Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

All right. Good morning, everyone. I am Melissa Franchi, cybersecurity analyst here at Morgan Stanley. Very happy today to have Zscaler management. We have Remo Canessa, CFO; and then we also have Amit Sinha, CTO and President of R&D Cloud Ops and Support. Thank you both for being here. Before we get started, let me just read the disclosures. Please note that all important disclosures, including personal holding disclosures and Morgan Stanley disclosures appear at the Morgan Stanley public website at www.morganstanley.com/researchdisclosures or at the registration desk. Great. With that, let's kick it off.

Maybe, Amit, let's start with you. So Zscaler actually was founded more than 10 years ago. But it really seems like over the past 2 years, you've really started to see accelerating momentum. I think, that's on the back of increased enterprise adoption or willingness to adopt more cloud-based security solutions. Can you talk about what stage do you think we are in terms of that transformation and security architectures towards more modern cloud-based approaches versus the traditional perimeter-based security that we've known for a while?

Yes, sure. So when Zscaler was founded, the first iPhone had just come out. And there was one cloud application from an enterprise perspective that everyone was talking about, it was salesforce.com. Fast forward to today, 9 out of 10 CIOs that I talked to are adopting Office 365. We're seeing increased adoption of overall SaaS applications. We're seeing SD-WAN, where customers that had a traditional hub-and-spoke network, where all their branches and users, VPN back to 1 data center or 2 data centers, now going more direct to the cloud. And all of that, the application transformation as the center of gravity moves from the data center to the cloud as your users become more and more mobile, as your branches go more and more local, it's forcing the whole security transformation that Zscaler is driving aggressively. Where are we in that journey? I mean, we're focused on large global organizations that have lots and lots of employees across the world. We're deployed in over 400 of the Global 2000 organizations. So 400 done, 1,600 more to go.

Yes. Our run rate business is about $400 million coming off of last quarter. The TAM, both for the -- that security stack for the network security is over $20 billion. So there's a long way for us to go. And we feel we have the right solution, and we feel the market is coming to us.

To what extent are you engaging with enterprises today to transform the entire network security stack and kind of re-architect what they've been doing historically versus just initially a replacement of the traditional web security gateway and then maybe it expands over time? Can you just talk about how the customer engages with you and how that's changed recently?

I'll start, then I'll let Amit go. The Transformation Bundle that we have for ZIA at the time of our public offering, which is a couple of years ago, was around 20%. It went up to 35% and now it's 43%. When you go transformation, what you're doing basically is saying, you're going to go directly to the cloud through our security stack, and not back -- calling back into the data center. So that is moving in that direction, with the growth rate going up to the 43% last year. In addition, there's 2 pieces, you got the outbound and the inbound. The ZIA is the outbound, the inbound is the ZPA. It's a product that we introduced about 3 years ago or so -- a little over 3 years ago. It's gone from 4% to 10% to 14% of our new business over the last 3 years. It represents basically single-digit revenue currently. So there's room for that to grow also. And I'll turn it over to Amit.

Yes. I mean, I -- the Zscaler sales motion is a top-down CIO-, CXO-driven sale -- sales process. And what we look at is not just replacing a proxy, I mean we started off as a secured web gateway. But over the course, Zscaler has added the full outbound security stack in everything from a next-gen firewall to SSL intercepting proxy, everything from in line AV scanning to cloud sandboxes, everything from data loss prevention to CASB style controls, right? So once a customer has done the hard part of transforming their network, which is plumbing their network, going through Zscaler, allowing users to authenticate, adding those services on top of that is relatively a frictionless process, right? So we don't want to be a one-trick pony, replace this box with Zscaler. We want to look holistically at what sits between a user and destinations that they want to access. On the outbound path, it's the Internet and the SaaS applications they are accessing. On the inbound side, traditionally, they might have used a VPN to access some internal application, maybe an SAP application, maybe a wealth management application. Those applications themselves are transforming. They're going to Azure, they're going to AWS. And so we want to sit between users, and destinations become the policy engine, give them awesome user experience because the entire security services right next to where the users are present. Gartner calls it SASE. So when you're in San Francisco, the entire Zscaler security service is available in San Francisco, and we are co-located in much of the same data centers, where most of the applications that users want to access reside. So we're looking at it at a holistic level.

