2023-09-12 16:55:23 ET
Zscaler, Inc. (ZS)
Piper Sandler Growth Frontiers Conference
September 12, 2023 2:30 PM ET
Company Participants
Jay Chaudhry - Chairman and CEO
Conference Call Participants
Rob Owens - Piper Sandler
Presentation
Rob Owens
All right. Well, good afternoon, everyone. Rob Owens with Piper Sandler covering the Security and Infrastructure Software segment. Really pleased to introduce our next company, Zscaler. And with that, Jay, please join me.
Jay Chaudhry
Thank you, Rob.
Question-and-Answer Session
Q - Rob Owens
Thank you very much. Thanks for coming. So Jay, last week, you reported a very strong fourth quarter, and I'd love for you to high level to talk about the broader macro and what you're currently seeing from customers regarding general purchasing behavior and security prioritization?
Jay Chaudhry
Yes. The macro environment is still tight, but it does feel like it's getting slightly better in terms of scale of scrutiny. As you know, a few quarters ago, the scrutiny on deals, especially larger deals, got tighter and tighter. But we have adapted and our area is very good. Cyber is number one priority. Cyber budgets have not been impacted a whole lot. In many cases, they're similar. In some cases, they've gone up. But if you can combine cyber along with cost savings, it becomes very attractive.
Zscaler is one of the few cyber companies that actually eliminates a lot of point products and that results in a pretty good amount of savings. So we combine the two and then by really having engagement at the C level, which we have done for years, it's helping us. So you saw strong results. We still have to work harder to close deal than we did four or six -- four, five quarters ago. But I would say it's slightly better. I'm not here to say it's turnaround, but it feels better.
Rob Owens
So I guess, to that end, you're in Nashville for multiple reasons, not just to hang out the honky-tonks on Broadway, but there is a CISO forum that's happening here in town. So I know you spoke over there. You've obviously been speaking to customers and prospects. Would love to know just generally, what are a lot of the themes they're talking about? And what are they struggling with in this environment aside from trying to do more with less, with budgets?
Jay Chaudhry
So the message is very clear that customers are worried about cyber threats happening. I mean, it goes, it happens all the time. I mean yesterday, big headlines, MGM results, right? A week before, a week before. It keeps on happening. So CISOs are worried and nervous, then SEC ruling comes on top of that. The job of CISOs is actually getting much harder. Four or five years ago, they would often talk to me and say, "Man, I'm not getting enough attention and time and budget." Now they're being asked to present at every Board meeting. So there's definitely focus and Zero Trust is one of the key themes of what we are trying to implement. But they do acknowledge that Zero Trust is getting kind of lost out there, in terms of meaning, because every vendor is trying to change it. But it is a priority and most of our projects are driven by Zero Trust. It's not just CISO priority itself, so actually CIO priority. It's also a Board-level priority. So I do not think there will be a budget issue in cyber side of it.
Now there are 3,000 cyber companies. Each just talked about my budget is better than yours. So the platform plays, certainly an important play where CISOs don't want to say here, here, here. Can you give me a good set of integrated products for a given area? And that's what we are hearing.
Rob Owens
So let's dive a little bit into network transformation and just where we are in the journey. And I remember in the early days of Zscaler, we sat down and you were -- give me grief about some of my other recommendations. We won't get into that right now. But the conversation shifted where you made the comments to be successful in security, drive ROI in one area, commoditize it and then add on. And we look at just a simple VPN lease line replacement cycle, which I think we're still in the early innings there.
Jay Chaudhry
MPLS.
Rob Owens
Plus the -- MPLS aspect, plus the add-on. So maybe you can just speak to where you think we are, in terms of this network transformation?
Jay Chaudhry
Yes. So eight, 10 years ago, most customers had MPLS, okay? Big, big costs. Today, most customers are in some stage of the journey. SD-WAN rollout took longer than planned. Five years ago, I were here. I am trying to deploy SD-WAN. I had done it for a few dozen branches on slow down. But that was driven largely by cost savings, too. So -- but one of the things we offer was we could take off all the Internet from every branch, all the Internet-bound traffic and give you quick savings because the amount of traffic that needs to go back to the data center on SD-WAN or MPLS is actually a small amount.
So our customers, which is 40% of Fortune 500 companies and some of the other large companies, they have actually realized a big chunk of MPLS savings. But this journey is still going on. I would say for -- to quantify, probably half where the costs are taken care off, the other half where it still needs to be done. That's my personal guesstimate.
Rob Owens
All right. And looking ahead is software and IT spend normalize, what are the biggest growth drivers for your story or your slice of the security pie?
