 Welcome to this CUBE conversation with Fortinet. I'm Lisa Martin. John Madison joins me, the CMO and EVP of products. John, welcome back to the program. Thanks Lisa, good to be here. Good to see you. So so much has changed since I last saw you. The move to remote work caused by the pandemic led so many organizations to invest in modern networking and security technologies. And we see, you know, the rise in the threat landscape that protecting digital assets is becoming even more and more urgent because the threats are continuing to escalate. Talk to me about some of the things that you're seeing with this current threat landscape. Yeah, well, it keeps changing, that's for sure. You saw some recent surveys where, you know, now companies are saying in terms of where employees are located, you know, 25% expecting to be in the office, 25% expected to be permanently in the home, and then there's this big 50% of hybrid, which we think will move a bit more towards the office as people get back in the office, but that's going to take some time. We're actually starting to move back in the office here in Santa Clara, Sunnyvale, but it's very different in every region in the US and regulations and laws around the world. And so we think it's going to be very much work from anywhere. There's a bit of travel starting as well. And so this work from anywhere concept is going to be very important to customers going forward and the ability to change the dynamics of that ratio as they go forward. Right, yeah, this work from anywhere that last year overnight sort of became an absolute essential, but now as you said, we're going to have this hybrid model of some going back, some staying home and the security and the perimeter is dissolving. When you look at supporting customers and their new work from anywhere model, what are some of the things that are top of mind that you're hearing from customers? Well, you know, I sometimes hear this premise is disappearing. I think in some ways it's moving to the user and the devices. And this is concept called Zero Trust Network Access, which I've said in many occasions should be Zero Trust Application Access, but they named it that way, which is going to be important technology because as I said, it kind of moves that perimeter then to that user. And previous technology that we had, VPN technology was good technology. And in fact, a lot of companies, we go back to when the pandemic started last year, put a lot of people on the VPN technology as quickly as possible and it was reasonably robust. But as we go forward, all we're going to have to do is make sure that perimeter, at that perimeter, our users only get access to the applications they're using rather than the whole network. Eventually when they're on the network, need to make sure that it's segmented so they can't go everywhere as well. And so there's Zero Trust Network Access or Zero Trust or Zero Trust Access lots of kind of different versions of it. There's going to be very important concept for users. The other piece of it, I think, is also that it needs to be more intuitive to users. Anything you kind of have users do, like the VPN where you had to kind of dial in and bring up your connection and your connection, et cetera, et cetera, means that people tend not to use it. And so to make it intuitive and automatic is going to be really important. Intuitive and automatic. One of the things that we also saw was this massive rise in digital transformation last year, SaaS adoption, these SaaS applications keeping many of us in collaboration. So I'm thinking, in that sense, with the perimeter changing and the work from any work, this consistent secure internet connection among users at the branch or the branch of one has to be there to keep organizations productive and safe. How is the Fortinet enabling the ZTNA, this evolution of VPN? Yeah, that's another piece of it. So not only are users on and off the network or traveling, so the applications are moving. So a lot of them have moved from data centers to public cloud in the form of infrastructure or SaaS when I've seen customers actually move some applications towards the building or building compute or edge compute. So the applications keep moving, which also causes this problem. So another function of zero trust access or ZTNA is to not care where the application is. You rely on some technology, it's called proxy technology, which allows the proxy to track where the applications are. And for us, that sits inside our firewalls and that makes it very flexible. And so you've been able to kind of just ramp up that proxy against the policy engine, whether it be in the data center or in the cloud or even on your premise, even integrated inside a branch or something like that is going to be very important because as you just said, those applications will just keep moving into different areas and different zones as you go forward. And that's probably going to be permanent for a lot of organizations. So they haven't renamed it zero trust application access, like you think it should be, but when organizations are looking into zero trust network access, what are some of the key things that they need to be looking for and mindful of? Yes, and so it's probably the number one conversation I've had over the last six months. I think people initially just had to get something working. Now they're looking seriously at a longer term architecture for their access, their user access and device access. I think what I find is that something like zero trust network access is more of a use case across multiple components. And so if you look inside it, you need a client component endpoint. You need a proxy in front of the cloud capabilities. You need a policy engine. You need to use identity based systems. If you haven't got, if you can't get an agent on the device, you may need a NAC system. And so usually what customers find is I've got four or five current different vendors in those areas and cybersecurity vendors are not the best at working together, wish they were, because