Fortinet CEO Ken Xie Has Shaped The Cyber Security Landscape, by Peter High
As a gifted athlete who was also six feet and five inches tall, all Fortinet founder and CEO Ken Xie wanted to do was to become a professional volleyball player in his native China when he grew up. His parents, who were academics at Tsinghua University, had other plans for him: to get a PhD at Stanford University and then to return to China to become an academic like them. Ken Xie's life was transformed at Stanford, as he met fellow students who aspired to start businesses. He notes that the entrepreneurial culture was not something he had ever experienced growing up in China.
He started a company while he was a student to help small companies get online and do so securely. That company would become SIS. He founded a second company, NetScreen, which he would eventually sell to Juniper for $4 billion.
As Ken Xie defines it, these two companies represented the first generation of network security. In 2000, he founded Fortinet to offer the next generation security platform. As the company has grown, it has evolved along with the threat landscape. Fortinet now boasts revenue in excess of $1 billion. In this interview, Ken Xie describes his entrepreneurial path, the culture of innovation that he has fostered at Fortinet, the advantages of having started businesses with his brother Michael Xie, and a variety of other topics.
Peter High: Please describe Fortinet’s business.
Ken Xie: Fortinet was founded in 2000 with the goal of making an impactful change in the network security space. Fortinet is our third company in the same space. Our previous two companies, NetScreen and SIS, dealt with the first generation of network security. However, starting in 2000, this was no longer good enough. It is like air travel, where with the first generation, all you needed was a ticket to get on the airplane, but today, they x-ray your luggage. It is the same thing with the second generation of network security, we need to look inside the connection because most malware comes from permitted connections, whether it comes from the user, the partner, the customer, or from inside. That is how Fortinet started. Seventeen years later, we are nearly 5,000 people strong with over $1 billion in revenue, and growing quickly.
Peter High: You work in a field where you must think proactively, but also where an element of reactiveness is necessary because you need to adapt as the threat landscape evolves. How do you and the company remain current?
Ken Xie: Cyber security is a dynamic space. The user faces different challenges every year because there are always new applications and data. We estimate that in the last 10 years, data has grown more than 40 times. All the new data, applications, and e-commerce that are created have to be managed and protected. Additionally, when there is a new application, the old application is still there, and has to be protected. The key thing is being able to adapt to change quickly while at the same time continuing to improve the old functionality, especially performance. On the network side, the challenge is every two years the speed doubles. In addition to this, millions of applications are developed, and there is growth in mobile devices, cloud, and IoT. Without security, it would be impossible for a lot of applications and businesses to leverage the internet. This is why network infrastructure security is becoming more important. When I started Fortinet 17 years ago, around two to three percent of IT infrastructure spending was spent on Security. Now in the U.S., it is over 10 percent of IT’s budget. While spending on IT is growing 5 to 6 percent year-over-year, network security spending is growing over 10 percent, year-over-year. Security is a dynamic growth space, which is why innovation is important.
Peter High: There are five different stages of security Fortinet plays in. Please define the five and your activities in each.
Ken Xie: The five stages are detection, prevention, integration, performance, and value.
Detection: Every year, 100 to 200 new companies enter into the space, many focus on detecting malware or intrusion. Ninety percent of cyber security companies begin in the detection stage. The issue is there are so many applications and alarming messages it is difficult for the user or the administrator to manage.
Prevention: Prevention is an inline device that can take action automatically by shutting down the application and stopping the connection. Prevention is more difficult to master because devices have to take action, but cannot block the good traffic. This means false positives have to be low, otherwise the whole network will slow down. Only 5 to 10 percent of companies move to the second
Integration: This stage integrates multiple inline prevention devices into a single device. This is the area where Cisco and Juniper are acquiring companies; Juniper acquired my previous company NetScreen. Acquisitions are challenging because you need to integrate into a single device and lower the cost, while keeping performance. This is a significant challenge because there are different functions, architecture, teams, and locations. A company must own the technology in multiple functions so it can be integrated together and applied to a single device. Globally, less than five companies do integration well. Fortinet is strong on integration.
