Fortinet, Inc. (FTNT) Earnings Call Transcript & Summary

All right. I think we can go ahead and kick it off. Thank you for joining us in this afternoon at the Fortinet session. I'm Gabriela Borges. I lead the emerging software vertical here at Goldman, and I'm delighted to have the Fortinet team with me on stage. On my far right, Keith Jensen, CFO; and in the middle, John Maddison, Chief Marketing Officer and EVP of Product Strategy. Thank you, gentlemen, for being here. We appreciate it.

Thank you.

Thank you.

So John, I want to start on one of the themes that's consistently coming up, both in your conversations and in the broader industry, which is consolidation. And for the last decade, we've consistently heard that there is a trend towards consolidation. My question for you is, what's different today versus 10 years ago when you first joined Fortinet? Are you actually seeing a change in momentum? Or is it more of a continuation of a trend?

Yes, we're definitely seeing customers absolutely more interested in consolidation or platform approach. But I think it's different across the different marketplaces. So for network security, for example, there's definitely more convergence. The new name for that conversion is SASE, one of the popular buzz terms, and customers are definitely wanting that platform approach, there, for cybersecurity, it's more of a consolidation of vendors. They need individual components to work better together, so you can put automation. For OT security, for example, that you need to make sure your networking and IT systems are OT aware, operational technology aware. And then for the cloud, it's more about making sure your systems are cloud native versus just transporting stuff from the data center. So I think that consolidation is different depending on which marketplace you're in.

That makes sense. And I think one of the more interesting convergences is between classic networking security and class networking. And many investors, I think, have spent time understanding Fortinet's differentiation on the network security side. What I'd love to hear you talk about is why you are different on the networking side and some of the core networking IP that you've built that allow you to really be strongly positioned from a competitive standpoint as the networking TAM becomes the secure networking TAM?

Yes. So if you look at networking, that marketplace has already consolidated over the last 10 years, you could probably name 5 vendors where in cybersecurity, could probably name 100 vendors. For us, when the company was founded 23 years ago, the goal was to focus on secure networking and secure networking is all networking that's not just relying on the IP address or a Mac address to connect things. Like a next-gen firewall looks at content, it looks at the user, it looks at the application, the same with secure SD-WAN, the same with SASE and Zero Trust that looks at the posture of the end device, the same with secure wireless LAN. And so we believe -- if you look at those marketplaces right now, there are about 35% of the overall networking marketplace, secure networking. By 2030, secure networking will have overtaken what we call basic networking like routing or data center switching. So back 23 years ago when our founder didn't really know things about SASE and Zero Trust and things were coming, but definitely his vision about relying on more than just the IP connection to make a connection is very important to make that networking secure.

What is the barrier to entry for the Ciscos, the Aristas, the traditional networking companies on the access plane and switching and routing side? What is the barrier to entry for those companies to invest more in security because they do talk about it in their R&D road maps?

Yes. Well, I think you need to have it architected right into your systems. And I think you can acquire things and try and bolt it on, but that becomes very hard. And so even though we acquire small pieces of technology, most of our development is organic because you have to make sure it's built right in the ASIC, right in the security stack, right in the management console. And when you're trying to take 2 products and integrate all those things together, it becomes very hard, very hard indeed.

That makes sense. So I want to ask a little bit about how you think about the value creation in secure networking from software versus hardware. And the baseline that we have is when we think about the firewall market, you sell a hardware appliance and then you sell this really rich mix of attached subscriptions and services on top of the firewall. And that leads to the business model that you have today. If I think about the classic networking market, it's been much more hardware-based, but not the same type of service-as-a-software attach. As you see conversions, do you think or are you seeing evidence that you can actually sell a similar mix of software on top of things like SD-WAN and Securitas relative to the mix that you've already realized in firewalls?

Yes. I think long term, traditionally, I think a firewall marketplace has been very, very hardware-centric, then you add some services around support. Then you add some security services depending on the use case. If it's perimeter firewall, we may have more of a security stack versus the segmentation firewall, which is more staple firewalling. I think in the future that you'll add SaaS for that stack on top. And that SaaS could be management services or it could be SSE services, which is the kind of the Secure Web Gateway or CASB. And so in the future, that SASE, which consists of a cloud component or as a service component, it will consist of a hardware component. It consists of a software component. It will consist of an agent that sits at the endpoint to provide agents for Zero Trust for SSE, EPP and EDR going forward. So we believe it's a very hybrid world going forward of not just cloud, not just hardware, not just agents and not just Software-as-a-Service. It's going to be all these components brought together. So the mix of service and hardware will change as we go forward.

