Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

Great. Thanks for joining us this afternoon. I'm Rob Owens with Piper Sandler, and I manage our firm's security and infrastructure software research practice. Very, very pleased to welcome our next company and welcome a couple of old friends, as Remo reminded me in the green room earlier, the management team from Zscaler. Goes without saying Remo was counting back. It's been 2 decades since I've known Remo, and I think just a few years shy of that for Jay and myself. So gentlemen, always a pleasure to see you.

Thank you.

Thank you, Rob.

And for those of you in our viewing audience, Jay Chaudhry is the CEO; and Remo Canessa, the CFO of Zscaler.

So I guess, just to put things in perspective and lay a groundwork here, Jay, network security is traditionally dominated security spending as this category. And we've seen major consolidations playing out recently with firewall vendors have created a refresh. But we've always had the same cloud that's been hanging out there. And it's clearly driving this radical network transformation. So I think relative to Zscaler, can you speak to the problem set that you're solving near term? And obviously, it's a highly competitive space. How are you different from other players in zero trust?

Yes. About 25, 30 years ago, when we started building networks, Cisco just came on the scene. We could connect with private MPLS network to various offices. And data center was the center of the universe for applications. It was natural. The right thing to do was to secure the network by building a moat around your data center and everything. So we called the network security. Network security has lived its useful life. Applications have left the castle. They're in the cloud. Users are working from everywhere. We are trying to do the old approach of extending our network to every household, so people could work from home. They couldn't be anything crazier than that. You've got 50,000 people working from home. Your network is sitting in 50,000 households. Someone will be infected, and that user is on your network. It's going to spread laterally and infect everyone. That's what happened with Colonial Pipeline attack. That's what happened in Maersk and all these other guys. So the true approaches to fix it, keep on doing bandage. That's where network security vendors are doing before they built firewalls. What can you do with firewall? Build moats or you build zero trust. Zero trust means don't build any moats. Build, maybe in a layman's terminology, a switchboard, a control panel. There's no inside. There's no outside. Everyone is untrusted. Trust no one. Users come and connect to us. We verify who you are. We look at the policy we connect you to the right application or service. We don't put you on the network. Technically, it's as different from a network firewall and VPN as anything would be. It's our belief that it's a matter of time when firewalls will disappear. Maybe I shouldn't say. I should say they'll be somewhere out there just like mainframes I sold during my IBM days are still running something. But the real security will come from zero trust. As long as we depend upon firewalls and VPN, we'll keep on seeing ransomware attacks and the like.

So talk about the different elements of zero trust and what really needs to come together to have an end-to-end platform for end-to-end architecture. What's the role of identity? What's the role of networking? What's the role of app security? And where do you think you [indiscernible]

Yes. So it's so unfortunate that when new trend takes off, legacy vendors that get concerned for getting disrupted, they try to hijack the run, and everyone becomes zero trust overnight. It's a lot easier to write PowerPoint slides than actually build products. When client server happened, every company became client-server company overnight. But let me explain to you in a simple way. Zero trust came from the fact that zero trust network access was causing problem: putting people on the network was a problem. Because traditionally, we put person on the network. On the network, a person can find all the applications and connect to them. It has worked wonderfully in the past. What zero trust says, users and applications are not on the same network, you go through a switchboard that connects you to the right person. That's the switchboard role we play as a policy engine. Next, identity is very important. Who are you? Identity vendors play a very important role. That's two. Three, checking the portion of the device is important. Is the device already compromised? Endpoint vendors often provide that. So combination of identity, endpoint for security posture and Zscaler as a switchboard is essentially zero trust. Now people are trying to extend to here and there, wherever. If you read Gartner's white paper on zero trust network access, it talks about not connecting the people to the network, but only do applications after validating identity and the device first. Did that make sense?

Absolutely. Absolutely. We'd love to better understand, I think, how far we've come in security. And as I mentioned upfront, I've done Remo for 2 decades, Jay, at least 1.5 decades, if not for 2 decades at this point. And obviously, we all begin our careers in security at a much different time than we're at now. So we used to have a lot of cause-and-effect type of situations in security. We saw a breach, we saw some spend. We saw the Melissa virus, everybody put AV on a computer. Talk about how this has transformed, how this has changed. And the breaches that we've seen most recently are more seminal moments lending to momentum in a long tail than they are that typical kind of cause-and-effect spend that we've seen historically.

