Zscaler, Inc. (ZS) Earnings Call Transcript & Summary

All right. Well, good morning, everybody from New York. My name is Hamza Fodderwala. I'm the cybersecurity analyst here at Morgan Stanley. And with me, I have the pleasure of hosting the team from Zscaler. We have the Founder and CEO of Zscaler, Jay Chaudhry; as well as the Chief Financial Officer, Remo Canessa. Before we dive into the questions, just a brief programming note from our end. So for important disclosure, please see the Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures. With that, Remo, Jay, thank you so much for joining us.

We'll jump right in. So Jay, Zscaler was founded on the premise that the traditional network security model is broken. Can you explain why Zscaler's architecture is fundamentally different and better than that traditional model?

Thank you, Hamza. And if I were to give you a simple analogy, a few 100 years ago, if you needed to protect your castle, you built the moat around it. And no one could cross the moat. Moat was safe. That's how our network security was done by using firewalls and VPNs as a moat to the castle. Then cannons came in. Then moat wasn't that good. Then we started to build the wall taller and taller wall around the castle. We have been spending billions of dollars on security. And then air fights got invented. Even tall walls don't help. So using the analogy, let me walk you through a couple of slides, and visually, you can see the story better. So what's the problem? Well, over the last 30 years, when IBM era ended and we started building applications in the data center and we had branches. Cisco was born to help you connect branches to the data center. We extended our network to every branch office. That's wonderful. Then we wanted to work from home. We extended the network to every household using VPN. Then we wanted to extend the network to cloud because applications must be on the same network users are on. And then we got tired of managing appliances. We came out of virtual firewalls and virtual VPNs. Whether you call them virtual or whatever, VPN is still a VPN, firewall is a still firewall. What is the problem with this model. Number one, attack surface. Anything that resolves the open Internet, whether your firewall or VPN or an application, can be discovered and attacked. Bigger your attack surface, the bigger risks you have. Number two, they try to infect you as you connect via Internet. We must prevent compromises from happening. That requires proper inspection technology. Three, the most dangerous one. You see this network, it's well connected. Any user anywhere can access any application. It is like, I get on Interstate 18, San Francisco. I can reach New York, Miami or Dallas without hitting a single lights. It's so wonderful. But so can the bad guys. A single infected machine in some household -- since it's on your network, in spite of all the firewalls and everything, it can infect the whole thing. Then you start wondering, should I create network segmentations. It is like trying to build walls inside the castle because you're worried that I got permission to get in the castle. It's not very pragmatic. And then bad guys want to exfiltrate, steal your data. These are the forcing that should be fixed to do things right. Not putting people on the network to secure the network is fundamentally the biggest thing we needed to do. So what does that mean? I'll give you a simple analogy. If I come to see you at your headquarters, they stop me at the reception, they check my ID, and they say, Jay, if they said, go unescorted to meeting room #22 unescorted. I could wander around going to any room that's open, adjacent buildings that are interconnected. Like your branches, connected to your data center. I could snoop around and leave. Not a very good thing. Do any of you allow visitors unescorted in your headquarters? You don't. But when your people get on the network in the office, or through VPN, they get on the network. That's exactly what it is. They can snoop around, look at every application, whether they're allowed or not. How do you fix it? A new architecture where your buildings go dark. No big logos out. Nobody knows they exist. They're not interconnected. And you're still at reception, gets moved away from your building. So people don't even know where the building is. They come to see you. You're stopping at the reception. They check my ID, and then they say, Jay, stop. You'll be blindfolded and escorted to room 22, and 22 only. Your meeting happens. You get blindfolded and gets walked out. Each building is like a data center or Azure cloud or AWS cloud. Each room is like an application. You are only granted applications, access to certain applications. So in the same way, in this world, your applications are merely destinations. Your users are all untrusted. They're not on the same network. There's no routable network. We are sitting in the middle as an intelligent switch board. Users come to us. We say stop, who are you? We authenticate them using Okta and Microsoft Azure AD. If the check passes, we say, where are you going? You could -- or say you can only go to 3 applications here, there. Just like you can go to room 22, and 22 only. Three, what else is the risk? Identity can be stolen. Looking at the kind of device, working with identity -- device vendors like CrowdStrike and Microsoft, location and all better, next level checks. Are you getting bad things? This is boring airports analogy. You don't want dangerous luggage on the plane, in the same way you don't want users to download dangerous stuff by mistake. So we inspect, stop it and reconnect. That's how our ZIA has been working. In this case, going to Office 365, internal applications. The first 4 steps are similar. The last 2 steps are very different. With Connect, we're allowed to do only outside in connection. It's like don't call me, I will call you if I need to talk to you. With that your attack surface goes away. Your applications are hidden. They can't be discovered. And you know, lateral movement. Remember, Colonial Pipeline, they stole VPN credentials, gone on the network, moved laterally, found billing applications and boom. The lateral move -- this is the opposite of firewalls and VPNs. When I get asked, they can do the same thing. No, no, not at all. Yes, you probably can say I can put some guardrails around it, but it's not design like that. Thinking about Zscaler architecture versus firewall, it's like comparing Tesla to a traditional internal combustion engine car. You can say both get to the same place. Yes, they can, but one actually really makes life simple, clean and all that stuff that other doesn't. So with that, probably we should move on to the next level Q&A, Hamza.

