NSE7_OTS-7.2 syllabus - Trustworthy for Fortinet Certified Solution Specialist (FCSS) Updated: 2024

A good way to minimize errors in investment is to align it with macrotrends. Cybersecurity is one such trend as it deals with protecting the vast amount of data generated globally on a daily basis. Fortinet (NASDAQ:FTNT) is a good way to gain exposure to this sector as it combines several aspects I appreciate in a high-quality business: a founder at the helm who is aligned, competitive advantages, strong margins and returns, and low debt. Despite the technical challenges in the sector, I believe we can approach the investment in Fortinet from a less technical and more qualitative perspective.

Business Model

Fortinet, Inc. is one of the leading companies in the cybersecurity sector. It is a technically challenging industry with constant disruption and change. The company provides multiple solutions in the form of software and hardware for its clients. In Q3, the management announced its sales segmentation into Secure Networking, Secure Operations, and Universal SASE. They indicated their intention to expedite the transition of the business to the latter two, as they are cloud-based components. To achieve this, Fortinet has invested significantly in Point of Presence (POPs) infrastructure. A POP is a physical location in a network where devices, users, or services can connect to access other points in the network. According to Barclays Global Technology, Media & Telecommunications Conference, over the past two years, Fortinet has built 30 POPs (with another 35 in progress). Through a partnership with Google, they now have access to 180 new POPs, enabling them to catch up with competitors who typically have between 100 and 200. POPs often refer to facilities that include data centers. Nevertheless, Fortinet's strategy of building their own POPs is beneficial for future cost savings and greater vertical integration, despite the higher current capital expenditure. Additionally, Fortinet manufactures its own ASICs (application-specific integrated circuits), chips created exclusively for Fortinet's hardware and software. This in-house production enhances performance and, in the long run, reduces costs.

Market

Fortinet's Total Addressable Market is enormous, standing at $125 billion. The company's billings in 2023 are projected to reach around $5.3 billion, indicating that Fortinet currently holds only a 4% market share. This is within a highly fragmented market that is experiencing annual growth rates of 10%.

Fortinet combines a business model that sells both software and hardware. Although the hardware segment experiences slower growth and lower margins, it contributes to building an ecosystem. Once a device is installed at a customer's site, cross-selling becomes much easier. They anticipate double-digit growth for the hardware segment in the coming years. Fortinet attributes this expected growth to their superior product in this area, positioning them to gain market share when it's time for competitors' hardware replacements, as they are the largest player in this domain. However, it is highly likely that the services segment will grow at a faster rate, and since it has higher margins, we can anticipate future operational leverage for the company. Within the subscription services, there is the AI product, along with customer support, training, and repairs services.

The slowdown experienced in the Secure Networking segment (which constitutes 70% of sales), especially in the Hardware division, follows an absolute boom post-COVID, during which customers made substantial purchases. Currently, customers are more cautious about their buying decisions, leading to inventory accumulation. However, there is an expectation that inventories will return to normal levels, allowing for the satisfaction of future demand. Given the technological nature of this product, the extent of obsolescence during inventory holding is uncertain. It's worth noting that this segment has still achieved a solid 9% growth, though it previously grew at a rapid pace of 40%. Despite facing a challenging comparison base, the company has managed to maintain a commendable growth rate.

Moreover, it's essential to consider that these cycles typically last two years, implying that we might be at the midpoint of the cycle, and the market could soon start factoring in its conclusion. As illustrated, sales are a lagging indicator, and attention should be directed towards Billings for a more timely assessment.

Management and Capital Allocation

If management by itself is one of the most important aspects of a company, in a sector as disruptive as cybersecurity, investing in a management team we can trust is extremely important. The founders, Ken Xie and Michael Xie, have been with the company since the year 2000, and together they control more than 15% of the outstanding shares. Their interests are fully aligned with the shareholders. Their extensive knowledge of the sector is significant, and their capital allocation strategy has been very effective.

