Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

Thank you, and welcome to the Morgan Stanley Zero Trust Architectures Virtual Conference. Very pleased to be kicking off the conference this afternoon with Zscaler. We have Founder and CEO, Jay Chaudhry; CFO, Remo Canessa; as well as Bill Choi, Director of Investor Relations, to talk us through the Zscaler perspective on zero trust architectures. Before we get started, Bill does have a couple of quick disclaimers he wants to get through, and then we'll launch into Q&A. [Operator Instructions] So Bill?

Thanks, Keith. Thanks, everyone, and appreciate your interest. I'd like to remind you that today's discussion will contain forward-looking statements. These statements and other comments are not guarantees of future performance but rather are subject to risk and uncertainty. These forward-looking statements apply as of today, and you should not rely on them as representing our views in the future. For a more complete discussion of the risks and uncertainties, please see our filings filed with the SEC. Back to you.

Excellent. So Jay, starting off with you. Thank you very much for joining us this afternoon. I'm really looking forward to the conversation. The theme of the virtual conference is zero trust architectures. And while we're hearing that phrase a lot more, I still think that it means different things to different people. How does Zscaler define zero trust architectures? And can you walk us through where the Zscaler solution offering, where it fits into that framework of the zero trust architecture?

Thank you. Zero trust actually started with a very clear meaning. The vendors who couldn't do zero trust try to hijack the term and come up with their own definitions. Then Gartner stepped in, they published a very good paper called Zero Trust Network Access, which actually frames the cons of zero trust well. So here is a basic concept. Traditionally, when a user needed to access an application, a user was connected to a network. Once on the network, user could access all the applications that are connected to the network. But it is like once I got into the Morgan Stanley headquarters building after they check my ID, I could go anywhere, in any conference room, at any meeting room. Not a good idea. So zero trust concept came and said, don't connect the user to a network, connect the user to particular application or surface. All security devices, all network firewalls and everything is based on the premise that user must connect to the network and they'd protect the network. The problem is, in today's world, the network is everywhere. Internet has become your network. When I go from home to my applications in the cloud, I am on Internet. When I call from a mobile phone, I'm on 4G. So you cannot do network security anymore. You need to do -- zero trust means a new way of building security. Almost like a switchboard service where a user connects to this exchange to switch board and the switch board connects the user to an application without needing any firewalls because there's no place to put any walls in the world of cloud.

Got it. So in terms of zero trust, is this a concept that your customers are talking to you about, that they're asking you saying, listen, we want to move in this direction? Or is this kind of secondary? This is kind of a conversation we're having, it's a marketing term, but not really driving purchasing decisions. Like where are we in terms of that being actual demand driver for you guys?

I've been watching that for the last several years as zero trust terms start to pick up. I talked to lots of customers, probably about 40 to 50 at least every month. And zero trust is one concept that gets asked by the customer more often than any other concept from security point of view. And this is driven by the fact that they feel like users are everywhere. They're using more and more cloud-based applications and work from home actually accelerated the demand for zero trust.

Got it. And then that was going to be my next question. So one of the premises that we had coming into this conference, we read a report about it last week where -- by the way, we upgraded your stock. But also, we talked about it in our intro this morning that we think that COVID-19 is accelerating the shift of workloads into the public cloud, is creating a more distributed workforce, more distribution in terms of the elements that we're trying to secure. And that's going to accelerate the shift in security architecture. So one, do you agree with that underlying premise? And two, how should we think about like what pace of change is possible?