Yes. But if you think about what's being done out there, a big part of the enterprise world is still my network, my network security, my firewall. So am I surprised that so many of these attacks are happening? Not at all, right? So the security, by and large, hasn't changed a whole lot. Outside Zscaler, which came up with the essentially disruptive new technology, zero trust. It's almost like you have -- we invented internal combustion engine a long, long time ago. We have been all tweaking. That's what all these network security vendors have been doing. The basic packet-filtering firewall can stay to the next generation. These aren't tweaks. What's needed is decoupling network and security from each other. That's really what zero trust is supposed to do, and that's what we are driving. And I believe that there will be a little bit fight for a while. Legacy vendors will keep on claiming that there's zero trust just like Siebel software claimed for a while that they could do what Salesforce does, just like people sort of claim that they are the best HR system and Workday is kind of no good. It's just a newbie that's going to go away. Architecture wins. The right architecture will allow us to scale. We've built the right architecture that scales that's why about 5,600 customers, including some of the largest Global 2000 companies, are Zscaler customers. We are transforming security. We are -- there's no such thing as trusted network and untrusted network. Everything is untrusted. Every user is untrusted. And we connect the right thing to right thing. That's really what things to go. With ZIA, we securely connect to external applications; with ZPA to internal applications, never put people on the same network applications are. With ZDX, we give you a user experience. It's a combination of these 3 services allows you to work from anywhere without needing any firewall, any of the other systems out there besides identity, endpoint, and of course, you need some kind of security analytics to really do security operations.

But Jay, to your point, maybe you can articulate just how pervasive this opportunity is moving forward. 5,600 customers is not a lot of customers. These trends are still in their infancy. And so, Jay, love you to speak to that. And Remo, love you to follow up with just some perspective on having been CFO at several security companies, where you're seeing this opportunity manifest either in terms of what a sales cycle looks like versus what it used to. I mean we talked about a rule of 40 4 years ago, and there's a bunch of companies out there, yourselves included, that are destroying this from a financial perspective. So Jay, if you could focus on the opportunity set; and Remo, how it's impacting companies and what you guys are seeing, I think that would be great.

Yes. So if you look at the number of customers, there's some 12,000 customers we are targeting and focused on, okay? In the first bucket and then there's a next level. There are probably about 25 big customers that are good interest to us. If you do the simple math, we are probably about in that low 20s from a penetration point of view. In global -- sorry, in Fortune 500 companies, we have about 35% penetration. In Global 2000, it's in the high 20s. And in the next level, we are down to about 25%. There's a 75% market that needs to be done. All these customers will move to zero trust, guaranteed. It's almost like 3 years ago, 4 years ago, when I was advocating that MPLS will go away, people kind of laugh at me. Really? I mean are you out of your mind? MPLS is the network out there. No one questions that today. I think same thing is happening. So we have a much bigger opportunity. In fact, if you take our installed base loan, we covered during our Analyst Day that we could take our current ARR, which is just shy of $1 billion, to 6x by selling the product we have in place, not even including new products. So there's a massive opportunity, and customers are looking at consolidations. They're looking for simplification. And consolidation is not about firewalls. Consolidation is around zero trust. That's why we have 2 big lines: zero trust for users, which is ZIA, ZPA for users and ZDX; and we have zero [indiscernible], which is ZIA for workloads and ZPA for workloads. That's a massive opportunity for about 100 million workloads. Our momentum is growing because our solution works. Our NPS score is 76. That score of an average SaaS company is about 30. It's an architecture scales. The number of transactions we are doing on a daily basis, somewhere in the 160 billion, 170 billion, 180 billion transactions a day. Lots of customers talk. Vendors talk about this stuff. Who talks about actual transaction and scale? Hardly anyone. So I think the right architectural win and we got a great go-to-market engine to make it happen. Remo?