Performance: On average, network security is about 50 to 100 times slower than the networking device it is applied to. In routing and switching, companies can easily get to 400 GB or higher, however, in network security, few companies can get to 100 GB because a lot more computation is needed to handle the security function. Also, Moore’s Law applies every two years and the network speed doubles.
Value: The final stage includes cost, quality, and easy management. Security devices tend to be costlier. On average, based on our calculation for the same throughput, network security is 200 times more expensive than a networking device. The cost and performance prevent the big deployment of network security.
I recently attended a user conference where someone in the audience made an interesting analogy. German cars are famous for performance and that is where they usually win in the marketplace. The Japanese cars are good on value, which is where they win. It is the same in the security space. There are many competitors and each one is trying to develop a new function and integration. In the end, what matters is the user benefit. We have to provide strong value by applying network security broadly, but not slow down the infrastructure. The goals are easy management, better quality, and better cost.
Peter High: When I visited Fortinet’s headquarters, I saw your wall of patents. How many patents does the company have? How do you encourage innovation?
Ken Xie: Three words describe the culture at Fortinet: openness, teamwork, and innovation. We have over 400 patents and 300 pending patents; probably three to five times more than any competitor. We are an open organization, not just structurally, but also to ideas. It is important to stay on top of innovation. We have to learn about new applications and products and be able to quickly apply them to help our customers, as well as make sure they are secure.
When the internet was built 40 to 50 years ago, it employed a trust model between government and university entities. This is quite different from today’s global network where billions of individuals’ and organizations’ devices are connected to the internet, and is why it is important to apply innovation in this rapidly changing space.
Fortinet’s approach to security is different from that of our competitors. A unique aspect of our approach is the SPU – the security processor unit. We are the only network company that designed our own application-specific integrated circuit chip. Our ASIC chip can process the security function 10 to 100 times faster than a general purpose SPU. On average, it takes three years to build each chip, and around 10 years to see the benefit. We have always recognized the importance of this space and utilize a long-term strategy for investment and innovation.
Peter High: There is a dearth of security talent in the technology landscape. A lot of chief information security officers, technology companies, and enterprises in general have difficulty finding talent. What has Fortinet done to facilitate the growth of security talent?
Ken Xie: Fortinet has the largest training education program in the industry. We have trained and certified over 100,000 people as network security engineers. Globally, we work with 17 universities because the biggest issue in the cyber security space is the shortage of experts. This area is growing quickly and we need many more experts to make the space more secure. Training and innovation are important.
Peter High: You mentioned earlier that in a short period of time budgets for security have, on average, quintupled because of an increased emphasis on security at the board level and at the C-suite. This emphasis has led to the proliferation of the chief information security officer role. Having worked with many different companies across diverse industries, what are some of the best practices you have seen regarding the development and execution of the CISO role?
Ken Xie: Fortinet’s customer base is broad; we have Fortune 500, mid-sized enterprise, and small business clients. Each business has specific needs and requires a different approach to network security. A CISO’s role is to protect important data. This is difficult because data is no longer in the traditional server room on the company’s network in a trusted environment. Today, the data is in a borderless network; it is on mobile devices, in the cloud, and part of the IoT. Additionally, a CISO who manages network security can have 20, 30, or 40 different vendors on the network. CISOs have to protect the data from inside the company using what we refer to as “internal segmentation.” Fortinet’s fabric-based infrastructure helps integrate and automate different functions and devices to provide the best security.
Peter High: Another approach you have discussed is the need for an ecosystem of partnerships to help mitigate risk. What partnerships make up your ecosystem?