The Net Income to Free Cash Flow conversion is over 100%, thanks to it being a subscription-based business. Most of the free cash flow has been allocated to share buybacks (reducing outstanding shares by -10% over the last 7 years) and some small acquisitions. Stock options represent 5% of sales and 14% of Operating Cash Flow, with a decreasing trend. This is quite favorable for a technology company. The company operates without debt and S&P Global rates Fortinet's credit category as BBB+. 90% of the capital allocated to "innovation" has been invested in research and development, with the remaining portion dedicated to merger and acquisition activities.

Competitive Advantages

In my opinion, the key strength of this company lies in its unified platform, FortiOS (Fortinet Investor Relations Presentation, slide 31), which integrates various products and services rather than creating standalone solutions that are difficult to integrate. This not only generates a network effect but also presents high switching costs for customers, potentially leading to pricing power. The ecosystem created by the company makes it indispensable for the customer.

Financials

Fortinet's financials are impeccable. It has experienced very high double-digit growth in all its figures. For example, sales have grown at a rate of 23.5% (6-year CAGR), while FCF/share has grown at a rate of 63.5% (6-year CAGR), driven by operational leverage and share buybacks. This operational leverage has been due to a significant expansion of margins; for instance, the EBIT margin has increased from 7% in 2017 to an estimated 27% for the fiscal year 2023, although I will provide further commentary on this below. The returns are impressive, with average ROICs exceeding 100% in recent years. They also maintain a net cash position, with only around $1 billion in debt. Lastly, they follow an asset-light business model, where maintenance CAPEX ranges from 2% to 3% of sales.

In the Barclays Conference, management also discussed something about the margins. In the long term, their target is 25%, but the senior vice president mentioned that he wanted the flexibility to invest in marketing, R&D, or whatever was necessary to grow the business without being constrained by the margin. In their models, a 25% margin is feasible, especially as the services segment is expected to grow more than hardware. The 27% margin from last year was attributed to the strength of the dollar, as they invoiced in dollars but paid 70% of their staff in their local currencies (which were depreciated at that time). I always appreciate a management team focused on the long-term sustainability of the business, even if it means impacting current accounting with investments that enhance their competitive advantages.

Valuation

To evaluate Fortinet, I will use a discounted cash flow model, incorporating a discount rate of 10%, a terminal growth rate of 3%, and a free cash flow growth of 15% (historically, it has been 60% CAGR in recent years). With these assumptions, the calculated fair value for Fortinet is $60 per share. If we consider a scenario with higher growth, such as 20%, the fair value would be $85 per share. However, to account for this increased growth, it might be more appropriate to raise the discount rate to 12%, in which case the fair value would be $63. In any case, I believe that Fortinet's stock is undervalued, and that's why I rate the stock as a buy.

Risks

It is worth noting that 57% of total sales come from only three distributors. In the FY21 annual report, it's mentioned that the Exclusive distributor accounted for 31% of sales. This significant concentration not only poses a risk in itself but also raises the consideration that these distributors might resell products from competitors and could be incentivized to favor these competitors in the future, potentially at the expense of Fortinet. Nevertheless, the risk of these distributors severing ties with Fortinet, one of the top companies in the sector, seems remote. It's akin to a sports channel specializing in football, breaking agreements with the Premier League and ceasing to broadcast it. Clearly, it's a lose-lose situation for both parties. Furthermore, another major client would likely seek to absorb this new volume and gain an advantage over others. The situation appears unlikely, despite the increasing customer concentration, as these dynamics are inherent to the sector. For example, Palo Alto Networks also has 50% of its sales with three clients (cybersecurity application providers).

Inventory Risks: The accumulation of hardware devices in inventories may not always be favorable. While it enables the company to meet growing demand when the cycle changes, there is a risk of obsolescence in a rapidly evolving sector. Furthermore, 88% of their hardware is produced in Taiwan, which could be impacted in the event of a future conflict with China. However, the company likely has contingency plans in place to address this potential issue if it arises.