A very good question. So we all know, we have been talking about the COVID has accelerated trend towards digital transformation. And let me give you 2 reasons why. Number one, to work from home, you need basic tools like collaboration. You need access to e-mail and calendaring, those systems, the Zoom video calls and the like, company who had not embraced tools like Office 365 and Zoom couldn't even do basic collaboration. That is one part. And the next part is related to other applications. But that's one part. The second part was network and security, what's the impact of those? When a user talks to customers before COVID, they will all agree that they needed to transfer from their network to local breakout, this traditional private hub-and-spoke network has to go away, but they were slow. Why? Because they're a little concerned that my business is running on this network, what if something goes wrong, I want to change. It was in inertia. In some of the networking leaders who really had the big budgets, really, they didn't want to lose their budget. So there's a little personal stuff around it. And certainly, with COVID, the CIO is phoning that my business is working well. Actually, it's working better than it work for my branch office coming out of the private network. So now our CIOs, who deployed Zscaler, especially ZPA because they've already done ZIA, they said my employees are working beautifully without using a corporate network at all. So the notion that I can leave from this chain yet not even worry about my SD-WAN deployment, not worry about local breakout. I don't need a corporate network, which means security model of Zscaler which says you come and connect with me and I'm going to exchange service for you or digital exchange or connect with the right application or service where data center's one more destination just like Azure is or Office 365 is. So yes, it is accelerating the trend towards security significantly.

Got it. And does the ability to sort of shift in this direction and adopt a new technology, is that dependent at all on the kind of size of the organization? Like one of the things we've seen is SMBs tend to shift faster, larger enterprises like a Morgan Stanley tend to shift a little bit slower. Do you see that in your customer base? Is it dependent on customer size?

So in general, SMBs embrace faster than enterprise, that's very true. But in the case of Zscaler, even from very early on, some of the largest companies like GE and Nestle embraced us far faster because they had bigger pain because they had employees in every country, and they were suffering. So banks are an exception. Since banks were really concerned about cybersecurity, didn't want to embrace cloud. So companies like modems and the others actually took longer to embrace a technology like Zscaler. Now that there is a lot of pressure on large enterprises to embrace digital transformation, the goal is to be agile, to be competitive. A CIO says, "I want to set up a new office in Kuala Lumpur in 5 days." An old world of ordering an MPLS network which takes 3 months, ordering the box and all, it took 4, 5 months. In today's world, all they do is they get a local broadband connection, point it to Zscaler and they turn it on. So with that type of stuff, we are seeing larger companies embracing it very well. In fact, if you look at Zscaler's customer base, somewhere in the 20% to 25% of the largest Global 2000 companies are using Zscaler. When I started the company, I thought we'll start with midsized companies and go up. It actually happened the other way around. The CIOs who are progressive and forward thinking, they actually drive it. So when we go to large enterprises, we look for a CIO who is progressive, and we pursue him. If a CIO who is not progressive, we kind of slowly handle it over to him.

Right. Got it. And how should we think about how zero trust emerges versus kind of the traditional security environment? Is it going to sit alongside traditional security environment to just become more of a sort of center of gravity more important than the traditional environment persists? Or does it actually replace them over time? Like will physical firewalls actually go away? Or will they just become a less important part of the equation?

It's a very good question. I get asked this question by CIOs and CTOs quite often. When they like zero trust, they say, "how do I go about it?" Now if you look at in many areas, take SAP as a very important application, either it sits in the data center or it sits in the cloud. It doesn't just -- you don't do halfway because it's a one integrated application. But in the case of security, you can do actually in meaningful steps. For example, when Zscaler customer roll out, they would go with ZIA to break out all the traffic going to internet and SaaS, nothing else is impacted in terms of internal applications. The second step they could do is replace VPN. So with ZPA, they got broad range. Third step they'll do is don't go through your data center to your Azure and AWS applications, but go direct with ZPA. So that -- it's a step-by-step process. Also, the other piece is, you don't need to go and try to fight the backlog, displacing a bunch of other clients in the data center because data center is withering away. If 40% traffic gets moved from the data center directly to the cloud with ZIA, you've got that 40% less traffic going through it. You need less routers, less switches, fewer firewalls. And as more applications move to AWS and Azure, the traffic will probably go down to 20% or 30%. I think data center will be there for a while. And there will be some firewalls and routers setting there, just like the mainframes I sold during my IBM days are still chugging along somewhere, but who cares. I think it will become far and far less important. And customers won't need to buy more load balancers, more routers, more switches and more firewalls. So they go away over time. When you do applications in public cloud where everything is headed, in the Zscaler world, you don't need any firewalls.

Got it. It makes a ton of sense. I'm going to hand over the conversation to Hamza Fodderwala, our new security analyst here at Morgan Stanley, to dig into sort of deeper details around Zscaler in particular. Hamza, do you want to take over questioning?

