300-815 answers - Implementing Cisco Advanced Call Control and Mobility Services (CLACCM) - CCNP Updated: 2023

Shares of Cisco Systems Inc. fell more than 11% in extended trading today as the company warned it will likely miss analysts’ expectations in its fiscal second quarter by a wide margin.

The company expects this to have a knock-on effect, and its forecast for the current fiscal year also came in low.

The disappointing guidance came in the wake of a solid earnings beat. The company reported first quarter earnings before certain costs such as stock compensation of $1.11 per share, with revenue up 8% from a year earlier to $14.67 billion. The results were better-than-expected, with analysts looking for earnings of just $1.03 per share on sales of $14.61 billion.

All told, Cisco reported a net income of $3.64 billion for the quarter, up from $2.67 billion a year earlier.

Cisco said its problem is that it has experienced a notable slowdown in new product orders during the quarter. This is because many of its clients are currently busy installing and implementing products that were delivered recently, over the prior three quarters, Cisco Chief Executive Chuck Robbins (pictured) said in a conference call with analysts.

During the COVID-19 pandemic, the company had been stuck with a backlog of unfulfilled orders caused by component shortages. But its supply chain constraints eased rapidly about a year ago as China exited its lockdown strategy, leading to a glut of product deliveries over the last four quarters. Now, customers have their hands full implementing all of those products.

“Our customers and our sales organizations have been very clear with us over the last 90 days that this is the issue,” Robbins said, though he also admitted that sales cycles are still longer than is usually the case.

According to Robbins, “customers are now taking time to onboard and deploy these heightened product deliveries,” hence the slowdown in new orders. He said it’s mainly larger enterprises, service providers and cloud customers that are facing these challenges, adding that the issue was “most pronounced in October.” On average, Cisco’s biggest customers are waiting to implement one to two quarters’ worth of shipped products, he added.

Cisco had a good quarter, but is now suffering from its post pandemic high, when it was finally able to deliver pandemic orders it could not fulfill due to supply chain challenges. Now that it has fulfilled those orders, the demand has weakened as enterprises are implementing and the channel reducing inventories. The good news is all product lines are growing, which has not been too often the case, and Cisco delivered approximately 1B more in profit on roughly 1B more in revenue, which means Chuck Robbins and team have kept costs constant and EPS per share are up a quarter. Let’s see if this trends continues.

Because of these customer issues, Cisco could only offer a much lower forecast than Wall Street analysts had been anticipating. Officials said they’re looking for earnings of between 82 and 84 cents in the second quarter, with revenue of $12.6 billion to $12.8 billion, implying a 7% decline from one year earlier. That compares very badly with the Street’s forecast of 99 cents pre share in earnings and $14.19 billion in sales.

For the full year, Cisco is reducing its revenue forecast while bumping up its view on earnings. The company now sees full-year earnings of between $3.87 and $3.93 on revenue of $53.8 billion to $55 billion. Previously, it had forecast a range of $3.19 to $3.32 in earnings and $57.0 billion to $58.2 billion in revenue. In any case, the new forecast is not great, as Wall Street is hoping for earnings of $4.05 per share on sales of $57.7 billion.

The after-hours stock decline masks the fact that Cisco delivered strong quarterly results, thanks to it finally being able to deliver pandemic-era orders that could not be fulfilled earlier, said Holger Mueller of Constellation Research Inc. “But now those orders have been shipped, it is faced with weakening demand as enterprise implement those products and the channel reduces inventories,” he explained.

Charles King of Pund-IT Inc. said Cisco has been caught on one of those “damned if you do, damned if you don’t situations”, because it did a great job in recovering from the pandemic-related supply chain chaos and has gotten back its manufacturing mojo. However, he said many of its customers have been slower off the mark. “Many are still struggling to deploy and configure the new kit they ordered months ago, so you can’t really blame them for slowing or stopping orders to deal with the backlog,” King said. “But investors appear to be blaming Cisco anyway, for failing to live up to analysts’ consensus. That may be short-sighted, but no one ever said that life, let alone the markets, are fair.”

