Fortinet CEO Ken Xie On Leading The Charge In SD-WAN And Facing Off Against Palo Alto Networks In The Cloud
Primed For Success
Fortinet founder, Chairman and CEO Ken Xie sees customer choice as the key to cloud success, which is why he said the company is pursuing a more horizontal approach to cloud than some of its competitors. Fortinet's cloud portfolio includes nine different services and an array of technology partnerships. He contrasted Fortinet's approach to some of its rivals, such as Palo Alto Networks and Check Point Software Technologies, which he said are more focused on acquiring deep expertise in specific areas of cloud computing. Palo Alto Networks, for example, bought Demisto, a leader in SOAR (security operations, analytics and reporting) for $560 million last month, while Check Point purchased public cloud security player Dome9 for $175 million in October.
Xie also touted Fortinet's ability to compete and win against dozens of networking players in the SD-WAN space thanks in part to the computing power advantage the company enjoys from building its own ASIC chip. The computing power edge allows Fortinet to deliver SD-WAN at a lower cost than its networking competitors while still delivering excellent quality, Xie said.
Here’s what Xie has to say about Fortinet's position around 5G, investments in partner training and enablement, and the benefits of cross-selling multiple pieces of the Fortinet Security Fabric.
How do customers benefit from Fortinet taking a more horizontal approach to the cloud?
We feel it's important to let customers select what's best for them, because whether it's a different cloud provider or a different application, it may not be equal. Some customers with certain applications may, from time to time, change the [cloud] provider. So if we are able to work with all the cloud providers, then customers can more easily select what's best for them instead of if they [the security provider] is deep with one, the switching cost can be very high. So from the customer's angle, that's the best for them.
How does Palo Alto Networks' acquisition of Demisto affect Fortinet from a competitive standpoint?
We're more working closely with some of our [technology] partners, like a Splunk, which does all of this analysis like FireEye does with sourcing and response. It's pretty interesting—we like we're the best to design the network security, whether it's at the chip level or elsewhere. And there's other companies and other players that already have a customer base in some other fields. For us, the approach is really to more partner together. I think it will be interesting to see, but we do get quite a good response from our partnerships in working together. That's a different strategy from a different company. Palo Alto [Networks] probably more wants to acquire, and get into some other areas. For us, we're more focused on the networking and infrastructure level. At the same time, partnering for other parts of the solution is our approach. There's so much attack surface. There's so much connectivity and infrastructure between 5G and SD-WAN that requires a different approach. It's interesting. We do collect a lot of data, and also we have probably 10X to 20X the number of deployments compared to Palo Alto [Networks]. So we do collect a lot of data. Sometimes we look through parts of the data working with a partner like Splunk to analyze the data, compared to Palo Alto [Networks], who may try to do something themselves. It's just a different approach.
Do you feel like you're at a disadvantage partnering around SOAR rather than owning it yourself?
It's not a disadvantage. We do network security the best. And we believe some other companies also do their part the best. And also sometimes, they already have the customer base. Just like Palo Alto [Networks] acquired an endpoint security company, [Secdo], and we would rather partner with Symantec. So that's a little bit different approach.
Do you feel, like Palo Alto Networks does, that there's a market for a referral-based model in parts of your business?
The service provider partner is our biggest vertical, and we want to keep investing, keep driving, and keep partners doing all of this SaaS. We want to provide better tools, better service, and a better model to support them instead of competing with them. We'd rather partner with them, because each vendor has their own advantage, and each channel or system integrator has what they're good at. So that's where we'll all partner together. It'll be a better model, and just be more focused on what we do best, and then provide better service and support into them.
How is Fortinet positioned competitively in the cloud following Check Point's acquisition of Dome9 and Palo Alto Networks’ purchase of Demisto?
Our approach to the cloud is a more horizontal approach. We do work with pretty much all of the cloud providers. And also, if you look at the cloud functions we provide, we're much broader than Check Point or Palo Alto [Networks]. We offer nine different services in the cloud environment. Not just network security, but also email security, web security and FortiAnalyzer, and FortiManager, and FortiSIEM and sandboxing. So that's where we give customers more choice. They have all the flexibility to select a different application service or a different cloud provider instead of being more vertical and trying to go deep into one. Like Palo Alto [Networks] is probably working more with Google because their CEO and some others all come from that background. The other cloud providers view them as more of a competitor. And Check Point tries to acquire some and also go deep. We would rather take more of a horizontal approach and treat everybody as a partner instead of go deep with one or two.
What opportunity does Palo Alto Networks’ ties with Google create for Fortinet around Microsoft Azure and AWS?
