Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

Okay. Welcome back. I'm still Brad Zelnick, and we are live here for the third day of the Crédit Suisse 34th Annual Tech Conference. This year, a special year, not in sunny Scottsdale, but instead streaming live to you in your office and your home. And for this particular session, we are truly delighted to be joined by the folks from Fortinet. We have with us here today, Co-Founder, Chairman, CEO, Mr. Ken Xie; Keith Jensen, CFO; and Peter Salkowski, all things investor relations and events. The format of today's session is going to be a fireside chat. But before we kick off the festivities, Peter, I think you wanted to chime in and read a safe harbor to keep us all safe. So please.

Thank you, Brad. I'd like to remind everyone that we may be making forward-looking statements during today's fireside chat. These forward-looking statements are subject to risks and uncertainties that could cause actual results to differ materially from those projected in these statements. Please refer to our SEC filings, in particular, the risk factors in our most recent Form 10-K and Form 10-Q and the other reports that we may file from time to time with the SEC for additional information on factors that may cause actual results to differ materially from our current expectations. All forward-looking statements reflect our opinions only as of the date of this presentation, that we undertake no obligation and specifically disclaim any obligation to update forward-looking statements. And with that, Brad, I'll turn it back to you.

Excellent. Thank you so much. And again, welcome, guys. The format is a fireside chat. I've got a bunch of topics that I look forward to going through. And with that, why don't we maybe just let it rip?

I'm going to ask you maybe to start, Ken, a question that I'm sure nobody has asked you ever, but it's about COVID-19, which it seems it's my job talking to all management teams this week just to make sure it's almost as if I'm getting paid by the reference to COVID-19. But it seemingly changed how we are all living our lives. And with that has come even more cybersecurity challenges than we've seen in the past. How do you think COVID has shaped the industry? And what are the areas that you're focused on now to help your customers as you think about ensuring business continuity going forward?

Yes. Thanks, Brad. Definitely, COVID starting March, ending some of the way we're working or we [ due diligence ]. So it's more like a remote like how we're doing today here for the conference. But that's also increased a lot of tech service and also need to protect more kind of this kind of remote connection. So on the other side, they also added quite some burden to the IT team and which they have to support in all these kind of different from a networking angle, from security angle, from all the other things. That's where we see better than NOC and SOC, network security operating center or security operating center, kind of starting -- more working together. And we also see big demand actually for the secure-driven networking, including like SD-WAN combined with security, 5G security, even internal company, internal data center, how to secure this together and also need to secure much broad infrastructure, including from the mobile, from a cloud, from all this branch and the headquarter, work from home. So that's where we see quite some big change in certain acceleration need to be more -- the infrastructure need to be more protected. [indiscernible] other things from different angle.

Maybe, Keith, from your perspective, can you walk us through the challenges COVID brought in terms of how you manage your supply chain, ensure demand was met? And maybe staying with you, Keith, as well, how should investors think about the potential pull forward of demand from future periods given the dynamics that we're talking about here?

Brad, thanks for narrowing the scope of has COVID been a challenge to just 2 topics because otherwise, we'd be here for quite a while, I think. So yes, I think as it relates to supply chain, one of the very -- one of the things that we did very early on was increase our on-hand inventory just to mitigate supply chain risk. Not big numbers, but we did that starting as early as late January and February, and we pretty much carried it through the rest of the year. I think we thought we were in a position and do think with a very strong balance sheet that we could leverage the balance sheet for not only our own company but also for our customers and for our partners. And we did that once we carry more inventory, but also in some areas geographically, particularly Latin America, providing capital into our channel partners, and that was in the form of extended payment terms. And so you saw the inventory come up a little bit. You saw the DSO come up a bit. But I don't think any of those -- and I don't know that our business model really lends itself to pull forward. I don't think we saw that much to speak of in the first quarter, going into the second quarter, and we certainly don't see it now. And if you look at the diversification of our business, with a 1/3 of it in the SMB and 1/3 of it in the mid-enterprise and enterprise, et cetera, in the international footprint, it's in an area or an era when capital was so precious in cash. It's not intuitive that people will be buying things early, at least from our customer base, if you will.