then we'd be better for customers. And so trying to get two vendors to work is hard enough trying to get five or six is really hard. And so what they're looking at over time is to say, maybe I'll get the minimum basic ZTNA working. And then as I go forward, for example, what they really want is this continuing posture assessment. Well, you can do that with some EDR technology, but is that EDR technology integrated into your policy engine? No. So I think what customers are saying is, let me start with the base ZTNA with maybe two vendors. And then as I go forward, implement a fabric or a platform approach to get everything working together because it's just too hard with five or six vendors. Right. Is there, I'm curious if there's a shared responsibility model with customers working with different vendors. What actions and security responsibilities fall on the customer that they need to be aware of? Well, and it also comes back to this, this convergence of networking and security. And I've said a few times, I've definitely seen CIOs and CISOs, security teams and networking teams working much more closely. And especially when you've got a use case now that goes across security items and networking items, the proxy's always been in the control of the networking team. Endpoints security's always been the security team. It's just forcing this convergence, not just of the technologies itself, but of the organizations inside enterprises. Well, and that's a challenging one for every organization is getting, if you're talking about it in general, the business folks, the IT folks. Now this is not just a security problem. This is a problem for the entire corporation as we just saw with the colonial pipeline. Ransomware is now becoming a household name. These are business critical board level discussions, I imagine, on the security side. How are, is Fortinet helping customers kind of bridge that gap between the biz folks and the IT folks where security is concerned? Yeah, I know Ransomware's been around quite a while. I think two years ago, we saw a lot of it in the schools, K-12 schools in the U.S. I think they're picking some richer targets now. The colonial one, I think there was a four million ransom. I think that they managed to get some of that money back, but instead of demanding 5,000 or 10,000 from a small business or a school, they obviously demanding millions from these larger companies. And one of the problems with Ransomware is, it still relies heavily on social engineering. I don't think you can eliminate that people clicking on stuff, you know, a very small percentage still. I think what it means is you have to put some more proactive things in place, like the zero trust, like micro segmentation, like web application file walling, all these capabilities to try and make your systems as strong as possible to then put in detection and response systems to assume that someone's clicking on something somewhere, just to help, but it's definitely the environment, you know, the threat environment. It's not really got more sophisticated. Yes, there are still advanced threats. I fear more about those weaponized APTs and state sponsored, but there's definitely a huge volume of ransomware now going after, you know, not only, you know, meat processing factories, but pipelines and critical infrastructures we go forward. That's the more worrying. Right, you bring up a good point about sort of people being one of the biggest challenges from a security perspective, clicking on links, not checking to see if a link is bogus or legitimate. So, Helmi, I'll understand a little bit more. How is zero trust can help maybe take some of that human error out of the equation? Well, because I think before, you know, when you got access, when you were off the network and you got access to the network, you got access to everything. Okay, so once you're on the network, and I think the Colonial Pipeline was a good example where traditionally operational technology networks, physical networks were separate from the IT network, and they had something called an air gap. And that air gap meant you really couldn't get to it. Now, when people had to be remote because of the pandemic, they started taking these air gaps in it. And so now you had remote access. And so again, when they got that remote access and they got into the network, the network was very flat and you could see everything, you can go anywhere. And so that's what zero trust does. It kind of says, I kind of did the zero trust approach to you that I'm only going to allow you access to this application. And I'm going to keep checking on you to make sure you are who you say you are on a continuous basis. And that really provides a bit more safety. Now I still, we still think you need to put things like segmentation in place and some other capabilities and monitoring and everything else, but it just narrows the attack surface down from this giant network approach to a specific application. Narrowing that is the right direction. How do organizations, when you're working with customers, how do they go, how do they evolve from a traditional VPN to zero trust? What are some of the steps involved in that? Well, I think it's, you know, what's interesting is customers still have data centers. In fact, you know, some of the customers who have legacy applications will have a data center for a long time. And in fact, what I find is even if you've implemented zero trust to a certain, you know, population, employee population, they still have VPNs in place. And sometimes they use them for the IT folks. Sometimes they use them for specialized developers and stuff like that. And so I think it's going to be like everything, everything goes a hundred percent this way and it all stays this way. And so it's going to be hybrid for a while where we see VPN technology and zero trust together. Now we look, you know, our approach is that you can add both together and it's both on the same platform. And it'll just have gradually evolve as you go forward. What are some of