Thank you, Keith. And thank you so much, Jay, for joining, and Bill and Remo as well. Really appreciate your attendance today. So I really wanted to dig into some of the architectural differences that I do think a lot of that might not be as well understood by the broader investor community. So one of the areas you discussed that you differentiated is the proxy architecture, the scale of your cloud, right? And while obviously a lot of competitors recently have been trying to close the gap, building these point of presence locations on GCP or AWS. Can you help us or refresh us on why Zscaler's architecture is more effective, particularly when it comes to remote access versus some of the other vendors who are emerging in the space?

So if you look at the 2 architectures, broadly speaking, for security, one has been what I call the pass-through architectural traffic. Typically, firewalls as a gateway or VPNs are created to connect you to the network. They're doing -- they sit in the middle, but they let the traffic pass-though. The zero trust architecture actually believes in the fact that you connect to this exchange, and exchange terminates the connection, inspects it and let you go where you need to go. That's essentially, in traditional terms, called a proxy architecture. So 2 fundamental differences. And let me give you one at a time because ZIA, the proxy architect is there to open SSL traffic, inspect it for security, inspect for data loss and the like. So we have been traditionally competing with proxy vendors like Blue Coat and McAfee and Cisco over the past 10 to 15 years. Blue Coat especially had a very good proxy. Others had poor proxies because building a proxy is very hard without adding latency to it. But what Blue Coat lacked was a multitenant architecture. So in our battle over the past 10 years, ZIA has dominated, and all of these proxy vendors who are trying to be cloud vendors have gone away. It doesn't matter whether you're sitting in 10 paths or 20 paths. If your architecture is not multi-tenant, you really don't win. That's one part. I can look at the second part of firewalls. Large companies have never considered firewalls for user protection as a secure web gateway. Gartner has kept firewalls out of web gateway because they couldn't do proper inspections. Now firewall companies threatened by the changes that are going on are trying to enter this space, and it's natural for them to try to do so. But they lack 2 things, not 1. They don't have the right proxy architecture to inspect for DLP in threats because they are pass-through architecture. And number two, they're single tenant. Trying to spin virtual machines out there is like trying to put 1 million DVD players in a data center and say, I got Netflix streaming service. It just doesn't work. Maybe for a demo, it works okay. In the real world, it doesn't. So wrong architecture. You can spin as many things in any of these data centers, it really doesn't help a whole lot.

Understood. I mean as far as what you're seeing from customers, right, so as more of these vendors are coming out like the Palo Alto Networks or even Prisma Access, right, we have heard there's been pretty strong adoption of that vision. So has there been any instances where in head-to-head bake-offs that they've come up more often recently? Are there customers who might be using a competing solution that is not built on the native cloud architecture that you have that are coming back to you and saying, maybe this doesn't work? I'm curious to hear what some of the recent dynamics have been.

Yes. So as we said, firewall vendors are threatened by this new opportunity or are trying to claim. So just like Blue Coat, Websense, McAfee, they're all built to their cloud even though they had the pass-through point. Every firewall vendor will try to build a firewall, okay? We were seeing it from -- ultimately, we have seen it from actually checkpoints of the world, okay? Now if you think about how enterprises do security, with some exception, most -- probably 85%, 90% of the large enterprises, take Fortune 500 -- would require a proxy architecture or user traffic inspection that's headed to the Internet. Now firewall guys are saying, I can do that, too. Firewalls were designed to protect servers, to become a door or gate in front of the servers in the campus. We believe it's a retrofit. If you do simple, in fact, the part you guys will also try to say, proxy is such a bad architecture. They forgot to tell you that without the proxy, you can't open SSL traffic for inspection. Imagine 90% of the traffic, 90% of travelers going international on international flights, they're own luggage cannot be inspected by TSA because it is sitting in some steel case. That's how security gets done with the firewall vendors. That's why large enterprises don't take them seriously. We don't really see them competing in that space. When it comes to lower down...

Jay, I think you broke up there for a second.

Can you hear me now? Hello?

Yes, I can hear you now.

