Well, you sit on the left, I'll sit on the way right, and Ken will sit in the middle.
Perfect.
Sound good?
Got it. When you say left, stage left?
Yeah, stage left, so facing the audience. I'll be right here.
Got it. Thank you.
Yeah, sorry. That stage left?
No, I don't think so, but I don't know the answer either. I don't know why I asked that question that way.
Okay. All right. We're rolling. All right, good afternoon, everybody. Thank you for joining us. My name is Hamza. I'm the cybersecurity analyst here at Morgan Stanley, and with me, I'm really excited to have the team from Fortinet here. We have Ken Xie, Founder, Chairman, and CEO, and we have Keith Jensen, CFO, as well. Before we begin, a brief programming note, first from me. For important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. And I believe, Keith, you had a statement yourself.
Something equally important, yes. Okay. I'd like to remind everyone that we may make forward-looking statements during today's fireside chat. These forward-looking statements are subject to risks and uncertainties that could cause actual results to differ materially from those projected in these statements. Please refer to our SEC filings, and particularly the risk factors in our most recent Form 10-K and Form 10-Q, and to other reports that we may file from time to time with the SEC for additional information on factors that may cause actual results to differ materially from our current expectations. All forward-looking statements reflect our opinions only as of the date of this presentation, and we undertake no obligation and specifically disclaim any obligation to update forward-looking statements. Thank you.
All right, great. Well, thank you again, gentlemen, for joining us. Ken, I'll start with you. A lot of changes going around the cybersecurity market today. When I think about the Fortinet platform, a big part of it has been around the convergence between networking and security. Talk a little bit about that, how that is progressing, and then a little bit about how you're expanding beyond traditional network security into areas like SASE and SecOps.
Yeah. So the network security give customer to manage the content, application, the data which networking don't have. So networking just connects it together, but in order to manage the higher layer from user, device, content, application, you do need network security. So that's also Gartner say in the next, like, five, six years, by 2030, so the network security market will be bigger than network market. There will be a lot of new use case beyond the traditional enterprise firewall, so you can go inside enterprise do the internal segmentation, replace some of the switch there. You also can secure within a data center, including certain AI data center there.
Mm-hmm.
You're also kind of supporting work from home and remote access. At the same time, the new fast-growing area we see is the OT/IoT area. So a lot of connected devices also need security, network security. And most of the time, the only way to secure a lot of these devices is by network security, because endpoints cannot apply there because they all have a different operating system, and they may not have enough computing power to run the software agent on there. So the only way to secure a lot of OT/IoT devices is by network security. So we see all this will drive the growth of network security, and in five, six years, the network security is bigger than networking.
That's where I do believe, in the next five to 10 years, the network security will continue to grow like in the last 30 years, 10%-20%. So we're keeping growing, and a lot of new use case will be in the network security space.
Okay, so it's a really important point. I think what you said, network security could potentially be larger than the networking market overall. I think today it's maybe about 1/3 or 1/4 of the networking market, network security, so definitely a bold statement there. Some of the use cases driving that you mentioned was OT/IoT, micro-segmentation. Anything else that sort of bridges that gap?
Yeah, work from home, all the SD-WAN, and that's not I say, it's the Gartner saying that.
Right.
By 2030, the network security will be bigger than networking. So we do see a lot of new use case, and we see customer definitely more interest. The only issue today is, really, network security, on average, is about 10 x more expensive than the networking device for the same throughput, the same bandwidth there.
Mm-hmm.
So that's really how to drive the cost lower. So our solution from day one, 24 years ago, is really develop ASIC technology. So we're still the only company develop our own ASIC for the network security, and same time, how to integrate more function into the single operating system and accelerate this function using ASIC to lower the cost, we improve the performance, and also to lower the energy consumption there. So that's really the way, I think, can drive the whole market.
Okay. All right. You mentioned the growth rate. So I mean, we set up here last year, and your view was that the market that you're going after within network security should grow 10%-20% on an annual basis. Obviously, there's cycles. You know, this year, you're forecasting an overall growth rate in the single digits. So talk to me about where we are in that cycle. Do you think we're nearing a bottom here? And when do you think we'll start to see growth rates converge back to that 10%-20%?