In the longer term, Cisco’s prospects do look better. During the quarter, it announced that it intends to buy the data analytics and cybersecurity software giant Splunk Inc. in a bumper $28 billion deal, which would be its largest-ever acquisition. The move catapults Cisco, which is best known for its networking gear as well as other data center equipment, to the leading ranks of cybersecurity providers.

Robbins said at the time the deal was announced that the combination of Cisco’s and Splunk’s data would have real value for enterprises, allowing them to “move from threat detection and response to threat prediction and prevention.” He said it will enable Cisco to become one of the world’s largest software companies.

Besides its cybersecurity ambitions, Cisco has a lot of hope for artificial intelligence in the longer term. During the conference call, Robbins told analysts that his company believes it can win more than $1 billion worth of orders in fiscal 2025 for AI infrastructure from cloud providers alone. He said cloud providers are looking to move to “more of a standard, broad-based technology like Ethernet, where they can have multiple sources” to support AI networking workloads.

Mueller said it’s also notable that Cisco is running a tight ship in terms of its business expenditures. “Investors can be pleased that all of Cisco’s product lines grew during the previous quarter, which has not been the case too often,” he added. “That allowed Cisco to deliver approximately $1 billion in profit on almost $15 billion in revenue. That shows Cisco has kept its cost base constant, resulting in increased earnings per share. Cisco needs to continue this trend.”

The after-hours stock decline means that Cisco’s shares are now up just 12% in the year-to-date, trailing the wider S&P 500 index, which is up 17% for the year.

Photo: Fortune GLOBAL FORUM/Flickr

Abstract

Reviews Cisco System's approach to implementing Oracle's Enterprise Resource Planning (ERP) software product. This case chronologically reviews the diverse, critical success factors and obstacles facing Cisco during its implementation. Cisco faced the need for information systems replacement based on its significant growth potential and its reliance on failing legacy systems. The discussion focuses on where management was particularly savvy in contrast to where it was the beneficiary of good fortune.

Keywords

Citation

© 2023 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.

Ask any CIO or CISO, and they’ll tell you that protecting, securing and, if necessary, recovering data are major points of concern. Having a strong data and security posture is vital for maintaining data integrity, customer confidentiality, business operations and an organization's cyber resilience. Yet the challenges around data security are only getting harder in a world where companies increasingly operate in hybrid, multi-cloud IT environments, while bad actors use everything from ransomware to generative AI to threaten enterprise data.

Hackers now have nation-state budgets to draw from, and hacking as a service is a very robust business. The security centerpoint has shifted from solely perimeter defense of data, adding identification of the threat, adding removal of the bad actors, then adding recovery of the data and fixing the damage done.

The other trend we are seeing is the shift from one-off security and data protection packages to “suites” of software and services. ”Best in breed” solutions are great at first, but enterprises realize that by the time they have integrated the new bits, they are one to two revs behind. They have also learned that integration itself is causing security issues and consuming many resources. This is why the market is shifting to “suites.”

Commvault Cloud Fights AI With AI

With this in mind, I was glad to talk with Commvault CEO Sanjay Mirchandani about his company’s brand-new platform, Commvault Cloud. This new AI-powered offering combines the company's SaaS and software data protection solutions into a single platform to provide control over an organization’s data with unified visibility. This new platform also brings together data protection, security, intelligence and recovery, with a focus on cyber resilience—which has never been more timely given today’s threat landscape.

“The world of data protection as we know it and data security as we know it is becoming one,” Mirchandani told me, “and when it becomes one, the real purpose behind what you’re trying to do is to provide your business resilience.” Commvault Cloud does this by enabling data protection and recovery for any type of workload across any infrastructure in any location.