Yes. And one thing also, Zscaler's platform play under one code base. So everything that basically that we've developed, it's pretty much been developed by Zscaler. We've done a couple of small acquisitions. One was the browser isolation, which we rewrote the code to be on our platform in an AI company. So pretty much all homegrown under one code base with a multi-tenant architecture.

Just given the fact that you're increasingly selling more transformational deals, can you talk about what you're seeing from a sales cycle perspective? I think -- and these are big, large undertaking to transform your security architecture, but there is an increased comfortableness or comfort with changing your security architecture. So are you seeing sales cycles shorten as enterprises are getting comfortable with this new approach? Or is it still a pretty high hurdle?

It's still the same as it was before. There's really not much change. For smaller customers, it's 3 to 6 months after the customer has decided to do the transformation. Larger customers, more than 9- to 12-month type range. So not really much changed yet in the sales cycle.

Okay. Got it. I mean, you've talked about the concept of SASE, a Gartner term, secure access service edge. Can you talk about how Zscaler's technology fits into that theme? Is it within customer's vocab today to come to you for SASE-specific solutions. And related to that, what are the principles within SASE? Is it really the convergence of network as a service as well as network security as a service? So how do you play in that network as a service?

Right. It's a great question. So I'm very happy that Gartner has coined a SASE term and actually defined what SASE means. If Zscaler wrote a constitution for itself, it would be SASE, right? So this is just great. So we're getting a lot of inbound interest, and it's not just Zscaler talking about that, but Gartner and rest of the customer base as well. So what is SASE? I mean, SASE boils down to 4 core principles. The first principle is take the compute edge as close as possible to where the users are, right? I mean, I call it the physics problem. If your users are sitting in San Francisco and your data center is in New York, it will always be slow. You're crisscrossing the country to get any security service, right? And so in the case of Zscaler, we built 150 data centers because you have to solve the physics problem. When you're in San Francisco, you want your security service to be available locally. Closely tied to that concept of compute is that you need to be able to do hard things like SSL inspection. These are cryptographic operations that require a lot of compute. Now when you try to do this in AWS or Azure, they make great virtual machines, but they don't give you crypto acceleration that is needed to do some of the intensive security scanning that is needed. And so SASE, step one, putting the compute next to the users, making sure that you have enough juice to be able to do it is something that Zscaler has done from day 1. The second thing that SASE talks about is legacy vendors cannot necessarily transform to this new world, right? The analogy that we've used is just because you made a great DVD player, you cannot virtualize it, containerize it, run it in someone else's cloud and become a Netflix, right? You need to build that architecture from the ground up. So again, that's something that we have done. The third area is the importance of a proxy-based architecture that -- and Gartner talks about that as well. And what's the difference between a firewall and a proxy, right? A firewall is more a -- here's some source IP or some destination IPs, they're not necessarily looking at content. In today's world, you have to look at content, right? When you send me a Google drive link and I click on it, I need to be able to see this is an Excel file, and it had a macro virus embedded in it. A firewall can't see it. So firewalls are generally blind to anything that is encrypted with SSL, right? So this -- I mean, those are some of the foundational principles behind Gartner's SASE. And as I said, that's something that we've been doing from day 1. We believe that the market's now coming to us and embracing some of those things, and we are poised to exploit that.

Since you referenced the legacy providers, maybe we can just drill down on that a little bit. So it seems like some of your competitors on the legacy side are trying to close the gap in terms of increasing their data center footprint, to increase the performance capabilities, perhaps adding some proxy security capabilities. Are those competitive moves meaningful? And how far is the lead you think Zscaler has relative to, let's say, Cisco, Palo Alto?

