FireEye, Inc. (FEYE) CEO Kevin Mandia at Morgan Stanley Technology, Media and Telecom Conference (Transcript)

FireEye, Inc. (FEYE) Morgan Stanley Technology, Media and Telecom Conference March 2, 2021 1:15 PM ET

Company Participants

Kevin Mandia - CEO

Frank Verdecanna - CFO

Conference Call Participants

Hamza Fodderwala - Morgan Stanley

Hamza Fodderwala

All right, good afternoon, everybody. My name is Hamza Fodderwala. I'm the Cyber Security Analyst here at Morgan Stanley. And we have the pleasure of hosting the team from FireEye. Kevin Mandia, the CEO; and Frank Verdecanna, the CFO of the company. So we're really looking forward to the chat there. Before I begin, just very brief programming note for important disclosures. Please see the Morgan Stanley research disclosure Web site at www.mortgage.com/researchdisclosures.

With that, we'll kick it off. Frank, Kevin, thank you so much for joining us.

Kevin Mandia

Thanks Hamza.

Hamza Fodderwala

Well, I think the first question that's on everyone's mind is obviously, coming out of the recent SolarWinds, Sunburst breach, FireEye has been at the forefront of this event. Right, you were the first company to report the incident and really alert the industry about it. I'm curious, since then, before we get into the spending environment, I'm curious on any updated view you can give us around the scope of this attack, right? It seems like it's something that seems to be developing every day. Do you think that we're majority of the way there in terms of knowing how sort of deep the threat was, or do you think it's still very early innings?

Kevin Mandia

Well, I think, Hamza, great question. One of the challenges we have as this is a threat group that's been hacking for the last 25, 30 years. And SolarWinds implant was one means by which it gained access. So it's hard to even separate the campaigns it did prior to the implant, the campaigns it doing post the implant. But what we discovered was the fact that this threat actor compromised the third party supplier of SolarWinds, and it was just unbelievably clandestine. There is no magic wand that detects an imprint in software that we all use, we all trust. I mean, all of us use Apple products and use trust that when you got them, if you even use your iPhone, that no one's able to listen to your phone calls, period. But somebody got into that supply chain and put that in.

And answer to your question directly now, in that I think we know the scope of who was impacted by the SolarWinds’ implant. And I think the US government knows. I think other governments know. I think that some of the cloud providers have a good sense like Microsoft. I think what's going to take months to figure out and we may never figure it out, is across the government organizations and several of the companies that were compromised, they just lacked the data to do what we call the damage assessment, what was taken and what could happen because it was taken. Upside, this was not an attack against the American consumer or other nation’s consumers. This was cyber espionage, old school rules applied, constraint was followed by the attacker. And they seem to have collection requirements that were primarily targeting software, or government assets.

Hamza Fodderwala

And then just from a spending perspective, right, I mean, FireEye has, obviously, been at the forefront of a lot of major breaches, right, from Sony, to Target, to Equifax. I'm curious, I know last quarter, you mentioned the Q4 call that you had a record services backlog, hard to know exactly how much of that was SolarWinds related. But how have customer conversations trended since then, or pipeline trends even? And how would you compare this from a spending standpoint through other major regions we've seen in the past, whether it’d be Target or otherwise?

Kevin Mandia

Well, I think there's three things that are really contributing to Cybersecurity Awareness right now, which means spend probably isn't going down, it's either going to be the same or up. And it's going to be the smarter spend. Three things, A, when you have a pandemic and everybody goes to work from home, you have a whole shift change, now you got to protect your cloud and you got to protect remote workers. So that's one forcing factor to, hey, we got to do cybersecurity different. Second 2020 was without a doubt, and I've been in cybersecurity since 1993. And without a doubt, the worst year to be a security professional defending a network, because of more ransomware attacks, that there's just not one technology you can buy where you just go, wow, thank God, I'll never get hit with ransomware because I bought that. We've seen billions of dollars in extortion payments and ransomware payments, just in 2020.

