Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

Welcome back. I'm Rob Owens with Piper Sandler. Pleased to be joined by my colleague, Jim Fish, for our next session. We are happy to welcome Fortinet to the discussion here, relative to SD-WAN and SASE and kind of the future of these 2 categories. From the company, we're joined by John Maddison, who is the CMO and EVP of Products; and familiar to most of you folks, Keith Jensen, who is the CFO. So gentlemen, welcome.

Thank you.

Today is Friday and thank God it's Friday.

It really is Friday.

Yes. So John, maybe you could start for us just by a quick introduction. I think you're familiar to some but probably not all who are on the webcast today. Just relative to your role at Fortinet, maybe a little bit about your background.

Sure. Yes. So John Maddison, I've been at Fortinet about 8.5 years and Head of Marketing, CMO. But I also look at all the product information, so I work very closely, obviously, with our CEO, Ken Xie, but also his brother, Michael Xie, on the product side. Before Fortinet, I was at a company called Trend Micro, another cybersecurity company, focused on endpoint software. I was actually the General Manager of their Cloud division. We started that in 2008, can you believe. And then before that, about 10 years at Lucent Technologies, working on wireless networks, networking and fiber optics. So -- yes, so about 18 years' worth of cybersecurity experience.

Great.

And also -- I also, in my spare time, run our training program, which, over the last 2 months, has absolutely exploded. It's called the Network Security Expert.

Sure. So I guess diving in, and stealing from Mark Twain a little bit, reports of your death have been greatly exaggerated, I think, over the years. And I've been a security analyst for, I hate to say, but 23 years at this point and I can -- and Jim, I'm making sure you're on mute right now, so you can't comment. And the death of the firewall has been predicted since about 2010, 2012, I think depending on which network world article you pull up. And the evolution of the firewall has been greatly contested, I think, over the years and what its role has become. And I just want to put this in perspective around your recent success. And if I look at the trailing 12 months, you've amassed $820 million of product revenue that would be tied to those physical appliances that everybody said is going away. And that $820 million has actually grown at 18% year-over-year, which is probably twice the growth rate of security, if not 50% greater than where security is growing, depending on your perspective on the industry. And in the most recent quarter, I think the stat Keith gave was that there was 30% unit growth actually for FortiGate as well. And so in this world that is going virtual, is going cloud, we'll never have another need for an on-premise solution or an appliance, it seems like Fortinet is doing very well here. And I think that relative to this topic, you've made a very unique perspective around convergence of SD-WAN and security to the market. You were early into the game from a vision perspective of bringing the 2 technologies together and, obviously, have gained share in the marketplace. So maybe share with us kind of some of the vision, your thoughts around the convergence of these 2 areas and why you've been able to drive some success.

Sure. The death of the firewall reminds me of the statement back in 2010 with the death of endpoint. I think endpoint security is now $8 billion. Network security is $13 billion. So we actually referred to it as security-driven networking. And it's the premise the company was founded on back in 2000 by Ken Xie and Michael Xie, was that networking and security were coming together. And to enable this, you couldn't use off-the-shelf type technologies, you had to build something to enable that speed. Because if you think about firewalling, it's come a long way. If you compare it to networking, routers and switches, that's pretty much stayed the same functionality, but what's changed is the speeds and feeds. Network security is different. You've added firewall and UTM, Next-Gen Firewall, SSL inspection, now SD-WAN, and you really need to be able to kind of provide that performance across those things. I think from a market perspective, I'm not going to go through digital innovation and sophisticated threats and ecosystem. Everyone kind of knows this. This is what's driving the marketplace. It's making it, to my mind, very challenging for customers but also very challenging for vendors because you need to invest a lot of money to keep up. I also think that sometimes people forget why we're here, we're here to stop breaches. We're here to stop ransomware. And sometimes we get overly concerned, I'd say, about infrastructure buzz terms. I think the latest is SASE. We'll see how long that one lasts. I remember the conversation back in 2012 and '13 around UTM versus Next-Gen Firewall. It was the same thing. People just decided that Next-Gen Firewall was a better-sounding term probably, and that's what went out that day. So the acronym soup that gets spewed out here and the vendors take it and adjust it and align it to whatever they've got, this kind of reminds me of the data sheets. Everyone aligns their data sheets to how their product works. I always tell customers don't believe the data sheets. Look at your own information, look at your own requirements, look at your own traffics, et cetera. But again, I think from a threat perspective, you need to be careful. You need to make sure you can look at the huge volumes we see right now. You need to be able to cover the different threat vectors coming outside there. You need to be able to kind of look at the whole life cycle, whether it be social engineering, whether it be exploits, whether it be insider threats. For cloud, it's more misconfiguration. The only way we think to do this, and this is how our vision has evolved a bit, is a platform approach. A platform that covers the attack surface. A platform that can stretch from hardening to protection, detection and response. Because otherwise, you're going to miss something. The sophistication of the threats, the life cycle, they have multiple attack vectors, multiple ways of spreading. And so I think our vision has gone from, yes, we need to be able to bring networking and security together to more of we need to build a platform. I also -- when you look at the infrastructure piece, though, I think people will get overly focused on the human application piece. Yes, absolutely, people are moving applications from data centers to the cloud. But there's all different types of cloud. There is obviously some SaaS applications. There's infrastructure. I -- we still speak to customers who are building their own hyperscale data centers. And we're speaking to customers on manufacturing and building edge compute. And of course, we've got vendors who want to deliver the security via the cloud, security from the cloud, security for the cloud. And so this compute world is very hybrid. On the other end, you've got devices and users, trusted and known, managed, unmanaged. You've got all sorts of different -- but this network piece, people forget, it's the critical piece that connects users and devices to the applications and data. And this isn't going away. This isn't moving into the cloud. This is something that enables your quality of experience. And whether it be 5G that's coming, whether it be, hey, I've got to get on the network somehow through access like switches and access points. Obviously, I've got to make sure I've got core segmentation. And probably the latest and greatest, of course, is SD-WAN, which gives you more flexibility. And SD-WAN, in our mind, is very, very critical technology because it guides your users and devices to the right application in the long term. And SD-WAN, in my mind, is not just a branch office technology. In fact, I'm broadcasting today with SD-WAN in my home on my FortiGate. And we believe it's home. We believe it's the branch. We believe it's for your campus, for your data center. It will connect distributed clouds together. And that's why we took SD-WAN technology and built it inside our product. It's much harder to do it that way. We've built it inside there, so you can switch it on at any point across the network.