I think the market this year a little bit distorted by the last two, three years. If you look at three years ago, we started seeing the bookings grow over 50%. So that's where you can see 2021, 2022, the business, the billings grow, like, 30%, 40%. So basically in, like, two, three years, we double the product revenue, double the business there. And then that's where mid of last year we started to say, hey, this thing's starting to need some digestion. Certain verticals, like we see in, like a retail space, the last two, three years when they grow over 100%, now it seems relatively flat or even maybe negative there.
So some of the customer, they order some extra inventory because when they experience the supply chain issue and also sometime the price, the price of the product also kind of go up quarter by quarter, they tend to order extra product. And also the product usually when you deploy in the field, whatever, usually last for four to five years. After four or five years, just like any other networking product, you do need a new product, which has a faster, higher, more function and all these things there. So that's where I think the supply chain issue, even the COVID in the last two, three years, kind of distort the market a little bit. That's why you see some kind of a up and down.
But we do believe maybe towards the end of the year, things will be go back to normal. And then maybe, next year, I think long term will not change in the whole landscape there. Probably Keith also have a pretty good comment.
Well, yeah, I think the compares, as we call them, get a little bit easier in the third and the fourth quarter this year, so I think there, there should be some benefit from there-that. I think a couple other, you know, early data points in terms of recovery mode, looking at our own pipeline, you know, for the second part of the year, and, you know, we start looking at pipeline that far out, it's a pretty soft number, but I think the indications are for, you know, more strength in the second half of the year at this early stage.
The other data point I would offer is we're on the road with customers last week, and I think that the conversations with CIOs and CISOs around their plans for 2024 and budgets, you know, have improved from a year ago. I think a year ago, everybody was contemplating, you know, a hard recession, and I think a lot of the actions and conversations were very soft in terms of what they wanted to accomplish in 2023. And I think as 2023 played out, we saw that. It's still early in 2024, but I would say the tone was different last week than what we saw a year ago.
Fair enough, and the new way to say CISO, CISOs, tomato, tomato, I guess.
Sorry.
No, it's, I think, Keith, you also mentioned, towards the back half of this year that Fortinet will grow above market, right? So, like, I think initially it was after the really strong Q4 performance you had, or before the strong Q4 performances you had, the view was we'll be back to double-digit growth by, end of this year. Now, it's above market. I guess Ken is saying market growth is 10% +, so, you know, what does that kind of imply,
I think Ken and I should talk more often, I think, now.
Not more for long term, in the next few years.
Fair enough.
Yeah, I think if you go back to the earnings call, I think we're, you know, thumping our chest and offering a note of caution at the same time around the fact that we had closed six eight-figure deals in the fourth quarter of 2023. You know, those deals were a mix of firewall and software solutions. We're very, very proud of that. But we also want to make sure that, you know, investors on the street had visibility to what we saw in the fourth quarter with those large deals to help explain what we would expect to see on a quarter-over-quarter comparison, but also a bit of the challenge that we create for ourselves in the fourth quarter of 2024 with that compare.
Fair enough. Fair enough. So on those lines of sort of the longer-term growth trajectory, so you mentioned, you know, obviously, you had multiple quarters, years of 30, 40% top line growth, the product revenue doubling through COVID. At the same time, network traffic has increased, bandwidth has increased quite a bit, especially post-COVID. I would say typically, you know, in the past, Fortinet hasn't really benefited from the enterprise refresh cycle as much. Today, almost 40% of your billings are coming from large enterprises, and in the past, we've seen around a four-year replacement cycle. Do you expect to benefit more from enterprise refresh going forward? And if we assume four years, would that imply that we'll see healthier refresh activity by 2025?
A bit of a loaded question there, but maybe first part on the enterprise refresh, and then whether you see replacement cycles along getting beyond four years.
Yeah, I, I won't be shocked if replacement cycles extend a little bit beyond four years. And, you know, are we talking about the age of the unit? Are we talking about the supplier, like ourselves or our competitors, providing a new generation of firewall? So I think there's, you know, a bit of that nuance. I think for Fortinet, you know, while 35%-40% of our business is large enterprise, you know, that's still a fairly smallish percentage of total enterprise space.