And I think what John is suggesting is that you may see the hardware mix actually start to decline and the services mix actually increase when you look at the entire book of business. But maybe John can also talk a little bit about maybe clarifying in terms of the type of use case where you would see Fortinet selling a switch or selling an access point as opposed to a traditional switch company. Do you see it's going toe to toe with the large switch companies on big deployments? Or should we talk more about secure SD-WAN and things of that nature?

Well I think we define secure connectivity, which is wireless LAN and LAN, but only in the campus and in the branch, in the factories or OT environments. In the data center, it's still going to be that large switching. So secure connectivity for us is any wireless LAN or LAN that you can make secure by making sure that every port, every wireless LAN has the ability to apply security to it, which is becoming really important inside operational technology environments, where you can't put software, you can't put agents on controllers. All you can do is make sure the switch and the WiFi and the firewall have the OT visibility and capability. And so again, for us, secure networking means that security is totally integrated inside the switch, either the SASE in the cloud or the firewall.

It's a nice segue into some of the product development that you're doing on the SASE side. So when we met about a year ago, we talked a little bit about the room for integration to be truly outstanding on single vendor SASE. And Gartner came out recently and named Fortinet as a challenger in the single vendor SASE Magic Quadrant. So help us understand from a technical standpoint, what are the next big or minor improvements that you need to achieve in your SASE solution to get to the next stage of integration?

Yes. Again, I think it's -- we had acquired a SASE vendor maybe 4 years ago, and we found out how hard it is to integrate a completely different platform from an existing platform. And so we kind of almost rebuilt it maybe 3 years ago, 2.5 years ago to make sure we build it organically by taking the same software and security stack that's in our appliance and building it out as a service in the cloud that's available also as cloud native. And once you have that foundation in place, it's much easier to integrate. For example, inside our FortiSASE console, we're able to connect our SD-WAN by a click of a button. That's almost impossible with any other solution, especially with different solutions. So the long term for SASE, and that's why Gartner called it publicly, single vendor SASE because you needed all the components yourself and they needed to be integrated. They give highest marks in that Magic Quadrant to the integration of the 2. And so yes, we're still building out -- there's always going to be features that's needed on SD-WAN, single secure services edge. But the most development will be making sure it's integrated under a single console, another ability for us to apply the same security stack in the cloud, in the data center or on the SD-WAN Edge is also very important. So integration between the 2 is the most important thing going forward.

So what are some examples of 1 or 2 of the features that are next on the road map that will get you further up the Magic Quadrant?

Well, they want a Zero Trust. Okay. Everyone talks about ZTNA or Zero Trust. Everyone has apparently Zero Trust. This is another era, I think Gartner will try and sort out in the future because right now, everyone's Zero Trust is remote access, replacing VPNs. That's all they've done. And they give mostly Internet access. A few try private access, but it's very hard. In the future, Universal ZTNA means your ZTNA works off the network, on the network and for all your devices in IoT across any application. And by the way, as a company, we've been rolling out with ZTNA for the last 1.5 years internally, and it takes a lot of time, a lot of dedication to each user and each application. So we feel once that integration is there and ready from a SASE perspective, the ability to then add things like ZTNA, Zero Trust, the ability to add digital experience monitoring, which will be critical for the digital realm going forward is much easier versus again, trying to just add on point products into point solutions.

Absolutely. I want to ask about SASE as a product cycle. And when you think about where you're spending time with customers today, is it fair to say that next-generation or more advanced SASE architectural adoption is happening more in a large customers? Give us a sense for if you were to think about your installed base, where are you seeing the most traction with SASE today?