Okay. I'm sorry, not sure what happened. So I was basically saying that the serious companies don't look at it. You'll probably see some wins from firewall vendors or any vendors with some customers. It's always easy to get a handful or some of small customers. But getting serious customers, we don't think firewalls will be the real competition in this space.

Got it. I mean -- so this is my last question on that, right? So what is the limiting factor, right, of having the security offerings built on AWS and GCP from just a technical perspective because a lot of cloud vendors, right, are leveraging AWS and GCP. And obviously, the cloud vendors have a lot of coverage. So if you could help us elaborate on that point, why will they not be successful regardless of how many paths they have?

Right. So the 2 points to think about when it comes to being a security vendor who needs to sit in the traffic path as compared to an application. If I am an application, I'm sitting on AWS as a destination, not a problem because only vendors who need to go there will go there. But if I'm sitting in line to get to any application out there, I must be properly distributed in lots of bases. All I wanted is that while Googles of the world may have 100, 120 locations, about 20 to 25 is where you have compute center, where you can spin-off firewalls and the like. The remaining 100 are collection points, the front doors, and the traffic gets backhauled to the compute center. That introduces latency. And that's one big reason. The second reason is the following: these vendors, they don't have multi-tenant architecture. So it gets very hard to manage spinning a virtual machine or many virtual machines for each customer. The third is actually to do SSL inspection. You need some hardware assist. VMs can't do SSL inspection even if you build a proxy architecture. So performance becomes a third issue. If I may give you a fourth point, that is cost. Any serious cloud vendor when running on AWS of the world at scale ends up having fairly low margins. Read our papers published by the founder of Dropbox or read some studies for Netflix. Anyone who is aimed to offering a large cloud service ends up running its own service to have meaningful gross margin. We're sitting at 80%. I think a lot of competitors will go there. Some of the numbers I hear is, they sit in the 30% to 40% range. They're proud about it. If you ask them and say, tell me your cloud gross margin? My bet they'll dance around it and won't answer the question.

Got it. That's helpful. So one of the theme on security has been around consolidation, right? There's an age-old debate about best-of-breed versus suite. As color -- obviously, there's a lot -- encompasses a lot of solutions within security, either cloud firewall, there is the Secure Web Gateway, DLP, CASB. How do you think that this shift towards zero trust is going to play out when you think about the market shifting towards a suite versus best-of-breed? Do you think it's going to lean more towards the best-of-breed? Do you think it will be suite over time that vendors look -- or customers rather look for one drug to choke or one sort of vendor to deal with. Just curious how you think that plays that?

Yes. It's a very good question. So first of all, it's pretty clear that customers don't want to deal with dozens and dozens of enterprise. Consolidation is a natural thing. But the consolidation such that there's no god security cloud or god security box that does everything because there are core competencies needed for different things. Doing endpoint security is one kind of core competency. And sitting in the traffic is very different in competency. So we believe there's consolidation happening. We are driving the consolidation as a platform for zero trust. But we aren't trying to mix it up with endpoint, which is a very different thing. So consolidation along logical areas is one point. The second point I'll make is when people think of consolidation, they think of taking traditional products and putting them together. In this new world at zero trust, we believe the security segments won't look anything like they look today because today's security is all about building a moat. Tomorrow's security is not about building a moat. So if you're not building a moat, what role will many of these API products will play? I don't think so. So I think 5 years, the segments will be very different. Yes, there will be consolidation, but don't look for current market segments as adding up in a consolidated fashion.

Got it. Got it. And if I could dig into the security spending environment in the near term, right? So it really seems like security budgets for the most part -- can you hear me?

You went away for 3 seconds. Security budgets for the most part...

Yes. All right. Sorry, I went away for a little bit. So security budgets for the most part have been pretty durable year-to-date. And a big question that I get from investors is how much of this is coming from emergency spending from customers that are trying to ensure business continuity because all of a sudden a lot of their users are now working from home versus a fundamental reprioritization of how they're thinking about security budgets? And the second part to that question would be, longer term, do you think that this distributed work environment because it is increasing complexity for organizations, it's going to be a positive tailwind for security spending overall?