Why that's important is that we believe when the competitors or the incumbents, you know, are coming up for a refresh cycle or renewal cycle, you know, that's a logical time to create opportunities for those same customers to, to look beyond their incumbent, to look at other opportunities and other price points and other performance points from competitors as part of that. So it's an opportunity for us to displace some incumbents in the enterprise space further.
Got it. Got it. One of the other things you announced in the last six months, Ken, was revamping sort of the go-to-market to align more to some of these newer areas like SASE and SecOps. Could you talk a little bit about that and what some of the initiatives you put in place to drive growth beyond secure networking?
Yeah, like, November last year, four months ago, we started divide the market into secure networking, which is about 70% of business, and then, SASE is about 20%, then the Secure, i t's about 10%. And, we do see during the current environment, economy slow down, the money kind of cost pretty high, this kind of, OpEx consumption model, like a SASE, will be more attractive to a lot of enterprise customer. And, so the SASE actually is not new to us. We have all the function in the FortiOS for about five years, just as SD-WAN, just the go-to-market strategy we have in the first few years, so we try to go to service provider carrier first. Because a carrier service provider usually is the biggest market for us.
So when we IPO 14 years ago, it's about 30% business come from carrier service provider. So today, it's only about 10%. So that's why we want to have all the service provider carrier go back and keeping growing, offer the secure service to their customer, leverage their infrastructure. But somehow, in the last few years, they are moving too slow, so much slower compared to the SASE player. So that's where November, last year, we decided we do ourselves now. So we quickly increased the number of PoP from 30 PoP, which are owned by ourselves, to sign up with Google, some other partner there, to increase PpP, like, over 150. And the same time, so we launched the SASE to the Salesforce, the partner.
So you can see in the last quarter, in two months, we signed up like an eight-figure deal. We signed up a lot of customer. I think if you talk to some other SASE player, they usually say the sales cycle is probably between nine to 18 months, but for us, we see close with much quicker, much shorter there. And also, we do believe we are also probably the only player offering SMB customer a SASE solution. So, and also, what's different from Fortinet and other competitors, well, first, we have a huge installation base. So we're number one on the firewall network security. We're number one, number two, on the SD-WAN. It's all built in the same operating system. And the same operating system, you can turn on the SASE function now.
That gave us huge advantage for the current customer installation base. And at the same time, we also have a kind of a single OS SASE approach. So a lot of SASE customer, you have to have a go to the PoOP or some other one. We put all the SASE function in the same operating system. You can using hardware to deploy locally on the, we call local SASE, or kind of a private SASE, or you can go to cloud, go to the PoP, all this approach. And we also differentiate ourselves. We do have what we call the hardware agent, like the FortiAP, FortiSwitch. FortiWiFi can be the hardware agent to enable customer using SASE. They don't have to load the software in their device.
So if you're using a Wi-Fi or switch and, or FortiGate, and then you can enable the SASE to secure all the SASE traffic there. So that gave us a huge advantage. So we do believe we see the SASE ramp up, probably very similar, like we ramp up SD-WAN, like four, five years ago. So in, like, a few years, we become number one, number two in SD-WAN market. We see the SASE also have the same growth. So the pipeline is grow, like, over 150% and, just in a quarter. And we also see, pretty strong demand.
The only thing we feel we need to quickly move is really train the sales force, train the partner, because they are very good on selling the firewall, but SASE is relatively new for them, even the product already, the infrastructure already. So I think if we can get a sales force, the partner, quickly get a SASE selling, we do believe we'll be better, bigger than any other SASE player in the space.
Got it. Got a lot to unpack there, and I should mention the eight-figure deal. I think it was 350,000 seats as well, so quite notable. You, if I recall, you weren't early to the SD-WAN market either. Now you're number one, number two. Do you foresee—I mean, I'm sure you do, but do you foresee a similar type of playbook in SASE like you have with SD-WAN, where you can sort of naturally upsell into your branch customer base?
Yeah, because, like, we are the number one, number two, both in the firewall, in the SD-WAN, which we have probably the biggest customer base, over 700,000 customer, which we can easily turn on the SASE because they're using the same FortiOS, which run in their firewall, run in their SD-WAN. Now they have all the SASE, whether DLP, CASB, Web, all this, you know, in the same OS. And then with all this, agent, whether software, hardware agent. So that's why we're starting probably the try and buy program this week, and then we can see customer interest is pretty high.
