Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

Great. Good afternoon, everyone. Thank you very much for joining us to this session. In this session, I'm hosting Fortinet's executives to discuss the company. Today with us, we have Keith Jensen, CFO; and we also have John Maddison, Chief Marketing Officer and EVP of Product. [Operator Instructions] So with no further ado, before we start, maybe I'll pass it back to Keith just to read some disclaimers for statement.

Yes. Thank you, Tal. I'll give you the safe harbor statement. I'd like to remind everyone that we may make forward-looking statements during today's fireside chat. These forward-looking statements are subject to risks and uncertainties that may cause actual results to differ materially from those projected in these statements. We refer to our SEC filings, in particular, the risk factors of our most recent Form 10-K and Form 10-Q and to other reports that we may file from time to time with the SEC for additional information on factors that may cause actual results to differ materially from our current expectations. All forward-looking statements reflect our opinions only as of the date of this presentation, and we undertake no obligation and specifically disclaim any obligation to update forward-looking statements. Back to you, Tal. Thank you.

Perfect. Thanks, Keith. So I'm going to throw the question to both and John, probably is also going to touch on technology, but in the last quarter, product revenues grew 25%, services grew 22%, billings grew 27%, I mean these are extremely high numbers. What is standing behind the continuous growth? We know the market is not growing that fast, meaning the traditional firewall market that you are part of it, although you do other things. So what is banning the growth? What is the differentiation that you bring to the market? How sustainable are these growth?

Yes. I think I'll just jump in, and John can supplement a little bit. We felt confident coming into the year that things were setting up nicely for us, and we certainly got affirmation of that in the first quarter. And the type of things that we saw was a very consistent level of execution across customer sizes, across geographies and across product suites. One thing that we've called out very recently is the non-FortiGate segment of our business. And we came into the year saying that we thought that, in 2022, it would be a $1 billion business. After looking at the results of the first quarter in our pipeline for the rest of the year, we've moved that milestone up to say that we expect non-FortiGate to be a $1 billion business. And I think it speaks to the affirmation of the platform strategy that we've been talking about. And that platform strategy is built on our common operating system, OS 7.0, and that's enabled by the ASA. And I think those are the 2 very high-level things that we see that are providing us and giving some differentiation to it. But John spends a ton of time talking to customers and doing ABCs and working with the team, so I suspect he has more to offer.

Yes. Thanks, Keith. So definitely, over the last 12 months, we've seen the -- there's 3 drivers of cybersecurity, it's the threat landscape, there is infrastructure change and there's regulatory. I'm going to leave the latter for now that really changes by our industry, geography, et cetera. So the first one, the threat landscape, if we go back 12 months, we saw the SolarWinds, which was a pretty particularly devastating attack on the supply chain, but also that gave access not only to that particular system, but that system had privileged access to everything else. And so you saw this ability to weaponized APTs that would come in. So then there was after effects where the ransomware groups would come in afterwards. You've seen more recently, the targeted attacks. So we truly believe, which are instigated a lot of ransom -- I think ransomwares have always 100% in the last 12 months. So the threat landscape certainly heated up. We do also believe that it's only a matter of time before we see a weaponized -- a more weaponized state-sponsored APTs. So that's that piece that has obviously have a lot -- has a lot of CISOs reporting -- having to report to the Board on where they stand and where their investments are. And then the other piece that changes the way you deploy security is more the infrastructure. And so the change at the cloud, which is being driven by the need to put digital in place. And that extends all the way from my retail store, to my factory, all the way through the network and 5G and then into the cloud. That change continued. And I think it's stopped a bit. If you go back a year, during that first kind of quarter of COVID, a lot of budgets were put on hold and they've started to ease them off now and even more so as we go forward in 2021 because they truly believe, having experienced COVID, that a digital infrastructure is essential to be competitive. And so these 2 things, the threat landscape, plus the ability to provide that security, cybersecurity across the entire infrastructure, endpoint, network and cloud, is driving a lot of business. And I do think we're in a great position in that we've always built -- we've always considered the platform to be very important across all 3 of those areas.

