CRN Exclusive: Fortinet CEO Xie And CISO Quade On How The Company's Mid-Enterprise Push Creates Channel Opportunities

More Markets, More Money

Fortinet has grown beyond its traditional SMB, Fortune 100 and telecom carrier customer base, extending into the mid-enterprise through superior technology and increased marketing spend, according to founder, Chairman and CEO Ken Xie and Chief Information Security Officer Phil Quade.

The company has therefore boosted its marketing efforts, particularly in the U.S. and Europe, to help capture more of that mid-enterprise market, Xie told CRN exclusively during the company's Accelerate 18 partner and user conference.

Xie assured the channel that Fortinet will continue working with partners when supporting the mid-enterprise. Even in direct touch instances where Fortinet personnel are directly working with the end customer, Xie said solution providers will be responsible for fulfillment and providing services and support.

Here's what Xie and Quade said channel partners should be watching for as Fortinet accelerates its presence in the midmarket.

Why is now the right time to make the push into larger markets?

Xie: Traditionally, we do much more with SMB because a lot of channel partners actually help us with that. But with the new trends in network security, we see the fabric approach more benefiting a lot of enterprises. That's just one part of it. First, we were very successful in the Fortune 100 big enterprise because they are a very technical buyer, and same for the carrier service provider. With less marketing in comparison to some of our competitors, the technical buyer loved the product. That's where we feel if we can invest a little bit more in enterprise, eventually we can also do much better than some of our competitors.

What are the key differences between Fortune 100 and mid-enterprise buyers?

Xie: The Fortune 100 companies are all technical buyers, just like the telecom companies. They do their own evaluation testing. They're less influenced by the marketing message compared to the mid-enterprise because they don't have the time, resources or expertise to do the testing and evaluation themselves. They tend to depend on the marketing message. That's why to get into the mid-enterprise, we feel we need to keep enhancing marketing and also closely work with channel partners.

Will Fortinet do more direct business as a result of its push into the mid-enterprise?

Xie: Channel is very important. Even though sometimes we'll have direct touch – that means some of our sales SEs are directly working with the customer, but we always go through the channel partner to really fulfill and really include the service and support in there. The channel partner is still very, very important because we understand it's an ecosystem, and each party needs to do their own kind of a job and add value there. We see the channel partner help us open the door a lot. They work closely with the customer because they have the trust of some of the customers there. So we want to keep working closely with the channel partner.

What's the interplay between the internal Fortinet rep and channel partner in direct touch scenarios?

Xie: We kind of help the channel partner understand the problem, and how to provide a better solution. At the same time, we're also helping the channel partner build their own internal resource, and also give them some better support. In the end, fulfilling through the channel partners and supporting them in growing their own business is also very, very important.

How significant do you see the mid-enterprise being to Fortinet's business going forward?

Xie: Mid-enterprise is probably the biggest market segment. You have the Fortune 100 and carriers at the top, and the SMB at the bottom, but mid-enterprise is also pretty big. We feel we'll keep investing more in marketing on the channel with partners together. That's why this event [Accelerate 18] keeps getting bigger and bigger. We're in the fourth or fifth year of that. And each year, we try to improve and do better. We also started inviting some customers this time. They also get this benefit from all the technology, and the new products. At the same time, we are committed to going through the channel and we want to work closely with channel partners so they can provide the best support to customers.

What does increased investment in the mid-enterprise mean for Fortinet's channel partners?

Xie: The mid-enterprise is more dependent on its own internal resource. They're not as technical as the carrier or the big enterprise, but they do have their own IT people there. At the same time, we're working with partners to approach and to open the door, and do all of this through marketing efforts, including transitioning from second-generation firewall to the third-generation infrastructure security. A lot of enterprises are saying this is the biggest issue for them today. And I believe that's where we'll have success going forward.

What are the key differences between working with the SMB versus mid-enterprise customers?

Xie: Each channel partner will have their own focus. Definitely, the SMB channel partners do a lot of supporting services themselves. They also need to be technical enough to know which product is better and won't cause an issue from a support standpoint. Traditionally, this is where they've been more successful because a Fortune 100 company or telecom company has to be in the middle to be involved.