So that we believe will ramp up SASE faster than any other SASE player, because the installation base, because the single OS approach, because the hardware from ASIC acceleration to the hardware agent can support in the SASE deployment.
Got it. So really, from what I'm hearing is, you know, you've been doing SASE for really a number of years. If we think about SASE, it's just security at effectively every edge, whether it's the WAN, edge, remote user, cloud, et cetera. Is it just the flexibility of having a more software-led OpEx as opposed to CapEx approach? And do you think that your SASE portfolio ultimately will be complementary to what is still a very large, you know, branch firewall estate that Fortinet owns?
I think the SASE is more related to the business model, little bit more like a OpEx consumption. But if you look at the function-wise, it's a very similar, like, in the last 30 years, how the things evolving the network security space. From like, 20-some years ago, my previous company, NetScreen, we do just a firewall VPN. And then we started Fortinet 24 years ago, we call the next-gen firewall or the UTM, basically add intrusion prevention and antivirus and other function into the old traditional firewall become a next-gen firewall. Now, a lot of enterprise, they need additional function, like a DLP, like a CASB, like all the WAF there. And the same time, the working environment also changing. People work from home now, and also within the enterprise, there's so many way to connect online.
It no longer just goes through the internet gateway anymore. You can do Wi-Fi, you can do wireless, you can do all this kind of for 3G, 4G, 5G, even 6G connection there. So that's where you need to build all this network security to fit the current environment, and the new function, and, all this, kind of huge, connection everywhere there. So to build kind of a little bit more in the Zero Trust environment. But on the other side, the function you needed in the current enterprise environment, you need to go through some, like, security computing process. Whether you process within the cloud using a general purpose CPU, or like us, we can process locally using the FortiASIC, FortiOS, that's probably the same. That's why we see a lot of big enterprise customer now they approach us.
They're not feel comfortable to send their data when they work in the office, send their data outside out to process. They more prefer the data being processed locally in their data center. If you work from home, it all makes sense, right? There are certain data you have to go to cloud or whatever to make connection there. But if you're in the office or if you are in the data center there, you would rather process all this new security function within the same local networking environment. So that we see the additional use case, additional opportunity for us to keeping growing, because the technology we have in a single OS with ASIC accelerate can well apply in this high speed environment, local environment, the traditional SASE not play there.
The same thing, some hardware agent, like we mentioned, the AP Wi-Fi space and also the FortiSwitch, can also enable a lot of customer in the Wi-Fi switch environment to enable SASE without using the software agent.
Basically, security embedded in every networking device, effectively, vis-à-vis on a single operating system powered by Fortinet? Got it. Just on the sales cycle, so, I mean, when I think about the SD-WAN part of the SASE market, largely, you're solving for network optimization, and then you have security on top of that, vis-à-vis the firewall. When I think about that or Secure Service Edge, the other part of the SASE market, where you're talking about things like secure gateway, DLP, et cetera, Zero Trust network access. When you're selling that portion, is that, is that more of a complicated sale to the enterprise? And does that elongate sales cycles relative to maybe what you were seeing when you were selling SD-WAN?
Actually, Keith said the number, like last year, we had about 22,000 new customer.
It's 25,000, yes.
It's 25,000, but 93% is really-
A firewall
A firewall first. Yeah, go ahead.
Yeah, I think that, you know, no two customers are exactly the same. But I think there's the common approach of Fortinet, and, you know, of those 25,000 customers, 93% of them bought a firewall to start with. And with that firewall, they got the operating system. The use case for the firewall could have been the data center, it could have been SD-WAN, it could have been micro-segmentation, what have you. But you see customers getting comfortable with the operating system, SSL encryption, the encryption, the SD-WAN functionality, and now you bring SASE to the party as well. And in this case, SASE includes the SSE functionality that you're making reference to, and that is now part of the operating system.