Yes. Rob, that's a great question. I mean we -- the company that Rob is referring to is NetScreen, which was an -- it was an outstanding firewall VPN company that went public in 2001. And basically, back in that market, it was an established market. Firewall VPN is an established market. And NetScreen, quite frankly, at the time, had a better, faster, cheaper product than anybody else. So our growth was explosive, but it's an understood market. When I look at Zscaler and when I first talked to Jay back about 5 years ago, the world move -- applications moved to the cloud, and I recognize that going to a smaller company and seeing what the impact of applications, basically SaaS applications to the cloud, how quickly you can spin up things and become efficient. I realize that ship had sailed. The -- my core bean was that security had to be on-prem. And so when I talked to Jay, we spent 3 hours. He whiteboarded the value proposition. I walked out of that meeting saying, you're right. I mean I told Jay, I said, "You're right. If applications are going to the cloud and users are mobile, security has got to be in the cloud." And I realize that that's the only way it's going to work going forward. The difference is this is earlier stage, and we first -- when I first got here, it was more educating the market of what we can do. Right now, when I take a look at our penetration into this market and our focus, which is companies with greater than 2,000 employees, we've got about 2,000. So it's about 10% penetrated. Look, that's for ZIA and ZPA. You look at our G2K, we've got over 25% of the G2K. It's a lot of runway. I look at our penetration of both ZIA and ZPA in the G2K, it's 44%. And Jay talked about the 6x opportunity and you look at our new products coming out the ZDX and ZCP, it's different. And what it is basically is that COVID basically really brought to light that the networks of yesterday aren't going to work. And so people have to change. Companies are changing and doing things. But Zscaler was purpose-built for this world, and the platform is created to scale. And when I first started, we had about 35 billion transactions a day. And now I think we're up to like 170 billion, 180 billion transactions a day and not missing a beat. The acceptance, the understanding, the need, the opportunity at Zscaler, I think, is significant and much, much bigger than anything I've ever seen. I'm excited being part of it. It's been a great time with me working with the company and Jay and seeing how it evolved. That's absolutely outstanding.

So help refute the bear case that this is just a remote play and evidence of what you're seeing in your customer base. Obviously, COVID and work-from-home threw everything out the window relative to kind of historical architecture, and you're kind of best with that remote client. But that success has come back into the enterprise, Jay. So dreaming the dream, it's Zscaler wall to wall. But talk about where you are relative to that penetration and that opportunity.

Sorry, relative to -- sorry, being able to come back to the office? Or sorry.

Yes. So when we come back to the office, we're not going to start to see it fall off. You're seeing penetration of remote office, branch office back in the central office. This is not just for the road [indiscernible] a crutch during work from home.

Zscaler was never designed to say you work from home, you work from office. Zscaler was designed to say it doesn't really matter where you work from. Zscaler is designed to say the network doesn't matter. Network is simply the transport. Network is simply plumbing, okay? Now when users come back to the office, if zero trust were not an issue, then they will be saying, perhaps, I don't need ZPA for the office. But then the big thing we would have been waiting for would be as more applications go to public cloud, Azure, AWS, Google, they do need ZPA. Otherwise, how would they go? So that is 1 piece. But ZPA -- sorry, zero trust becoming very critical. Most customers are talking to me and saying, I need to do the same zero trust in the office that I do at home. In fact, they're getting worried that many infected machines in the -- are at home, which don't get on their network because of ZPA. Even if an infected, they don't cause any problem. But once they get in the office on the corporate network, they can create problems unless they change. So they are essentially working with us to deploy it, call it, a private switchboard ZPA in the data center, which gets deployed as a VM, and users go through still the same ZPA. We believe that it's a matter of time that every user for a given customer will have same number of users for ZIA, ZPA and ZDX, so that they could have fast and secure experience. So customers, we're looking at doing 100 to ZPA driven by cloud applications. But now with zero trust security issue, that thing accelerating and moving fast.

Could you double click on the federal government opportunity? And especially as we're sitting here in the September quarter, they're fiscal 4 just -- have you had strength in the federal government historically? Is it a large purchaser of this technology? And how big of an opportunity do you see how many years out?

Yes. To succeed in federal government, number one thing you need is certification. They don't buy things unless they are federal certified. We start to invest in that area about 3.5 to 4 years ago. We have best certification than anyone else saw. That's number one. Number two, you could have certification of old network security. It doesn't matter because no federal government is saying, I must embrace zero trust. Thanks to the current administration, which is waking up and saying cybersecurity needs to be taken seriously. The new EO not only raises profile of cybersecurity, it highlights nests that model needs to be followed to do zero trust right. In that, if you read in this, firewalls are not part of zero trust because they put you on the network. So we have a sizable team in place. We have the right architecture. We have certifications. We're doing good business here. And I think we are expecting the business to accelerate and grow faster. But some of these large programs, they don't happen overnight, right? Are we seeing benefit or pipeline growing without EO? Yes. Are we thinking all this thing happening in the month of September? Not really. But we are seeing good benefits. Remo?