So you got pandemic, work from home shift change, you have an unbelievable rise in ransomware, which probably, at this point, could be the number one profiting method for organized crime in the countries that harbor those people and let them operate. And then third, then you get hit with SolarWinds that we went public with on December 8th, and you recognize you've got to be kidding me. Now I've got to worry about the 1,000 different programs that I use as a business. Do I have to worry about my finance system? Do I have to worry about this operating system? Do I have to worry about this? Because a foreign nation changed the software we rely and depend on. So those three things are all forcing functions for greater attention to security. And I'll give you one more, Hamza, just it's we all rely on our networks more. It's how we communicate. So intrusions have more impact now. And every security professional and every business leader is recognizing we got to trust our data. We got to trust our applications. And most businesses do not function too well if they, A, come off the Internet or B, start losing functionality of their systems. So cyber attacks can shut a business down, and people don't want that to happen. So a lot of forcing functions that are keeping cybersecurity top of mind right now.

Hamza Fodderwala

Yes, for sure. I mean that’s something that we've been picking up in our own work is that even prior to the SolarWind breach, it was you know you saw that, the shift to cloud and more distributed workforces, have been raising the priority of security throughout 2020. And you mentioned a record breach environment. I think that's contributing as well. And it seems like security is still largely playing catch up. I'm wondering, you mentioned there's not one technology that could have solved this or can solve this. It seems like there's a broader sort of shift in architecture, those types of discussions, right? How do you change your security architecture from a more modern threat environment? Are you starting to see that more and more from the customer that you work with, maybe those that were maybe hesitant to make that transition are now even doing so more?

Kevin Mandia

Yes, there's no doubt with crisis comes change, period. So whether it's a government saying, hey, it's time to do something different, force sprints within organizations. People are reading the headlines and they're recognizing, I don't want to be the next headline. So what do we do about it? We're seeing that all the time in our consulting. And we get hired, transform from point A to point B, and you immediately recognize we've got to see what you have. And then we got to start thinking, how do you get a 100% visibility, how do you operationalize great security on top of that visibility, how do you get the zero trust. And almost all these transitions, Hamza, they don't happen in three months, they don't happen in nine months. I don't know who said the quote, but it is absolutely true. You don't just win in cybersecurity, wars have to be fought. Cyber security has to be fought. It's constant effort to do it. But it takes, in a lot of places, you're looking at a multiyear strategy just to get to better security. And it will cover identity, endpoint, logging, operationalizing your processes. There's just a lot of steps a lot of companies have to do and then validating or testing your whole security apparatus to make sure, hey, we arrived at the threat, I mean, at the risk profile we want to get at. So absolutely feeling that status quo is not tolerable at many organizations. They want to improve.

Hamza Fodderwala

Got it. Just one last macro question. FireEye is obviously a leading vendor serving the federal vertical. You've had new Biden administration talk about increasing cyber spending. I believe the proposal was increasing by $10 billion. Curious, do you think that's enough? Obviously, you're in the industry, so maybe not. And how do you see that kind of spending translating throughout the year?

Kevin Mandia

Hey, it's funny, I had a conversation like this two hours ago. First thing you have to do if you’re a president, pick someone to figure out how to spend it. I think if you distribute that everywhere, you're going to get what you always get, is a hodgepodge of good results and a hodgepodge of bad results amongst the government. They need to have a more unified strategy and they'll have to sort that out, and that's why they have, at least in law, they’ll have a National Cyber Director, that's a cabinet level position as far as I understand. And that might be the right person that starts commanding that budget and having a little bit more, almost proponing control. Because when you distribute control and security, you know having to respond to thousands and thousands of breaches. A lot of times I get the question, when do you see good and when do you see suboptimal response. Good response has the clear identified leader, period. And if you have distributed leadership on a problem, a lot of times, you get inconsistent results. So that's first and foremost. Second, it's a lot of money. $10 billion if spent right can definitely lift the ocean and start safeguarding the federal government in better ways than it safeguarded today.