Well, if you look at SASE, if you go back maybe even a couple of years, you would have 5 vendors there. You would have somebody who does SD-WAN, maybe back then, it was even a router still. You would have somebody doing the CASB, you would have somebody doing the secure gateway, sometimes in the data center, and you would have somebody doing a VPN that then or ZTNA. And so those 5 vendors, I think, initially will turn into 2 vendors. They'll turn into the SSE vendor and the SD-WAN vendor, then eventually they'll turn into the SASE vendor. But I think that SASE vendor will start in the mid-market, small enterprise and then work its way up into a large enterprise over the next 5 years. As always, these very large companies have very solid approaches. And again, the single vendor SASE Magic Quadrant from Gartner was actually the first time I'm seeing Gartner take 2 Magic Quadrants and try and merge into one. The first time I've seen them take 2 [ buying ] centers, CISO and CIO completely different and try and merge them into one. So it's going to be very interesting to in the very, very large enterprise, what their belief in single vendor SASE and how fast they get down the track. Mid-market, convinced already.

So maybe we then talk about the go-to-market piece of it. So the success that you're having or that it sounds like you're having with the mid-market today. Does that involve building champions across more than just the classic network security champion?

Yes, it does, but it also involves us training ourselves to people to make sure they can sell across both. So I think sales enablement is absolutely critical function for the large platform vendors, the consolidators. I don't want to talk about Gartner too much, but we're in 9 Gartner Magic Quadrants. That's a lot of different markets across a lot of different buying centers. So we have to make sure that all our salespeople are then able to sell across all those different buying centers, but it does involve building champions that are okay with convergence and consolidation. Like some customers, they just want to carry on what they're doing because that's easier. But I think they'll get forced by sometimes economics to push it and convert it together.

So then similar question for Keith, please.

I was just going to add to John's comment. I think the internal champions when we talk to customers now, whether it's a CIO or CISO, I think the one logical place we're seeing the champions evolve is from the success in the SD-WAN implementations. The MPLS savings, the ROI is so attractive. It's clearly I talked about inside of organizations across the CIO and the CISO. And I think the success in SD-WAN then gives us the opportunity to come in and have the conversation about how to move that to SSE and how to move that to SASE.

Okay. So interesting. So is it fair to say that as you move up to larger customers, you'll have already made progress or already have a playbook for engaging with both the CIO and the CISO?

Yes, because we also have a secured operations portfolio that we've been selling as well as our secure networking portfolio as well as our OT portfolio. And so we already have those contacts. But then for the customer I think what I'm seeing right now is that starting to make more platform decisions, which are a bit longer term because they have to say I'm taking 4 or 5 vendors and making a platform of it, and they have to get the timing correct, but they want to architect that platform.

So it also leads into a third piece of security, which is cloud. Maybe help contextualize cloud security for us in the context of SASE and network. Is there -- how do you cross-sell cloud into your existing installed base? Do you feel like you already have the relationships and the buying motion to be able to do that?

Yes. So far as we differentiate security for the cloud versus security from the cloud. So security from the cloud, we have obviously SASE, but we have 15 other products which we take from the cloud. Our EDR product is cloud-based, our new network detection and response is cloud-based. So there's all the security from the cloud, which in our mind is a bit different in security for the cloud, where you're taking your products and putting them in the cloud to protect cloud workloads. We think long term that that's -- we've got to be close to the cloud and the hyperscalers because they -- some of them definitely want to own them. They own that platform and they want to own more than the platform. And so we've got to be careful and work with them closely to see what they're really focused on, what value we can bring. I think long term, a lot of the cloud security or security for the cloud today is just like the things that have been taken out of the data center and just planted in there. But it doesn't seem any good, it's not as efficient as it should be. So long term, you need to make those cloud native, but also across all the clouds so that they work just the same, but within those environments. To differentiate, to be cloud native, you need to be as easy to operate as the native cloud, say, firewall or WAF, but be able to work just as well in the other clouds as well. So that, to me, is going to be a battlefront. A lot of people are saying, well, maybe I should be the platform vendor inside the cloud. Well, good luck.

When you look at your cloud portfolio today, is there a way to think about how the mix evolves between something like virtual firewall versus cloud workload protection or cloud security posture management? Are there pieces that you feel are missing today and other pieces that you feel are particularly strong?