So quite a bit to unpack there. And one of your first comments in terms of hybrid architectures and what end customers are doing, and I know you spend a lot of your time with those end customers and their intentions of building out hyperscale data centers. Have these things changed in the current work-from-home environment? And we hear about digital transformation, "I'll never build anything on-prem again." Where are customers from your perspective? And where have those discussions been over the last few months?

Well, they're [ probably ] across all these areas. It's not just like I'm building -- putting things inside the cloud. I still need a very high-quality network. A lot of the -- as you say, a lot of the restaurants had -- I mean, they suddenly woke up, they were kind of waking up, but they suddenly woke up, "It's absolutely critical to have high-quality connectivity to my retail offices." And then, of course, work from home, a lot of people -- a lot of companies probably had gone to maybe 5% to 10% of work-from-home secure connectivity. And all of a sudden, they has to go to 100% and so they expanded that. But we're also seeing people like expand their work-from-home experience in terms of almost installing kind of a mini enterprise network in the home for power users. The same for people -- the devices for factories where they're IP enabling. So to us, it's not just one specific point product in a specific area like cloud, it's across the end-to-end area, whether it be users and devices, OT, IoT, whether it be the network, we see 5G being a big technology next year for connectivity and inside their network and all the different compute models. Our long-term vision is that this end-to-end platform long term will be AI-based for both security and operations, enabling securities to go where it needs to go quickly, whether it be detection or protection or response, and pre-enabling operations to make Zero-trust provisioning, to predict failures inside the network in an AI methodology. But again, you need to build that, in our minds, organically because it's very, very difficult to just keep buying products and then bolt them together with a management console on top.

And to your earlier comments about the integration of the networking layer. And I think if I go back through my career, historically, there's always been this conversation of networking versus security and one versus the other. And networking has always been perceived as strategic, at least historically, given the scale of the business; versus security, which has been only layer 4 through 7, and it's been very tiny relative to that networking opportunity. Now Jim Fish and I might argue about this and might agree that, historically, if you look at the networking guys and as they've moved into security, there's been limited success. There's been some very good successes. There's been other things where it's been almost a least common denominator type of model, where they just start to subsume base layer functionality and technology, and occasionally get it right but mostly they get it wrong. But a security company coming back into networking, why is this working? Why are you becoming kind of a strategic focal point and beachhead relative to that customer set?

Well, it's very different skill sets. And about 5 years ago, when we first started seeing SD-WAN appear -- and by the way, SD-WAN technology was -- came in about because the routing technologies weren't changing the methodology. This hub and spoke was changing, and they weren't changing. So all these SD-WAN vendors popped up. But they're all networking vendors. They started on-premise of networking. Well, we came from it in that we had a lot of customers on UTM or Next-Gen Firewall for the distributed enterprise or the retail kind of marketplace. And these marketplaces came together. I remember talking to some of our executives and saying, "If we can get -- from a security perspective, if we can get to SD-WAN before the SD-WAN vendors can get to security, and I think we have a really good chance in this marketplace." Now I don't think the SD-WAN vendors have actually taken on that challenge. They still remain mostly networking vendors and they've kind of offloaded the security to some -- maybe some cloud model. For us, it was very important to build it inside there. It's not easy to do. One of our competitors recently kind of gave up and acquired something. But our heritage has always been on the networking plus security side. Our networking stack is very powerful. We're just as comfortable going up in a pure networking head-to-head with Cisco as we are on a security head-to-head with Palo Alto Networks, and that's kind of unique in the marketplace. But it's very important to us that we can do both equally well, and then we bring it together and then we accelerate it through some of our ASIC technology. Or we can accelerate in the cloud, it doesn't -- you can do it in different places, brings a really good value proposition to the customer.