On the road last week with customers, I would say that 90% of the meetings, and these were all with customers, the first question was, "Tell me about SASE." Because they see the progression of the firewall, combined the ASIC combination with the operating system, see this functionality all in one operating system. It makes logical sense for them to have a conversation with us about SASE and how it will continue to move forward. I do think that SASE is a little bit unusual compared to some of the other SecOps or SaaS solutions, in that I do see a little bit more of first-time customers coming to us and inquiring about the SASE solution. As I say, normally, it's a progression: firewall, SD-WAN, SASE, Zero Trust.
Here, a little bit, people are kind of jumping the line, particularly in the smaller enterprises, and wanting to have a conversation about the SASE solution.
Yeah, the ramp up very similar, like, we did on SD-WAN. So because including FortiOS, so customer can easily turn on, and then they can try, and then eventually it will be become a SASE customer, SD-WAN customer.
Got it. Got it. You know, you very purposely didn't really monetize the SD-WAN, you know, base really that much at all. I think you have tens of thousands of SD-WAN customers. Now that you're trying to sell SASE, are you going back to the SD-WAN base and saying, "Hey, we have a great SSE product now, so we can do full single-vendor SASE?" Has that been a natural area of upsell for you? If they don't adopt the product, is the alternative maybe you now pay us for the SD-WAN, so it's a bit of a carrot and a stick, if you will?
So the SD-WAN, we see very quickly within the market share in the last few years.
Mm-hmm.
Because a part of FortiOS offer come for free, and also we did not charge the service. Now we're starting to offer additional underlay, overlay service for SD-WAN. We see the service steady ramp up pretty quick now. We're, we're probably the similar strategy for SASE. We'll let the customer to try to see the benefit of that, and eventually leverage our customer base, the infrastructure, to quick ramp up the additional service. So we do believe, with all the skill we have and all the customer base we have, we can quickly turn customer into our SASE, and eventually will benefit from the huge installation base we have.
Got it. Got it.
Yeah, I think despite the fact that at the same time that we brought SD-WAN to market, we also had the dual objective of penetrating the enterprise space as well. And I think SD-WAN, you know, was a logical place for the larger enterprises for us to gain a foothold inside those enterprises. And whether we charge for SD-WAN separately or not—you know, that same customer base, that same foothold that we got, creates the opportunity now for us to come back and have the SASE conversation, which, yes, we are charging for.
Got it. Got it. And then on the price point, I think, Keith, you're about 1/3 of the price per seat relative to your competitors. How are you able to charge so effectively, given that a lot of the SASE services may not necessarily be tied with the hardware portion? Because I understand the hardware side, you've got the ASIC, and, you know, obviously, Ken mentioned that a big part of the SASE portfolio does underlie some of that, but just curious how you guys are able to charge effectively.
Yeah, I think it's no great secret that when you're bringing a product to market you're pretty excited about, you may lean into it from the investment side a little bit, and you can lean into it a number of different ways, whether that's incentives for your sales team, for your channel team, or price point for the market. I'm not trying to build a point solution company around SASE. I have a very large network engineer, or pardon me, network security business, as well as SecOps. So if you look at our total gross margins, you can see that I'm able to make—we're able to make those investments in SASE, at the same time, maintaining our total gross margin.
Okay. Maybe shifting to SecOps, so that's about 11% of billings, I believe, in Q4. XDR, SIEM, I think the, you have EDR in there as well. Any other big pieces that is noteworthy within that SecOps portfolio? And how do you think, going back to Ken's point on, one integrated operating system, one fabric, how do you think it allows you to more effectively pull data from these different vectors?
Yeah, we see the FortiSIEM, FortiSOAR, and especially we have the FortiAI, already the generative AI, already in the FortiSIEM, FortiSOAR now, grow very strong. At the same time, the NAC, Network Access Control, other things we see pretty strong growth. The same thing for email security, also the mentioned endpoint security also has pretty strong growth. But a lot of it's our current customer, so it's more easy to upsell, cross-sell. It's really how to train the sales force, the partner to sell the different kind of securities and the network security.
Do you think on the SecOps side, is that an area do you foresee a lot of success in the very large enterprise, or do you think it's gonna be more in that mid-market? Very similar to how in the early days, in the firewall, when you were selling that, it was more mid-market, then you moved up naturally.