Hamza Fodderwala

Got it. So maybe shifting to FireEye, right? So the product portfolio has evolved pretty significantly in the last few years. Initially, there was a focus on Helix, which brought together a lot of different pieces of FireEye functionality. And now, you had this new initiative around Mandiant Advantage, right, which is essentially bringing in FireEye sort of best of breed threat intelligence and response essentially delivering that in a box, and that's a SaaS offering by the way, not an actual box. I'm curious, kind of do you think Mandiant Advantage is kind of the evolution of what Helix started at, and how do they kind of play into one another?

Kevin Mandia

Yes, absolutely. Helix is -- a lot of times, what Helix is the brain. But realize five years ago FireEye had eight products and 11 interfaces. We had to consolidate and integrate. And one of the biggest things about Helix was let's have an interface for our control products, endpoint, e-mail, networks. So now we're in four products. Helix, the consolidator, and SEIM and network endpoint and e-mail. Smaller, simpler story and we're ultimately making Helix the capability to manage all of FireEye controls, and at the same timeframe, take the capabilities of Mandiant Advantage and pop them into Helix, so it can operate there. But we recognized what our customers want, is they want to be able to do what we do, threat hunting with experts. They want to know what we know. And Mandiant Advantage provides you the ability to answer, have we been compromised or could we be compromised. But you can overlay it on SEIMs, on your data lake, not just FireEye’s.

And that's the big difference is we started pulling some of the tremendous IP we have of analytics, machine learning models and really automating our experts, so that we can find the needle in the haystack and all your data, we pulled it out of Helix, which is also a data store. And we said you can also get all that capability and Mandiant Advantage overlay it on Splunk, overlay on ArcSight, overlay it on your custom data store. And what that'll give you is the constant threat hunting done by machine, because I still believe computers automate human tasks, that's what they do. And we have over 500 consultants right now finding needle in the haystack all over the planet. And so we're going to automate the security operator with Mandiant Advantage. We're going to automate the security operator with Helix. The biggest difference, Helix stores all the data, and is the SEIM. Mandiant Advantage is controls agnostic, period. Lay it on top of other endpoints, lay it on top of other SEIMs and get the value out of it.

Hamza Fodderwala

I'm curious -- so the thought process on making the platform more agnostic. Is that like where you see the industry going, is that you just can't have like, everything within your own ecosystem anymore, and something that customers are demanding more and more?

Kevin Mandia

I think people want to know that your stuff integrates and works with other products, so it absolutely have to be able to do that. It cuts both ways. You have the platform purchase, we're going to buy all our stuff from one company. But what I'm seeing in security is most of the 1A enterprises, they are still best of breed, they're not looking for the economical, let's just buy it all from one. So they're still going to buy from best of breed. We're the best in the world at threat intel. I'm wholly unaware of any company with 225 threat analysts that speak 34 languages in over 20 countries. I don't think anyone responds even half as many security breaches as we do. If you want to operationalize security, right now, at any 1A enterprise, you're not just going to have FireEye tech, you're going to have a lot of other technologies there. We want all those technologies to work for you, not just FireEye’s technology. And that's why Mandiant, that brand is seen as agnostic.

When our consultants go out and solve problems, a lot of times it's a security event, what happened, what to do about it. They don't say, hey, you need to buy more FireEye tech to solve the problem, they genuinely offer whatever answers are necessary for that company. And you can't expect every company throw everything out and just come with our stuff. And so we've recognized taking the Mandate Advantage and going agnostic, just allows us to be far more relevant to more security operation centers than we are today if it just works with FireEye products.

Hamza Fodderwala

And I believe you launched the Mandiant Advantage product in Q2 of last year. Just wondering kind of any updated views and give us around customer traction, conversations, pipeline trends. And do you also think that this will allow you to expand your customer base to maybe the not very large enterprises who might be resource constrained?