I just kind of want to interject there. Fortinet always had a strong presence with understanding the network. And you just alluded to one of your competitors just buying a more application-centric SD-WAN solution. I guess, why is the more network-centric approach better than that application-centric SD-WAN approach? Or how should we think about it for Fortinet?

Well, think about SD-WAN as the dynamic path selection. That's what's really important. And you transpose -- yes, the networking stack still -- routing, there's wide area of controllers inside there. But really what the transformation is that you understand the user, you understand the application quickly. So you're doing application routing versus IP routing. And so you're using both in a way. Don't think of it as separate. You do still need to do some of that networking stuff. We still, for example, have some customers who want to implement BGP or OSPF or whatever kind of networking stack, NAT, all those networking technologies. But it's simple for them to decide on a QoS or a path selection by the application, okay? So think of them as both things. And then think about the long term. The long-term goal is that, that application router, as I call it, or dynamic path selector will know more about where you need to go and how you need to get there. Is this particular service in a different location? Is there an easier path there? Is that path down? Is it a particular QoS? And so long-term SDRAM -- sorry, SD-WAN becomes the cloud on-ramp. And the intelligence between the orchestration systems inside the SD-WAN architecture becomes ultra-important in knowing on how and where to get there. So I don't think they're kind of one or the other. They're kind combined and integrated, and you need both.

And maybe pushing the conversation to this new SASE category because people paid for acronyms in this industry. On the last call, Ken commented that there's a fundamental difference between how you should process traffic for a home user and one who's sitting in a branch office due to underlying security requirements, network latency and cost. Maybe you can elaborate on Fortinet's position. Because I believe the true definition of SASE is all cloud-based. So you guys have a little bit of differing opinions and tons of success here. So maybe you can weigh in, John.

This is the problem. I mean the thing is, if you look at the acronym Zero-trust Network Access, EPP, EDR, CARTA, SASE, the list goes on. And no one knows what the definition. So what I've done is taken the definition from Gartner, this is Gartner's paper, Gartner emerging technologies, SASE poised to create evolution. I've taken that exact definition, which is bringing network security and why they're networking together. Then what I've done, and I said, "Hey, we don't totally agree with everything they're saying." So I put a little one there against where we think it's slightly different. But this is the fundamental premise of SASE, is bringing these network security components together with wider area. Now what we're seeing is that, basically, yes, you can do some of this in the cloud, but you can also do a bunch of this via ASICs on-premise because 99% of SD-WAN installations are appliances, okay? And the SD-WAN is the fundamental technology of SASE in some ways. We also believe you've got to get on the network in a secure way. So secure wireless LAN, and LAN should also be part of this definition. That's the fundamental definition of SASE. And then when you look at this and take it further, the reason why I think people are able to take SASE and implement -- take it and put it inside the messaging, it's very broad. It's a very broad definition and a lot of different technologies. So if you look at -- I'm not going -- this is coming straight from Gartner. This is not our definition, this is Gartner's definition, that really, there's 3 levels of SASE. One is core, second is recommended and the third is optional. Now most people are implementing the core right now with maybe a couple of recommended items such as network sandboxing or browser isolation. But the core functionality is SD-WAN. That sits right at the center of SASE. So in our opinion, unless you've got SD-WAN capabilities, you're missing the foundation of SASE completely. As you go from there, then you decide, "Do I do some of these things in the cloud?" That's okay. We're okay with that. Do you do some things on the premise still? And then how do you implement that kind of user and device security through Zero-trust Network Access. So that's why I think I've seen everybody have a different definition of SASE because you can take this and anybody out there, even a VPN vendor, can take it and massage into how they want to position their product line.

So maybe then we can transition into the competitive environment and what you see from a competitive perspective. You have some of Jim's companies, and maybe he can follow on, in that traditional SD-WAN space. And then you've got Palo Alto has made acquisitions, done some different things. Zscaler, who, I guess, somewhat lacks the on-ramp and chooses to partner with some of the SD-WAN vendors. So maybe you could lay out the competitive side of things for us.

