Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

Excellent. I think we are back live. Sorry for anyone on the line that are having some technical difficulties with our video cast. But we're pleased to be here. We're just going to start from the beginning again. Pleased to be here with Fortinet, both CTO, Michael Xie; and Keith Jensen, the CFO, to talk to us about Zero Trust architectures and to dive into the Fortinet story. I'm joined by Hamza Fodderwala, on my team, who's our new security analyst. He's going to dig into the story with us.

And maybe to start out, we can start out with Michael. I'd love to get your perspective on Zero Trust architectures. It's a phrase that we're hearing a lot more about. It's -- we're hearing about it at the RSA conferences, vendors are talking more about it. But I'd like to hear sort of the Fortinet perspective. What does it mean to Fortinet? And how does your solution portfolio kind of solve that sort of -- or fit into that Zero Trust architecture for your customers?

Sure. My pleasure. So the Zero Trust architecture, I think the -- there's a problem statement. Basically, it states that today, on the typical enterprise network, because the parameter has disappeared, so any host cannot assume a safety parameter that they can trust the host, even just on the peer network or like within its own subnet. So the cybersecurity protection has to be applied to almost every single host to be effective. So I think the -- I think it has described the reality today pretty accurately in terms of cybersecurity. And there are quite a few technologies that are very promising. And I think working together, it could help to solve this problem. So from Fortinet's perspective, I think the things that are relevant, so #1 would be an endpoint agent-based technology. For us, particularly, we like -- something like FortiClient. So normally, what it does is it helps to get the security posture of the endpoint, identify because a lot of time, like from admin perspective, you want to know like who owns this host? Or it could be an IoT device, a printer, a fridge, what have you, a camera, accurately pinpoint, identify the device, the ownership, label that and getting a security posture. Second piece of that, I think it's more related to the host, like in the virtual format, like whether it's on the on-prem private cloud or public cloud, it's -- some people call it micro segmentation. It's basically an architecture can keep track of individual instances or even in the container world would be Docker, like a Kubernetes sort of the containers, like smaller instances. And I think the third technology that's very relevant to solve the Zero Trust problem is related to the -- I think it's old technology, but it's getting harder these days. It's NAC, it's network access control. And particularly, this one, should work together with the agent technology, the endpoint agent discovers the security posture or the vulnerability. The NAC technology can help to -- putting the more vulnerable hosts into different segments, different VLANs, quarantine or apply a different firewall policy. Very flexible to solve that problem. Last, but not the least, something promising is, I think Gartner call it SASE. It's a secure edge technology that essentially every host is considered. So I think it's another form of micro segmentation down to the host. It's VPN to the cloud and letting the cloud do the security cleansing piece. So essentially, it removes the peer-to-peer between the hosts. And like every host, go direct to the cloud and then goes to the Internet from there. So I think all these technology, more or less, trying to address that Zero Trust problem. So Fortinet is actually deeply invested in all of these areas.

Got it. Excellent. Can you talk to us a little bit about from a customer, number one, are customers asking you guys about Zero Trust architecture? Is this something that's on their mind? Or is this just a way like vendors are presenting their technologies? And two, when they do move towards these Zero Trust architectures, how does that adoption occur? Is it a replacement of existing technologies? Or is it -- does it tend to be an extension of what people have already?

So I think I can only speak to that with my limited customer contacts and my impression. So this is highly opinionated. I think for a lot of the enterprise customer, they approach the Zero Trust topic because they realized -- and I think the concept resonate with them, like because they're seeing the breaches day in and day out. And then it's just something that they thought was fairly secure, very -- in a sense, part of their network getting breached. So I think the problem resonates with a lot of them. And then the -- when they talk to us and ask him about it, it's, I think, partially is basically what solution makes sense and how we put together something to address that. I think if you look at the very broad customer base, I mean, this is still a topic that they're -- I think today, they're talking about, and then they wanted to try different solutions. And also, I see a lot of vendors who are pitching even cost at that -- it's kind of margin related to the -- solving that problem. But because the concept is getting mentioned everywhere, it's becoming a trend. So it's kind of still in that early stage of the curve, the high curve, if you will.