I don't want to make this all about COVID, like you said, we can harp on and on. And the one thing we know for sure is we hope everybody, this time next year is going to be embracing in-person activities and that we, hopefully, one day with all the promise on the horizon that we get past it. But -- so for the purposes of this conversation, let's move forward. Maybe, Ken, since you founded Fortinet, you've only -- you've taken a differentiated approach, a hardware-based approach with your own proprietary chipsets. And I'll be very frank and tell you that years ago, I thought with the world shifting to cloud, I thought that was maybe a risk to the business. And I personally come around to appreciate the many ways in which it's an advantage, but I would love to hear your perspective. Everything going back to the original philosophy that you had and how that differentiation over time has served you? And even through to today and looking forward, how it positions you well in the future, where most people would say that the future of security is increasingly in the cloud?

Actually, the ASIC is really helping increase the computing power. Like if you're using Google's data, they say they developed also the TPU to increase their computing power in the cloud. It's about 7- to 10-year advantage. That's about like 100x more computing power compared to the current general purpose CPU for certain application. That's where -- why Google and like Amazon and Apple, whatever, they are all starting to develop their own ASIC chip to accelerate or lower the cost of certain computation, whether it's in cloud on edge, right? So I agree cloud is always part of infrastructure. So that's where you can see the last 10, 20 years, the cloud replace the traditional PC and server architecture now is called the mobile. But also going forward, that's the quarters also in the next 5 years, so the edge and also emerging technology also replaced called the mobile. So that you no longer need to hold a mobile phone is because what they were and what all this will study which will display everywhere. And same thing the edge computing like your auto drive the car or some other things and home appliance will all kind of have all these supersmart computing since in there. And that's how the future is keeping changing and going. So that's why we feel is how to kind of invest in the long term, definitely, the ASICs really need a much bigger long-term investment to see the benefit of that because you need hundreds of millions and also take like easily like 5 to 10 years to see the benefit of that. And -- but once you have the technology, you can always be able much broader like a better solution, whether like we combine ASIC with FortiGate also part of SD-WAN solution, the cost is much lower and it has more function because computing power is basically about 100x bigger than the general purpose CPU can do for the security for the networking function. So that's why you see, we call secure computing region. So every product we release, so we are see -- compared to the same cost product on the industry for the same function, what's the cost advantage, what's the performance advantage we have. So that's where ASIC is just additional technology, additional -- since we kind of invest, which benefit us right now, both from the FortiGate device or some other infrastructure and also even working with the cloud provider. And so they also see the benefit of that. So that's why we view cloud as obvious part of the infrastructure, whether the cloud or edge or on-premise or the software virtual version. So in order to address the security, you need to address the whole infrastructure together. And we also have very, very solid good cost solution there. And -- but it is a part of whatever customers need or whatever the new application or new tech surface need, then we just offer the protection.

And that makes a lot of sense. And I mean I suppose just over the last several years where you hear about so much within computing various workloads, network function virtualization, just different things being virtualized. Is it fair to say that if the solution criteria, if your #1 criteria is price performance when we're thinking about, for example, the function of a secure network connection, a firewall, what have you, when that is top priority, what you're solving for a solution like yours makes sense versus in other cases where if you need the flexibility of being able to dynamically reconfigure a network architecture or move workloads in -- server workloads, for example, from one place to another dynamically, then maybe a virtualization approach makes more sense. Am I close to thinking about this the right way?

Yes, I think that's the right thinking. And that by same time, also, I say that the additional computing power, which help enable a lot of additional application, additional service, as how you can see how the GPU changing, how the TPU change in the AI space. Now you can have auto drive car. You can have all the other things drive by the AI. The for -- with security. Once we can have this actual computing power, you also can enable a lot of other machine learning, a lot of AI and a lot of other things and also combine networking security together because network is still much faster and cost much lower. So security is still very expensive, very slow, difficult to manage. So with additional computing power, so like we combine SD-WAN with security together, and the 5G with security and then even the internal security, go to internal segmentation, we switch with the Wi-Fi with AP. So that's also enable quite a lot of for like a 5G OT, right? You can embed all these things into the IoT device, that also can help protect more service and protect the whole infrastructure.