Jay Chaudhry
So if you look at Zscaler, we started out providing secure, direct, fast access to Internet and SaaS applications, the ZIA family has done quite well. Then ZPA was added to provide access to internal and private applications. Those two have done very well. ZPA, whilst tiny at the time of IPO, ZIA was about 90% of ARR and ZPA was about 10%. Today, both are significant. In fact, ZPA last year grew about 57% year-over-year. Both are big flagship products for us. Then Zscaler Digital Experience came along. I mean one of the things I'm proud of is we don't really look at it and say, "Hey, Gartner or IDC is asking for this market or that market." We are in tune with customers who look at the problems and some of these problems are newer problems, when you work from anywhere.
All these network performance-monitoring products are useless. They're only designed to figure out performance between the branch office and the headquarters of the data center, that's it. Now if applications are in the cloud like SaaS, they don't do anything about it. If you're sitting at home, they don't do anything about it. So we came with the idea that we need to be user-centric, user-focused, we built Zscaler Digital Experience. No one had anything like this out there. No investor asks us to build anything, no, but customers actually were having pains. We built it has become very fast-growing product. So that's one of our emerging products.
The second area that's growing rapidly for us under emerging products is workload communication, workload protection. How do you make sure workload can talk to workloads, workload can talk to Internet in Zero Trust fashion? That's one bucket. And this ended up being about 18% of our new business last fiscal year, fiscal year '23. This was almost 0% about three years ago. It's pretty remarkable.
One other area worth highlighting. We don't really call it emerging because it has been growing nicely. It's data protection. Data protection was part of our portfolio all along, but not fully flushed out. Customers want to start with cyber protection first, make sure they don't get compromised. And now that's done as traffic goes out through us. Most of the data is lost to the Internet. So it's natural for them to turn on data protection. Some of the large, large companies in the world, they have been using Symantec 1, 2 DLP products, okay?
So when three, four years ago, we were talking to them to put our DLP in. They said, it's pretty good, but not good enough. Go and add EDM technology, IDM technology, this is exact data match, index data match, optical character recognition and workflow automation. We've done all of that. Now we are taking out some of the large -- Symantec 1, 2 deployment. But it's natural for us to do DLP in line because we are sitting in line and we just got to just nearly $0.25 billion in data protection ARR. We expect it to grow at a pretty good pace.
Rob Owens
Yes. And that really was dovetailing into my next question around because you highlighted it, I think, twice on the last call and I think 15 years ago, I was on this stage at RSA, interviewing all those independent DLP companies. So I guess to just shift the question a bit, how much market is there in DLP? What are people using? And does it work and then you can start to think about GenAI and where data is, where data goes?
Jay Chaudhry
The whole DLP and actually cybersecurity market is growing at a much faster pace than most of the estimates. The reason is that the estimates are based on old security product paradigm. The new paradigm is changing a lot of that. Take data protection, five, seven years ago, data protection was in line DLP, period. Then came, how much your data in SaaS applications sitting in Salesforce, Office 365, do you protect it against oversharing, CASB was born.
Then this new hope. The Salesforce and Office 365 could be misconfigured. How do you protect that? SaaS security posture management showed up? Then lately, you said, my Salesforce is good, I trust it. But Salesforce is connected with 30 applications that are SaaS application. Through API, data is exchanging, data is going out there. And probably half of those SaaS applications are startups and probably half of them are getting shut down. They've probably done nothing for data to protect the data.
Also that's a supply chain ecosystem. So all this stuff is expanding the endpoint data protection, all that stuff. It's a big market by any number. It's probably far bigger than $10 billion, but Gartner put the number at $10 billion. It's a big market. And I don't think there's room for stand-alone companies in data protection. There will be some of these companies a little bit. They get acquired. We had done a couple of acquisitions. And it makes sense. You want same policy, same protection for data that may be headed to the Internet data that's sitting in SaaS applications to life. So we are in a very good position to leverage it.
Rob Owens
So where does the thought process or in the vision for Zscaler start and stop? And in terms of that, I mean, if we look at cloud, you have workload production. You've also got the cloud native application protection platforms because they paid by the letter in acronyms. You know that, right? Your partner does. So if we just think about Zscaler's opportunity of sitting in the middle, the switchboard. What areas are ripe for consolidation from a best-of-breed standpoint not just going and buying? And what areas do you just say, we're going to partner there?