No, we clearly want to be very strong in firewall because the whole firewall marketplace has become more distributed. So what used to be a very defined use case in the data center or a perimeter firewall, in the segmentation firewall is now probably 12 use cases. And one of the use cases I think everyone missed was the distributed firewall that sits at the edge, sits at the branch, sits at the campus, now sits in the factory, which is also the platform we use for SD-WAN. But there's also other types of -- and all those, by the way, are hardware firewalls, perimeter of the branch and the perimeter of the data centers is no different. You are not taking a piece of software to do that. And then there's other kind of smaller marketplaces, firewall-as-a-service, there is -- it's more of a SaaS delivery. There is a virtual firewall. There is container firewall, native firewall, ruggedized firewall, I mean it goes on. So the final marketplace has become more distributed across more of the infrastructure. And so for us, the kind of cloud firewall and the native cloud -- native firewall is a very important part of our overall final structure, but we want a single console across so you have a single control point, a single policy. And so that, along with web application firewall and some of the other components are important to us because it's not just the cloud piece, it's something that sits across all the infrastructure. I was speaking to a customer and we were trying to work out how many firewall vendors they had. They ended up with 8 when I went through all the use cases. And they -- this was -- that's not going to work for them. They want 2 or 3 of the most preferably 1 across the main areas.

And so is there any reason Fortinet can't consolidate those 8 firewalls?

No reason at all.

I think also the question was about other cloud products and services. And we defaulted into was the logical place, which is cloud VMs, pardon me firewall VMs and John did a very good job of going beyond that. But John, if you look at the other pillars, what are some of the other software or cloud products that stand out to you in terms of the growth opportunities and the growth that we've seen to date?

Well, again, it's a security for the cloud. So I'm not talking about our SaaS stuff, okay? So there's a lot of that -- I could be here all day talking about those things. But security for the cloud is mainly focused on protecting access into the cloud through the firewall, is then focused on making sure we protect the applications through our web application firewall, and that's mainly focused on our workload protection through our EDR product. Those are the 3 areas we really focused on.

It's a good opportunity for me to ask on virtual firewall in particular, which is what are the logical use cases that you're seeing for virtual firewall today? And how do customers use Fortinet virtual firewall alongside perhaps firewall functionality provided by the hyperscaler provider that's inbuilt?

The initial application of virtual firewall was east-west in the data center. It then expanded to just being inside the marketplace as a virtual firewall inside the cloud. I do think long term, that's going to make its way into more of a native installation or a native product. But also I think some of these things lend themselves better to also on-demand capabilities. So flex -- what we call flex capability where you can consume different products as a service, as you go, because that's the way they do it inside the cloud. So it's not just the product itself, it's everything around it, whether it be sitting in marketplace or the application or to be able to switch it on and office or as much capacity as we want. So again, I think as we go forward, more and more people, either you deliver that cloud native functionality, whatever product it may be as the same as the cloud-native functionality inside the cloud or I'm going to use the cloud as simple as that.

So I want to come back to the product questions. We're going to change gears for a few minutes and talk about the model and the demand environment into that cost. So Keith, when we've looked at periods on our security normalization in the past, it typically takes more than 1 quarter to level set. And so help us understand some of the changes you're making to your assumptions for forecasting in the back half. And help us understand why seasonal 3Q billings guidance makes sense in the context of some of the volatility that you saw in the back half of June and having to potentially make changes to how you're sanitizing the pipeline and some of the sales force productivity metrics?

Yes. I think that we had spent several years developing a set of KPIs and metrics that we use to help set guidance. And until the second quarter of this year, I was very proud of the results that we had. Obviously, that wasn't the case in the second quarter because things shifted on us. We saw contract duration become somewhat different. We saw our close rates become different. We saw the pipeline coverage take on a different level of importance perhaps on the quality of the pipeline. And there's some hygiene things on our side in terms of how we go about deal inspection and predicting things. And so I think the answer to your question is clearly what basically we did was take everything that we've done up until the second quarter of this year, all that -- all those data points and metrics and said they're no longer views to us in the current environment. Rather, what we're looking at is what we saw in the second quarter for those KPIs around close rates, around pushes, et cetera, and saying we expect for guidance setting purposes that, that will repeat itself in the third quarter. We'll get the same characteristics in the third quarter as we got in the second quarter, and we'll continue with that until we see something that changes. I think a way of sanity checking the results of that approach, if you look at the seasonality from the second quarter to the third quarter, typically, our growth between the 2 quarters is low to mid-single digits. And if you look at from Q2 to Q3 this year, you'll see that that's exactly where we ended up. And embedded in that is a couple of points of benefit from the backlog. So I think from a sanity check viewpoint, what that really means is the guidance for the third quarter does indeed reflect the same characteristics that we saw in the third quarter. We then carried that on into the fourth quarter with the same methodology with one additional adjustment, which was to take down any sort of backlog or pardon me, any sort of budgetary flush that we might see in the fourth quarter. So I think in terms of where we've gone for the second half of this year in terms of the key metrics that are used for our guidance setting process. I think we've taken a prudent approach to it.