All of this is supported by Commvault’s new Metallic AI, a suite of AI- and ML-driven data protection and security solutions that enable faster threat prediction, faster threat response and clean data recovery. Commvault Cloud users can also access a new integrated AI copilot called Arlie (derived from “autonomous resilience”). Users can ask the assistant questions, and Arlie provides practical answers in natural language. Among other things, Arlie can provide real-time threat analysis, generate relevant code snippets for integrations, offer recommendations for optimizing cyber resilience or help a user verify a clean recovery point for an enterprise system. For starters, Arlie integrates with Azure OpenAI; other GAI integrations are slated to follow soon.

Reducing recovery time—ideally to just hours—after a cyberattack is vital, because longer downtimes can lead to significant costs and the erosion of trust from customers, potentially causing a loss of clientele and revenue. As part of addressing this critical need, Commvault has developed its new Cleanroom Recovery solution. By combining Commvault and Microsoft Azure capabilities, this service enables customers to recover a clean backup of their data in a “cleanroom” in the cloud to expedite the recovery journey.

Commvault is also preparing to launch Platinum Resilience, a fully managed service to help companies thwart cybersecurity threats and support disaster recovery. The service, which is being piloted with some customers through an early-access program this year, is planned for general availability early in 2024. Commvault is confident enough in the program that it comes with a warranty (the details of which we haven’t yet seen).

Hybrid Environments Need Hybrid Data Protection

Enterprises are seeking a single solution for data protection that offers security and improved efficiency across their entire IT environments, including on-premises infrastructure, private clouds and public clouds. Commvault addresses this need with its hybrid approach to cyber resilience. According to Mirchandani, Commvault's philosophy is straightforward: no workload, new or legacy, is left behind or unprotected.

By covering all types of workloads across all locations, the company’s approach also doesn't force customers into awkward choices between SaaS or on-premises software. The company also simplifies safeguarding data by implementing a single policy engine that covers every aspect of a business’ data.

Commvault, headquartered in Tinton Falls, New Jersey operates development centers in India, the U.K. and New Jersey. Commvault originated in 1988 as a data management, backup and recovery development group within Bell Labs. It was subsequently established as a business unit within AT&T Network Systems. Following AT&T's reorganization, the group became a part of Lucent Technologies before being spun off in 1996 to become an independent company. It anticipates achieving revenue of approximately $820 million in its fiscal year 2024.

A Rapidly Evolving Market

Global spending on security and risk management is expected to reach $215 billion in 2024, a 14.3% increase from the estimated $188 billion in 2023, according to Gartner, Inc. This growth is attributed to factors such as the adoption of hybrid work models, cloud technologies, GAI and increased efforts to Strengthen security governance and data protection. Spending on data privacy and cloud security is projected to grow by more than 24% annually for the next several years. Organizations are maintaining a strong focus on privacy due to new regulations that influence the processing of personal data, particularly against the backdrop of hype about artificial intelligence. Gartner forecasts that by 2025, privacy regulations will create legal protections for the personal data of 75% of the global population. This trend, along with the surge in cloud services usage, is driving increased investment in cloud security and data management.

Competitive Landscape

While Commvault is a recognized leader in data protection, the company has worked hard to bring together separate SaaS and software capabilities onto one platform, removing complexity and simplifying management. Moor Insights & Strategy will be tracking the execution, quality and customer feedback of these integrated parts. Commvault is one of many security vendors that have turned to AI to Strengthen their cybersecurity products and services. Cisco, for example, employs AI for advanced threat detection and management across its security products. Symantec, now a part of Broadcom, integrates AI to strengthen its threat detection and response capabilities. Similarly, Microsoft leverages AI across its security solutions, including Azure Security, to augment threat detection and response efforts.

In the area of data protection solutions, Veeam is recognized for scalable options in virtualized settings, while Veritas is valued for its AI-driven anomaly detection, workload and cloud protection. IBM's data products are notable for giving hybrid cloud environments a focus on governance and security. Rubrik stands out for its cloud-native solutions that prioritize encryption and immutability for multi-cloud data safety. Cohesity is known for its simplified, scalable, hyperconverged platform. Dell offers dependable, high-performing IT solutions across data protection and recovery.