Sounds good. That was a really helpful review. So it's clear that the market is coming around more to this more efficient way of network access. So let's assume -- or let's say, Zscaler is Tesla. Your Elon Musk, except less prolific on Twitter. What do you think is the pace of adoption here because there's a lot of existing infrastructure on-premise, a lot of data center, a lot of existing investments that's been made around traditional forms of networking. You're still seeing companies buy on-premise firewalls. We're certainly in the midst of a refresh cycle. So when you think about the pace of change in this market, do you think it's really accelerating, coming out of COVID? Or do you think that is going to take multiple years for this to really become mainstream?

First of all, you can see the growth from our number, 71% billings growth, 62% revenue growth at a scale of $1 billion in ARR. It's pretty good. Now COVID, the biggest thing it did was change the mindset. When suddenly people discovered that, I have a massive network with network securing 600 offices. No one goes to those offices. That network is never used and the business isn't happening. So they realize that the legacy network and security they depended upon is really not that critical. That was kind of a great moment. That's when customers felt like, I can jump on and start doing Zscaler a lot better, a lot faster. That's point number one. Point two. If you ask me, my competition is not legacy vendors. It has been inertia. People are used to doing in certain ways, lack of understanding and knowledge. They're seeing our brand and awareness go up big time. Now there's still a lot of traffic that goes through the data center. The direct access to Internet and cloud application is still not early stages. Most of that is done by Zscaler. And that's only about 25% of the Global 2000 company. I bet most of others went traffic routes to traditional way. And it's growing. You need to buy more routers in the data center, more switches, more firewalls, more proxies and the like. I've seen this movie before about 4 or 5 years ago, I was asked, you're doing so well, why is Blue Coat sales still going so well? Well, because they're only peeling off a small piece. The big piece was still going to data center. I believe it's the same thing will happening with firewall. Firewalls are needed in the data center. We don't replace firewall data -- firewalls in the data center. But you know what's happening to data center. It's not growing, it's shrinking. It will be faded out. In the world of cloud, in the cloud, there's no room for firewalls. There's no model that makes sense. We believe, as more and more applications go to the cloud, our offerings like Zscaler Zero Trust for workloads, just like Zero Trust for users is actually the right architecture for that. And I think it's a matter of time when firewalls and VPNs will fall off the cliff.

Got it. Okay. So your Tesla -- we're going to stick with this analogy. You're a great car, you're a Pioneer, but Volkswagen has a great electric vehicle as well, was to say that some of the network security vendors, some of the incumbents can build a similar architecture to Zscaler by either having their own POPs or leveraging public cloud providers and close the gap versus you, Tesla over time?

Sure. Well, we remain paranoid. So first of all, let's think about the POPs thing. Can I take my firewalls and spin them as VMs in Google Cloud or whoever's cloud. Yes. You can do that. But it is like, if you are a DVD player manufacturer, and you need to compete with Netflix streaming service. You can spin up DVD players in every data centers of Google and AWS per consumer because a single tenant. Will it work? Kind of. Would it scale and will have the reliability and functionality of a cloud-native stuff? Not really. So that's point number one. Every vendor tries to take what they have, and kind of bolt-on, things to make it work for the new world. That's what Siebel tried to do to compete with Salesforce. They have what people saw try to do to compete with Workday. And that's how legacy firewall guys are trying to do to compete with us. So I think, of course, they can go and build a new architecture. Architecture is not like a feature, you can add in 6 months or 12 months. We built a clean architecture starting in 2008. We're evolving it and growing it and it's become very robust. That's point number one. Point two, building technology that sits in traffic path to inspect traffic without introducing latency and catch all the bad things is hard. But running a massive cloud that makes sure you get traffic and everything, it's literally 10x harder. When I started, I did not realize that I had to learn about networking and traffic forward into my cloud and all the stuff. We essentially had to become an ISP where we can control traffic routes in the line. That's a tall order to provide 99.99% latency -- sorry, uptime. And the market keeps the moving fast. I -- look at what my portfolio looked like in 3.5 years ago when we went public. Today, it has expanded. We think security segments will cease to exist the way they have been for the last 30 years. The cloud is upending everything. And we keep on innovating. And guys obviously will try to catch up with us. But our innovation speed is pretty impressive. And we're very happy with that.