Got it. Got it. So I'd like to drill on some parts of your answer. FortiGate. FortiGate platform grew 17%. Why are you succeedingly or consistently growing -- outgrowing the competition? What are the factors that drive the FortiGate platform to grow so much above the firewall market growth?

I would offer 2 quick comments. One is, I think the SD-WAN acceptance and the growth that we're seeing there, taking market share, going from basically a standing start in 2018 to double-digit market share as we exited the year. And that's a use case for the firewall. And I think if you step back and look at it, I think that's driven by just the pure performance advantage that we have. You can call it cost or performance, you can call it total cost of ownership. But at the end of the day, it's simply just that we offer a better equation to our customers in terms of the security performance for the price that they pay.

Yes. On the FortiGate side, there's some different use cases. Obviously, one of the core ones is firewall and network firewalling, which breaks into individual use cases in the data center or perimeter or segmentation. I think we are in the middle of rolling out some additional capability, both on the entry level for SD-WAN as well as a very hyperscale performance based on our Network Processor 7. And to be honest, we're running into competition because firewalls are 10-plus years old. There's no way they can compete. And so that's not always the case, but most of the times. And so we are taking market share there because our ability to even run at some of the speeds that people like 5G are requesting, our competitions just can't even get there. And then as I said, there's other use -- new use cases coming for the distributed enterprise, SD-WAN is the big one, where, again, we used our system on a chip to be able to supply performance on the SD-WAN side, but also you need to be able to provide that software capability, whether it be the SD-WAN itself, orchestration, SD branch. And so FortiGate can do a lot of things from firewalling to SD-WAN, to SD branch. But in all those areas, the underlying performance on ours is to start with a great advantage, and then we just put on top of that the convergence of networking and security and then our single management system provides us a really competitive offering in those individual markets.

Got it. What -- so FortiGate platform for other companies, I'm not talking about Fortinet, but for other companies, part of the growth was the mention of the platform, meaning you constantly add more and more modules to the platform. To begin with, you started with a bigger platform, meaning more modules. And then you added more, and we mentioned SD-WAN. Can you talk about the drivers for the kind of core business versus add-ons land and expand, if I can call it this way? And I'm not looking for numbers, but I want to understand if you're still growing the number of customers and expansion of the footprint versus whether you're growing with existing customers and selling more to existing customers?

I'm going to say [ valve ] and then I can see if John wants to go a little more deeper, if you don't want numbers. But we're clearly adding customers, I think in the neighborhood of 5,000 customers every quarter that we're adding, and the penetration opportunity, if you will, in those non-FortiGates and it's -- I don't want to say it's largely untapped, but it is extremely significant to us. John, do you want to talk more about non-number things?

Non-number things. Yes. Well...

I always say non-numbers just to be polite. I'd take the opportunity to speak about the numbers.

Yes, it's definitely both. And we still think that from a market segmentation perspective, whether it be small business, commercial, enterprise service provider across all of those segments, we are adding customers inside there. And then within those customers, we're expanding as well. And I think we're just barely tapping in to some of those customers and the ability to expand either the core firewall across into the cloud or the firewall back into the campus or into the branch. And then on top of that, it's actually another opportunity around services as well, whether they be vanilla, FortiCare support services or FortiGuard services or more advanced services, which look across the specific use case across multiple areas.

So if I look out a year, 2 years, 3 years, just look out into the future, what's the future for the FortiGate platform? Do you see continued growth in the platform? Or do you think it's going to decelerate and the focus will shift towards the non-FortiGate?

John?