Disruption Risk: Given the rapid emergence and evolution of new threats today, Fortinet has a dedicated department responsible for identifying these emerging threats. They investigate these threats using AI and subsequently develop corresponding mitigations to distribute to subscribed customers. It's noteworthy that customers pay for subscriptions to benefit from these services for a period ranging from 1 to 5 years. Furthermore, thanks to its scale, Fortinet has a very high R&D budget in absolute terms, as well as an extensive customer distribution. All of this is complemented by founders at the helm with deep knowledge of the industry.

Conclusion

In conclusion, I believe Fortinet is a great company for having exposure to the cybersecurity sector. The lack of expertise can be mitigated by placing trust in a well-aligned management team with expertise in the field. Additionally, the fantastic fundamentals and scale provide protection against disruptive threats. The company can also defend itself through the ecosystem it creates by combining software and hardware, even as it increasingly focuses on the more profitable segments of services. Overall, I find the price attractive, and I anticipate satisfactory long-term results.

Zero-trust security architecture is the new norm for safeguarding federal agencies and their data. However, challenges loom large in aligning with the Administration’s zero-trust mandates, especially as it sets ambitious targets for 2024.

Dan Daly, deputy director for information assurance and cybersecurity for the Transportation Security Administration, and Felipe Fernandez, CTO for Fortinet Federal, recently joined FedScoop to share their insights on the government’s zero trust journey.

One of the primary obstacles Daly highlighted is the intricate process of transitioning from existing legacy environments to the new zero-trust architecture. The federal government’s budgeting process, spanning over five years, poses a significant hurdle, making it challenging to swiftly adjust security postures and budgets to align with the comprehensive zero-trust framework. Despite the executive order allowing a few years for compliance, the practicality of executing this transition within budgetary constraints remains a substantial concern for agencies.

Fernandez emphasized the importance of a cultural shift within federal agencies to ensure successful zero-trust implementation. Executive adoption of zero-trust principles and a collective commitment at all levels are crucial for overcoming inertia and achieving a unified approach to security. The complexity of agency networks, characterized by multiple enclaves with varying degrees of intricacy, further complicates the implementation of a centralized zero-trust approach.

“There’s not just one technical solution for an entire zero-trust principle or set of principles. At times, you’re going to have to get two different solutions, three different solutions, or accept risk in various elements. And that’s just the challenge of where we are,” Fernandez said.

Daly highlighted how TSA has made significant strides in zero-trust initiatives. “Fortunately, our administrator was fully supportive from the beginning, allowing us to secure approval for a resource allocation…This approval gave us the necessary resources to dedicate a team to zero trust, unlike many other agencies that had to divert existing personnel from ongoing cybersecurity responsibilities to adopt this new paradigm.”

Learn more about evolving government security architectures.

This video panel discussion was produced by Scoop News Group, for FedScoop and underwritten by Fortinet Federal.

Artificial Intelligence (AI) could be the next technological revolution to follow cloud computing, and we're just scratching the surface of its capabilities. While there are countless scenarios where AI will create advancements throughout society, there is no doubt that it will also be used in nefarious ways. Cybercrime has been on the rise, and whether you're an individual or a major corporation, everyone is a potential target. In 2022 the Federal Bureau of Investigation (FBI) received more than 800,000 cybercrime related complaints with losses exceeding $10 billion. This is just what came into the FBI, as the estimated cost of cybercrime globally in 2022 was $7.08 trillion. As advancements in AI occur, cyberattacks will become more sophisticated, and the need for cybersecurity will continue to increase. In September 2023, Cisco Systems (CSCO) announced that they would acquire cybersecurity company Splunk (SPLK) in a $28 billion all-cash deal. The cybersecurity industry is expected to grow significantly in the coming years, and after looking into the top companies, I am getting very interested in Fortinet (NASDAQ:FTNT). FTNT is trading at an inexpensive valuation compared to its peers, the underlying financials are strong, and its growth should continue as the total addressable market (TAM) for its products expands. I feel that FTNT is a long-term opportunity and could potentially be acquired if consolidation continues in the cybersecurity industry.