AI Is Not Always Right

It’s important to know that AI-powered security platforms can come with potential issues. AI may produce false positives, creating invalid threat alerts and potentially wasting security team efforts. There can be biases within AI algorithms that may cause them to detect some threats more frequently than others, leading to overlooked vulnerabilities. For effective use, these platforms need to be able to explain their decisions to human operators, ensuring that the reasoning behind identified threats is clear and actionable. To minimize risks associated with AI-powered security platforms, organizations can use a layered approach to security with a variety of tools, both AI-driven and traditional. Continually monitoring these platforms is critical to quickly catch and correct any false positives. Regular testing is essential to confirm these systems’ efficacy and discover any hidden vulnerabilities.

Wrapping Up

In our view, Commvault is charting the right course with the Commvault Cloud platform, which enables a hybrid strategy for data security. Its focus on resilience is well-tuned to current market needs. Nonetheless, as the company embarks on its new initiatives, Commvault must tread carefully to fulfill its commitments without sacrificing quality, but still remain focused on the future and continued development of Commvault Cloud. While the growing reliance on AI brings greater efficiency, productivity and innovation, it can also bring issues related to data integrity and the essential need for ethical guidelines to ensure responsible AI use.

Commvault Cloud is available with multi-level SaaS pricing via several marketplaces, including Oracle Cloud, Microsoft Azure, Google Cloud and Salesforce AppExchange.

Note: This analysis was co-written by vice president and principal analyst for Enterprise Data and ERP, Robert Kramer.

Secure-by-design as a requirement is coming. Developers should start preparing for it now.

The March 2023 National Cybersecurity Strategy (NCS) includes, “In setting cybersecurity regulations for critical infrastructure, regulators are encouraged to drive the adoption of secure-by-design principles…”

There are two important elements to this. The concept of secure-by-design is introduced but not defined; and it is implied that this undefined concept will be enforced on the critical infrastructure by regulations that are yet to be established. This is more than a little nebulous but is something that cannot be ignored.

At the end of February 2023, CISA’s director Jen Easterly had said that federal procurement power will be used to encourage secure-by-design. In April 2023, CISA published a set of principles to achieve ‘secure-by-design’. In September 2023, CISA announced that it had hired Pieter (Mudge) Zatko “to help us collaboratively shape a culture of security by design that is foundational to every security team…”

Secure-by-design is clearly important to the federal government, and there is a strong possibility that it will become a regulatory requirement for the critical industries enforced through an Executive Order. But what does secure-by-design mean, and how can it be measured for enforcement?

In August 2023, Lawfare announced a new project seeking to provide the answers – specifically, how do you define it, how do you measure it, how do you translate this into regulations, and how should you enforce those regulations?

All product developers describe their products as secure-by-design. However, the justification for this claim differs between different vendors. 

Kelly Bissell, CVP Microsoft Security, comments, “Our approach to secure design is to implement security and privacy considerations throughout all phases of the development process from ideation to support plus SbD within development environment tools and processes – no matter the product. It’s a principle that goes back to 2002’s Trustworthy Computing initiative.”

This may be true. But while Bill Gates’ 2002 internal memo stating, “Our responsiveness has been unmatched – but as an industry leader we can and must do better,” may have led to the Trustworthy Computing (TwC) unit and the development of the Microsoft Security Development Lifecycle (published in 2008), nowhere does it define ‘secure-by-design’ in general purpose terms. The TwC was effectively disbanded as a single unit in 2014.

Scott Gerlach, Co-Founder and CSO at StackHawk, similarly describes secure-by-design as a process, without defining the steps contained in that process. “Secure-by-design places accountability on product teams to ensure from product inception to delivery, security is not an afterthought,” he told SecurityWeek. “Any playbook designed to achieve ‘secure-by-design’ must prioritize security with the same level of importance as desired features.”

Cisco also describes its process as proof of security-by-design. “Over the years, Cisco has established a mature secure-by-design program,” claims Matt Fussa, trust officer at Cisco. “Cisco continues to build the program with a substantive software transparency program centered in SBOM, SSDF and Vulnerability Information Exchange (VEX), uplifting the build environment security to Salsa (SLSA) Level 3.”