I think probably more mid to large enterprise. So the SMB, they tend to be like using multiple product already, but it's really the big enterprise, like I said, they tend to get network security first and then keep expanding, keeping integrate, automate other things together.
Got it. Ken, just a high-level question. There's been a lot of debate around platform versus best of breed lately. Where do you fall on that? Obviously, you're trying to consolidate. You have a big portfolio, too, but do you think that at some point, you know, key concepts that we've learned in cybersecurity, things like defense in depth and not having too much vendor concentration, do you think those act as natural barriers for ultimate consolidation in cybersecurity?
I think the consolidation makes sense because, most of the bigger customer, they don't want to manage, like, a 30-40 different vendor. But also, we talk to a lot of customer, they also don't want to have a single vendor, put all egg in a single basket. They would rather have a few vendor they can manage and reduce the number of vendors to manage, but not the single vendor approach. So that's what most of the customer, they don't feel comfortable just have a single vendor approach.
Got it. And, Keith, just to add to that, I think, obviously, you and Palo Alto are the largest vendors in the network security market, but outside that, what percentage of the market is still not addressed by, you know, the top two players?
Ooh, 60%, probably, if they top two. Yeah, it, it's quite... It remains very fragmented. And maybe to bridge that to the comment a moment ago, I don't know that if you were to compare and contrast, say, security platforms to ERP platforms, a company typically has one ERP, one platform. I don't think that's the vision for security. I think you're gonna may see several platforms within the inside of an organization, but not one single platform.
Yeah, security is pretty interesting. It's very dynamic, and every year there's a new threat. You do need some solution come up quick to address this new threat there. So that's where the point solution were always there, to quickly catch up the new threat to protect the customer there. But then you do need to start keeping integrate, especially in the network security, because customer don't want to have a multiple box in line, try to help them secure the network in there. So that's where when the platform vendor starting integrate some of the point solution function into their own kind of OS, then the point solution starting losing the market share there. That's happened to whether there's a few point solution company in the past, all disappear now.
On the other side, kind of, because we are the only one leverage ASIC to improving the performance, lower the cost, lower the power consumption, you can see the, the economy of scale also starting more working for us. So like, we have over 50% market share on the unit shipment and also the number one in the network security on the revenue side also. So that's what kind of, helping us to drive the cost even lower, whether on the ASIC chip or on the whatever the new product we launched there. So that will give us more advantage, both on the product, on the infrastructure side, to supporting the customer.
So that's why I feel, in the security market, you look at network security, like 15, 20 years ago, the top five vendor has less than 50% of market share. Now, the top two vendor already approach 50% market share today, like Fortinet, Palo Alto, some other. So you can see they do have some consolidation going on. But on the other side, we do see a lot of new market opportunity, like OT/IoT space and like internal segmentation, replacing some of the switch in there, remote work from home or other. It's relatively new market, not existing 20 years ago. So all this new market will continue to drive. So that's the reason I believe the network security, and including hardware, keeping growing 10%-20% in the next five to 10 years.
Got it. I want to ask one last question about OT security, then I want to open up to the audience. But, on the OT side, this has been a really strong area of growth for you. Ken, you've talked about OT security potentially being larger than the SD-WAN market over time. Talk a little bit about what's driving that, the need to secure critical infrastructure and how Fortinet is addressing those needs.
Yeah, because OT security, whether you have to deal with a lot of devices connected online, and most of them don't have a standard operating system, they also have very limited computing power. So the only way to secure them is probably by network security, because endpoints are difficult working there. And you can see even the 5G 60 will connect 10 x more devices than people connect online there. So it's a huge opportunity. A lot of verticals, like whether the healthcare, the manufacturing, they just have so many devices need to be secured. So that's why we see the huge opportunity keeping growing in that area. And we invest very early in the market, and we're the number one leader in OT/IoT security there, so we just see the growth pretty strong right now.
Got it. Any questions from the audience? I'm not seeing any hands raised. Okay, I'll ask a few more. So, you talked about a massive install base, 50% of hardware units in the firewall market are Fortinet massive install base. How do you think about monetizing that more effectively? I think today, or by our estimate, every $1 of hardware you're selling, you may be getting about $0.50 of software ARR attached, which is below some of your peers. So when you go back and you refresh some of these customers or you're selling newer units, what are some of the things that you're doing as far as attaching more software, more services, higher margin services to this space?