Got it. Got it. And in this day and age, it's hard to have a discussion that doesn't include COVID-19. One of the premises that we talked about in our presentation earlier this morning, but also in our note last week, is the potential for what we're seeing is COVID-19 accelerating sort of cloud adoption. You have a more distributed environment in terms of where your workers and users are working. And that probably helps accelerate the shift towards more sort of cloud-based security architectures. Do you agree with that underlying premise? Do you see COVID-19 acting as a positive catalyst towards this shift towards more cloud-based security architectures or a shift towards adopting more Zero Trust-type security architecture?

I do agree with that. And I think my observation is, like any new concept, usually, especially larger enterprises, they're kind of suspicious at first that they wanted to make POCs and they try to put some trials first and then watch me move in. And usually, for something like this, they tend not to like replace everything they've got like within a day or something. But with the COVID-19, just like you said, there are all of a sudden, a lot of the people who are like myself are working from home. So basically, my home computer now becomes part of the enterprise network. And then there's no reason that my, let's say, up here should trust my home computer more than you can trust any other internet host. So I think there is quite a bit of acceleration into this concept during this COVID-19 period, particularly accelerated by work from home, distributed network, distributed cybersecurity problem and remote access.

Got it. One more kind of broad question for me, then I'm going to hand it off to my colleague, Hamza, to dig into the Fortinet-specific questions. But as companies move toward more Zero Trust architectures, as more stuff moves to the cloud, more security comes from the cloud, what does that mean for the traditional firewalls, for the on-premise firewalls? How do you guys see the future of the typical firewalls going forward? Are they going to stay an important part of the security architecture on a going-forward basis? Or does that have to shift to a more virtual cloud-based delivery model on a go-forward basis?

I think -- I mean, again, this is my observation and my opinion, because I think in the past, like if you should take a longer view over the past 10 or 20 years, the computing sort of shifted between the cloud and edge, kind of the underlying -- the propeller of that is the computing technology, computing innovation, like the CPU power, is it more powerful in the cloud, aggregate them together? Or is it like very powerful in the edge? You can put like single chip, which is like a tiny PCB and be able to power up, like a lot of things in the office. And it's being -- shifting back and forth every 5 or 6 years. So I think my -- like in my opinion, that this trend is going to continue. That is going to be a combination of the cloud and the edge, but then the percentage may change, shift like one way or another over the years, but it's going to be a combination of both. Because I think, for example, you can move a lot of the workload from your own on-prem to the cloud or like data center will be sort of like a customer-owned kind of like a cloud -- private cloud. But the basic access stays within the people like whether it's a phone or your laptop or iPad. When they have the need to access those workloads, they still have to go through WiFi or local network. So those cannot all move to the cloud. So I think in my mind, the firewall, although the form may change from physical appliances to virtualized VM in different ways to deploy, I think it still has -- it still is a central piece for the cybersecurity. And that's true, especially for the enterprise network, where the main -- I guess the main goal is -- one thing is to remove the malware, but the second, also equally important thing, is the -- I mean means to have that control on who can access what, at what time and from what host. And that will not be like all centralized to the cloud because we have IoT and all the million things on the edge. It needs to have some gateway to be able to execute our policy to maintain that level of control. So I think it's maybe -- over the last couple of years, we have seen a very fast shift from the on-prem appliances to cloud. But still, I think, the virtualized firewall is still kind of like -- I think maybe I'll have to -- that keeps out on the numbers. I think it's maybe mid or to low teens in terms of the firewall, the total revenue. And I think it may still go up a little bit higher with them. I don't think it's going to be like 90%, 100%. It's going to be maybe perhaps going to start to come down at 20% or something. And then because of innovation happening on the edge, we're going to see a lot of more interesting stuff on the edge as well.

[ Connected ] to the next question. So for Fortinet, how is Zero Trust extending sort of this path to security component, right? What are the specific synergies when it comes on networking side with SD-WAN? Is that more of a priority with Zero Trust? And how are you guys thinking about how that market evolves over the next few years?