That makes sense to me. Maybe when we then think about the different ways of leveraging this platform to solve the various different problems and some of the things that you've already mentioned. And you talked about this notion of the edge. And from security delivery at the edge, you now have this wonderful phrase, all we need is an industry analyst to go out and invent a category and will it into existence. But we now have Secure Access Service Edge, or SASE. And if we take a step back and maybe frame this conversation through that lens, how well do you think Fortinet is positioned? And how does your recent acquisition of OPAQ Networks complement your existing SASE investments that you have?

Yes. SASE, we also started to invest in this area quite a long time ago. We have our own what we call FortiCloud SASE and OPAQ definitely help enhance that and eventually will be integrated together. On the other side, we're also keeping a few -- we need working with our partner with our service provider because that's also one of the top vertical for us. And we also believe long-term wise, a lot of our service provider and the carrier, even the cloud provider, they also have some kind of advantage themselves, whether they own the infrastructure or they work across the customer or they have the resource, the team can handle some of that. Just right now, they're probably a little bit behind on some technology or some service there. But that's why we're also working with them closely to build some of that. So we have our own. So if customer needs SASE now, we can offer that. But we also prefer to working with our service provider partner and supporting them behind and build out this for the customer long term. I think the SASE, the benefit that we do talk to a lot of customer, I think most of them, we see the SASE is really -- they're kind of shorthand on how to support in like certainly, a lot of people who they're supporting work from home all since. And then the mobile device and a lot of other things also kind of need a little help. So that's where the SASE definitely gives the additional service supporting offload their kind of pretty heavy job right now. And -- but I think service provider definitely also see some of that. They're also starting -- building their own kind of SASE approach. Because I do believe long-term securities, the management costs need to be lower. So a lot of service provider can help in some of that and also because it's very dynamic, fast-changing environment space need a lot of expertise. So definitely, the service provider can play a more important role. They are helping the customer. So that's kind of our strategy, working with a lot of service provider, try to build their SASE. And even some top customers also thinking building their own SASE right now. But it's a good model, which can help in using like whether the service provider or third-party to manage some of the traditional since customers manage themself. But also, yes, what we see as a service provider, even cloud provider can also see the growth potential from there.

Got it. That makes a lot of sense. Maybe if we could tilt the conversation towards SD-WAN and the market opportunity there, security-driven networking. And I appreciate that that's the founding notion of the company since years ago. And it's really, I think, come to light most recently in helping drive the success that you're seeing through the most recent data that I've seen, you guys correct me if I'm wrong, but Fortinet is a top 2 or top 3 player in the entire SD-WAN market, correct?

Yes, we also try to target to be the #1 next year or whatever -- 1 to 2 years. So because we feel we do have quite some advantage like we talk about ASIC give us a quite competing power and also lower the cost of SD-WAN, which is one of the benefit of SD-WAN. And the other side is it also gave a much more broad function. And we also have very strong R&D behind that to keeping up the innovation change compared to most larger company the SD-WAN come from different acquisitions. And at the same time, it also takes a ton of effort to integrate with their current security solution. And -- but it's -- we also see probably going forward, even the 5G OT because 5G is really connecting more device in the IoT space. That also will be additional drive, both leverage our technology and ASIC and another working with carrier infrastructure. So that's also a big potential for us.

I would have thought OT security would be further along. Just going back 5 years ago, even hearing about some of the investments that many companies have made, I'd be curious on your perspective, on why now or if and why now? I mean I think 5G, like you said, is definitely an enabler. But even just back to SD-WAN, I'd love to know -- it's great to hear that you strive to be #1 as you should. And I think you've got the technology differentiation and unique architecture that should enable you to be super competitive. But I'd be curious in your sense of the overall market opportunity, where are we? As a market, what does the market growth look like? And then additionally, you've got a number of acquisitions in the space. You're not the only network security company to now also have SD-WAN capabilities. I think I understand your differentiation on why you would have an advantage. But competitively, even if it's -- as you know, it's not always about the best technology if you have somebody that is able to make a lot of noise and it has a large channel presence and a voice that people listen to, let's just say that. How would you describe the competitive dynamic and the noise out there with some of these moves that other folks are making?