Pieter Danhieux, co-founder and CEO at Secure Code Warrior, continues the same theme from the opposite direction: “I tend to think about the definition of secure-by-design in simple terms,” he said. “If security has not been made a priority from the very beginning of a product or software build, then chances are good that the product in question will not have security baked in.”

John Steven, CTO at ThreatModeler, summarizes the current situation. “’Secure-by-design’ has been diluted by vendors taking a piece of it as their description of perceived differentiation. But no vendor can own ‘secure-by-design’, it’s a capability that leverages multiple tools and techniques within an organization’s software delivery culture.”

In effect, secure-by-design is currently just a label that says, ‘Our product is secure-by-design because in our opinion our proprietary processes justify us saying it is.’ This is good for the seller, but bad for the buyer – and meaningless for the NCS’ intent to drive secure-by-design through regulations on the critical industries.

You cannot regulate what is not specified and cannot be measured.

A definition for secure-by-design may lie in a universally applicable standardization of the approach currently taken by individual developers: the process. This would require a formalized process applicable to all product development. It would be a mammoth task more difficult for hardware than software, but possible. And it may be the path already chosen by CISA.

Gavin Ferris, CEO of LowRISC, comments, “the most relevant current definition of secure-by-design can be found in the guidance document published in April of this year by CISA, jointly developed with the FBI, NSA and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand.”

That definition states, “’Secure-by-Design’ means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure. Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.”

On its own, this is still a description of intent rather than an enforceable generalized process. However, the document goes one step further by providing a set of principles to be used by all developers: “a non-exhaustive list of illustrative roadmap best practices”. A secure-by-design specification would require this to be expanded into ‘a full list of required roadmap best practices’.

This will take time and may still be unenforceable. However, it is noticeable that CISA is not limiting secure-by-design to software but includes the concept of secure-by-design hardware – recommending a visit to the University of Cambridge’s CHERI webpage. CHERI (Capability Hardware Enhanced RISC Instructions) is a joint research project ‘to revisit fundamental design choices in hardware and software to dramatically Strengthen system security.’

Cambridge is also home to the OpenTitan silicon-based root of trust (S-RoT) project guided by LowRISC. LowRISC’s OpenTitan project director, Dom Rizzo, comments, “Secure-by-design systems need to be anchored by a hardware root of trust — such as OpenTitan — or the laudable work being done at the software level can be undone. For example, SBOMs are an excellent idea, but in the absence of a silicon RoT, what ultimately guarantees that what’s in the SBOM is what’s actually running on your system? Or similarly, if your machine is attacked below the operating system level — and Microsoft has reported that 83% of businesses have been so attacked — a hardware RoT is vital both to detecting this, and to ensuring that the original firmware can be safely reinstated.”

If the NCS’s intent is to place the burden of security more on the product provider than on the product user, and secure-by-design is intended to make this possible, then secure-by-design hardware must be added to the mix. You cannot have secure software if it is running on insecure hardware. But a universally enforceable and measurable process for hardware is altogether more complex than one for software.

The ideal solution would be the development of standard processes – a secure-by-design specification – that can ultimately provide a playbook for product developers. CISA has a start point for software: the NIST SSDF. “Presently, the best organizations can do is largely governed by process or activity-based metrics,” says Steven. “The NIST SSDF (800-218) provides a guide. Organizations gauge how many activities from the SSDF’s design and defect discovery domains it employs.”

CISA agrees. “The Secure Software Development Framework (SSDF), also known as National Institute of Standards and Technology’s (NIST) SP 800-218, is a core set of high-level secure software development practices that can be integrated into each stage of the software development lifecycle (SDLC),” states its April document. 

‘Following these practices can help software producers become more effective at finding and removing vulnerabilities in released software, mitigate the potential impact of the exploitation of vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.”