Kevin Mandia

I think I've been talking for 15 minutes and I've been watching Frank, listening to you. Frank, I’d love for you to jump in here and kind of share your view on it…

Frank Verdecanna

Sure. So the Mandiant Advantage that launched at the end of 2020, had our threat expanded threat intel offering in it. As from a roadmap perspective, we've talked about, in the near term actually launching the validation module within Mandiant Advantage and then incorporating the Respond XDR technology into Mandiant Advantage and into Managed Defense as well. Later in the year, we will be adding the Managed Defense module into Mandiant Advantage. But so far out of the gate, we've seen a lot of uptick in customers, adopting the premium version to get a sense of what Mandiant Advantage can do for them. And then we are seeing, prior to Mandiant Advantage, even being launched, our threat intel offering was an above market grower. And so adding it into Mandiant Advantage, right out of the gate, we're still seeing a lot of really nice traction there on a standalone basis. But as we continue to add modules throughout the year, I think we're going to see kind of a step function increase there in the impact for Mandiant Advantage.

And the one area that we're really excited about is when we built Mandiant Advantage, we really did build it to have an easier demo, easier deployment, easier consumption process. So customers could demo it a lot easier, could actually deploy it a lot easier. And so that should really help us get into the mid market, which is an area that we've been very successful in the large enterprises and governments. But because most of our products have been built for the security experts, it hasn't translated as well from a channel leverage perspective. But as we look at Mandiant Advantage and a lot of work that we're doing on our cloud endpoint, we think that both of those will be big drivers in our future growth, but also fit the mid market and the channel very well.

Hamza Fodderwala

Got it. And just to clarify, the validation module, that's going to be integrated into Mandiant Advantage at some point. I don’t know if you've given any timeline there?

Frank Verdecanna

It should be within the next 90-days, I believe it -- we're still selling it on a standalone basis. So it hasn't heard us from a validation perspective yet. But there will be obviously more synergies when you can actually buy it within the platform.

Hamza Fodderwala

Got it. And if Mandiant Advantage does become more successful, I'm curious, in which segments should we see these results, right, when we're looking at all the disclosures you guys give every quarter?

Frank Verdecanna

Yes, the entire Mandiant Advantage platform, in every module within it, will be in the platform, cloud subscription and managed services bucket. So that'll be a big driver of the growth and the continued growth in that category.

Hamza Fodderwala

Got it. Just shifting towards the EDR and the XDR side. So you recently acquired Respond to bolster that Mandiant Advantage offering, you've talked a lot more about your own XDR solution and you have other companies as well coming at this market, some of them are coming at it from a network standpoint, some of them endpoint standpoint. I'm curious what differentiates FireEye? You talk a lot about having the Threat Intelligence. But what's really differentiating FireEye beyond that versus some of these other competitors?

Kevin Mandia

Yes, I can tell you, right now, when I always talk about XDR and we've been talking about something like this inside security, since like 2008. We just didn't use XDR for Extended Detection and Response. We always said you need endpoint tech, you need network tech, you need e-mail security, you need to know what to look for. XDR is just bringing all that together into a single platform, single pane and glass over time.What will differentiate us is the means to say we have all the controls you need. If you need endpoint, we have it, we have e-mail, we have network and we can bring it all together into a single platform. Or when we bought Respond, we just broadened how much more tech we can work with in bringing that capability to you. Maybe we're none of the controls.

But with Respond coming on board, what people want is our intel detect what we know about, our machine learning detect what we don't know yet, but help us figure it out. And oh, and there's a button in there anyway, so we can always be your second line of defense, if you need an expert, go to Expertise On Demand and click a button and get help.Most XDRs, it's just going to be technology only. And they're not going to get the phone call when there's a strange alert and they want to get triage done. The big difference is we're going to stand behind your technology with experts. You can click a button and we're going to send that expertise right into the product. What do you need? We will make, with our XDR platform, the ability for every single company that embraces it to operate like a Fortune 50 security operation center, if that's what they want to do.

Question-and-Answer Session

Q - Hamza Fodderwala

And just a question from the audience, I think, for Frank. Just what is sort of the typical ASP uplift that you see when migrating certain customers to Mandiant Advantage/cloud platform?