To some extent, Google, Azure and AWS are all competing. For us, we are working with all [of them] together as a partner. [Palo Alto Networks’] CEO and also their president come from [Google], and then even a board member [Sridhar Ramaswamy, formerly Google's senior vice president of ads and commerce]. … If one [security company] is very deep with one of the cloud providers, presumably the other cloud providers will be more close to the rest [of the security companies].
Have you deepened your relationship with Azure and AWS as a result of Palo Alto Networks being seen as more Google-focused?
Yeah, that's definitely happening from both sides. From our side as well as from other cloud providers, they see that's the way. Because [Palo Alto Networks is] more of a competitor, so that's making things pretty interesting today, I have to say.
Do you feel there's a customer expectation for self-service procurement around cloud and SaaS?
We'd probably more let the customer select or decide, instead of trying to push them in one direction or another. That's how the entire company operates. We have a customer advisory council, and we want to ask the customer what's best for them, and how we can provide better support on both the portal and service for them. I know for some customers, certain applications are good on the cloud, but for some others—even 5G—they more push to traditional computing. We also try to leverage our advantage, whether from the ASIC or from our combined security infrastructure to help them. We try not to push them in a particular direction based on our acquisitions or some other consideration. We more or less leave the overall approach to the customer. If a customer says, 'Hey, this also is a good way,' then we will help in supporting them, but if they ask us to be more flexible and open, we also want to be that way.
Do you anticipate adopting a referral model for any of your business?
I prefer more the traditional [way of] working with channel partners. Because that way, the channel partner does what they do best, working closely with the customer. We do what we do best to build the best product.
What is the most important technology investment Fortinet is making in 2019?
We do invest a lot in technology which we target for five to 10 years later. The biggest impact for us today is probably SD-WAN. That's one of the major growth drivers we have, making security combined with SD-WAN. That makes security no longer just a cost, but also an enabler for connectivity, faster speed, and more efficient networking, all with security built in. In the past, security was always an additional cost to whatever infrastructure was being built, but this is also a part of the infrastructure, so we see a big drive from this. We're the only company with built-in security [for SD-WAN], and also we have the lowest cost. We even have a better growth margin than anybody else because the ASIC chip we're using has such high computing power. So when we designed SD-WAN from the top down, from the security level down to the network level, it's much easier. Security has much more computing power to process the traffic compared to the network. All of the other 50 SD-WAN companies come from inside networking. They don't have enough computing power to process security. But when security goes down to networking, it's much easier because security already has a computing power advantage.
Why have so few security companies moved into SD-WAN?
Just like 10 years ago when we were building the Wi-Fi for security, we're the only company. And even today, we're still the only company building our own ASIC chip for security. Because after you address all of the security issues, you also need to address the performance and the cost. So that's where the chip is important. Once you have computing power around security, adding networking is relatively easy. Most other security companies are all using software pieces in the server to handle security. Just like today, you look at an SD-WAN company, they're not designing their own hardware. They're just using the smaller PC parts or server to do their SD-WAN instead of building to the chip level, which takes more investment and a bigger amount of time. But once you have it, it's a huge advantage just like how GPU and TPU are changing AI and graphic processing.
What does building your own chip allow you to do around SD-WAN?
We've always had the vision that, if you want it secure, you need to build with infrastructure instead of adding it on top of infrastructure as an additional cost. So if you commit infrastructure, the design is more secure from the very beginning. I call it security-driven networking. SDN is more famous for software-defined networking, but I call it security-driven networking. This new approach can become a new enabler and a new value-added promoting both better infrastructure and better security. Because if you look in the past, the job of the CIO and CSO could be in conflict. The CIO helps get better infrastructure, faster connections, and everything more digitized, while the CSO tries to make everything more secure. Sometimes when you get a faster connection or get more data digitized, you probably get less secure. That's the trade-off of everything getting connected and going to the internet is that sometimes it's less secure. But if we can design the new infrastructure and new communications with security designed in from the beginning—what we call security-driven networking—that's helping solve everything all together at the same time. That's the reason we designed SD-WAN with security, and why we did Wi-Fi with security 10 years ago. Even going forward to 5G, we designed it with security in mind.
What obstacles and challenges do coming into SD-WAN with a security background present?
A lot of the infrastructure doesn't quite have the security there, how to educate and make sure SD-WAN and security are working together at the same time. Together, security is on average 5 percent of IT spending. A lot of IT spending is still about connectivity and the speed. Certain applications really need security, though. In the SD-WAN environment, sometimes some CIOs care more about connectivity and speed. They think about security later when they start applying the applications. But if they can do some actual investment of SD-WAN and security together, eventually their total cost savings will be much bigger than two separate steps. We try to educate the market that when you design the new infrastructure, obviously have security in mind first.