How does that differ from what occurs with at the mid-enterprise level?

Xie: The mid-enterprise is a little bit different. They do have their own IT people. Sometimes, they make decisions themselves. Certain channel partners will help them do the integration. Certain channel partners will also do the fulfillment. It's a little bit different approach compared to the SMB or compared to the bigger companies that only go directly with the vendor. That's why we're closely working with the channel partner to see what's their part in the game. At the same time, helping them convince the customer is also kind of important. That's where the new marketing team and new sales team are starting to do a pretty good job right now and grow faster. But it's a little bit of a different approach.

Why is marketing so important in the mid-enterprise?

Xie: It was my theory a few years ago, and I still feel that cybersecurity is kind of over-marketed. It's more like 100 years ago in the drug health industry before FDA, certain third parties or even the government got involved to help customers judge which is better. The mid-enterprise I feel today is still getting confused by so many different marketing messages because there are so many different vendors trying to promote themselves.

What aside from marketing factors goes into the buying decisions of midsize companies?

Quade: The midsize folks, because they can't do any of their own independent testing, they're going to turn more and more to what the Gartners are going to say, what the NSS Labs are going to say. They're going to rely on independent, trusted experts to make some statements about the goodness of anyone's products. That's where having a good core of how good you really are works to our advantage, because these independent folks are going to go out and test this and they're going to publish their results. And that's very little marketing on our part. It's the independent, third-party entities speaking on our behalf. And I think the midsize folks will rely more and more on that in the future.

How does your marketing footprint compare by geography?

Xie: We're number one in APAC [Asia-Pacific] and Latin America because their local partners work very closely with us to do the marketing. We've always had a much better product. Even if we match the same amount on marketing, we'll see an output that's much more successful. They may have a different language for the marketing part. That's why we started focusing more both in the U.S. and Europe, which traditionally we probably did less marketing as compared with some of our competitors. Now with additional marketing investment, we see the growth is coming very, very fast.

How do you go about crafting a marketing message that cuts across geographies?

Xie: We did more in APAC and Latin America because our partners did more, because they have to do it themselves. And even if they spend the same money, because we have a better product, the core is better, that makes it much easier. We can be number one much quicker there in that region. But now with additional marketing effort there, we do believe we'll be gaining share from competitors because the base is much better, and then you add additional marketing efforts, and that's really going to help us gain share quicker.

Are you working with different types of channel partners in the mid-enterprise versus the SMB?

Xie: It's a little bit different channel partner, I would say. Optiv and some other companies traditionally supported the enterprise, as compared to some SMBs and other ones that also do additional servicing and support themselves. You need to have the partner understand the mid-enterprise. At the same time, they have the channel, they have the approach, and they have the relationship there. So we're working closely with them and trying to see how we can do better there.

How does the procurement cycle differ based on the size of the customer?

Xie: Probably the longest procurement selling is really the carrier service provider, and sometimes even certain governments, because once they select the product, then they can use it for five, 10 or 20 years. But they also take a long time, usually two or three years, to do the evaluation testing and make sure they've made the right decision there. And then the Fortune 100 companies also do their own evaluation testing, which also takes some time. For SMB, because they are more dependent on some service provider, and the service provider wants to make sure that once they start offering product for their customer base, they also can support it. And that also may take more time.

What about for mid-enterprise?

Xie: In the mid-enterprise, sometimes the market message, the branding, some other research firm or NSS Labs testing can help, but it's also about how to reach to them. If they've never heard of the name of the company or product, it's going to be difficult for them to make the decision. There's where we have fallout from the branding stage to how they know us and then how to compare us to with competitors eventually. It's kind of a technical effort.

Why has Fortinet historically enjoyed so much success in the SMB segment?

Xie: We definitely are working together with them. The reason we're more successful in SMB is because, for a lot of channel partners or service providers, if you don't have a solid product, the supporting costs can be very high, can break their business model there. Because our product is very solid and very good on quality, performance and security, that makes us more successful for a lot of SMBs. A lot of SMBs depend on the service provider channel partner to offer additional service. So you need to have a solid product, otherwise the supporting costs will be too high for the service provider, for the channel. We will keep working closely with them, even though we're already very dominant in that area.