All right. So I think of the -- when we say FortiGate platform, I always think of the platform as being FortiGate OS, which is our operating system, which runs on FortiGate appliances, it runs on FortiGate 02 machines, it runs in the cloud, it runs in the data center, into the ability to provide SD-WAN or WiFi controls, all of these capabilities. That's the platform. And that platform will always be a mix of appliances, virtual machine, SaaS derivatives, ambient container. And so in my mind, it's just a question that maybe that kind of split very slightly. But the platform will be there across all those edges, providing all that functionality. I don't see any change to that.

Got it. Well, I spoke earlier today with the CEO of Palo Alto and he spoke about the cloud, and the opportunity of the cloud. When you talk about the way you see Fortinet evolving in the market between corporate, private data center deployments or campus deployments versus cloud deployments and migration to cloud and how is Fortinet positioned there?

Yes. I think people kind of bundle everything together I say cloud and what does that mean? Well, there is definitely security for the cloud and security from the cloud, which in our minds are kind of very different. So security for the cloud, definitely, we provide security. That's a good opportunity there because people are moving applications to the cloud. And so the ability to secure the network -- the cloud networking, to secure the platforms themselves like AWS and GCP and Azure and the ability to secure the applications like e-mail or WAF, or cloud portfolio across cloud, that also looks back into the data center. So that's definitely a big opportunity. And also the ability to provide that segmentation on the way back. And then there's the other piece of cloud is cloud delivery, security from the cloud, which is sometimes is a form factor, sometimes it's the ability to provide that kind of SaaS, whether it be a management system or whether it be actually taking traffic like SASE or e-mail security. So we see big opportunities in both, but we do kind of split them out as being separate in the way you kind of go to market and the way you deliver those platforms.

You touched on SASE. You made announcements pretty recently about your entry to the market. Can you discuss the opportunity you're seeing there? And can you discuss the angle in which you would like to participate in the market?

Yes. Well, unfortunately, or fortunately, these acronyms come out. And like SASE, and everyone takes a view of what it is to them. What we see right now is mostly when the customers talks SASE, they're talking about secure web gateway in the cloud, moving a proxy from the data center to the cloud. And I'll talk about a road map of adding in some CASB and some sandboxing and some other capabilities. And that's definitely something we started rolling out and we continue to roll out. SASE or secure a gateway as a component of global platform. It's an important one, but it is a component. And so for us, the SD-WAN is the foundation of SASE and rolling out secure gateway, either as a cloud component, rolling out Zero Trust as you go back in to the campus environment [ important ]. So it's an important piece, and we're rolling it out. We've already rolled that out, but it's a component of the overall architecture and the use cases that customers are requesting.

Got it. And where do you see yourself playing in SASE, meaning building data centers or using public data centers rolling out service? How do you plan to participate in the market?

Well, we definitely are building our own capabilities -- or have built around capabilities, but we also are a very partner-driven company. Whether it be the smallest resellers to the largest service provider, we announced some alliances or some agreements with SASE and SD-WAN with AT&T and British Telecom recently. There are others out there. And so we've seen service providers playing a very important role that they own the infrastructure. They own the transport. And so we see a combination of building our own, plus working very closely with service providers to enable them to have that capability.

So John, where -- like what's the outlook for your product business or service? When I say product, I don't mean the client, I mean product in -- as you defined it, FortiGate OS, basically. What's the outlook for the FortiGate OS? How do you see it evolving over the next few years? What are the points? What are the areas that will slow down? What are the areas that will accelerate and the areas that you're focusing on?

Yes. Is there a background noise? I keep hearing a background noise. I know what you said now, but is that -- can you hear that?

I don't know where it's coming from.

Just stopped.

Yes.

So it's me for some reason. I don't know. I'll go back on mute.