Got it. So you made a point about security segments increasingly getting blurred. And I think we're seeing some of that, the network security or the SASE market as we now call it. But when I think about Zscaler, when you come into a customer and you sell ZIA, ZPA, this might be a good opportunity to bring onto the conversation as well. What are some of the cost savings that the customer has from either getting rid of existing point solutions, maybe getting rid of certain costs in the networking side. What is the typical ROI that you might see?

So Remo, I can start. Then you probably, you can chime in after that. Perhaps, if the slide can be shared. I'll show you one final diagram. You can see it. That's great. But in this world of the journey we take you through, you select cloud providers, SaaS provider, data center as your destinations. Your users are anywhere and everywhere. You're sitting in line like an international airport, enforcing policy, who can go where and what not. So we have subsumed all the functionality that's done by typical network security vendors, which is a massive market. We integrated identity providers, a very important piece for Zero Trust architecture. We work with endpoint vendors. That's a platform of its own, to make sure you can do device caution or the like. You need security operations. The whole thing from dozens and dozens of point products becomes platforms that are meaningful. We become one of the important platforms. The savings come from removing all the network security gear or eliminating it or not having to buy more for the cloud world, savings come from not having the network cost and the like. So ROI is never an issue in our case. And also as we do our sales that are driven at the CIO, CISO level, they actually drive the transformation because, transformation is not driven from the bottom. Pricing and ROI has not been an issue for us. It has been a matter of reaching the right audience to engage with.

Got it. So you mentioned the expansion of product portfolio. Obviously, the core product you started out with ZIA, ZPA. It seems like the next pillars are now the ZCP and ZDX. I want to start with ZCP. Can you talk a little bit about what you're doing here that's different? Obviously, you have a CSPM. It seems like everybody has a CSPM these days. But what I think what you're doing differently is around the workload communication side. So maybe explain a little bit what that is and why that's going to be more relevant for cloud security architectures going forward.

Yes. Let me lie to explain it in a simplistic way. Security is so confusing. I was having dinner with Gartner, VP of Research 3 years ago at RSA. He said, Jay, I started at 8 a.m., had 9 meetings. And at the end of the day, this was 9th security event. He said, I'm more confused at the end of the day than as of the start of the day. So I can kind of think about how investors are trying to sort it out and stuff. But think of workload security, cloud security in 2 buckets. One is inline communication, which workload can talk to which workload. To do so, you must sit in line and communicate in each. That's like similar to what we did for users to application communication with ZIA for one kind of applications, ZPA for second kind of applications. So with ZIA, ZPA, as you know, our users can talk to any application, anywhere. Think of workloads as mirror image of users. Workloads talk to Internet, workloads talk to other workloads. So we've taken the ZIA and ZPA, applied it to the world of cloud. So now we have Zero Trust for workloads as highly, highly differentiated Zero Trust. There's nothing -- what's the competition there? Firewalls and VPNs, legacy, okay? So we believe, we'll confidently replace that stuff. And then this further micro segmentation, which says, who talks to who. That's one piece, we're pretty well differentiated. The second piece is not in line, out of band, which means I read logs from hyperscalers to see how well are these workloads configured, which users have access to which workloads, that's called information, entitlements. Everyone reads a same logs, everyone has the same API calls. It's a matter of who has better UI, who has better UX. That's why you see my team counted over 100 vendors in this space today. This is a piece of the overall cloud portfolio. We did 2 acquisitions in that space to speed up our delivery. We believe our combined solutions for in-line communication, combined with out of band policy and force posture check gives us an advantage, but that's a very young market. It's evolving. And we are investing in it.

Got it. Got it. Can you remind -- so how does the ZCP product on the workload side, how does that get priced? It's per workload, so we're talking VMs, containers, in particular.

Yes. It is. It is by number of workloads. Our subscription model, just like the users, we are based end users, workloads is based on workloads. And there's a little bit nuanced sophistication to that. But some of the workloads that come and go, we have a little bit nuanced model. But for simplicity, you can assume that by number of workloads.

Got it. Got it. So you recently turned some heads on your last call by mentioning $5 billion ARR goal. I'm curious why $5 billion? Why not $2 billion or $3 billion, first? And how did you arrive at that number?

Internally, we're debating $5 billion or $10 billion. Remo convinced me to go only with $5 billion. He said, your investors will be happy with $5 billion. But it's a big market. It's a massive opportunity. The solution works. It's highly, highly differentiated. And we are seeing great momentum. We really -- if you ask me, what's stopping us, right? We have -- the market is coming to us at a rapid pace. COVID further accelerated it. We have the architecture sales, 200 billion transactions today. All these competitors who talk about, yes, they're winning, what's the last time they talked about how many transactions they actually process and all that stuff. Those numbers never get talked about because they're not worth talking about for them. We have customer list. I mean, 35% of Fortune 500, those numbers are growing. We've got customer satisfaction. NPS score of 76. So everything is lined up. So what will it take for us to keep on growing? I think all the factors are largely internal, which is, can we keep on executing? Well, I mean that's where I want to make sure our company stays -- a child. It doesn't become complacent or arrogant. Customer obsession is one of the key values. It starts with me. And we all take care of them. So I think making sure we keep on hiring the right people at each level to keep on executing is probably the biggest thing. And that's what we are focused on to grow from $1 billion to $5 billion. Honestly, I would have been disappointed to just set a target of $2 billion to $3 billion.