However, we should remember the purpose of the NCS’ drive toward secure-by-design is ‘to shift liability onto those entities that fail to take reasonable precautions to secure their software’, and ‘to leverage federal procurement to Strengthen accountability’. The strategy is also strong on the concept of regulation.

The NCS is primarily about software, although it also mentions the need for secure IoT devices. Hardware more generally will likely be drawn into the mix because of the futility of secure software running on insecure hardware.

But this is still only the beginning. If we assume that it will eventually be possible to specify secure-by-design, procurement of secure-by-design products will depend upon visible proof of secure-by-design processes. This is best achieved through an enforceable secure-by-design specification.

Regulation can be mandatory or voluntary. It can be a required ‘proof of compliance’ by regular audit, or an ongoing self-assessment assertion.

Regular imposed audits are expensive, time -consuming, and can be self-defeating. Passing an audit means a company is in compliance at the point of the audit. Companies can easily slip out of secure-by-design compliance when there is no real pressure to comply before the next audit – they are already in possession of a current secure-by-design certificate. The cost could also have a depressing effect on new startup innovation.

Self-assessment generally becomes a tick-box exercise against a list of requirements. This is not necessarily a bad thing if done adequately and visibly. Buyers can be presented with a list of areas met, and can compare different product assertions before making a choice.

Regulating self-assessment falls on the procurement side: federal buyers can be required to purchase only products complying with a minimum level of secure-by-design specifications. Enforcement of tick-box accuracy can be achieved by refusing to do further business with providers ever proven to have made false claims in their secure-by-design assertions; this is what is meant by ‘leverage federal procurement to Strengthen accountability’.

Second-guessing detailed CISA intentions is a futile task, but it will be required to assist in the implementation of the National Cybersecurity Strategy — and it will have been a major contributor to that strategy. It knows what it is doing. Enforcing, or at least encouraging secure-by-design will require a specification of secure-by-design. The current focus is clearly on software, but for the process to be fully successful, it will inevitably expand into at least some areas of hardware.

Delivering secure-by-design is a mammoth and complex task. It will be a multi-year project for CISA — but we should never underestimate the softly-softly persistence of the agency. Secure-by-design as a requirement is coming, and developers could do worse than to start preparing for it now.

Confirming the ‘softly-softly persistence’ of the agency, CISA published updated secure by design principles on October 16, 2023. The project has now been joined by an additional eight international cybersecurity agencies: the Czech Republic, Israel, Singapore, Korea, Norway, OAS/CICTE CSIRTAmericas Network, and Japan (JPCERT/CC and NISC).

“This updated guidance,” notes CISA, “includes feedback received from hundreds of individuals, companies, and non-profits. It expands on the three principles defined in the initial guidance: Take Ownership of Customer Security Outcomes, Embrace Radical Transparency and Accountability, and Lead From the Top.”

Related: From Basecamp to Icefall: Secure by Design OT Makes Little Headway

Related: CISA Unveils Cybersecurity Strategic Plan for Next 3 Years

Related: CISA Unveils New HBOM Framework to Track Hardware Components

Related: Mirai Variant V3G4 Targets 13 Vulnerabilities to Infect IoT Devices

SAN JOSE, Calif., Nov. 15, 2023 /PRNewswire/ --

News Summary:

• Strongest first quarter results in Cisco's history in terms of revenue and profitability with $14.7 billion in revenue, up 8% year over year; GAAP EPS $0.89, up 37% year over year, and Non-GAAP EPS $1.11, up 29% year over year
• Progress on business model transformation in Q1 FY 2024:
  • Total software revenue up 13% year over year and software subscription revenue up 13% year over year
  • Total annualized recurring revenue (ARR) at $24.5 billion, up 5% year over year and product ARR up 10% year over year
  • Remaining performance obligations (RPO) at $34.8 billion, up 12% year over year and product RPO up 14% year over year
• Strong Q1 revenue across Cisco product portfolio, driven by customers' investments in Generative AI, Cloud, Security, and Full Stack Observability
• Q1 FY 2024 Results:
  • Revenue: $14.7 billion
    • Increase of 8% year over year
  • Earnings per Share: GAAP: $0.89 ; Non-GAAP: $1.11
    • GAAP EPS increased 37% year over year
    • Non-GAAP EPS increased 29% year over year
• Q2 FY 2024 Guidance:
  • Revenue: $12.6 billion to $12 .8 billion
  • Earnings per Share: GAAP: $0.59 to $0.64 ; Non-GAAP: $0.82 to $0.84
• FY 2024 Guidance:
  • Revenue: $53.8 billion to $55 .0 billion
  • Earnings per Share: GAAP: $2.97 to $3.08 ; Non-GAAP: $3.87 to $3.93