Maybe when you pulled the computer close, that's what it was. Well, that's better. Okay. That's a really good question, Tal. I think it's hard to totally predict, but I will say that FortiOS sits in the center of a lot of critical use cases, okay? So for us, I dimensioned SD-WAN, that's FortiOS driven. I also mentioned SASE, FortiOS driven. I also mentioned SD branch with our WiFi LAN OS driven, new 5G connectivity, OS driven. And I think one of the most important applications right now is Zero Trust Network Access. We're not going back to everyone in the office, it's going to be work from anywhere. So the ability to drive that Zero Trust access and eventually Zero Trust segmentation or a Zero Trust networking portfolio against FortiOS driven. So we just see a lot of use cases that has FortiOS in the central rig. That FortiOS may exist in the WAN Edge, SASE, Data Center Edge, OT Edge, WAN Edge, LAN Edge. So it's in different places, but it has the ability to provide that enterprise-class networking with a converge enterprise security stack on top. So you have a single policy that you can supply those edges, but you're able to, most importantly, is build out automation across the use case because that's the most critical thing in responding to some of these threats.

Are you there from a product perspective, for example, you mentioned automation? Are you already there? Or these are capabilities you plan on having?

It's always a journey. We have capabilities right now, which can be driven by components in our management systems. Those management systems have APIs that can be driven by external automation systems, like Ansible, or TerraForm, or some of the cloud components. And so the key is, even though we're building a platform and it's very important to that platform is built organically, so it works together and it can build the automation and the sharing of the policy, the ability to apply AI and the ability to apply AI Ops, which we announced today on the WiFi side, or digital experience monitoring end-to-end, it's also important because customers have made investments in other parts of the infrastructure, whether it be the cloud or whether it be networks, et cetera. And so we have to make sure that our platform will work with the customer's decision on other vendors, other infrastructure, even if it's a competitive vendor. I think the cybersecurity industry needs to do a lot better in working together to share policy and threat intelligence. But we need to make sure we work inside the customer's environment. Our goal is to make sure they can get their use cases working for their business.

Got it. We spoke a lot about the FortiGate side. Let's talk about the non-FortiGate side. Can you first define what's included there? And FortiGate, it's -- by the way, there's a thunderstorm here that is really bad. If for whatever reason I lose power because it does happen, just wait 30 seconds, I'll reconnect. I have a generator. I'm just saying it in general. So can you -- when we spoke about FortiGate, I understood the FortiGate OS, I understood the silver lining and the connection between the products. When we talk about non-FortiGate, can you define first what's included? And then where is the synergy between one product to another?

Yes. So again, I'll come back to being FortiOS. So FortiOS, 6 of those edges, WAN Edge, Data Center Edge, Cloud Edge, OT Edge, and that's -- could be a FortiGate appliance. It can be FortiGate DM, it could be a SASE-delivered FortiOS. So that's the kind of the core if you think about it. Then there's the endpoint, the endpoint marketplace, which consists -- is also evolving itself into a platform. It's evolving from EPP, to EDR, to XDR. There's also the capabilities around NAC and identity that all fit into this kind of -- so I think this whole component of device and use security is evolving into this Zero Trust networking, which consists of Zero Trust Access and Zero Trust segmentation. So that's a big component for customers as they can go to this work from anywhere. Then you've got the network edges, which we just talked about with FortiOS. Again, it could be FortiGate, it could be SaaS delivery. Then you've got the cloud and data center components, SaaS components inside there. So there's products that protect workloads, cloud networking, there's products that protect e-mail systems, there's web application firewall, there's all those components. There's a network operations line, and I talked about us announcing our FortiMonitor today, which is actually from the Panopta acquisition a few months ago, providing this network operations piece. And then, of course, there's the CISO and everything that CISO cares about, the security operations portfolio, whether that be SOC itself, the SIM store capabilities, whether it be some of the more advanced EER AI capabilities. So those are all the components that work around that kind of edge FortiOS network, but they're all connected. For example, our clients can talk to our network already. So things like XDR was second nature to us. We already had that capability because our FortiOS can see all the policy and the components around it from the devices and users, into the applications in cloud, into the security operations area as well.

Got it.