So SD-WAN has been a good accelerator for our business in the past couple of years, and still is, I think, one of the main drivers since we were growing very rapidly. So it's basically -- I think the primary drive in the past is because it provides a very reliable WAN connection for enterprises that you have to pay 10x or sometimes 100x cost on the MPLS network. But as the SD-WAN is becoming more popular, I think people start to realize the security is also needed on SD-WAN. And then particularly, SD-WAN requires a lot of the complex central management and monitoring capabilities and merging that with security seems to be like a very easy way to kind of like kill 2 birds with 1 stone. And then Fortinet is, in fact, I think the probably only vendor on the market that provides that integrated solution instead of like 2 different boxes kind of bolted together. So with regards to the Zero Trust, I think it's kind of related in the way that the customer -- the same customer wanted security through that SD-WAN kind like a virtual pipe, and they wanted to maintain that with SD-WAN, but it's not the back one causing another, in my opinion.

Got it. And if I could shift to the other parts of the portfolio. Could you give us an update on Fortinet's cloud strategy? So obviously, there's a lot of different cloud security solutions out there. And we spoke about a few of them in our presentation this morning. You've got CASB, you've got this new category with cloud security posture management, virtual firewall. But it's still a small portion of overall security spend, right, when you look at the market. So do you think that it accelerates coming out of the COVID crisis and there will be more demand for that? And how do you guys feel you're positioned?

I do see there are a lot of demand on the cloud security, especially during this COVID-19 period. So I think there are a couple of aspects being asked the most by our customers. I think one thing is kind of related to this Zero Trust is like how people can secure the workload on the cloud, it's whether public cloud or private cloud. [indiscernible] and they cannot be trusted even though they're on the cloud. So that's one area that we're kind of trying to do a lot of innovation and use our product services like the CASB. We also have the CWP, the cloud workload protection. We -- I think we launched earlier this year, the security. We have the security posturing-related technology. It can go onto the workload or the endpoint. So I think these are towards protecting the cloud workload area. And I think another area to look at that is because the cloud, due to its -- whether it's cost or it's convenience, it becomes part of that enterprise portfolio. How do the traditional firewall participate at the same -- we got the same pane of -- a single pane of glass management and monitoring. So if you have 20% of your workload in the cloud, the enterprise wanted to -- they don't want a separate management and monitoring security for those cloud workers. They wanted to have the same capability regardless this is your laptop, your server in the data center or the cloud. I think that's another area that we are doing a lot of innovation and development. And last but not the least is the, I think, the SASE model, where, especially for the remote mobile workers, they just -- and I think this particularly related to the Zero Trust, they just wanted everything go to the cloud directly, get it clean and screen and then -- so removing any peer-to-peer communication between the host. Like your laptop and my laptop, we won't be able to connect to each other even if, for example, in the same company. But then we go to the Internet, cleanse them and then go through the server [indiscernible]. So that's -- I think that's another new innovation in the cloud.

Got it. And I know we're just about out of time, but just one final question. You mentioned single pane of glass. It seems like a lot of network security vendors are trying to offer a consolidated platform. How is Fortinet's fabric platform, right? How is that taking a differentiated approach versus some of the other competitors who have been traditionally firewall vendors? And then what are you seeing play out in the marketplace from a cost standpoint, from a functionality standpoint?

I think one thing that we may be doing differently from some of our competitors is we don't go out and acquire a company because they are market leaders. Because usually, what we do is we speak to our customers. We have the solution. We have a market out there. And then basically, this is how we think that would address the problem, how we think these are different pieces in the map. And if we can build it, we build it. And then if there's a -- we can find the companies that fit into the map and acquiring them makes sense, help us to accelerate and then we go with the acquisition approach. So if you look at our security fabric offerings, I think what our customer tells us is, our solution is much more integrated than most of our competitors because some of them go out and acquire maybe bigger companies with maybe bigger price tag, but the -- I think when it comes to the integration and have a like sort of integrated solution, it's hard to piece them together to offer a nice user experience. So we kind of take a different approach. We try to have this solution laptop first before we decide to build a virtual wire.

That actually leads into my next question because it was about Fortinet's philosophy on build versus buy. Could you...

Somehow I lost him. I can't hear him.