The cost of cybercrime continues to grow and Fortinet is at the heart of mitigating cyber risk

The ramifications of cybercrime continue to increase at a staggering rate. The estimated annualized cost of cybercrime worldwide from the close of 2017 through 2022 increased by roughly 911%. In 2017, there was roughly $700 billion of damages related to cybercrime, which will increase to $7.2 trillion in 2022. The global impacts of cybercrime are projected to increase from $7.08 trillion in 2022 to $13.82 trillion in 2028 as YoY growth is expected to continue. According to Forbes, cybercriminals can penetrate 93% of company networks, and in 2021 businesses suffered 50% more cyberattack attempts compared to 2020 on a weekly basis. Roughly 43% of all data breaches involve small and medium-sized businesses, while 83% of these businesses are not financially prepared to recover from a cyberattack. Roughly 20% of small companies do not utilize endpoint security, and 52% do not have in-house IT security experts.

There are many cybersecurity companies that operate on the hardware and software side. Gartner has recognized FTNT in 9 market quadrants, including SD-WAN, network firewall, single vendor SASE, SIEM, endpoint security, WLAN LAN, SSE, WAAP, and access man. FTNT was recognized as a leader in network firewalls, SD-WAN, and Enterprise firewalls. More than 70 analyst reports, including Gartner, IDC, and Forrester rank FTNT as one of the most validated cybersecurity companies globally. FTNT is a global leader in cybersecurity and networking solutions for organizations, including enterprises, communication service providers, security service providers, government organizations, and small businesses. FTNT focuses its enterprise solutions on secure networking, cloud security, AI-driven security operations, FortiGuard Security Services, and support and professional services.

FTNT operates in both the product and service side of cybersecurity as they have their own line of networking products and cloud services. FTNT's core products include their Core Platform firewall product family, which includes firewall, intrusion prevention, anti-malware, VPN, application control, web filtering, anti-spam, and WAN acceleration. On the service side, FTNT has its FortiGuard security subscription services which are designed to deliver threat detection and prevention capabilities to end-customers worldwide. In Q3 of 2023 FTNT generated $465.9 million of revenue from its products and $868.7 million from services. This was a 0.6% decline YoY in products but an increase of 21.63% increase YoY in services. For the first 9-months of 2023, FTNT has seen its product revenue grow 16.03% YoY to $1.44 billion and its Services revenue increase 29.38% to $2.45 billion.

I am getting interested in Fortinet because of its financials, growth, TAM, and valuation

The total addressable market for FTNT currently sits at $125 billion, with secure networking representing $62 billion, security operations at $46 billion, and universal SASE at $17 billion. This is expected to grow to $199 billion over the next 3-years to $199 billion by 2027 as secure networking grows at a 9% CAGR, security operations grows at a 14% CAGR, and universal SASE grows at a 20% CAGR. There is a large opportunity for FTNT over the next several years, especially as cybercrime becomes more proficient through the utilization of AI. FTNT is at the forefront of utilizing AI-driven technologies to strengthen its product offerings through its security processers, FortiOS, and global cloud network.

After going through FTNT's financials, I am impressed. FTNT has been growing its top-line YoY and producing profitability on an annualized basis over the past decade before Free Cash Flow (FCF) became a buzzword in 2022. In the trailing twelve months (TTM), FTNT has increased its revenue by $755.3 million (17.1%) on a YoY basis. This has allowed its gross profit to expand 18.65% to $3.95 billion, its net income to increase 34.22% to $1.15 billion, and its FCF to grow 42.39% to $2.06 billion. FTNT is operating a highly profitable business as its gross profit margin is 76.44%, its profit margin is 22.25%, and its FCF yield is 38.9%. Over the past 3-years since the close of 2020, FTNT has grown its annualized revenue by $2.58 billion (99.38%), its gross profit by $1.93 billion (95.32%), its net income by $622 million (135.56%), and its FCF by $1.11 billion (115.47%).