Okay. Fair enough. So when you think about that $5 billion ARR target, which I know isn't a formal target. But you mentioned -- you feel like you have the existing product portfolio in place to get there. How much of that $5 billion would you say is going to come from continuing to penetrate within your existing base like the fact that you have all these Fortune 500 customers versus continuing to get net new logos.

Yes. So we look at getting to those -- the $5 billion or getting past it in a few areas. One, as you said, there's a big upsell opportunity. At our Analyst Day, we computed and looked at and say, if we could sell our current portfolio to our customers, ARR could go 6x without getting any new customers. There's a big opportunity out there. And we've shown and proven how we are able to sell bigger and bigger platform. At IPO 3.5 years ago, there's only part of ZIA and that was even business bundle that's grown. That's a big area, and especially when your customers are happy. Two, our new logos. I mean, we aren't slowing down going after new markets. 35% of the Fortune 500 companies have Zscaler. 65% are still there. And especially on the high end, we think just like Blue Coat owned 85% market share, we think, we have a chance at owning a very, very high percentage of higher end markets. Three, this is just user side. The Zero Trust for workloads is a massive opportunity. The number of workloads are going at an astronomical pace. That's opportunity for us. Then Zero Trust for IoT and OT. Those factories and plants are using all technologies with cyberattacks, with ransomware that's becoming a big area of retention. And our core technology of a switchboard connecting right thing to right thing with Zero Trust can be fairly easily applied to it. So -- and then lastly, we aren't going to slow down innovation. It'll keep on happening.

Got it. You mentioned execution. A lot of that, I think, has been done with the really meaningful improvements you've made in go-to-market, which has definitely been doing very well. I think in 2019, there was a bit of a hiccup. It seemed like the hiring quite trying to plan. Maybe, if you could talk a little bit about some of the improvements you made from a go-to-market front. And how you see yourself as a destination for talent today?

Yes. So first of all, when you grow things, a startup starts doing things certain ways. You can go to a few hundred million dollars. Then you go to X billion, you need to fix the foundation at the go-to-market level. It's like, I can build a certain foundation to build a 3-storey building. But if I need to go to a 10-storey building, the same foundation doesn't work. So that's where we changed our lead -- go-to-market leadership. We've brought Dali onboard, and we said, let's set up the foundation, the core things from enablement, from recruitment, from our sales leaders, our training and whatnot, the right way to scale. Those are the big investments we made. We are pretty transparent with investors on what we're doing. And it has worked. It has worked very well. So very pleased. And our customers are very happy. So it's kind of interesting that a lot of sales people we have hired have told me, the CIO of this company, who has become my friend over the past years, told me, hey, you should go to the Zscaler. It's a great, great place. We have become a destination for top talent, while the market is tough currently, but we are actually able to hire pretty good talent and doing very well. We're pleased with our hiring progress.

Got it. Maybe one last question for Remo on margins. So you mentioned growth is the #1 objective, which makes sense. Can you just remind us like, how we should think about Zscaler, when it comes to balancing, growth and profitability? What's the general framework around that?

So what we talked about was that if we're growing revenue greater than 30% per year, you can expect margin -- operating margin expansion of less than 300 basis points. And if it's less than 30% per year, you can expect margin expansion of 300 basis points or more. The reason that we said that, and that's -- and our long-term operating margin model is 20%, 22%. And the reason we said that is, because we want to give ourselves the flexibility to make the right investments to drive shareholder value. You can see that this last quarter, our revenue growth rate was 62%. And from -- when you look at a SaaS model, and particularly of Zscaler with high gross margins that we have, it doesn't take -- it is not hard to get to an operating profitability number. And if we drove operating profitability, we think, we feel it's a disservice to our shareholders and to ourselves. As Jay mentioned, we have a $72 billion serviceable addressable market, and we're in the very, very early stages. And you can see that with our ARR, we are currently in the $1 billion range. There's a lot of room for growth, and we're just very early stage. And we feel that we have a unique opportunity to really capture this market. And we're going to go after it.

Makes sense. Okay. All right. I think with that, we're just about time. So Jay, Remo, thank you so much for your time today. And I don't see you -- have a great holiday.

Thank you. You, too.

Thank you for the opportunity. Goodbye.

Take care. Bye.