Frank Verdecanna

Yes. So from -- because out of the gate, Mandiant Advantage is really, just in our expanded threat offering, we've already moved our threat intel customers over to Mandiant Advantage. And there isn't necessarily any uptick on that alone, because they're getting a little bit of expanded offering. Where the uplift will come is when we add additional modules to it. And as of now, if you look at Validation being the first module added beyond the Threat Intelligence, that should be at roughly a similar ASP. So you can think of kind of double of the existing subscription spend.

Hamza Fodderwala

Okay. Got it. So it seems like right now, you're really focusing on the delivery, the breadth of the product, right, and addressing this problem. And then, eventually, you'll get more into depth as you layer on more modules, because it is a SaaS offering. So we should expect sort of the benefits to be more long tailed in nature. Is that a fair way to assess that?

Frank Verdecanna

Well, I think, because it's coupling together a lot of the growth areas that we're already seeing on a stand alone basis, I think we'll continue to see that above market growth in that category. But once we do get multiple modules in there, you'll get the synergy of having it all in one platform and one dashboard.And so I think, similar to today and what we saw in the fourth quarter is we're selling a lot of kind of bundled deals where you have multiple products and solutions and a platform together. We think once Mandiant Advantage has multiple modules, we're going to get that kind of platform and multiplier effect.

Hamza Fodderwala

And just from a go to market perspective, how is this new Mandiant Advantage platform being sold? Correct me if I'm wrong. Is it inside sales? And what are some of the incentives that you're putting in place to really push the sales force to drive adoption here?

Frank Verdecanna

Yes. So our traditional go to market approach still is intact. One of the things I mentioned a little bit earlier was we do believe that Mandiant Advantage will fit in the channel better than some of our more mature products. And so that has the ability to open up a new market for us.And then from a methodology and go to market and incentive comp plan, we've treated, in 2021, every dollar is not created equally. We actually incent the sales force to sell Mandiant Advantage more than any other product. There's also gates in there and so specific things that making sure the sales force is very focused on selling the growth areas of the products. And it also happens to be the product that should be the most differentiated in the market because of its taking advantage of our kind of leadership position in threat intel and expertise.

Hamza Fodderwala

Got it. I want to shift gears a little bit on the professional services side of the business. Can you maybe talk a little bit about the strategic value there, right, as it relates to selling some of your newer SaaS products? And I think the other thing that gets maybe the misconception among investors is that it's not like a traditional services business, right?So it seems to be more repeatable, right, not necessarily just something that sees a bump post every major breach. So I'm wondering if you could talk a little bit about the repeatability of that business, and perhaps kind of where you are in terms of the contribution margins?

Kevin Mandia

Got it. I'll take the first part, Frank, and you can go to the contribution margin. First and foremost, this is a business that's been growing steadily since 2004. So 16 years indicates repeatability. We already have that. Second, why is it strategically important? If you are nothing but a product company, you have no idea when your products fail, because people -- here's how it will materialize.If you have no means, if you're not on the front lines of cyber defense, responding to every breach that matters to figure out how other devices were circumvented, whether it's misconfiguration or the product simply don't detect it. If you're not close to the adversarial behavior, and most pure product companies are not, the interchange with customers isn't as valuable. Because every single customer and security wants one thing, stop intrusions. And pure product companies that aren't responding to them all the time don't know how to stop them.

We did over 600 red teams last year. I'm wholly unaware of a firewall stopping any of our red team endeavors, period. And there's a lot of people out there that believe, wow, if I've got a firewall, I'm good to go. I've read the literature, they stop everything. And that's why you saw plans can get into expertise in the business. They have to. They recognize, you know what, it is a bad learning model. If we missed something, and the only way we found out we missed something is our customers somehow found it. Because here's the unvarnished truth, your customers actually don't find it. That's ridiculous for you to rely on your customers to find your product failures. You need to.And that's what we do at FireEye. We have that learning system. I don't know how to do it with just software. You have to also have the people on the front lines actively investigating and learning. And that's the innovation cycle that we built. It is strategically important to know how the adversary is beating us in cyberspace so you know what products to build.