While the income and cash flow statement shows sustainable growth, profitability, and strong margins, I needed to look through the balance sheet to see if there are any red flags. FTNT has a clean balance sheet, with its largest liability being deferred revenue. FTNT has $991.8 million in long-term debt on the books with $3.17 billion in cash and short-term investments on hand. FTNT is also buying back shares, and since the close of 2019, they have repurchased 94.7 million shares or 10.98% of their outstanding shares. This company is unlevered as their liquidity exceeds their total debt by $2.1 billion and is buying back shares. This is the type of balance sheet I love to see from a company that is still in growth mode.

CSCO agreed to acquire SPLK for $157 per share or $28 billion. SPLK is one of FTNT's peers, and it is currently trading at just under the acquisition price that CSCO agreed to. When I look at SPLK at its current valuation and the valuation CSCO is paying, FTNT looks grossly undervalued. It doesn't matter what I think is the correct number, and something is only worth what someone is willing to pay for it. This is why I am looking at what CSCO is willing to pay for SPLK compared to where FTNT is trading. SPLK is trading at 30.22x its TTM FCF, and based on the $28 billion price CSCO agreed to, they are paying 32.96x for SPLK's FCF. FTNT generated an additional $1.21 billion in FCF compared to SPLK in the TTM and is trading at 21.78x its FCF. This looks extremely cheap as CSCO was willing to pay more than 30x for one of its peers. When I looked at their forward earnings estimates, FTNT and SPLK trade at similar forward P/E levels, and both are expected to grow their EPS between 25-30% over the next 2 years. SPLK looks a bit cheaper on an EPS level, but as FTNT buys back shares, this metric can certainly change.

FTNT's peers which have a larger market cap, are CrowdStrike (CRWD) and Palo Alto Networks (PANW). What's interesting is that CRWD has a market cap of $61.31 billion, yet it only generates $913.1 million in FCF, placing FCF multiple at 67.15x. PANW has the largest market cap of $92.97 billion and generates $2.92 billion in FCF, placing its multiple at 31.81x. Based on the FCF multiple that PANW and CRWD trade at and the FCF multiple that CSCO is paying for SPLK, I believe there is no reason why FTNT shouldn't trade for at least 30x its FCF.

Risks to investing in Fortinet

While FTNT looks like a promising investment, its results have varied from time to time due to macroeconomic and regional economic challenges. When recessions or other economic downturns occur, companies are less inclined to spend, and factors such as inflation and higher interest rates can deter companies from making large capital investments. We have also incurred supply chain shortages that impacted technological hardware, and with geopolitical conflicts on the rise, there is no telling what impacts global supply chains incur in the future. FTNT also faces risks of not protecting against future threats and having its reputation as a leader in the industry tarnished.

Conclusion

Shares of FTNT have traded sideways for the past 2 years and have just started to rebound off their 52-week lows. Shares of FTNT are still off their 52-week highs by 27.95%, and I think shares can close the gap in 2024 as this is a company that is still growing and operates in an industry with a growing TAM. FTNT is a high-margin business with a strong balance sheet and trades at a low valuation compared to its peers. I wouldn't be surprised if further consolidation occurs and if a larger company acquires FTNT or if FTNT gets back to its all-time highs. I am not a shareholder, but I plan on starting a position as I see a lot of value in FTNT's current valuation.

‘Adding Opaq allows us to be more flexible in terms of where and how customers want to apply security,’ says Fortinet’s John Maddison. ‘We already had the most complete SASE offering, but this gives us more flexible consumption options.’

Fortinet has purchased Opaq Networks to strengthen distributed network protection everywhere from data centers and branch offices to remote users and Internet of Things devices.