How do you compare with the legacy networking players around SD-WAN speed and connectivity?
A lot of networking is still driven more by the cost, the speed, and also how easy it is for the employee to manage. From a security angle, the more security you put in, the more cost there is and the more difficult it is to manage. How to trade off between these two is important, especially for the large enterprise. They're starting to see the security as a very important part, as a must-have, because all of the traffic and all of the data they deal with today, they pretty much all need security. Gartner found that 80 percent of SD-WAN traffic needs to be handled with security. So that's making security become a very important part of the new infrastructure.
How difficult was it to develop the networking capabilities needed to be successful in SD-WAN?
We started a few years ago. It was relatively easy. If you look today at testing from NSS Labs of the top 10 SD-WAN players, it all comes from acquisition. Cisco acquired a company. VMware acquired a company. We're one of the three 'recommended' among the top 10, and you can look at the costs per Megabit second, and we're $5. The next lowest one is VMware at $77. The average is about $200 per Megabit second, because of the computing power we have in this security chip. We call it SPU—security processing unit—just like GPU and TPU. It's so powerful they can lower the cost and also even have better gross margin. So that's why I say have a top-down approach. Once you have the security and then the networking, if you have enough computing power, it will be easier. Because to process the security traffic, you need many times more computing power compared to processing network traffic. So that's where we have this advantage. We have an SPU and are able to do this. If we were just like all the others using a software approach, we probably don't have the performance advantage. Going down from security to SD-WAN is easier, I think, compared to a networking company going up to handle security.
Are you expecting other security players to enter the SD-WAN space?
If they don't have the chip, they'll probably end up with all of the other SD-WAN players because they're competing on the CPU computing power. So they don't have a special acceleration to process this traffic. Networking is still, on average, 100 times faster than security. Because security needs more computing power to process it. Networking deals with structured data—you're looking at the package header to figure out where it's going next. So the package header is all a fixed field. But with security, you're going inside the package and looking at content. Whether there's a bad intrusion or malware is all unstructured data. There's millions of different types of bad content there. So it needs much more computing power, and is much slower and more costly to handle that. If they only have a software approach using a CPU, they don't get this advantage.
What's the benefit of building SD-WAN capabilities organically rather than through acquisition?
If you build organically, the integration will be much easier. In the network security space, only three companies can achieve to the $1 billion level. It's all come from internally built functions to integrate together. It's very interesting because in the network security field, almost no customer likes to have multiple boxes. Because in the network security field, in order to stop the traffic, you have to be in line to take action, to block the bad traffic whether it's a virus, or an intrusion, or malware, or a spam email or this bad content. So if you cannot be in line, you cannot stop all of this bad traffic. But if you cannot really integrate different functions from a traditional firewall to intrusion prevention to the anti-spam to the web content scanning to the sandboxing, you end up having multiple boxes. That's where a networking company, if they depend on acquisition, it's very difficult for them to integrate different products into a single box solution. So that's where, when you can internally build all of the solution, your target to make it fully integrated from day one will be relatively easy. And in the end, the customer gets the benefit that comes from a single box solution compared to a multi-box solution.
Who's the target Fortinet customer for SD-WAN, and how have you gone after them?
Because we're building SD-WAN as part of FortiOS and FortiGate, that's where the current customer we have will benefit because right now we have close to 30 percent global deployment. And then the new customer, when they try to expand into the new infrastructure and SD-WAN, they also see there's a huge benefit from considering security and SD-WAN together. And even just with SD-WAN alone, they get a constant benefit, and they can enable security later. That's our reason for making security part of the infrastructure. You see security-driven networking. Eventually, you'll see a huge cost savings and a benefit as compared to adding security later after SD-WAN, which adds additional boxes and additional costs.
Where does SD-WAN fit into your overall Security Fabric strategy?