Frank Verdecanna

And then from a gross margin perspective, the gross margins are higher than traditional service offerings, but they are lower than our overall gross margins. But the main point there is that, from a contribution margin perspective, because there isn't nearly as much of a sales and marketing and R&D load on services from a contribution and operating margin perspective, it's pretty similar to the overall business.

Hamza Fodderwala

Got it. Maybe just another model question for Frank. So you reached a milestone this year, where over 50% of the business is now the newer stuff, right, the cloud and managed services business. I'm curious, going forward, how you think about sort of overall top line growth? Are you managing the business now to be a sustainable double digit grower? And what metrics should we look at? I mean I imagine it's still going to be ARR. But at what point do you think you'll be done with the transition or the transition will be behind you, and we can look at more standard metrics like reported revenue?

Frank Verdecanna

Yes. I think from an inflection standpoint, I think our fourth quarter kind of validated that we are at that inflection point. We got to -- if you look at our billings in the fourth quarter, 66% of it were in the high growth areas of platform, cloud subscription, managed services and services, if you look at the leverage in the model that translated into double digit operating margin that we ended the year at.So I think, as we look forward, our focus is on absolutely growing the top line but also being very cognizant of increasing leverage and making sure that we continue to improve cash flows and operating leverage. But the focus absolutely is put our foot on the gas in the growth areas of the business. The good thing is the more mature areas that are stabilized are driving significant cash flow to the business. So I think we're in a pretty good spot right now. I think we've gone past that inflection point, and now we'll start seeing that acceleration on the top line and additional leverage in the model.

Hamza Fodderwala

And just from a cost structure standpoint. So you made a lot of changes to the cost structure last year that led to the improved margins. And obviously, this is a question we've been asking a lot of companies is that COVID drove some benefits from an OpEx standpoint. I'm curious, what are some of the benefits you expect to be longer lasting, right?Obviously, you had some restructuring efforts. And sort of how much of them are going to be more temporary in nature, right? So I'm thinking things like remote selling, right, maybe moving more towards an inside sales model. So how are you thinking about some of those longer term efficiencies in your model?

Frank Verdecanna

Yes. So obviously, the transformation activities we did in the first half of 2020 are permanent. There are savings that will last going forward. And it really gave us the opportunity to invest heavily in the growth areas without increasing our overall OpEx. We did get some benefits from lower travel, lower facility spend in 2020. And in the early part of 2021, we'd expect similar benefits.Longer term, more travel will come back into the model, more facilities expense will come back into the model. But I don't think it'll ever get to kind of the pre-pandemic levels. I think a lot of the learnings that a lot of companies and a lot of the peers I've talked to, we don't believe we need to get back to kind of the pre-pandemic travel levels and facilities expense, because we've proven that we can be very successful in a remote environment.

So if you used to have 10 large in person events a year, you could probably get away with doing five virtual and five in person. I think we're all excited to get back to some level of face to face and in person, but we're also now understanding that we can do this remotely at a high level as well. So I think, going back, the environment is going to be a little bit different. It's probably going to be more of a hybrid. I think more facilities will be -- use hoteling concepts. And so you won't necessarily need a desk for every single person, every single day. So I think there's going to be some of those savings that will be ultimately permanent, probably not at the exact same savings levels that we saw in 2020, but I think we will have permanent savings going forward.

Hamza Fodderwala

Got it. And just maybe one last question from the audience around sort of cost. How should we think about normalized operating and free cash flow margins three to five years out, or maybe longer term, right, when we're looking at FireEye?

Frank Verdecanna

Yes. So we haven't updated our long term model yet. But when we gave our last Analyst Day, we thought 20% operating margin, 25% cash flow margin, were all very achievable. I think this year was a great step forward from a free cash flow and operating margin perspective, and I think we'll continue to show improvement there.

Hamza Fodderwala

Okay. Great. Well, I think we're a little over. Kevin, Frank, thank you so much for your time. Really appreciate it, and best of luck with everything else.

Kevin Mandia

Thank you, Hamza.

Frank Verdecanna

Thanks, Hamza.