We're in 8 Gartner Magic Quadrants, by the way. So you can see the breadth of our portfolio. We're in 10 market guides, which are precursors to Magic Quadrants. So you can see the extent of our portfolio across cybersecurity.

Fortinet went through a tremendous evolution over the last few years, from a FortiGate-based solution to FortiOS-based solution, if I can call it this way, with multiple products and multiple addressable markets, et cetera. What changes did you make to the organization, especially sales and go-to-market in order to go after the new opportunities? Is it the same buyer? Or did you have to address different buyers within the organization?

It's definitely we've expanded. I would say, if you go -- I don't know how far you want to go back, but Fortinet play was very much in that commercial zone, commercial. And yes, we had an SMB business, not as big as [ people ], but we had a very, very good commercial sales force. And what we've had to do is expand from a channel perspective onto the SMB side and then from an enterprise side and very large enterprise side into that as well. The marketing teams had to start segmenting the way we went to marketplace, making sure that we are building pipeline for those individual markets, making sure we're working much more closely with the channel. And then, of course, we had to make sure that our sales enablement teams were able to grasp what used to be a very simple -- this is a file, always is what it does. So this is a platform working across these many different areas. So yes, there's been not only -- it's not only a product thing, but over the last 4 or 5 years, we've had to change a lot of the organization to understand the different market segments to understand more than just a firewalling product to understand that it's more than just an agent or an appliance or a SASE delivery or agent delivery. So yes, a lot of change.

Got it. You mentioned fabric before in previous quarters. What is it? And how does it help you to dominate the edge environment or the environment altogether?

We turned -- people use platform. We use fabric also. We think fabric is a tighter integration. Definitely, you can -- there's 2 ways of building a platform. And by the way there's also endpoint platforms and network security platforms and cloud platforms. So there's individual platforms. We treat the platform as being endpoint, network and cloud. And we treat it -- we just call it a fabric because one way of building that is to go and buy 10 or -- 10 or 12 vendors and say, hey, let's bolt it together. The PowerPoint looks good. At some point, we'll make it work together, all right? That's one way. I don't think that worked previously for the endpoint vendors. They tried the same, look at where they are today. Our goal would be is to build it organically, because we can make it work together that way. Now we do acquisitions. I just mentioned Panopta is one of them. We also acquired a micro segmentation company. Sometimes, we'll say, let's bring that in and update it and change it and then release it, maybe, 7 months later as part of the fabric. Sometimes, we release it in parallels while doing the integration. But our goal, whenever we do that acquisition of that IP, our goal is to have it fully integrated as quickly as possible, whether that be a stand-alone plus integration or pure integration. And so the fabric is this ability to apply policy and see everything from the most distant IoT object all the way across the campus and the network all the way through into the cloud and the workload and the application and the data, the database is running there and everything in between.

Got it. Product cycles, NP7 and the product refresh that it introduces. How big of a factor is it?

I think it's not as much as people think. And there's obviously a time frame around that. When we introduced our NP7, you start with one product, one of the actual firewalls and then you kind of start to build it out. And we just released our largest system in Q1, which is our 7121F, which is a 2 terabit per second firewall. It runs 500 gigabits a second of next-gen firewall. It has 400 gigabit interfaces. I mean this system, even 3 years ago, would just been unheard of. That's a router. That's a very high-speed router, not a firewall. And so we continue to -- we usually start at the midrange and then we build off and we build down to make sure we encompass that. But that cycle is usually 2 to 3 years as we go through it. But as we introduced those products, they just make a big wave inside that particular price band because the performance is so much higher. And as I said, I think there's quite a few file vendors who's products are a bit long in the tooth to say the least. And it's even more startling when they see something that's based on our NP7 system.

