, we're remote workforce and reliant on limited teams and so forth. What are some things that CISOs can do as we move forward?

So I think you're right. What surprised me most during this pandemic was what didn't happen. The carriers and the service providers are able to scale. The large part of the enterprises were able to maintain continuity. What did surprise me was the failure rate and security awareness training. And so everyone scaled up their awareness training as more folks move remotely, and there are a couple of security vendors who released their results of their employees. And the failure was on the rate of 1 and 5. Now going into the pandemic, the failure rate was at 4%, 4 out of 100. And so we've seen more and more people being phished, even security professionals being phished. And what that tells you is as we go through a more remote working strategy is that what we used to call enterprise-grade features and functions now need to be extended to wherever the data and the users are. So in the case of what Fortinet calls the Uber users, the higher privileged users, the leadership teams, they may need SD-WAN at their home. Our CMO has stated publicly he's got SD-WAN in his home. He's got 2 ISPs because he needs to ensure application awareness, application and WAN optimization, along with security functions, right? And so I think 1 of the things that CISO need to do is to review their data and process classification plans, make sure they did account for everything. Do they need to tweak anything? Did they find any new dependencies that they haven't accounted for before? How do they address that? They need to ramp up their security for the remote users. And they need to think about platform consolidation because, yes, there's more and more technologies and more complexity. One of the best ways of doing that as we move forward is to consolidate platforms around the idea of hyperscale operations, millions of simultaneous request for access in sessions and transactions that all need to be logged and monitored and analyzed for anomalous behavior, which Susan said so rightly. How do you account for anomalous behavior when everything is anomalous in the first 6 weeks, right? And then finally, I think as we move out of this pandemic, CISOs really need to think about what we said in week 2, which is that we now operate in a hostile multidimensional operating environment called cyberspace. And the presumption is that your network has been compromised. Your devices have been compromised. And you're actively being attacked by elements that you own. So as a CISO trying to implement a reasonable level of care, yes, I have identified and managed risk. You also need to account for the risk that you likely have already been owned. So those are the top 3 things.

Thanks [indiscernible] Thanks, Jonathan. And I know we're short on time. Just a closing point. I want to throw it out to Gerry on some of the pieces. One of the points Hugo made earlier about embracing this with the business as much as, for the most part, you hear about all these different things, whether it's the ransomware that we talked earlier, the employees to think that phishing is spiking. But I think from what we're seeing is the companies that are going to embrace this, the companies that embrace new technologies 20, 10 years ago, the cloud and so forth, the companies that are going to accelerate their digital transformation. The companies are going to embrace the remote workforce are the ones that are going to excel. Gerry, with what your company does and the background and things that -- what's one thing, as we wrap it up, that you see going forward?

I think what we're going to be definitely seeing going forward is that the traditional office networks are going to crumble. It's like I think the whole idea that's like I am in a special place and, as such, I have the certain types of access rights or not. That is truly a thing of the past and the zero trust kind of model is going to be absolutely prevailing across the board. It's like you've definitely seen this before already. It's like there's a lot of people have already been starting to roll this out in different kind of ways. But I think this whole thing is really going to accelerate this significantly and drive the notion of no longer trusting endpoints, no longer trusting networks, no longer trusting anything, really, right now, when it comes to access to your critical resources. I think what this also will do down the road is like, as we are deemphasizing certain type of technological controls, is that people are going to be more at the center of what the security is truly about. And this is how it should have been like from the first go. It's not the latest mousetrap that you install or the coolest new toy that you put up somewhere that actually provides with reasonable security is really a consensus across all the participants in your networks, in your organization, that security is a significant part of what needs to be done and is part of the foundation, truly, of any kind of successful enterprise. So from that perspective, I think these 2 things together is like are really going to be -- they're actually going to be co-constituent, in some ways, in order to help us take off for the next wave.

And Gerald, great.

Fantastic.

Thank you very much. Rocco, great job. I want to thank the panelists: Jay, Jonathan, Susan. Awesome. And just invite all of the participants that -- speakers that were here today back to the program. If you want to turn your cameras on, you're welcome to do that. A big thanks, guys. What a great successful summit, the 2020 Virtual Boston CIO -- CISO and CIO Executive Leadership Summit: Reimagining the Business and the Future of Work. Big thanks to our speakers and our partners: Nutanix, Illumio, Zoom, Adobe and Fortinet. Really appreciate your support of the network. Nicky's got some results from the poll. I think Nicky, you're going to jump back in. Nicky? There we go. Thank you, Nick. So 54% would be very distributed. 70-30 split between remote and office. That's an interesting dynamic. So hey, look, again, thanks, everyone, for your engagement, support. Please spread the word. I think that we have a different angle, a different space that we're carving out here: lead, reimagine, and reinvent the whole customer experience, the whole business model, the whole workforce stack, to reimagine, reinvent the whole workplace. That's where you want to come to us for that space. We'll be publishing more research and talking more about it into the future. Again, thanks so much. Really appreciate it, everyone. Have a great day, and stay safe.

Thank you.