Cisco today reported first quarter results for the period ended October 28, 2023. Cisco reported first quarter revenue of $14.7 billion, net income on a generally accepted accounting principles (GAAP) basis of $3.6 billion or $0.89 per share, and non-GAAP net income of $4.5 billion or $1.11 per share.

"We had a solid start to fiscal 2024 with the strongest Q1 results in our history on both revenue and profitability," said Chuck Robbins, chair and CEO of Cisco. "We are confident in the foundational strength of our business and future growth opportunities fueled by AI, Security, Cloud, and Observability."

"In Q1, we delivered revenue and EPS at the high end or above our guidance range, generating strong operating leverage," said Scott Herren, CFO of Cisco. "We also saw double-digit year-over-year growth in software revenue, product ARR and total RPO. After customers implement large amounts of recently shipped product, we expect to see product order growth rates accelerate in the second half of the year. We are committed to delivering operating leverage and increasing capital returns to our shareholders."

Reconciliations between net income, EPS, and other measures on a GAAP and non-GAAP basis are provided in the tables located in the section entitled "Reconciliations of GAAP to non-GAAP Measures."

Cisco Declares Quarterly Dividend

Cisco has declared a quarterly dividend of $0.39 per common share to be paid on January 24, 2024, to all stockholders of record as of the close of business on January 4, 2024 . Future dividends will be subject to Board approval.

Financial Summary

All comparative percentages are on a year-over-year basis unless otherwise noted.

Q1 FY 2024 Highlights

Revenue -- Total revenue was $14.7 billion, up 8%, with product revenue up 9% and service revenue up 4%. Revenue by geographic segment was: Americas up 14%, EMEA flat, and APJC was down 3%. Product revenue performance reflected growth in Networking up 10%, Security up 4%, Observability up 21% and Collaboration up 3%.

Gross Margin -- On a GAAP basis, total gross margin, product gross margin, and service gross margin were 65.2%, 64.5%, and 67.3%, respectively, as compared with 61.2%, 59.2%, and 67.3%, respectively, in the first quarter of fiscal 2023.

On a non-GAAP basis, total gross margin, product gross margin, and service gross margin were 67.1%, 66.5%, and 69.0%, respectively, as compared with 63.0%, 61.0%, and 68.8%, respectively, in the first quarter of fiscal 2023.

Total gross margins by geographic segment were: 66.2% for the Americas, 69.5% for EMEA and 67.0% for APJC.

Operating Expenses -- On a GAAP basis, operating expenses were $5.3 billion, up 10%, and were 36.0% of revenue. Non-GAAP operating expenses were $4.5 billion, up 5%, and were 30.5% of revenue.

Operating Income -- GAAP operating income was $4.3 billion, up 21%, with GAAP operating margin of 29.2%. Non-GAAP operating income was $5.4 billion, up 24%, with non-GAAP operating margin at 36.6%.

Provision for Income Taxes -- The GAAP tax provision rate was 18.1%. The non-GAAP tax provision rate was 19.0%.

Net Income and EPS -- On a GAAP basis, net income was $3.6 billion, an increase of 36%, and EPS was $0.89, an increase of 37%. On a non-GAAP basis, net income was $4.5 billion, an increase of 28%, and EPS was $1.11, an increase of 29%.