So we experienced this dynamic across broader software companies last year, where as the buying environment got more challenging, it became -- or they became more dispersion in sales force productivity and sales force performance where companies have to do more to help their salespeople navigate a tougher buying environment. What are some of the things that you're working with the sales force on today to help them navigate a tougher buying environment?

Yes. I think -- well, John can talk about training for SASE in a moment, but I think you've seen -- inside of our organization, I think you've seen the management team become much more engaged with the end user. It's not the channel partners so much as -- or the resellers, but rather than being on the road and actually spending time with our large enterprise customers and prospects to provide support to the sales team and being very clear to them that we will support them. We've also been very clear with the sales team that in areas of extended payment terms, we have a very strong balance sheet. In the areas of discounting, again, we have a very strong balance sheet, very strong margins. There's opportunities there that they can leverage, arrows in their quiver if you will, that they can use as they need to get deals across the finish line. We've also offered up some more targeted incentives for our channel team. We think that incenting the channel team can have a fairly quick return, if you will, if done successfully, whereas making large changes to the sales organization, maybe is a longer-term project that you'd probably have to be more patient with. But maybe John can talk about some of the training.

Yes, definitely training for the sales and definitely the channel as well. I remember maybe 18 months ago, and I was in a sales meeting like this and I asked how many people know what SASE stands for okay? If I ask the same question here, how many people know what SASE stands for. Similar reaction. So I think for us, the training is very important because it's hard when you want of our salespeople going up against CrowdStrike for EDR solution and going up against maybe Cisco for SD-WAN, maybe Zscalers for SSE, you're going across a lot of different marketplaces. So you have to change the sales enablement. They haven't got weeks and weeks of weeks to spend off-line training. And so we developed some new sales enablement tools which allowed our salespeople to kind of quickly onboard the most important parameters. And so one -- and one of the tests wasn't -- they ticked box, they've taken the training. It wants to do the pitch back to us on the video and then actually grade the video to see if they passed or not. So because there are so many areas, you have to change some of your sales enablement techniques in the channel, a lot of demand there was for the channel to be able to do some hands-on. And so we had to introduce some capabilities where they could do some hands-on training. Again, the channel didn't have a week to send them up to training on the product, but they wanted a high-level view of the consoles and other places. And so it definitely made us change a bit the way we do sales enablement and channel training because of the extent of the product, but also the depth you need to train them on in each of these areas.

Keith, I'm hoping you can comment on some of the industry headlines on some of the near-term changes you've made in realignment in your sales force around a reduction in force?

Yes. I think the -- we have probably looking at the sales organization, you'll probably see something in the order of 2% or 3% of the organization will make some sort of career move during the second -- pardon me, during the third quarter of this year. For context, I think that everybody is aware that, say, 2022 and maybe part of '21 were very strong periods of time. It was difficult to hire. There was a lot of success in the sales organization, a lot of growth in the organization. And in that environment, maybe you don't go through the normal hygiene that you normally do in terms of looking at bottom performers because it's so difficult to replace. If you fast forward to where we are today in terms of 2023, this seems like the appropriate time for us to be looking at the people that are having more performance challenges, if you will, working with them where appropriate, perhaps providing some additional support. But in other cases, perhaps it's more appropriate that they exit the business. And I think that's what you're referring here. And that's why I would say that's probably impacting something on the order of 2% to 3% of the sales force.