Good. Very, very good question. So let me answer this question. So first of all, work from home really increase the need for doing some of the security that was in place. We benefit from it. And many legacy vendors benefited for it because they could sell a lot of VPN. Even though the customer didn't care about VPN, that was the only quick solution to kind of get ready overnight. So that's one piece. But also, I do believe that emergency spending with work from home is, by and large, over. Because if you aren't having your employees work from home safely in the past 2 months, you have a problem. So whatever you had to do was done. Now, it's a matter of ongoing journey towards the cloud. As digital transformation is accelerating, security is part of it, security is accelerating. But what's happening is security has been a Board topic for the last several years. Security will remain the Board topic, so that means security will remain a high priority. What the shift I've seen with CIOs and CSOs is the following. Now they want better security. They want lower costs because this pandemic is putting pressure on them. So CIOs and CFOs are actually asking for more consolidation and simplification for cost reduction than they did before. That's one big change we have made in our strategy. But if you look at from total budget point of view, security is still a relatively small part of the overall budget for an enterprise. So for a CIO to reprioritize a little money from other side to this side, it can be a big increase in security even though it's a small shift for an enterprise budget. So we believe that security budgets will remain robust and enterprises are focused on implementing newer technologies such as zero trust, and we are a clear beneficiary of.

Got it. And last couple of questions is, so around M&A, right? So we've seen a couple of recent acquisitions with edge network -- excuse me, Edgewise Networks and Cloudneeti, what is Zscaler's just general philosophy around build versus buy? And is M&A -- now that you guys have reached a certain scale, is that going to be a more important part of the Zscaler's story going forward?

So if you look at Zscaler, we built a platform, a purpose-built cloud native. Can you guys still hear me?

I can hear you. Sorry. My video keeps going way.

My video went away. That's okay. All right. So we purpose build platform, and we have been expanding it, but almost like a concentric circle. We had a bull's eye, we have been adding. We don't just go and set up a bull's eye at second place or third place, we're very methodical in it. We only want to do acquisitions that fit nicely and integrate with our platform. Contrast that of so many times you see the M&A philosophy, let's go on a buying spree and buy 10 companies. Guess what? 5 years later, ADAS then gets sold at 1/10 of the price you bought because integrating them becomes very hard. Instigation is very, very hard. So we did these acquisitions. For example, Edgewise or Cloudneeti or actually browser isolation for that because those early-stage companies could be easily integrated into our platform and could be offered as one product, and it gave us probably about 12- to 18-month lead over what is we had tried to build similar technology on our own. So we will do highly targeted tuck-in acquisitions to accelerate, taking some additional features to the market. But those features need to fit into our strategy. We're very methodical of what to -- where to compete and where not to compete because strategic partnerships are very important for us. So trying to open battlefront on too many areas, I believe, is not a good thing.

Got it. I know we're about finish here, but one question from the audience I'm seeing is how does Zscaler's ZIA, ZPA compared to Cloudflare teams? If you could help sort of differentiate those 2.

Yes. So if you look at Cloudflare, Cloudflare comes from the same background as Akamai can. It was, I want to offer CDN. Our caching is important. Then the natural thing for them to serve on. Well, can I offer our DDoS protection on top of that because I am sitting in front of servers? So they always sat in front of servers. And they were designed to take any user from anywhere without even having to authenticate or do anything. For example, if I go to united.com, a website, United Airlines, probably Akamai is front-ending it and any user from China or France or wherever can go and access. Zscaler is protecting all United employees. When any United employees goes anywhere, they go through us. So we are actually user-centric. We are protecting every United users no matter where they go. The skill set, the core competency of where you sit and what you do is fundamentally very different. That's why, I mean, look, even Akamai has tried to get into this space for a while. Now Cloudflare is trying to do the same. Haven't seen Cloudflare much out there to call. I haven't seen them in any deal with ZIA or ZPA out there. I've seen Akamai in a few place. They actually bought a proxy company about 4 or 5 years ago. I have yet to see them in a single deal. We think, unless you have some core competency, you understand where you fit, it's great to have aspirations to get into other space, but it requires a lot more than aspirations to succeed.

Got it. Got it. Well with that, I think our time is up. Thank you so much, Jay, Remo and Bill for your time today, and I look forward to seeing you again soon.

Thank you.

Well thank you so much. We really appreciate it.