I mean, we've seen some of this movie before. Back in the day, some of you might have heard of a Cisco scan safe solution. It didn't go very far. Blue Coat had an amazing proxy appliance, and they tried to sell a WSS service where they tried to sort of cloudify that appliance and sell it as a service. That also didn't go very far. So traditional security vendors, what do they do? They have a security appliance, then try to virtualize it and run it in AWS and Azure. And that -- I've described the Netflix example, right? You cannot just take a single-tenant box and become a service by running it in a cloud. I mean, if that was the case, then anyone could take directory software and run it in AWS and become an Okta. Anyone can take an open source database and put it in AWS and become a Salesforce. Successful SaaS companies have built their infrastructure, have built their service from the ground up, right? Now you talked about data centers. When traditional firewall vendors say, I can take my firewall and run it in Google. Google makes a great cloud infrastructure. So clearly, it's a better service. I mean, that argument has many, many flaws. Flaw number one, Google's infrastructure is very good if you are hosting a service on Google. A security service, by definition, has to be service-neutral, right? If 1/3 of my traffic is going to Microsoft, why should I send my traffic deep into Google's core to get a firewall service only to come out and then enter Microsoft's network, right? So how did Zscaler approach this problem? We said the Internet is 15 Tier 1 ISPs working across the world, right? Google doesn't operate in China. I have to work with China Telecom and China Unicom in China. When I am in India, I have to work with Airtel. When I'm in Australia, I have to work with Telstra. So you -- to build a cloud security service, you have to be cloud-neutral and vendor-neutral and service-neutral, right? The question you have to ask is how do 100 million users talk to 10 billion destinations without getting into a walled garden, right? So when you take a firewall and put it in Google, number one, you don't get that SASE edge that we talk about. Google has 20 compute regions and 120 front doors. It's great when you host a service in Google, but not very good when you try to do an inspection service that's meant for the general Internet, right? There are other factors, right? When you take a appliance firewall and run it as a proxy, you can look at the NSS Labs test reports. All firewalls slow down by a factor of 15 to 20x, not percent, 15 to 20x slower, when you take a firewall and run it as a proxy that the scanning SSL content. So you take an appliance firewall, run it as a proxy, you lose 20x the performance. Then you virtualize it, run it in someone else's cloud, you don't get crypto acceleration, you lose more performance, and then you have to do all the rerouting. I mean, the net result is, it's not a very scalable solution. So it becomes a flanking strategy for traditional security appliance vendors to say, hey, buy my security appliance whenever you want, and we also do cloud, right? That's really the approach.

That's clear from a technology perspective. But Remo, have you seen any changes in terms of who you're baking off against over the past year? Are these legacy vendors more relevant in the conversation today?

Any more competition?

Right.

Not really. I mean, from our perspective, when we're able to talk to the customers and show our solution, there's really no competition. There are the incumbent vendors. You've got smaller companies, startup companies are trying to come in. But Zscaler was developed 10 years ago with the SASE approach, built its own TCP stack. So the lead that we have, companies who are CASB companies, or companies that are CDN companies, they're trying to move into the secure web gateway. It's a hard thing to do. And this is the core of Zscaler, which was founded, built in our TCP stack 10 years ago. So the architecture, the multi-tenant architecture created a single path. Once that packet comes through under traditional companies, what you're going, you're going through different layers, different applications. With Zscaler, what happens is that, that packet comes in, it opens up, we fire all engines at it. So the efficiency that we've created at 80% gross margin, this is pretty impressive, and it's very hard for other companies to catch up to that.

Do you know of any other CFO who can say TCP stack?

Very impressive. Okay. That's clear. When we think about the term of SASE or -- all right, the concept of securing local Internet breakouts, we typically think about the security architecture in the branch. Is the opportunity really about transforming the branch largely today? Or are you starting to see displacements in data center deployments for the traditional web gateway?

Right. So let me answer that. I mean, if you go to the Zscaler website, you'll see the CTO of GE talk about how they've transformed with Zscaler for their 400,000 employees, right? The big driver there wasn't, hey, my headquarters is covered. I need to get a solution for the branch. The big driver was, I have so many disparate proxy and web gateway solutions. I'm looking for consolidation and operational ease and simplification. I don't want my CEO to have one experience when they are in headquarters and when they fly it and go to Singapore. It's a completely different experience, right? So you're looking for simplification and consistent policies across the board. In today's environment, it should not matter whether you're sitting in your New York headquarters versus a San Francisco branch or in a coffee shop. You should get great user experience and consistent security policies wherever you are. So yes, as people are making more local branches go locally to the Internet, it is forcing some of these decisions. But the answer is not. Let's keep our headquarters the way they are, right, and do something new in the branch. The answer is, what's the -- or the question they are asking is, what is the blueprint for my network and security stack for the next 10 years? In this cloud-first, in this mobile-first world, where users can be anywhere and my branches want more autonomy, what's the common way of doing things as opposed to -- well, headquarters is covered, let's go to the branch.