The third generation of network security is really more data infrastructure because the trust border has disappeared. Everything is more like a zero-trust model. You need to allow for a lot of infrastructure security—secure the data, secure the server, secure different departments and users at this level. Ten years ago, we started building Wi-Fi with security so that every FortiGate was also Wi-Fi-controlled, because today most enterprises’ networks are no longer through the wires. It's all wireless, so if you're using our solution, the Wi-Fi is always secure. And then the same thing for SD-WAN. SD-WAN gives you additional efficiencies—speed, connectivity, dynamic traffic based on application. So if you can have a security-designed mind, you can route the traffic to go through the lowest risk. Don't go through any networking point where [there is] more of a high risk. So that's where you can design the networking based on those security risks to route the traffic and route the data. And the same thing with 5G. It's better to have 5G connect a lot of different IoT devices. And when you combine the network and security together, you can have a top-down-driven approach based on your application, your content, your different use driving how the traffic is being routed, instead of today having it be driven from the bottom up. Everything gets connected first and gets the speed first, and then later deal with security to block all of this bad content. And that's two different approaches. Today, all of the network security is about blocking the bad traffic because all of these things are already connected. But when we have the top-down approach, you can really design the way your network can avoid all of this additional high-risk routing and you can select the way the traffic flows. In today's networking, you just go to the fixed road.
Is security following the user devices?
You'd be able to, based on application or based on different devices in the middle, that's how SD-WAN is different than the MPLS before, where everything was fixed. You have to go through this route—it doesn't matter if there's a traffic jam or not. But if you're able to software-define it, you can say, 'Hey, there's already traffic in this route. Let's go to the next. It's lower and it's faster that we go through that way.'
How much customer interest and adoption have you seen in your SD-WAN offering?
It'll grow [industrywide] 50 percent year over year in the next four to five years. It was a little over $1 billion last year. We do see this as one of the main growth drivers for us, which none of the other security companies have. We don't want to give specific numbers because my CFO will kill me, but that's one of the major drivers for growth. I cannot give you the forecast data. We've been designing SD-WAN for a few years already because we're always looking ahead for what's the technological impact to the communications infrastructure in the next five to 10 years. So that's where we do have some other plans to acquire. Even today, we do use a lot of AI and machine learning, and also we have a group that's searching quantum computing, the 5G, and all the standard-driven items for whatever the future infrastructure might look like. That's a little bit of a different way compared to some other companies when they have what I call the 'professional management' running the company. They're more looking at the next quarter, the next year, the next few quarters. But I'm the founder. This is already my third company in the cybersecurity space. I'm more one to impact the space in five to 10 years, how long term we may change the landscape and grow. So it's more the long-term strategic planning and how to make some of the investments, because with some of the investments, like ASIC chips, every chip you need three to four years to design. Sometimes, you need two to three generations to make a big difference. So if we don't plan for the next five to 10 years, then why would we invest in that chip, or some other technology like quantum computing which will probably not impact us for a few years? So that's how we're thinking.
What are the biggest opportunities for Fortinet around 5G?
They definitely look at it most as connectivity and a much higher speed, and also get into a lot of new applications and areas. But that also includes a lot of security risks, which we've experienced from Wi-Fi or SD-WAN and SDN Security. We feel we're well-positioned for 5G with security. We've been working with pretty much all of the carrier service providers to plan their 5G structured deployment. And I have to say, the first one to two years in 5G are probably more using the commercial space instead of the consumer. It's more like a B2B, whether it could be in health care or transportation or the energy field or manufacturing. More like IoT or OT connections. This data is very important to be secured. So that's where we need to make sure all this variable information data is handled securely. You can get a higher speed and more connectivity, but also how to secure it is also very important. IoT security and OT security also have a very big issue. A couple of years ago in New York, the biggest DDoS attacks came from a camcorder. They could launch an attack from a camcorder to attack all of these web servers and data centers. And it's all because IoT is much less secure compared to the computer.
How does the acquisition of Bradford Networks in 2018 help position you for a 5G world?
That's one of the acquisitions where we see the technology as being more important going forward. What we call the Network Access Control, and also some other IoT security, is really helping for 5G, for the new infrastructure. But the Fabric approach is really needed. Today, security is no longer just one part handled, because there are so many different ways you can access the data. There are also so many different applications. Sometimes they are moving around and going to the cloud or to the mobile device. The biggest challenge that IT people are facing today is really they're having to deal with so many different parts of the infrastructure and make sure they can integrate, they can automate, they can all work together. All of these different parts of the infrastructure all come from different vendors, different products. For Bradford Networks—what we call the FortiNAC—we partnered for three years, and then we saw how they could be part of the security infrastructure, what we call the Fabric. That's part of the Fabric approach. But we're also working with partners. We have 53 partners, we announced during earnings that we're working very closely with Symantec. They are leading on the endpoint side, we are more on the network security side. The two sides need to be working together to make infrastructure more secure.
What are the biggest security risks 5G injects into the ecosystem?