Yes. We're actually in 6 Gartner Magic Quadrants, and we're in 8 Market Guides, and so we have a pretty broad platform of portfolio. And there's -- we see different competitors. So if we're in the network firewall marketplace, we're obviously head-to-head against Palo Alto a lot of the times. We've seen Cisco and Check Point probably move backwards a bit here. If we're in the SD-WAN marketplace, we're up against VMware and Cisco, but with different products. We're the only vendor to have the same OS, same product in both of these Magic Quadrants. If we're in the web gateway, obviously, versus Zscaler, that's where their marketplace is. If we're in CASB, a different set of vendors. So depending on the marketplace for us, we'll see a different set of competitors. Endpoint, well, there's 60 endpoint vendors starting off it, so that's an open marketplace. If you look at Zero-trust Network Access for VPN, then sometimes we'll come up against the Zscaler again there. So I think it's very different, our competitive -- our competitors depending on the marketplace. But again, I will say that this has been fundamental to us going forward, and now there's SD-WAN being right at the center. And the reason for this, I see these slides sometimes with people saying, "Oh, you've got 10 boxes you need these days." We're just on one chip. Hello? It's just one chip, it's not 10 boxes. It's one chip that costs 1/10 of the lowest-end box. So our competitive advantage here is that we can produce pure SD-WAN technology or a full stack of security at a price point that's 10x faster or 1/10 of the price of our competition. But this technology is very important to be on the customer edge, whether it be the branch campus, data center, et cetera, OT, edge compute going forward, because then the customer can decide where they go. If you're already in the cloud, you've got no decision to make, you're already in the cloud. If you want to make a decision, I want to use this service provider or I want to use 5G in the future, then you need to put that technology on the edge of your network and implement it with full orchestration, with full operations. And then as I said, going forward, what you'll see is these cloud on-ramps develop, not only to traditional cloud but also to some of the SASE vendors themselves who SASE [ just ] connect.

What becomes the role of the service provider longer term? And Jim had a slide in our preview this morning talking about the MPLS market and the declines there. And obviously, that's revenue lost for those service providers. So what is their response? And what do you think their role becomes?

I think it's a very important role. I think they probably need to work a bit faster. Because here's the point, if everywhere -- if it goes like everyone's in the cloud and we're just an endpoint agent and there's no network, that's not going to happen. But if you're just -- if the customer decides on the SD-WAN here and you're just transport here, you become commodity very quickly. And so I think the service providers, I mean, they've got the presence of the network, they've got -- they own the transport, they own data centers. They've still got a very, I think, trusted brand with enterprises and businesses and consumers. And to me, they need to kind of start building a bit more of those value-added services and security services inside the network versus just shunting everything over to some of the clouds on the right-hand side here. I think they have a big part to play. And from our perspective, we've always been very, very partner-focused, and we want to make sure our service provider partners can build what they need to build. And I think some of these security services and things like SASE is ideal for them.

And I guess shifting gears, and probably our last question relative to time. And as our audience is sitting at home consuming this content, the thought of when will we go back into the office is obviously on everyone's mind, and we're seeing the anticipated second spike in terms of COVID cases right now. And if I peel back the onion on your last quarter, I don't know, Keith, if you want to weigh in or not, but your branch was incredibly strong. And so Keith, any metrics you might want to share. Or John, from your perspective, those customer conversations that you guys are having right now relative to what are folks anticipating. What does the future of work look like to some degree? Because your branch numbers were very strong.

Yes. I'll let Keith comment. But from a technology perspective, this is the reason why it's so strong. We have a platform that not only consists of something that's 10x faster than anything out there from an appliance perspective. It has full networking stack. It has a full SD-WAN enterprise stack. It has any amount of security you can add in. And by the way, even if you do a bunch of security in the cloud, you're still going to need application control, you're still going to need exploit protection because you've got the LAN site to deal with. We can expand that by add -- we've got fully in-built controllers for Wi-Fi and switching and 4G and 5G going forward. And then it can get all orchestrated here in the way into the cloud. And so this, to me, is a solution that's totally integrated into a chip, not [ mined ] in appliance, it's right inside a chip, and then we have the software in the cloud to enable that. So from our perspective, customers see this and they can invest in a technology that's going to enable them to provide LAN security, Wi-Fi, device security, SD-WAN, cloud security, all in a single chip that's orchestrated into those clouds.

Yes. I'd probably just add to John's comments in terms of how you look at that product suite. I think what you saw, particularly in the U.S., as we moved through March and into April was getting application stood up as fast as possible, right? There was a clear demand for that. And if you look what the activities now outside of IT organizations with the CIO and the CISO is now coming back and looking at their security architecture and where are the gaps, right, and where are the gaps that we need to fill. Talking to some people on our sales team recently, I think the conversations in the second half of this year will be more about those other platform products and where is the customer missing an application or a piece of it that they need to secure.

All right. Well, gentlemen, as we run out of time here, I just want to thank you both. And cheers.

Thanks.

Thank you.

Thanks, guys.