And did I catch a comment right. Did you say that there is a potential for larger changes to the sales force over the long term?

No, I don't think that was -- no, I did not mean to say that.

Okay. Thank you for clarifying. Okay. The months of July, August and beginning of September, any color on what you're hearing on the ground and particularly on trends on willingness to invest and to close deal pipeline relative to what you saw in the last 2 weeks of June?

I think the -- we're still a tech company, the third month of the quarter is still the make or break month. So we'll see at the things that we've put in place really paid the dividends that we want and we expect them to pay as we go forward.

Fair enough. Okay. I'm going to pause for a moment, questions from the audience. Please. I can repeat your question.

Okay. John, I actually wanted to kind of go back to a previous comment you made around how the mid-market is convinced the convergence of SD-WAN or SASE is kind of where to go. I'm curious to see what proof points you guys have to kind of give you conviction around that statement? And maybe help me understand why Fortinet as some other converged vendor will be best suited there?

Yes. And so I'll still see today Fortune 100 large enterprises still making individual point product decisions. Even though they understand that the platform is the -- where they want to go, they still make decisions. But I'll see mid-market kind of smaller enterprises, not making a decision and waiting until they can get a platform in place. And so they'll renew some part of it for a year until they get to the point where they can replace everything. So I just see just a different behavior, but I also see it becoming more products and moving upmarket as you go forward.

John, I'd welcome your thoughts on how you see Microsoft as a competitor over the long term.

Yes. So Microsoft obviously stated they want to be in the security business. And every quarter, they seem to have another $5 billion for the revenue. I think it's -- I think the -- shows they're a competitor and a partner at the same time. And so I mentioned those 9 Gartner Magic Quadrants we're in, they're in 6 Gartner Magic Quadrants. But they're in -- yes, they're in endpoints and they're in SIM. But otherwise, they're different Magic Quadrants. And so like our networking -- core networking there not inside there. And so we see them as the ability to partner with them. We've got, I don't know, 25 different integrations with Defender or Active Directory or Sentinel or whatever. We're very aware that they want to try and own as much as they can. I remember in a previous company, they completely destroyed the antivirus marketplace or endpoint because they own the platform, and that's what they can do when they've got power. That's why I kind of look at saying, well, you really want to be the platform vendor inside Azure? Good luck. Okay? So you have to understand where they're going to be strong off their platform but nowhere near as powerful, like they announced their SSE, which I don't think really sits on the platform. It's kind of a bridge into their platform, but there's going to be nowhere near as powerful there because they haven't got the platform leverage. Yes, they can do big EAs and things like that. But we definitely see them as a competitor and our partner as we go forward. I think some of their SSE announcement was overhyped. What is it? It's something that's -- they're all product they kind of reenable to provide access, but there's no SD-WAN capability, there's no digital monitoring, all these capabilities that you need to be a network vendor. So until they announce, we're going to be a secure networking vendor, I see them mainly as a partner/competitor.

How do you think about the strategic importance of network versus identity? And the reason I ask is, in a more distributed world where IP addresses are less helpful, do you see policy being enforced more from the identity layer versus the classic network infrastructure layer?

Well, it goes back to that SASE question where a lot of identity vendors say, oh, we're SASE. And so we have our own identity systems. We have our authentication, token systems, privilege and access management. We also will work with all the identity vendors as well. So having a platform is great. But I think a platform that's open and integrated with not only alliance partners, but our competitors is also very important because we know our customers make decisions. If they made a decision about an endpoint vendor, EDR and it's the biggest decision for them, they're not going to change and rip it out just because you come along on the platform. So we have to make sure, one of the most important integrations going forward is the integration to the EDR vendor and the ZTNA policy engine. It's absolutely critical. So we're not the endpoint vendor. We need to make sure we can integrate into the EDR vendor. And I think a lot of people kind of mistake that. There's a lot of platform vendors out there. Yes, we can do everything, just use everything from us. We know that's not going to be true long term, okay? People make other decisions as well. And we've got over 500 integrations into our platform over 350 integration partners, including our competition.

Good stuff. John, thank you for the technical detail. Keith, thank you for the color on the model, and we appreciate your time. Thanks, everyone, for joining us.

Thanks.

Thank you.