When did you start focusing on larger markets?

Xie: We started building our enterprise team a few years ago, and they're growing very, very fast. Another new trend is the change from network security, security internal trust zone to infrastructure security, which is really the biggest concern enterprises face. They have too many products to manage. And most of them don't talk to each other. It's very difficult to defend against the latest attack. So they see the benefit of it. That's why we decided to add additional investment in the enterprise. That's made it grow faster in the last few years.

How has the regulatory environment changed what enterprises are doing around security?

Quade: One of the things that's driving demand for these more simple and more robust solutions is the need to meet compliance standards. Financially, companies have been meeting compliance standards for a long time. But now, if I want to do business with your mid- or large-size company, I have to show you essentially my credentials, that I'm compliant with ISO 27001, or some type of U.S. domestic-oriented framework. The large and midsize companies have to up their game in demonstrating their ability to do serious cybersecurity. So that creates an opportunity for us.

How does the security fabric and 6000F series of firewalls help Fortinet play in the mid-enterprise?

Xie: The 6000 actually targets big enterprise, and it's appliance-based. And also, there's a refresh cycle coming up now. The last buying cycle was starting more like 2013 and '14. Now, we're starting to see some of the bigger opportunities come up. But this time – unlike last time – they're not just replacing first-generation network security, where you saw the next-generation firewall or UTM [unified threat management] replacing the traditional firewall VPN. This time, especially for enterprise, the infrastructure security is starting to get more important.

What are enterprises looking for around infrastructure security?

Xie: Making the network security work with the endpoint, with the email, web security, sandbox, Wi-Fi access, and the cloud. And that's starting to become more important. And there's a huge benefit to making all of these different pieces work together. So it's a huge opportunity. We also have the best position, including the 6000 and the FortiOS 6.0 we announced that will connect all of these different pieces together. The traditional network security is still there, and it keeps growing. But the other fabric part has a bigger growth potential. That's growing faster than the FortiGate piece.

Why are enterprises turning to Fortinet rather than working with their existing security vendors?

Xie: The management cost is very, very high, and there's a shortage of expertise to manage all of the different pieces together. As the attack surface gets larger, the response time gets shorter and shorter. Nowadays, if they get into the network inside the company, within a few seconds, they're starting to take some valuable information out. There has to be a more automated response. So if you don't have the endpoint working together with the network side, and working together with the email server, web server, internal server, and down to the internal segmentation, it's very difficult to respond to all of these new attacks there.

Are your new endpoint customers coming from multi-vendor security environments?

Xie: They mostly see FortiClient [next-generation endpoint security] as an add-on approach. They may still have some traditional endpoint software there, even though we also have pretty much all of the functions. They often do the overlap, add-on approach to start with, and eventually, gradually replace and take some of the other software off. It's more like the early days when we had the UTM-managed firewall. They still had some other point solution systems in the network, even though FortiGate already covers intrusions and other parts of it. They still had a separate system for their traditional usage. But once they feel confident, then they gradually take some of that away.

What investments has Fortinet made around training?

Xie: The training is also very important. Most of the training we did for the NSE [Network Security Expert program], and eventually those people were also the administrators of the mid-enterprise. … NSE is really for the industry. We don't have Fortinet named there. They have eight different levels, and it's dependent on which level you are. It's like sports or a game in that the higher levels are more difficult to achieve. At the same time, you need to also not just have the knowledge part. The hands-on experience is very important, because there's a big shortage in this space of experts who really know security. That also involves working with a lot of universities and educational institutes. It's also very helpful to train the people that eventually want to get into this space.

When did Fortinet become more focused on training?

Xie: We started about two or three years ago, and it's become a big training program in the industry, and also with a lot of universities. There's about 100 universities now that have been working with us to train their students. It's a very successful program. The training is also, I feel, the best marketing, even if it takes a longer time as compared to the traditional marketing or the other advertising. But in the end, it lends real knowledge and becomes a career path.

What advice would you have for the channel community this year?

Xie: That's the new trend. It started changing from traditional network security to more of an infrastructure approach with the fabric. This is really a good opportunity for them to stay ahead of game, lead the change, and also take the opportunity to benefit from it.