I lost Hamza there. So I think the question was on just kind of elaborating on the philosophy of kind of buy versus build. Fortinet has been acquisitive in the past. How do you decide sort of which functionality should be bought versus which ones are -- should be sort of organically developed?

I mean there's no single formula, but I think it's -- in general, is we -- I think we have several stakeholders. For me, from the technology perspective, we try to put together the solution that kind of solve the customer's problem. For example, we talk about the Zero Trust. We need pieces on the endpoint -- on the agent on the endpoint. We need pieces that can enforce that layer 2 switch and access points and the NAC devices. We need the solutions on the virtualized platform to be running on cloud or like a VM infrastructure. And then once we have that, we decide what's missing. A lot of time describing something like that to a customer is exciting. And they say, hey, can I have that tomorrow? Unfortunately, no. And then here are the missing pieces, and then we really sit down together with my colleagues and then we talk about what our options to be able to look to buy. So that's kind of our process.

I'm back. Sorry about that. I wanted to ask about another area that's been getting a lot of more attention and investment in that IoT security. How does that become more important with Zero Trust when you think about securing devices? And is this an area where you're seeing, at least from a customer standpoint, that they're willing to spend more? Obviously, a lot of ransomware attacks have come from IoT devices. So I'm wondering if this is an area where that you're actually seeing customers starting to demand the solutions more.

I see that IoT topic getting brought up more and more, I won't say every meeting, but it's like a lot of meetings. It's probably more than half the customer meetings. So it's definitely on their mind. But one interesting thing is, I think a lot of them tend to think that this is a problem that the traditional firewall or VPN technology should solve, like they were more looking at us to expanding our capability to give them, for example, visibility or like in the NAC space will be more control over the IoT devices. And there are only a few customers think that is a problem that would need a separate dedicated -- like total different solutions. So that's my observation on this.

Yes. That's something that we've been seeing as well. So another area that's getting a lot of investment and seeing a lot of growth is security, orchestration, automation, response or SOAR for short. How effective are these solutions actually automating tasks and by security professionals today? Or is it going to take time for these solutions to actually ramp and really be that automation offering that it's sort of marketed to be?

I am a big proponent of the SOAR technology platform. In fact, our company, we acquired a SOAR company just earlier this year, CyberSponse, I think. We -- so I think my observation is the -- most of the top tier, really large enterprise has a very good cybersecurity practice, usually are very good at leveraging the SOAR or sometimes the compliance software to have a very good process to track and monitor, having playbooks to resolve things. But the problem is these needs a lot of training. And so not every company are used to that, right, because a lot of the companies came from the background where these cybersecurity was a side business for running by a much smaller team. So I think this is a really good product and service. And I hope more and more companies take it more serious adopting it. For those who have adopted it, I think the result really speaks for itself. But the -- maybe the only thing preventing it from being like wildly popular is just that the learning curve. It requires a lot of the learning and the discipline to enforce a good cybersecurity process.

And maybe just one final question from the audience. So maybe you came across the Palo Alto Network that's released their new machine learning powered OS 10.0 appliance series. Is this something that you've come across? What you think about it as a change in the competitive dynamic between you guys? Or is it mostly, I guess, just marketing at this point, and you're not really sure to make of it?

I haven't spent too much time on that. I think I did read that machine learning. But I think these days, machine learning and AI isn't really rocket science anymore. I mean it could be rocket science 10 years ago. So most of our key products were like the services, for example, like FortiGuard that are now where analysis service have been running on the machine learning probably over a good part of the decade, and we also have products. In fact, we call FortiAI. So I think it's definitely a good tool to solve problems. I don't see, parallel to having AI in their products, being a like major disrupter to an industry because I think, frankly, not just us, I think, more or less, most of the bigger cybersecurity companies have some sort of AI capabilities or machine learning in probably quite a few of their product portfolio and services already.

Got it. That's really helpful color. Well, Michael, thank you so much for your time and for your patience today. Really, really appreciate you joining our virtual conference, and we look forward to hearing from you again. Thank you to Peter and Keith as well.

Thank you. It's a great pressure. Thanks for having me.

Thank you.

Bye.