First, talk about the whole space. And I do believe like long term, probably 5 to 10 years, majority of the one connection like routing, whatever will be moved to the SD-WAN. And then among SD-WAN, probably majority will be combined by security together, we call it secured SD-WAN. So that's where -- so right now, the market down like there $1 billion to $2 billion grow about 50% year-over-year. So we grew over 100% year-over-year and keeping gaining market share like I say is #2, #3, but we target to be the #1 pretty soon. On the other side, compared to the competitors, I think so far, most other SD-WAN vendor, they're using the universal CPU is the most software loading in the general purpose, low-end of the box, right, offer SD-WAN. So we have this company with securities ASIC approach has huge computing power cost advantage. But also going forward, it's also -- it's important both in the SD-WAN space is where you need to keep up the innovation, keep up the development, not only you need to get in early, you also need to run faster than others. So that's always very, very important because if we can secure the space, they're so dynamic so much since changing going on, right? So that's where you see a few company can reach to the $1 billion level. And then after that one, a lot of the studies slow down or depend on acquisition for their growth. That's happened to do whatever Cisco, Symantec or even like a Palo Alto a little bit right now. So once you depend on acquisition growth, you can only last for a few years. And because after acquisition, you have a modern product, how you can integrate together, how you can -- otherwise if you cannot keep up with internal, organic development, innovation and growth, then you have to depend on additional acquisition to keep up the growth. So that's what happened to the cybersecurity space. There's a over $100 billion space, but none of the top players can over a few billion dollars because once they reach certain size, they lost a path for internal growth, internal innovation. And that's what we want to drive really how we keep up the internal innovation and organic growth instead of going for acquisition, which will be well faced in the challenge going forward after a few years, and we see so many model there. And so SD-WAN is the same thing, and we'll keep up the internal development R&D innovation, and we have a great platform and a lot of our customer base. Even in the market position, working very closely with a service provider right now and a lot of them starting to ramp-up the SD-WAN security service, including the SASE together. So that's what we see is a huge potential going forward.

Really great to hear that perspective. Keith, maybe just a follow-up for you as it relates to SD-WAN. If I'm not mistaken, SD-WAN billings have been doubling to now represent, I think, 13% of total billings in Q3. How are you thinking about the near- to medium-term impact that SD-WAN should have on growth going forward?

Very good question. We've been very -- Ken's been a very clear about his goal of being #1 in the market. The way I kind of frame it up is 18 months ago, we were probably about 5% or so of total billings for SD-WAN. At that point in time, Ken set a goal saying we need to get to 10% of total billings. And as we approached 10%, he quickly moved out the goalpost on us to 15%. And I think now as we're approaching 15%, I think a lot of us have an expectation about what the next e-mail is going to say from Ken that we see.

So Ken, are we going to look back and Fortinet is going to be the SD-WAN company that also does security?

We call the security-driven network and that's where we feel these 2 need to be combined together, right? Whether SD-WAN or 5G or internal Wi-Fi, internal switch segmentation so that's where -- but SD-WAN happened to be taken out very quickly and grow 50% year-over-year. It's still in the early stage to ramp up.

It's great and it's quite impressive. Maybe just to shift to a slightly different topic. Ken, when we think of SD-WAN strategies, there's this concept of a thin versus a thick branch approach, and we had the pleasure of actually chatting with John Maddison on a call a couple of weeks back and asked him about this as well. But from your perspective, what are the pros and cons of each? And do you provide customers with the ability to architect a thin branch approach as well?

I think we want to support in both, but what's amazing really, we can use the same product to supporting both because some of our customers, they probably initially get a FortiGate just for the SD-WAN function. And then later, they can turn on other -- these securities, some other function there they needed process locally. And some other from -- were beginning try to design all this together because the ASIC, the cost advantage, we can do both in the same device. And also because they also depend on service provider, right, some service provider tend to be process some traffic within their [ CO ], their pop all their data center. Some other tend to be -- want to manage device remotely. And -- but for us, we want to keep in the flexibility, supporting both architecture and also whatever the service provider or customer prefer. With ASIC, we can do both on the same device.