Okay. Shifting to some of the product-specific questions. Maybe we can start on ZPA. It does seem as though there's a different competitive environment with ZPA, there's a different level of maturity. It's a newer product for you. Can you just talk about what you've seen in terms of enterprise adoption of ZPA and how you're well positioned relative to what seems like a fairly crowded field of vendors trying to address remote secure access?

Yes. Over 3 years -- I'll talk about the numbers, then Amit can talk about the technology, the difference. ZPA of our total new upsell business has gone from 4% to 10% to 14% of our total new upsell business and still represents less than single-digit of our total revenue. So it is our fastest-growing product, has a -- ways to go. We think we're well positioned. And I'll turn it over to Amit.

Right. Yes, it is a -- ZPA is a fastest-growing product. And remember, ZIA started 10 years ago, and it's growing that way. And for ZPA to catch up as an overall percentage will take time. Now having said that, again, customers are looking for simplification and consolidation. When a customer has deployed Zscaler app that forwards all their traffic, that is Internet-bound and SaaS application bound through Zscaler Internet access, the same customers turn and say, hey, I've done this part. Now can I -- maybe 90% of my traffic is going to the Internet, and this 10% traffic that is still going to my data center. Can that same app, you already know who the user is, can you -- with Zero Trust principles bringing those users to those applications in that same infrastructure, right? And the answer to that is, yes. You don't need to deploy yet another VPN solution, yet another agent and do all the complexity around it. As an administrator, I would like to have a simple policy that says, Amit is allowed to use Office 365, is not allowed to use these unsanctioned apps. And by the way, Amit is also allowed to use these internal applications, maybe this SAP application, this HR application that is sitting in my data center, but tomorrow might move to Azure. With the Zscaler platform, you can do that consistently in one location. So we sit between users and destinations and become the policy engine to make sure that people can quickly and securely connect to what they want to access. And the beauty of that solution is, I mean, how many of you have gotten an e-mail on your iPhone, and you clicked on a link and it's broken because it required you to do some special VPN thing, right? Once you go to the Zscaler platform, there's no difference between what's an internal application and what's an external application. Fundamentally, we are separating application access from network access, right? And the example I often use is all of you who use Gmail, do you VPN to Google's network before you access Gmail? You don't do that, right? If that was the case, then you'd VPN to Salesforce, and VPN to Gmail, and you'll have 27 networks before you access those 27 applications. You don't have to do that. And that's the simplification that we're trying to drive. You come to Zscaler, and we become the policy engine that connects you to the application based on the fastest path but also proper security.

One of the comments on ZPA also, we came out with the press release and for our existing customers, we offered ZPA for free for 3 months in China with the coronavirus. Over the last 3 weeks, our traffic in China has increased 12x. So significant -- again, from a -- when you got mobile workers, trying to connect to your network, trying to connect to your applications, internal apps, huge advantage with a ZPA. So for our existing customers, we offer that, and a lot has taken us upon.

And that was just in China? Is there...

Just China.

An opportunity to expand it to other countries that may be affected?

We're considering it. At this point, here's just China.

There's definitely more inbound interest coming in to say, hey, we need to roll out emergency remote VPN-like services, can you help, right? And so I think that's part of the promise of the cloud to be able to elastically deal with it. And as a good corporate citizen, we gave that away for free in China. And we saw 12x traffic increase, so that's a testament of two things: one, we can deal with that kind of load as a cloud service; and two, definitely when issues like this happen, the ability to transform your network, so your employees can work regardless of location, becomes important.

And speaking of data centers, last week, we spin up -- we wanted to test our ability to spin up data centers quickly. So we opened up a data center in Milan in the middle of the coronavirus in 1 day with no human touch by Zscaler.

Okay. Just to be clear, how big is your business in China? I would imagine it to be...