Cash Flow from Operating Activities -- $2.4 billion for the first quarter of fiscal 2024, a decrease of 40% compared with $4.0 billion for the first quarter of fiscal 2023, primarily due to the timing of tax payments.

Balance Sheet and Other Financial Highlights

Cash and Cash Equivalents and Investments -- $23.5 billion at the end of the first quarter of fiscal 2024, compared with $26.1 billion at the end of fiscal 2023.

Remaining Performance Obligations (RPO) -- $34.8 billion, up 12% in total, with 51% of this amount to be recognized as revenue over the next 12 months. Product RPO were up 14% and service RPO were up 11%.

Deferred Revenue -- $25.7 billion, up 11% in total, with deferred product revenue up 12%. Deferred service revenue was up 11%.

Capital Allocation -- In the first quarter of fiscal 2024, we returned $2.8 billion to stockholders through share buybacks and dividends. We declared and paid a cash dividend of $0.39 per common share, or $1.6 billion, and repurchased approximately 23 million shares of common stock under our stock repurchase program at an average price of $54.53 per share for an aggregate purchase price of $1.3 billion . The remaining authorized amount for stock repurchases under the program is $9.7 billion with no termination date.

Acquisitions

In the first quarter of fiscal 2024, our closed acquisitions include:

• Accedian, a privately held network performance monitoring company
• Working Group Two, a privately held company that developed a cloud native mobile services platform
• Oort, Inc., a privately held company focused on identity threat detection and response technology
• SamKnows, a privately held broadband network monitoring company
• Code BGP, Inc., a privately held border gateway protocol monitoring company

Cisco's Intent to Acquire Splunk

On September 21, 2023, we announced our intent to acquire Splunk Inc., a public cybersecurity and observability company. The acquisition is expected to close by the end of the third quarter of calendar year 2024, subject to regulatory approval and other customary closing conditions including approval by Splunk shareholders.

Guidance

Cisco saw a slowdown of new product orders in the first quarter of fiscal 2024 and believes the primary reason is that customers are currently focused on installing and implementing products in their environments following exceptionally strong product delivery over the past three quarters. Cisco estimates there are one to two quarters of shipped product orders still waiting to be implemented by its customers.

Cisco expects to achieve the following results for the second quarter of fiscal 2024:

Cisco estimates that GAAP EPS will be $0.59 to $0 .64 for the second quarter of fiscal 2024.

Cisco expects to achieve the following results for fiscal 2024:

Cisco estimates that GAAP EPS will be $2.97 to $3 .08 for fiscal 2024.

Our Q2 FY 2024 guidance assumes an effective tax provision rate of 17% for GAAP and 19% for non-GAAP results. Our FY 2024 guidance assumes an effective tax provision rate of 18% for GAAP and 19% for non-GAAP results.

A reconciliation between the Guidance on a GAAP and non-GAAP basis is provided in the tables entitled "GAAP to non-GAAP Guidance" located in the section entitled "Reconciliations of GAAP to non-GAAP Measures."

Editor's Notes:

• Q1 fiscal year 2024 conference call to discuss Cisco's results along with its guidance will be held on Wednesday, November 15, 2023 at 1:30 p.m. Pacific Time . Conference call number is 1-888-848-6507 ( United States ) or 1-212-519-0847 (international).
• Conference call replay will be available from 4:00 p.m. Pacific Time, November 15, 2023 to 4:00 p.m. Pacific Time, November 22, 2023 at 1-800-834-5839 ( United States ) or 1-203-369-3351 (international). The replay will also be available via webcast on the Cisco Investor Relations website at https://investor.cisco.com.
• Additional information regarding Cisco's financials, as well as a webcast of the conference call with visuals designed to guide participants through the call, will be available at 1:30 p.m. Pacific Time, November 15, 2023 . Text of the conference call's prepared remarks will be available within 24 hours of completion of the call. The webcast will include both the prepared remarks and the question-and-answer session. This information, along with the GAAP to non-GAAP reconciliation information, will be available on the Cisco Investor Relations website at https://investor.cisco.com.