Zscaler, Inc. (ZS) Presents at JMP Securities Technology Conference (Transcript)

Zscaler, Inc. (NASDAQ:ZS) JMP Securities Technology Conference March 1, 2021 11:00 AM ET

Company Participants

Remo Canessa - CFO

Patrick Foxhoven - CIO and EVP of Emerging Technologies

Bill Choi - VP of Investor Relations

Conference Call Participants

Erik Suppiger - JMP Securities

Erik Suppiger

Welcome to JMP's Virtual Tech Conference. I want to welcome Zscaler's management here with us today, and I want to welcome our clients on the call here.

Before we dive into Q&A, I want to just encourage our clients to ask questions. We have a box available for any Q&A. And we will take questions real time as they come in. So please do feel free to ask. And with that, I want to introduce Remo Canessa, CFO of Zscaler. I want to introduce Patrick Foxhoven, CIO and EVP of Emerging Technologies with Zscaler; and Bill Choi, VP of Investor Relations.

I think our clients have a pretty good understanding for Zscaler. So I'm going to kind of dive into some of the dynamics initially here. On the competitive front, it's been an interesting dynamic, where I think Jay has said that there's only been two companies that have successfully built a scalable proxy based security solution. And so the question I have is, how come it’s so difficult to build a proxy based security solution the way Zscaler has done it? And why is it something that your competitors have not been able to replicate?

Remo Canessa

Patrick, you could take that.

Patrick Foxhoven

Sure. I can start off. So if you think about what a proxy is doing fundamentally, it's terminating a connection from a user and then creating a new connection on the other side and handing it off to where the destination is going. And you're doing that in line at scale for all connections that are coming to or from the Internet or a user's device, so to say. That kind of brokering of connectivity is just, from an engineering perspective, hard to accomplish. And you've hit off the question well with the lead. And there's been very few companies in this space at all that have ever been able to develop, one, a proxy that works; and two, one that works at scale. And it's because you're brokering all connections all the time and that's just when you're doing that well and you're not degrading performance for a user's machine and then you're also introducing things like inspection into that path, it's not an easy computer science or engineering problem to solve, let alone to solve it at scale.

Erik Suppiger

And I think the idea was that Blue Coat had done this a number of years ago. They did it as a on-premise architecture. And then really, Zscaler is the first one to successfully build this out at scale in the cloud. Talk a little bit about what the dynamics are about building this in the cloud. How do you achieve that kind of scale for the type of data volume that you're able to support?

Patrick Foxhoven

Sure. Yes, there's fundamentally two parts of the scale question. There's just raw capacity part of scale and then there's also the angle that we decided to take, which is add multi tenancy to that proxy architecture. So that we have a pool of resources that can be shared by all our customers, not just like what a legacy proxy vendor would do on-premise for one company we wanted to do and allow that to be shared among all.

So there's two really important parts of that scale. I mean, from what we had to do, we had to -- not to get too technical, but we had to go so low level in terms of our software engineering stack that we wrote the TCP/IP stack from scratch. And we had to build multi-tenancy in at that level, which is kind of as low as you can go from a foundational perspective when you start designing this kind of architecture. And if you go that low level and then you start building out, how do you do multi-tenancy? How do you do all the things that a proxy would do? That's quite a proposition and that's actually the source of quite a few of the patents around the IP that we had to build and why it took lots, lots of manhours and engineering time to build the foundation right.

Erik Suppiger

Okay. And one of the key strategies that Zscaler has adopted is you really developed your own network of data centers instead of using the public cloud. I know some of the companies that are coming after you are leveraging the cloud. Can you talk a little bit about why it's important to have your own network of data centers, and is that a competitive advantage?

Patrick Foxhoven

Sure. Yes. I mean, at the end of the day, the service that we're providing, like I just mentioned, being a proxy where we're taking every connection from a user's machine or device and terminating it and inspecting it and then sending it off in the other way, to do that, not just to the last question at scale, to do that at speed, meaning without introducing the bottleneck, to do that well, you have to be physically close to the users that you're serving, as you have to be as physically close as you can be because no one can claim to go faster than the speed of light, so to say. So what that means is we think you need to be in the tens of milliseconds close to where a user is. And the way the Internet is architected today, that means you have to be in, I would say, a little over 150 sites around the world if you're going to service any user on the Internet anywhere around the world well.

If you look at public cloud providers, they have lots of capacity and infrastructure. The places in which you can run computes, run a proxy, run inspection capability or whatever your service is, those are usually in the dozens of sites, not even close to being 100 because it wouldn't be economical to build the kind of scaled infrastructure that they build in hundreds of sites. They have hundreds of points of entry but then they backhaul it to more centralized regions, and we had to run at the edge. The proxy that we do when a user comes into -- I'm in our San Francisco area. So when I come into our -- one of our data centers in San Francisco, we want 100% of all my inspection capability that's going to happen to happen at the edge and never backhaul to a more centralized region because that's where latency gets introduced. That's where user experience suffers. So I think it's just how do you design an Internet scale infrastructure in a way that we can come in line and not slow anyone down. It quite literally has to be in over 150 sites. You can just can't do a service like that in a public cloud provider today.