Jay Chaudhry
Right. So if you just think about user protection, protecting users, user is the weakest link. So either it's user or its applications out there. User is the weakest link. We are sitting between all communication that users have with any kind of application. So that is one piece. What does that do? It essentially replaces your entire DMZ. It's a little geeky term, but it's called demilitarized zone, in the old world of castle-and-moat security, normal mode around the castle, so is the moat.
When you go in the castle, they check x number of things, are you taking ransoms, do you have the right ID, whatever else may be. When you leave the castle, they're going to check x number of things. Are you taking anything with you and the rest of the stuff. So ZIA is like an outbound DMZ, ZPA is like inbound DMC, we replace all of that. If that's gone, what's left? For user protection point of view, you do need endpoint security. It's like having a lock on your house, so people don't get in. We are like an international airport. They're going to stop bad guys at the airport. They can't even get close to your house. You do need identity. And when the logs are generated, you need some kind of system to really take those logs, data lake and SIEM kind of solution.
Outside that, all these firewall appliances, VPN, none of that is needed. Now I get asked the question the data center. Data center still has some firewalls protecting applications and doing from the east to west traffic for segmentation. Now while our technology can take it out. I would rather move where the puck is headed in the cloud rather than fight in this data center area, which is kind of going away. That's why our focus on workload protection is an opportunity. So user -- most of the revenue you've seen so far is user-centric. Workload Protection is the next growing category for us. And Workload is the same switch word technology, adapted for workload communication with some of the additions done for identity type of stuff.
Then IoT/OT communication, think of this way. It may not be next year. But it's a matter of time, whether it's two years or three years, more and more IoT/OT devices, everything has IoT/OT device, everything new will have IoT/OT devices. When gas station companies are converting into charging points. The -- those are IoT/OT devices, they send telemetry about their health. They need to be reached out from outside for certain information.
So with Zscaler SDK, we become the switchboard. And those devices will end up using a 4G or 5G SIM card in this. So the basic connectivity is a underlay, we become the overlay connecting. That's where we're headed in this IoT/OT world, and we are very, very much suitable for that. There's no VPN kind of stuff that works in the area. The one other area for us for expansion using the same core switch word technology is suppliers and customers, where the world is headed online, there'll be more and more applications and information available for sub suppliers and customers to interact with you.
Today, you create an application portal, make it open to the Internet and your customers can come and access it, but so can millions of bad guys can do that, too. So having that access is Zero Trust fashion becomes important. This area is taking off the new role that's being created out there is called Chief Digital Officer. CIO's job primarily traditionally has been internal IT. It doesn't necessarily generate lots of revenue. IT has been a cost function by and large.
The CDO role is not internal IT. CDO's role is to digitize my business. So I can get all the telemetry, all the information about my business transactions and the like. And I engage with a customer, my customer can't put my orders online. They can see the status, shipment, all those things, we call it B2B access. This could be bigger than your employee access and that's the right opportunity for us to go after. So these are next big opportunities for us to pursue.
Rob Owens
So given that vision, I'm guessing you're on a plane to Vegas after this for a sales call maybe or somewhere, right?
Jay Chaudhry
Actually...
Rob Owens
You look at what MGM just went through, the shutdown of the entire ecosystem from ATM to restaurants to getting in your room.
Jay Chaudhry
It's a shame. There are so many customers out there who are just sitting on VPN firewalls. The sad thing is the legacy vendors are worried about getting this update. They're all telling that buy my more VPN in the cloud. They don't call it VPN anymore. They say hide all of that stuff, but that's underneath. They're creating a false sense of security to protect to kind of generate revenues, but it's hurting companies, it’s hurting every...
Rob Owens
Have you changed your view around identity? And I know that's an area you always want to avoid, and you partnered with Microsoft because originally, Zscaler actually made Microsoft work. I don't know if a lot of people know that, but I remember the history. Maybe a few gray hairs of what's left on my head. But have you changed your view around identity longer term?
Jay Chaudhry
Our philosophy is do not do things where the market is mature and commoditized, because commoditized, they're already taken, there's only room for 1, 2 or 3 leaders in a given market segment. There's a fascinating book that a professor from Georgia Tech wrote about 22 years ago. It's called the Rule of Three. Check it out, The Rule of Three. It is Professor [Jack Segts]. He said in any segment, there's only room for two or three. You would say, FedEx and UPS and DHL. You would say Home Depot, Lowe's and -- not sure. Coke, Pepsi and maybe Dr. Pepper. And said I think in the high-tech world, there's room for not even three, okay? In a given area, there will be less and less players out there. I didn't see -- we integrate those with Identity, let Microsoft and Okta and Ping maybe do something in this area. If there's an opportunity to disrupt identity and do something totally differently, those are the kind of things we will be interested in.