The Sunnyvale, Calif.-based platform security giant said its acquisition of Herndon, Va.-based cloud security startup Opaq will allow Fortinet to deliver the most complete Secure Access Service Edge (SASE) platform on the market. Fortinet said the deal will combine its existing SASE offering with the industry’s only trust Zero Trust access and security.

Fortinet has historically delivered its SASE technology on-premise or in the data center, and said Opaq’s technology will make it possible to deliver those same capabilities in the cloud, said John Maddison, executive vice president of products. COVID-19 has driven customer interest in having these capabilities delivered in the cloud since the pandemic has complicated some on-premise installation efforts, he said.

[Related: Opaq: Replacing MPLS With SD-WAN Helps Save Money, Boost Security]

“Adding Opaq allows us to be more flexible in terms of where and how customers want to apply security,” Maddison told CRN. “We already had the most complete SASE offering, but this gives us more flexible consumption options.”

Customers have been most proactive about shifting their Zero Trust networking and web filtering applications into the cloud since the later is very pertinent for protecting public cloud platforms, he said. Opaq has been offering Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) in the cloud, and he said the deal will allow Fortinet to facilitate cloud or hybrid delivery models for existing clients.

“Opaq gives us the flexibility to run security anywhere,” Maddison said. “This adds another dimension to our SASE solutions. It’s great for our partner ecosystem to have another component in the Security Fabric.”

Fortinet’s stock is unchanged at $134.79 per share in after-hours trading. Terms of the Opaq acquisition, which was announced after the market closed Monday, weren’t disclosed.

Opaq was founded in 2016, employs 50 people, and has raised $43.5 million in two rounds of outside funding, according to Fortinet and Crunchbase. The company closed a $22.5 million Series B funding round led by Greenspring Associates in April 2018 to support its go-to-market initiatives for delivering security-as-a-service to midsize enterprises via its partners.

Opaq has been led by CEO Glenn Hazard and Chief Strategy Officer Ken Ammon since January 2017, both of whom held the same roles at privileged identity management vendor Xceedium prior to its acquisition by CA Technologies in August 2015. Maddison said he wasn’t sure which Opaq executives would be joining Fortinet.

The company’s Zero Trust cloud platform features: a software-defined network optimized for security and performance; integrated security capabilities; and the Opaq 360 single cloud console for customers and service providers to centrally manage network and security. Opaq secures Fortune 1000 and midsize enterprises across a variety of vertical markets, and has regional offices in eight states, Fortinet said.

Often cloud security providers are missing a strong security backbone or a scalable, high performant cloud architecture or - in some cases – both, Fortinet said. But unlike other Zero Trust Network Access (ZTNA) providers who leave many unprotected gaps in the attack surface, Fortinet said its combination with Opaq will provide a broad integrated suite of cloud security tools providing true Zero Trust security.

Fortinet said Opaq’s platform is purpose-built to be partner friendly, enabling MSSPs, carriers and high value-add partners to easily integrate the SASE multi-tenant platform into their own offering. And advanced professional services and Network Operations Center (NOC) and Security Operations Center (SOC) expertise will allow partners to add value for business and government organization customers.

By joining forces, Fortinet and Opaq will be able to deliver industry-leading next-generation firewall (NGFW) and SD-WAN capabilities, web security, sandboxing, advanced endpoint, identity/multi factor authentication, multi-cloud workload protection, cloud application security broker (CASB), browser isolation, and web application firewalling capabilities

The Opaq deal comes just seven months after Fortinet purchased Security Orchestration, Automation and Response (SOAR) provider CyberSponse to make security operations teams more efficient and bolster incident response. Two months earlier, Fortinet bought endpoint security startup enSilo to strengthen its real-time automated detection and response capabilities around endpoint and edge data.

In 2018, Fortinet purchased threat analytics company ZoneFox for $18 million and IoT-focused security firm Bradford Networks for $17 million. All told, Fortinet has acquired 14 companies since its founding in 2000, according to Crunchbase.