No. I want to -- I just want to understand kind of the change. I'm trying to compare Fortinet to the other players. And some are growing -- like Check Point is hardly growing. Palo Alto also is growing because they're going to another area basically and building another platform. And you're growing in a different way. You're growing by expanding your existing footprint. You're still growing within the legacy market versus the others. Do you envision any change of your focus of your strategy? Do you see the same differences between you and the other vendors in terms of market focus? Or do you think it's just all the same? I'm trying to understand your view of the market because in the back of my mind, I have this concern that legacy hardware firewall, over time, the growth will go down quite substantially.

There's definitely big differences in the network security vendors I know there's 4 right now, I think you would say. There's Palo Alto, Check Point, Cisco and ourselves. There's big differences between the companies. I think if you look at -- I should say, with Palo Alto, they want -- are going to build a cloud business, which is fine. I still think they're very reliant on the appliances and things like that. Check Point, I think, has taken their approach of trying to protect their installed base, fair enough for them. That's what they want to do. And Cisco is trying to acquire a lot of components and try to -- I'm not going to say it bolt it together because that's -- they have engineers there who try and build things and integrate things. I think from our perspective, it's not so much the appliance piece, although that it's very important to our business. Again, it comes back to the operating system that can work in those different scenarios and the different edges. And so that -- our goal -- I think our goal is much more of a broader platform approach. So not just the cloud, but network is very important. I think a lot of -- I hear a lot of the cloud-only vendors say all the networks going away, don't worry about the network. which doesn't -- that doesn't seem right to us. And that if you're trying to make it about digital experience, you've got to understand what the network is doing. And then, of course, you've got some endpoint vendors who don't play in the network. So I think our goal is to make sure that we can play a cybersecurity platform that works across endpoint, network and cloud. that works across SMB, commercial, enterprise and service providers that can be deployed as an appliance, a virtual machine, as a SaaS delivery, as an agent. And then within those components, we want to be able to provide the best performance and the best networking capability.

Got it. So a question for Keith also. Operating margin, you hit 24.5% level last quarter, which is close to basically next year target. What's the outlook? What are the pluses and minuses in your margin evolution?

Yes. I think probably 3 things I would call out. One is, you've seen a steady improvement in the gross margin, most particularly in the product line, I think that's been very pleasing over the last couple of years almost. Also, I think you're seeing the whipsaw effect a little bit on sales and marketing. You know that the first quarter last year, there really wasn't that much of a benefit because of COVID, but certainly as you got into the second quarter and third quarter throughout the year. So we called out probably about 150 basis points. And we also expect about 150 basis points of headwind for FX this year on top of it. So to be able to kind of build a model, keep to our framework of averaging 25% operating margin, while continuing to push on the growth lever, I think that meets our definition of balanced growth and profitability and tilting towards growth in the current period.

Got it. Where do you think -- and that's my last question for today, we're running out of time. Where do you think are the areas -- I want to ask you about concerns, about risks for next year. What are the areas where you need to watch out or areas where the company is focusing on when it comes to potential challenges for the company over the next year?

Yes. I think we're very good about worrying about what comes next and maybe that's why you see the consistent performance because we're in front of issues. I can't say that I foresaw a pandemic last year nor that I foresaw the chip shortages that other companies are working their way through. I'm sure there'll be something next year. But I think we've shown a fairly decent ability to be in front of issues and execute our way through them.

Got it. And John, any areas of concern you would like to highlight or things you are focusing on for next year?

Yes. We like to protect our customers. So we've got to be looking out as far as possible. We would like to be able to see some of these campaigns in the wild so we can give our customers a heads up, so it's a security aspect. Concerns-wise, we've got to make sure that we continue to execute on our development and road maps and deliver that to our customers and continue to take that feedback. I think those are the 2 big things we're really focused on.

Great. So we ran out of time, and I don't have any questions from the audience. So we can power it off for the day. Thank you so much, Keith and John. And to the investors, if you have any questions, please don't hesitate to e-mail me directly. If I don't know the answer, I'll approach the company for answers. Thank you.

Thank you, Tal.

Thank you, Tal.

Sure.