Yeah, that definitely is a very good question. Approach which we pursue right now is really. Right now, we offer a lot of—there's about 30 functions in the FortiOS. And, I think the—probably most of them we offer for free. So that's a lot of additional service, including SD-WAN. We can set in kind of give additional service for customer and also charge some of service for ourself also. It's we just see right now is the, the market share we have, especially in certain verticals, certain area, that it more makes sense for us to really drive additional service from the area there. And, but on the other side, there's still pretty fragmented market, and there's some other market we do also feel growth probably more important right now.
We still want to drive some growth, whether in the SASE or in some other areas. So once we feel we have the market share, we definitely see the opportunity to drive additional service out of that.
Yeah, I'd probably add to that. If you think back a little bit in terms of the philosophy of the company, you know, what we were selling in during the period of time that generated those numbers that you're talking about, Hamza, you know, I think we were very committed to, you know, providing a very competitive price and performance offering for the firewall, but we were also doing the same thing with our service contracts. And we really placed a high value on being able to consolidate different security features into bundles. And it was really a model that you sold a firewall, a support contract, and a security contract, and you were done.
I think over the last several years, you've seen us do a lot more of the à la carte services, what are now talked about as being SecOps and those types of things, and SASE. As you look forward, over the next few years, you know, I would imagine what we've seen recently is a bit of a mix shift from what we used to call non-FortiGate to FortiGate, or actually from FortiGate to non-FortiGate. But I think that mix shift continues on, and I think it's really what's being driven there will be more SaaS solutions inside the SecOps offering, as well as SASE. So that, that metric you're, you're referring to, I don't know if we'll ever get to industry norms in the next year or two, but I do expect to make progress in that direction.
Yeah, we set up the price based on our own kind of growth margin, operating margin. Probably much less compared to other competitors. That's where when you compare network security, we tend to be like 20%-30% of the cost compared to other... Even for SASE, we are similar there, because we feel we have a very healthy growth margin, operating margin, probably better than our competitors. So with that base and we leverage our technology with an ASIC, with a single OS, I think we can offer pretty, pretty competitive price.
Yeah, certainly on a GAAP basis, the margins are quite higher. Maybe on that topic of margins, Keith, just to, you know, bring you in more into the conversation. Just on how are you thinking about balancing growth versus profitability right now? I know obviously SASE, huge initiative, SecOps, selling some of that stuff. But there's also a lot of leverage, natural leverage in the model, I presume, from the higher software services mix. So how should we think about the puts and takes there?
Yeah, I think we've talked about, you know, kind of a baseline of we'd like to talk about 25% operating margin. In what was once an aspirational target, became an average, became a floor, and I think that served us well to talk to people outside the company in that way. And I think we've shown the ability, you know, over the last few years to do a little bit better than that floor in terms of the margin. It speaks to the leverage that exists in the business model. On the cost structure for SecOps and SASE solutions, you know, we've been probably talking for the last year or so in the earnings calls about, you know, some headwind around data centers and cloud provider fees and such.
Not so much that they were, you know, hugely meaningful, but really to pre-sell the notion that you were going to see us coming to market with more hosted solutions. And the point being, we've absorbed those costs, and I don't think, you know, investors or Wall Street have really been concerned about that cost structure. We're rolling through the COGS line, and I think we can continue to absorb those costs. We'll, we'll call them out, of course, but I don't see that being disruptive to our margin philosophy.
Just lastly, on the hiring front, I think the headcount last one or two quarters downticked sequentially. Do you foresee yourself sort of picking up the hiring going forward?
We're still hiring, and at the same time, the headcount probably a little bit flat, but we're still growing. Whether last year or every quarter, we're still growing headcount right now. We do see there's a lot of opportunity going forward, and we do need to invest in some of the growth there. Especially in the U.S., we see huge opportunity, so we kind of feel pretty aggressive on hiring people right now.
Okay, great. Well, Ken, Keith, thank you so much for your time. Thank you for everyone for joining us, and have a great rest of your day.
Thank you.
Thank you.