Got it. Okay. Well, that's good and clearly opens up the aperture of the market. Just on another topic, and this may be a silly investor question, but I think it would help to hear your perspective and maybe to dispel some of the misunderstanding that's out there. When most folks think about the shift to cloud security and the shift to zero trust architecture, which seems to go hand-in-hand with SASE. It's easy to get into this debate of whether or not a cloud proxy is the right approach, such as like a company Zscaler, which by the way, reported earnings and overachieved very nicely, stock seems to be up, which some would say is more appropriate for distributed access, at least for HTTP traffic, which I think is only increasing as a percentage of total traffic when we think about distributed apps versus putting a virtualized firewall stack in the cloud. Is there, in your mind, even a debate? Like what's your perspective on that view?

I think cloud as a part of our infrastructure is also a very important part of it. And we do see -- there's a lot of application more fit in the cloud. But it's -- you need to secure the whole infrastructure and cover both the cloud and the edge side. On the same time, I have to say during the pandemic right now, probably a little bit more easy to deploy something in the cloud. And -- but on the other side, cloud tend to be more expensive. On average, we -- from our calculation, probably about 3x more expensive to process the same traffic, same amount of data compared to on-premise and on appliance base. Even some of the data, go into the cloud, got into the pop, the SASE pop, it still goes to the same process to be processed as how you do on the [ Howard ] appliance side. And on the other side, we do working with a lot of cloud provider, whether Azure or Amazon, some other. They also kind of setting offer some of their version of security service. And it's pretty interesting how different vendor, how different service provider to position. They do see the big market, the big need from the customer and also special security for them, it's really how to manage it easily because the challenge with customer-facing, that's one of the major reason for a lot of SASEs really help me lower my management costs, right? So that's where some call provider, we also work with them to address some of that issue. But in the end, they also will see who can offer a better service and a lower cost and at the same time, kind of well, more broad coverage protection. So that's -- since we're working. And we do see cloud as a very important part of it. We also see some good growth, including SASE, we have all the components of SASE, including SD-WAN, or the other web or CASB and the firewall service. But on the other side, we also see there's other like -- now cloud, probably a little bit less than 10% of the total network security. So you need to cover both the infrastructure side and also the cloud side. So that's the approach to be had.

We're almost out of time. I think this was fantastic. There was a lot more ground that I won't get to, but maybe a question, if you'll answer it. I'm curious to know what you would say, Ken, but maybe one last one for you. If you were to take all of your experience and blink your eyes and tomorrow leave Fortinet and start a new cybersecurity company, what opportunity would you pursue?

That's a more interesting question because no one asked me about this one, yes. I have to say, I definitely want to leverage all the available technology, also a little bit more long-term focus. ASIC definitely is a very long-term focus and -- because like when we built Fortinet, [indiscernible] from the chip ASIC level, the system-level, from the infrastructure, like how to the [indiscernible] infrastructure and how to service all this things, you need to leverage all the technology infrastructure to play. And on other side, security is quite dynamic, fast changing. So you need to have the capability to keep in, I mean, the innovation and also the development capability there. And we see a lot of companies starting from some point solution. And then once the market shift, they cannot keep up the change or they cannot integrate with other. So that's where security need to target a whole bigger attack and surface, whether the 5G. We also like them, 2 years ago, to connect the car security and some other like even like cryptocurrency or content computing, there's a lot of exciting things going on. We're starting with one point and then keep expanding beyond that one because security is a very dynamic, fast-changing. And the company wants to get bigger. If they slow down the innovation R&D, then they're starting kind of -- cannot be the leader anymore. So that we see happening in the space. That's why the space is so fragmented, and there's so many new start-up coming up every year. And they initially are doing well. But if they cannot expand beyond what's the point solution and then to keeping -- address the bigger market, integrate to get automate together, then they probably cannot maintain the long-term growth. So that's where we want to keep up the change and keep up the innovation.

Excellent. Well, Ken, thank you. It's really been an honor. I truly appreciate the time, and it's always nice to see you all, but even better to see you at the CS Tech Conference. And with that, we're out of time, and I appreciate it, and we'll hope to see you soon.

Yes. Thank you. It's a great conference, and thank you, Brad, for all the very, very good questions.

Excellent. And thanks for your responses.

Thanks, Brad.

Okay. Thank you.