No, I agree. It's a big opportunity for us, and we're well-positioned. And last quarter it was mid- to high single digit or new and up-sell business. And as Jay mentioned, this Q1, it's going to take time, but we're well-positioned, and we're expecting it to accelerate and grow significantly for us.

Great. And on your recent earnings call, you did mention opportunities in IoT and OT environments to leverage ZTNA. Would love for you to elaborate if these capabilities sit within your existing portfolio right now. Or is this providing a little bit of a road map for future tuck-ins?

So the answer is both, okay? If you think about IoT and OT, that security is still done the old network security. For example, when IoT devices talk to Internet, they typically have gone through some firewalls out there. When someone remotely wants to access an OT system, they typically come through old school VPN. In fact, when folks like Siemens who have 350,000 MRI machines sitting in some hospitals, they need to remotely monitor and fix them. They go over VPN, not a very good thing. So those IoT/OT vendors are working with us. So you can remotely access those machines with zero trust rather than VPN. That solution is available today. Then you look at second part, IoT devices being able to send telemetry information to a data lake and Azure. That information works with us. It goes through on ZIA service to get to the application. The next third opportunity inside the factories are the plant. The micro segmentation that needs to be done or all things like workload segmentation are helpful in that area. So we have solutions in place today that we are selling, but a lot more -- when you succeed in something, you always have to build more and grow more and add more. So we are adding new functionalities. Having said that, IoT/OT market will move slower than the workloads in the cloud that are moving at a much faster pace. But we are pursuing both of those markets.

Great. And just had a question come in actually kind of reading real-time. How should we think about business being driven by SD-WAN partnerships, partners you've seen the most success with in paraphrasing there? But relative to completion of a SASE vision, are you advantaged/disadvantaged from partnering with SD-WAN versus having SD-WAN yourself?

It's a very good question. So first of all, SD-WAN, our view has been that we will be the Switzerland for SD-WAN vendors. So we'll integrate whoever like to integrate with us. #1 SD-WAN vendor in the market of Cisco, as you would expect, and they dominate especially on the high end. Most of the high-end customers have bought Zscaler, Cisco SD-WAN, connects with Zscaler, works beautifully. The other 2 main vendors in the enterprise we see and work with, VMware is one, they got Viptela -- sorry, VeloCloud SD-WAN; and HPE Aruba, okay? Those are the big ones. Now regarding our position, do we want to enter the SD-WAN space or no? I've been asked this question many, many times. I've been asked, why don't you buy another SD-WAN company? The answer is we believe in the zero trust world. You decouple network and security. You don't bring them together. In fact, it's unfortunate that a SASE document that Gartner wrote, which was essentially a framework that says this is how things come together. It was never meant to say that. You should put security in the SD-WAN box. That's what some of the vendors are trying to do. Gartner, about 2 months ago, published a new research paper. It basically said, SASE should be broken into 2 pieces. There's a security piece. They call it SSE, secure service edge. That's a zero trust piece. That's where it talks with the functionality offered by ZIA, ZPA and ZDX. The second piece, they call it WAN Edge. That is the networking piece and SD-WAN piece. You could not even do a Magic Quadrant on SASE because it's more first with lots of things around it. What is it? They're doing an MQ or Magic Quadrant on secure service edge. So I think -- and I had discussion with Gartner many times, the zero trust network access says decouple network from security. If you decouple them, why should I really try to intertwine the 2? So I think it is an advantage for us, not to be pushing SD-WAN as our own product. In fact, the recent discussion with CTOs I'm having, there's 1 CTO said, "Jay, I'm rolling our SD-WAN without a WAN." That seems weird. What does that mean? He said, "We all read that wide area network, facilitates threat to natural movement. Once you're on the WAN, you can go anywhere. If you do SD-WAN, you are facilitating movement of threats. I want to build my branch offices like Starbucks or a hotel. They won't be on my network. Just like you come from home through Zscaler. I want to come from a branch office over the Internet without a WAN and access whatever I need to access. I think that's where the world is headed, but we support SD-WAN, and we work without SD-WAN as well.

Sure. Well, gentlemen, that's all we have time for today. Thank you, both. Great to see you, and best of luck.

Thank you, Rob.

Rob, thank you so much.

Take care. See you later. Bye.

Goodbye.