The high speed and more connectivity do bring more risks for the data and information transferring to 5G. Today, if you have some attack, when you detect it, you can react. But if they're taking information, it only takes a few seconds to cause damage, or even less than that. There's where human-based reaction is probably no longer quick enough. It has to be more automated, whether it's machine-learning or AI or some other base. It needs to be more automated defense. 5G is a huge global infrastructure, but from the application or the content or the user side, it's sometimes still not quite global. Different applications in different countries are subject to different laws, different ways to do business, different cultures. That's the danger of when you have additional speed or connectivity—you can access data much faster. It gives you some efficiency in productivity and enables some new business, but on the other side, if you're not designing with security from the beginning, it can also bring a lot of risks, whether it's financial services or health care or some other application.
What is the most important investment Fortinet is making around channel partners this year?
A lot of our channel partners deploy and sell multiple products, not just network security. With the Fortinet partner program, they can work more closely with different parts of the solution infrastructure, or even our combined SD-WAN and security or combined Wi-Fi and security. We should make our partners feel that it's easier for them to help the customer lower the total cost of ownership. If you don't have different pieces working together, whether from different kinds of partner solutions or among different products, then the management cost—which really is the highest cost for security or infrastructure and also the IT solution—becomes a bigger issue. So we can help them lower the management costs, and also make different parts work together. Because for the channel, they want to support the customer with the best solution and help them lower the management costs. How they'll make different parts and pieces work together is very, very important for them.
Are you seeing more partners focus on multiple pieces of the Fortinet Security Fabric?
Pretty much all the time, close to 100 percent. All of the systems integrators are the ones leveraging their knowledge and their relationship to help the customer. And security is becoming a bigger and more and more important part of the overall infrastructure solution. Security will grow from maybe 5 percent of IT spending today to probably 10 percent in the next few years. So they will become a more important part. But even within security, there are so many different vendors. And when you look in other parts of infrastructure, there are quite a lot of vendors. Pretty much every time we talk to systems integrators, they say making all of these different pieces work together is always the challenge. That's also their value-add—how to make the different pieces work together. Because sometimes, the enterprise IT is always so busy. And that's where we see the channel and the systems integrators—their value-add is really making the different pieces working together. So if we can help them make the different pieces work together or even design together, they like it a lot.
What would you like to see channel partners invest in to make them more valuable to Fortinet?
If they can make security not just an additional cost, but also an enabler, like how SD-WAN and security are designing together or how Wi-Fi and security are designing together, and going forward, how 5G and SDN with security are designing together. And also a little bit of long-term planning. Not just getting connectivity today, and dealing with other issues later. And that's why we're hoping both short term and long term to build better, safer infrastructure.
What are the most important things partners should be watching for from Fortinet in 2019?
We do have a few new products. During earnings, we announced four products, and each new generation of product will keep improving the function and performance, and we're also working with channel partners. The other thing really is we need to train the partner for different parts of the Fabric solution. Today, still less than half of our channel partners are able to sell multiple products as part of the Fabric solution. So that's where additional channel programs and training will be very important. There will be more working with channel partners for both the new product training and also the multiple solutions and products together. So that's the other part. Both the channel partners themselves and also customers get a lot of benefit. The other new technology whether SD-WAN or some other part are also important. It's an enabler for the partner and the customer to get better infrastructure faster in a low-cost solution compared to the traditional MPLS solution they have today. Especially for fast-growing partners, they can leverage this as an additional opportunity to grow themselves.
What have been the biggest challenges in getting channel partners trained across the entire Fabric?
We probably will try to keep investing in both the coverage and also the training program. Also, we started offering some good incentives to the channel, including on the program side. We've also enhanced the training a lot, both in the partner training and also in higher education. There's over 100 universities working with us training students. Because there's still some shortage in the space of training for the professionals around security.
What's been inhibiting partners until now from getting more training across the Fabric?
Partners need to acquire different knowledge. Because in the past, some people dealt more with network security, others dealt more with endpoint security, whether they're both in the partner network or in some enterprise customer's network. So they probably need to see how this can be working together. And also the same thing—some people only deal with networking. So SD-WAN can be different people compared to security. If they see the importance of the whole infrastructure needing to be security-designed and driven together, it'll be much easier for them to learn. Because you have to cross the traditional fields to learn the new stuff. But the space is changing the way. The whole infrastructure needs to be addressed together. So that's where we keep pushing and keep promoting.
Is there anything else you want partners to know about Fortinet that we haven't discussed?
We will just keep investing more with the channel partners. We still feel they are the best at working closely with the customer. And then we'll provide more training, and also additional incentives to working with the partner. Even though I come from an engineering background, the security space probably will be putting more money into marketing itself and, in some ways, the channel. But I still believe working with channel partners will be the best way to get customers to see the benefit of the product.