Ken Xie: Our Fabric-Ready program includes 30 of the biggest networking, server, operation systems, and internet companies. The organizations work together to ensure different technologies, whether they are security products, networking, or applications, integrate to secure the whole infrastructure. We work together even when we are competitors.
The Cyber Threat Alliance is another partnership; Fortinet is a founding member. Although the members compete in the marketplace, we are open to each other and share intelligence. The alliance lowers management costs because the biggest issue with security is not who has a better device, it is who can manage better.
Peter High: Across your entrepreneurial experiences, you have worked extensively with your brother, Michael Xie. What factors have made this a fruitful partnership?
Ken Xie: Michael and I enjoy working together. Part of why we partner well is because we are both engineers; engineers are trained to work together regardless of what is being built. We also complement each other. Michael works deep within the technology and I work on a broader, more dynamic level. He is my only sibling, so it is nice to work with him.
Peter High: You were raised in China where your parents are academics. However, you chose to come to the United States for university and then stayed. What was it about the business culture and ecosystem in the U.S. that made it attractive to you, not only to come initially, but also to stay?
Ken Xie: My parents are both professors at one of the best universities in China, Tsinghua University. They dreamed I would become a professor. When they saw I was interested in networks, they sent me to Stanford because it has a strong program. They hoped I would earn a Ph.D. and then go back to China to teach. That was not my dream. From when I was a child, I wanted to be a professional volleyball player and spent many years training, but my parents insisted I go to college instead of playing professionally. Stanford is connected to industries and organizations; the university is not just about finishing your studies and staying in that academic area. Stanford is connected to companies in the Bay Area like Google, Yahoo, and Sun Microsystems. When I got to Stanford, I learned about entrepreneurship, which was not something I had been exposed to in China in college. I found it exciting. I also kind of accidentally started a company while I was still a student. Initially, I helped some friends and companies build out and set up internet connections. Then, once I had acquired some customers, I found it interesting so I started a business that did internet set up and firewall security. Eventually, I started to build a product. With your first company, there are always mistakes. I developed and ran the company for about four years. We made some money but were not as successful as some bigger companies that were able to ramp up quickly.
My second company was NetScreen. It was much more successful than the first company, eventually we sold it for $4 billion. We used what we learned from NetScreen to start Fortinet. This is a model we continue to use. Every time we learn something new we improve it to create a better idea, product, or business model. It keeps it interesting. In 10 or 20 years I might go back to teaching, but right now I am still excited by the business.
Peter High: If you were to fulfill their dreams of becoming an academic, would you foresee doing it here or in China?
Ken Xie: In the United States. All of my family is here. Also, this space is cutting edge, it is the best area to do internet business including internet security.
Peter High: If I am interpreting your answer correctly, you were an accidental entrepreneur, at first. It was not necessarily due to your deep ambition, but through your collaboration with fellow students, that you developed a business and discovered you enjoyed and had a proclivity for it. What aspects do you feel you had in you or learned that are well suited to being an entrepreneur?
Ken Xie: I probably never dreamed of being an entrepreneur because I was not in an environment that encouraged it. The environment and the entrepreneurship of Stanford changed that and I discovered I liked entrepreneurship. You have to learn things quickly on the technology side, the business side, the operations side, and all of the other parts of it. At the same time, you work with many other players in the industry. It is a dynamic fast-growing industry. Being an entrepreneur fits me because I like learning something new every day. I also enjoy the areas of network security and internet security, which is why all three of my companies have been in this space. Each time we try to do better. An entrepreneur has to be persistent and dedicated to being successful long-term.
For Forbes, by Peter High, CONTRIBUTOR. Opinions expressed by Forbes Contributors are their own.
Peter High is President of Metis Strategy, a business and IT advisory firm. His latest book is Implementing World Class IT Strategy. He is also the author of World Class IT: Why Businesses Succeed When IT Triumphs. Peter moderates the Forum on World Class IT podcast series. He speaks at conferences around the world. Follow him on Twitter @PeterAHigh.