It's small. It's small.

Small. And just to round out the coronavirus discussion, are you seeing any disruption on the traditional ZIA business as some of the countries are seeing, perhaps some disruption?

Not at this point. Right now, it looks good. I mean, we are seeing disruption in Northern Asia. That's a very small part of our business, and it's not significant at all for us.

One comment I'd add is, while customers purely based in China might be small, remember, we sell to Global 2000 organizations, right? Whether it's GE or Siemens or NOV, these are public customers who talk about their deployments on the Zscaler website. All of them have some manufacturing presence in China, right? So for us to enable them successfully without having a China solution, it would not be possible, right? So I don't look at China as how many customers are purely located in China. I look at China as how many global customers we have enabled, and China is an integral part of their business.

Okay, great. In the last few minutes, I just want to shift to some of the sales force changes that you've made under the new Chief Revenue Officer. So you had a very helpful session last week at the RSA Conference, where you went through a number of kind of the changes that you've made. A lot of details behind the refinements you're making around the go-to-market. Remo, can you talk about what you think has been the most meaningful? And if we're thinking about where you are in terms of starting to see the benefit of those sales force changes? And what inning do you think we are in seeing that?

Yes. That's a great question. The biggest benefit is leadership. I think we -- we've gone without a CRO for 18 months. And to Jay's credit, the CEO of Zscaler, he waited to hire the right person. So we hired Dali Rajic, who was formerly the CRO of AppDynamics. The -- Dali's been on board for about 5 months. The thing that he's done over a 5-month period, this is -- it's significant. We've created a new layer basically of management, the RVP level. At the end of Q2, related to the RVP level and above, we have 80% of the people in those positions. He's put discipline into the sales forecasting process. He's put in new tools, Clari for forecasting, People.ai for tracking the activity of salespeople. He's put in place playbooks related to hiring. The hiring that we did in the second quarter, the gross hires were the highest that we've had since I've been at the company. He's basically transformed the organization into a much higher level type organization. The profile of people that we're looking for, there's an acronym called ICCE, intellect, curiosity, coachability and experience. Experience is the least important. Sales enablement group that Dali's put in place is 15 to 20 people strong, which is significantly larger than any organization that I've had at two previous companies, NetScreen and Infoblox. The training that we're doing related to boot camps. We'll have 2 boot camps versus 1 boot camp, when people come on board. Online training is significantly more than we've had before. Channel, basically, we've introduced a new channel program. That channel program is geared towards VARs, it's more numeric-based. So the foundation, what basically Dali's done in a very short period is position the company to really grow. And from here, what we're going to do is we'll be hiring a lot of field people and so forth. Our plan is to increase our sales, our RSMs, which are field salespeople, 60% year-over-year That was in our plan initially. So I actually saw the benefit of the first day that Dali was on board. When you get the right person on board in the interaction and you're seeing what he's doing, I think he's making an impact right now.

Last question. 60% growth in sales can -- pretty notable. How can you get investors comfortable with the ability -- with your ability to absorb that level of increase in sales capacity without significant disruption? And then how can you -- what gives you confidence that you can find that level of talent without making any compromises to that magnitude?

Yes. So those are both great questions. So basically, the levels that we've got in the company, you've got the GOVP going down to an area VP, going down to the RVP, going down to the regional director going to the RSM. So the span of control, basically that we've created is a lot broader span of control. So our ability to hire the right people with that increased span of control is much, much higher. The responsibility, the primary responsibility of hiring people is basically those leaders. So once you put those leaders in place, they know people they've worked with before. One of the key things that I look at, basically, or one of the things I look at is who follows the leader coming into a company, who wants to follow that leader. That's a sign, basically, you've got the right person. And with Dali, I can tell you that there's a significant interest in joining the company, not only for the opportunities that we have, which we think is very, very large, but also basically the training you're going to get to get to the highest level as a sales professional. The confidence that I have basically going into the second half, getting to that 60% growth year-over-year, I can tell you that February is a very strong quarter related to hiring. And I think we're well on our way.

Great. Well, we're all out of time, unfortunately. But thank you, Remo. Thank you, Amit. And thank you, everyone, for coming.

Great. Thank you.