F5 CEO François Locoh-Donou: Don't neglect your zombie APIs

F5 CEO François Locoh-Donou, now in his seventh year running the Seattle networking and security company, wants to be an "infrastructure agnostic" provider of software that helps companies manage and protect applications spread across the cloud and on-premises systems.

F5 CEO François Locoh-Donou

The companies that built the first round of internet infrastructure didn't all make the transition to the cloud computing era. F5 did, and CEO François Locoh-Donou, now in his seventh year running the Seattle networking and security company, is steering it through yet another transition.

F5 began a pivot toward application software and security around the time he joined in 2017, after making a name for itself with networking hardware that was used widely inside the data centers of the dot-com bubble. Now its goal is to be an "infrastructure agnostic" provider of software that helps companies manage and protect applications spread across the cloud and on-premises systems.

But the enterprise software business has been slow over the past year, as recession fears collided with the hangover from the pandemic spending spree. Like many vendors, F5 has laid off staff and lowered its outlook for the year, but Locoh-Donou thinks businesses will still need to invest in software once they feel better about their own prospects.

"The expectations that consumers have of their digital experiences are way different than they were 15 years ago," he said in a recent interview. "The result is that what you have to do to both create a great digital experience and secure it is much more in depth, and actually much more complex than it was 15 years ago."

Locoh-Donou also touched on what he thinks is an overlooked part of the software supply-chain security problem and revisited the 2019 Nginx deal during our conversation.

This interview has been edited and condensed for clarity.

It's been a long time since business spending on technology has slumped the way it has over the last year. What are your thoughts from talking to customers and seeing what's happening in the world right now about the state of business technology spending?

We saw quite a sudden shift — I would say late in the fall — in the spending patterns of our customers, and then I would say it deteriorated and continued to get worse into the first calendar quarter of the year. Generally, it's deflated to what it was a year ago. We don't think it's getting worse. We don't think it's getting better yet.

Customers don't know what the next six months look like, so they've tightened their budgets. They don't want to make big spending commitments unless they absolutely have to.

I do think it will change. Application traffic continues to grow, cyberattacks don't stop. Customers can only sweat their assets for so long until they resume spending. When we saw that kind of a similar pattern in the last crisis, which was the Great Recession of 2007 and 2008, we saw this phenomenon for four to six quarters, and then people were spending again. Whether it will be the same here or not is difficult to say.

I wonder if this time is a little different or not just because of how much still needed to be built out in 2008. The world was just shifting to cloud, it was just shifting to mobile, there were all these really new drivers of application development and consumption.

I think not. Modern applications have gone mainstream; they are much more dynamic. And the expectations that consumers have of their digital experiences are way different than they were 15 years ago, in terms of the dynamic interaction, the speed of information available at your fingertips, the number of times you interact with these applications in a given day, the amount of data that these applications ingest and consume and the amount of analysis that goes on.

I think the bar is just way higher than it was 15 years ago, in terms of the whole digital experience. And the attack surface of these applications is much, much greater than it was 15 years ago, because applications are distributed because of APIs.

The result is that what you have to do to both create a great digital experience and secure it is much more in depth, and actually much more complex than it was 15 years ago. So I think because of that, you're going to continue to see investments in the space.

That makes sense. One thing I've heard a lot from folks is just that sales cycles have really extended or slowed down. Is that something you've seen as well?

Yes, sales cycles have elongated, I think it's largely driven by customers; when they tighten their purse, one easy way to do that is to insert more people in the approval process. A lot of companies have done that. And I think it's working.

The entrance to F5's headquarters building in downtown Seattle. Credit: F5

A lot of the security-related conversations that I've been having lately are around supply chain and SBOMs (software bill of materials). Where do you and F5 sit on some of those issues, especially with respect to the SBOMs?

SBOMs are going to continue to drive more awareness at most large enterprises around what needs to be done. When you have applications that are using a lot of open-source code, for a long time I think a lot of companies did not know what went into their code and where it came from. Log4j was a huge wake-up call to a lot of people, and it's causing people to be more disciplined around managing their open-source code.

And applications now interact with a lot of third-party applications, so API security is a massive issue. A lot of people don't have the ability to discover shadow APIs and zombie APIs and third-party APIs. And so you will see more and more focus going to API security at F5.

Can you go a little deeper into what exactly that is? What is the threat with these zombie APIs, and how do businesses think about dealing with that?

As more and more applications become decomposed into multiple microservices, these microservices interact via APIs, and applications also interact between (each other) via APIs. When you're providing a digital experience to your customers, what they see in the end is an application on their mobile; let's say that that application is actually a composite of maybe hundreds of microservices. Some are yours, some may be third-party microservices that all interact via APIs.

APIs are an entry point for attackers to attack an application. They can pretend to be a legitimate API call and when they're not, they can detect vulnerabilities in APIs and exploit those vulnerabilities (and) they can inject malicious code through APIs. And the challenge for a lot of companies is they don't actually know how many APIs they have in their environment, either because developers have not updated all the libraries to say, "here's all the APIs we're dealing with," or because there are APIs that were legacy and not maintained — we call those zombie APIs, or shadow APIs — or because there are third-party APIs that you are not aware of.

Part of the domain of API security is first to be able to discover all the APIs you have, manage them, and make sure you have an inventory of all your APIs. Doing that requires strong application fluency. API attacks require strong Layer 7 understanding; the people who attack APIs have a strong understanding of application logic.

One of the reasons that F5 is so well positioned to secure APIs is because we have 25 years of application fluency; we are a Layer 4 to 7 company and we have spent our lives understanding application logic to make applications work and make them secure.
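A concrete form of the discovery-and-inventory step described above, as an added example that is not F5's or Nginx's code: it reconciles a constructed API inventory (method, path template, lifecycle state) against constructed access-log lines, flagging routes seen in traffic but absent from the inventory (shadow), deprecated routes still receiving calls (zombie), and documented live routes with no traffic (idle). The inventory format, the lifecycle labels and the log layout are all assumptions made for the example.

```python
"""Reconcile a declared API inventory against observed traffic (added example)."""
import re
from collections import Counter

# Constructed inventory: (method, path template) -> lifecycle state (assumed labels).
INVENTORY = {
    ("GET", "/v2/orders/{id}"): "live",
    ("POST", "/v2/orders"): "live",
    ("GET", "/v1/orders/{id}"): "deprecated",  # legacy, no longer maintained
    ("GET", "/v2/health"): "live",
}

# Constructed access-log lines in Common Log Format style.
LOG_LINES = """\
10.0.0.5 - - [01/May/2023:10:00:01 +0000] "GET /v2/orders/123 HTTP/1.1" 200 512
10.0.0.6 - - [01/May/2023:10:00:02 +0000] "GET /v1/orders/77 HTTP/1.1" 200 498
10.0.0.7 - - [01/May/2023:10:00:03 +0000] "POST /internal/export HTTP/1.1" 200 10
10.0.0.5 - - [01/May/2023:10:00:04 +0000] "POST /v2/orders HTTP/1.1" 201 64
10.0.0.8 - - [01/May/2023:10:00:05 +0000] "GET /v1/orders/78 HTTP/1.1" 200 498
"""

# Pull the method and path out of the quoted request line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def normalize(path: str) -> str:
    """Drop the query string and collapse numeric segments to {id},
    so /v2/orders/123 matches the template /v2/orders/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.split("?")[0])


def classify(log_text: str, inventory: dict) -> dict:
    """Return shadow / zombie / idle route sets plus per-route call counts."""
    seen = Counter()
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            seen[(m["method"], normalize(m["path"]))] += 1
    shadow = {r for r in seen if r not in inventory}              # undocumented, in use
    zombie = {r for r in seen if inventory.get(r) == "deprecated"}  # retired, still called
    idle = {r for r, s in inventory.items() if s == "live" and r not in seen}
    return {"shadow": shadow, "zombie": zombie, "idle": idle, "counts": dict(seen)}


if __name__ == "__main__":
    for kind, value in classify(LOG_LINES, INVENTORY).items():
        print(kind, value)
```

Routes in the shadow and zombie sets are the ones an inventory-driven review would escalate first, since neither is covered by the team's current documentation or maintenance.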

It's been a couple of years since the Nginx deal, which is a big target for attackers. How has that deal gone at this point, in terms of benefits you've seen or integration that needed more work than you thought?

We acquired Nginx because we saw that our customers were building more and more of these modern applications in container-native environments, specifically in Kubernetes-orchestrated environments. And we did not have a native form factor to insert the right security and application delivery (software) in these environments.

Nginx has this very lightweight form factor that can be used to deliver all these application services; load balancing, firewall, networking, security capabilities. When you are deploying in a Kubernetes environment, Kubernetes does the orchestration of your container environments. But when you want to deploy at scale in production, there are all kinds of security and networking needs that you have that Kubernetes does not address and will not address, and Nginx is really the answer to that.

It has grown quite a bit since our acquisition. We have several thousand customers now leveraging Nginx but, more importantly, our customers really are leveraging Nginx and BIG-IP together.

The value of our software here is that F5 is actually infrastructure agnostic. Relative to whether it's a CDN company, or hyperscaler, or even the private cloud companies like VMware, our software can run in any environment. We're increasingly seeing companies deploy applications in multiple clouds, and for that to be successful, you want a cloud-agnostic or infrastructure-agnostic set of solutions that will run across all these environments.