the things that you're looking forward to in the next year as this hybrid environment continues that hopefully things start to open up more? What are some of the things that we can expect to hear and see from Fortinet? Well, I'm looking forward to getting out my home office. That's for sure. It's like I've been imprisoned here for... I agree with you on that. So we'll try that. And, you know, I always thought I traveled too much before and now I'm contemplating on the travel piece, but from, you know, Fortinet's perspective, you know, our goal is to make sure that, you know, our customers can increase or make sure they can protect themselves. And so we want to help them and keep working with them such that they put best practices in place and they start architecting longer term to implement things like Zero Trust or Sassi or some of these other capabilities. And so, you know, I think we've had a lot of interest with customers on these virtual sessions. I'm really looking forward to getting them back in our new building, our new executive briefing center, which we're opening up in the next few weeks. You may have more of those face-to-face and whiteboarding conversations with customers. Oh, that sounds so exciting. I agree with you on the travel front, but going from traveling a ton to none was a big challenge. But also I mentioned it'll be great to actually get to collaborate with customers and partners, you know, you can only do so much by Zoom. Talk to me a little bit about some of the things on the partnership front that we might be seeing. Yeah, our partners, you know, we're 100% partner-driven company and partners are very important to us. And, you know, that's why we always, when we introduce new technology, we work with the partners to make sure they understand it. So for example, we provide free, what we call NSC training to all our partners. And then we also work with them very closely to put systems in their labs and then demos and make sure they can architect. And so partners are really important to us. And, you know, making sure that they can provide value as part of the solution set to our customers, because customers trust them. And so we want to make sure that we work with our partners closely so they can help the customer implement and architect the solutions as they go forward. That trust is critical, right? I mean, we can talk about that at every event, every cube conversation, the trust that a customer has in you, the trust that you have in a partner and vice versa. That whole trust circle kind of goes along the lines with what we're talking about in terms of being able to establish that trust so that that threat landscape, that's probably only going to continue to get bigger is in the trusted hands of folks like Fortinet and your partners to be able to enable those customers to narrow that threat landscape. Yeah, yeah. And so it could be the smallest partner to the largest service provider. We don't mind. We want to make sure that we're walking with them to provide that implementation for the customers. And again, the word trust is sometimes overused, but that's what customers are looking for. So John, point me to, when our audience has some of the information that they can find on dot com about zero trust, what are some of the things that you think are a great cost to action for the audience? Yeah, I mean, it depends on what level you want to get into. We have a bunch of assets, videos and training that start at the very highest level. Why is zero trust something you need to implement? And then it goes down into more details and then even the architecture long-term architecture and connectivity and implementation. So there's a lot of assets on foodnet.com. If you go in our training sessions, we all are trainings free to our customers. And so you can go in all those NSE levels and look at the capabilities. So yeah, definitely it's an area of high interest from our customers. But as I say to them, it's more of a journey. Yes, you can implement something today really quickly, but will that work for you over the long-term in making sure you can take all the information from the, like I said, what is the posture of that device? What is the device of that agent doing? Is my contextual engine integrated as well? So it's a journey for customers. But you can start with something simple, but you need to have that plan for that journey in place. I imagine though, John, it's a journey that is either accelerating or with the threat landscape and some of the things that we've already talked about is becoming an absolutely board critical conversation. So on that journey, just supporting network with customers to accelerate certain parts of it because these businesses have been pivoting so much in the last year and they've got to not just survive but now thrive in this new landscape, this new hybrid work from home, work from anywhere environment and also with more threats. Yeah, no, it's a good point. And so even those internally are implementing it, starting with the most critical assets first. So let's say, I've got somebody working on source code, they should be the first ones to get the zero trust implementation. I've got somebody asking for the internet to search for stuff, maybe they're okay for now. But yeah, so you kind of prioritize your assets and users against the threat and then implement that's why I'm saying you can roll it out across everyone as a certain version of it, but I think it's better to prioritize first the most important assets and IP and then roll it out that way. Great advice. A lot of those, because a lot of those assets are still sitting in the data center. Right. So they're not sitting in the cloud. Right. John, great advice. Thank you so much for joining me. Good to see you, glad all as well and that you will be able to get out of your home office. You're just days away from that. I'm sure that's going to feel great. Certainly, yes. And thank you, Lisa. Nice to see you. For John Madison, I'm Lisa Martin. You're watching this CUBE conversation.