But I don't need to try to go into every market. Our own market segment, if you look at the TAM, it's well over $72 billion by the time you put all these things together. I would rather take my core competencies and be the best in the area I'm in rather than -- other than I would partner. There's no need to have a poor product I've been asked by so many investors, why don't you get into endpoint security.
Every firewall company is an endpoint security, right? The big ones for a company. They all have endpoint solutions. I never hear from any customers that if we bought any of the solutions. So go after new innovative markets that no one else has gone. It may take little evangelism. But we are known to really figure out new stuff and make it happen.
Rob Owens
And in terms of the model, obviously, it's a massive opportunity. You're a Rule of 60 company. Congratulations on that, too. And that's very tilted towards the growth side. So how do you think about managing growth versus profitability moving forward and investing in growth, in the leaning of a couple of years ago versus returning margin and free cash flow margin for the Street?
Jay Chaudhry
So growth is our #1 priority. And if we need be, we can be a little less aggressive to make sure we can deliver reasonable bottom line as needed. But see everything starts from not the CFO managing expenses. It starts with the architecture of the model you put in place. The architecture built with our own data center, own high-speed technology. We do it on our own TCP networking stack, there are less than 20 companies in the world have written.
All those things are giving us architectural advantage that others would not have. You combine that with a lot of our operations from day 1 were in India. Most of the finance team is India, half of the engineering team is in India. So with that, our gross margins are sitting at 80%. If anyone else would try to do what we do, the kind of traffic, actual traffic moving I think they'll struggle to set at 60% or so.
If I'm sitting at 80%, I have a lot more freedom to invest and do things I need to do. So leveraging that basic foundation. That's what we try to do well. So the way we built our platform to be extensive. We didn't go and buy 10 companies in there. Our acquisition for small tuck-ins to really be integrated it works for well for our customers, working well for us. But you'll see us keep on pushing for growth while keeping the bottom line in mind, our operating margins have been pretty good.
Look at cash flow last year, fiscal '23, we delivered what? 20.6%? I think '24 probably will be better than that. I mean, if you're doing too much more, that means I'm not investing in the business enough.
Rob Owens
Fair enough. I've left time for one question, if there is one from the floor. Going, going. Obviously, there's a GenAI question.
Jay Chaudhry
Go ahead. No talk will be complete without one.
Rob Owens
So we'll wrap with GenAI, the opportunity for you. And what technologies Zscaler is looking at adopting internally to drive efficiencies from a GenAI perspective?
Jay Chaudhry
So you can look at getting efficiencies and you can always get efficiencies because GenAI can do automation and the user interface and all can be simple. And that's -- everyone will have to do that. I think our big opportunity is that GenAI needs data to really be able to -- whether you do predictive AI or GenAI. And we uniquely have far better data than any other cyber company. We got some 320 billion transaction logs today over 500 trillion in total signals a day.
Being able to feed that to GenAI, we want to be able to predict a breach. Imagine if we could reliably predict this company is likely to get breached because we are seeing step A, B, C, D, because of massive volumes of data. That's the kind of stuff where customers will pay a lot of money.
In the short term, could we get some extra money from co-pilots of the world? Yes. Eventually, there will be table stakes. But application like Risk360 that we launched recently, is a wonderful application that takes advantage of all the logs and data we have to tell the CISO, the overall risk and the factors that are contributing to it and what can you do to minimize it. So we are bullish on the opportunity for revenue growth there.
Rob Owens
Okay. What about internally, what efficiencies are you hoping to drive? What technologies are you excited about?
Jay Chaudhry
So quite a few. We have the two or three big areas, customer support is one of the big areas where I can automate a lot of things, the number of support engineers needed better, faster answer. That's number one.
Number two, on the marketing side, too, being able to create all the marketing content, I want to localize content in German and Swiss and all that stuff. It's a good starting point. It's not perfect, but I can easily edit it and in engineering to a lot of stuff in our engineering automation. We're using GenAI to figure out global cloud traffic bottlenecks here, there, what not, type of stuff. It's a combination of predictive AI and GenAI. GenAI can package the answer properly, but predictive AI, which is traditional, can actually predict what's likely to go bad where. And so a combination of the two, we think will benefit quite a bit from it.
Rob Owens
Great. Well, Jay, thank you for your time. Thank you, everyone.
Jay Chaudhry
Thank you.
Rob Owens
Always a pleasure.
Jay Chaudhry
Right.
For further details see:
Zscaler, Inc. (ZS) Piper Sandler Growth Frontiers Conference (Transcript)