Erik Suppiger

Okay. Maybe this would be for Remo. You've talked about your sales efforts. You've described it as a sales machine to sell value and to deliver measurable outcomes at the CXO level. Can you talk a little bit about why your sales strategy defers from a lot of the more traditional enterprise sales models out there?

Remo Canessa

Yes. That's a great question. Related to the traditional enterprise sales models, there are four basically selling appliances, you're selling more to the mid level. What we're selling truly is a transformational sale related to changing the architecture from legacy architectures that were built basically to the world 20, 30 years ago versus where it is now. Our sales approach is different than anything I've seen. For example, we'll start with CXO events, which lead into lead generation. And then we work with SIs and SPs and VARs. And our percentage of the business through SIs and SPs is higher than I've ever had in companies I've been at, and I've been at both security and networking companies. And then we basically go into identifying where the pain points are, and those are basically we have CXOs on board, former CIOs, and CISOs, and VPs of networking, which work with our top level customers at the C level. And we talk to them about the benefits of basically Zscaler, which then goes into architectural reviews and whiteboard sessions with solution architects that we've got on board. And so we'll actually whiteboard how things will work in a Zscaler world and the benefits. And then we demonstrate ROI.

So we'll have a business team that goes in and talks about, these are the savings that you're going to get. These are the efficiencies that you're going to build; things like MPLS savings; savings related to not having to buy equipment and put it into your data centers; savings you get by not having to manage it because all you do is basically once you set up your policy, you point the traffic to Zscaler. Then we'll go into deployment, so deployment through our deployment services. And we monitor it and we'll do quarterly reviews with the companies. And then from that leads into executive briefing centers, kind of giving high level view of where the world's going and where Zscaler is going. The benefit is when you have access to the top companies in the world and really the top level people in these companies, the information that you get related to the future direction of what we develop is significant. So that's that cycle that we have, that we've created, which is, like I mentioned, it is not like what it is with traditional appliance companies.

Erik Suppiger

I imagine that extends the sales cycle in a pretty notable way. Can you talk a little bit about your sales cycle and how the deployments work?

Remo Canessa

Yes. I mean the sales cycle for smaller companies, once companies make the decision to actually do transformation, three to six months; large enterprises, six to 12 months. Anecdotally, it feels like it's getting shorter. Clearly, with COVID last Q3 last year, with our high ZPA, our sales cycles were shorter, but the world's changed over the last year significantly. And from the start, COVID was like the thing that got people thinking about their networks, their infrastructure, which led to thinking about, man, I'm not ready for this new world. So I've got to rethink how I'm going to do things, and that's digital transformation. Then from a Zscaler perspective, we've got four pillars now. We're not only user protection or workload protection. So we were ZIA and ZPA, but then we introduced ZDX, which is monitoring and identifying where problems are and ZCP, cloud protection, which is workload segmentation, workload communication and CSPM.

So the breadth of the platform has increased. And so what that did basically is at Zscaler, we've always said we're a platform. And as Patrick talked about, we developed it -- not we, Patrick, because Patrick one of the early, early people in the company, and the founding engineers built the platform to scale. And so we're seeing 150 billion transactions per day right now. So we're just in a unique position. And now you've got SolarWinds in the supply chain, which kind of points to the, wow, how do you protect yourself? What is the basis of Zscaler? Well, we're SASE, Secure Access Service Edge, as Patrick mentioned, closest to the applications, speed of light. Don't go through your network and expose yourself to potential vulnerabilities that happen when you have VPNs going into your network, which can transcend across your network and zero trust. That's Zscaler, zero trust. So that is resonating with companies right now.

Erik Suppiger

So just to be clear, had a client of yours has been using SolarWinds, would using Zscaler have restricted the attack, would they have been secured if they were using Zscaler?

Remo Canessa

I'll let Patrick answer that.

Patrick Foxhoven

Short answer is yes. There's quite a few different parts of our platform that would have. Now there's no silver bullet to security, and nothing is impenetrable. But we even took the opportunity to look at our customer base and identify customers that we saw that potentially could have been compromised by it and reached out to them proactively. And our platform fundamentally helps with, not only preventing the source of infection but creating what we call zero trust network access segmentation zone, so that if something is compromised, things can't spread laterally. And then we also very much are relevant when data is exfiltrating out of the environment, we help prevent that. So short answer is yes, very much so.

Erik Suppiger

Remo, let me ask, you had mentioned the cost savings to the customers. I assume that's based on a TCO analysis. What kind of cost savings do customers generally get when they migrate to a Zscaler architecture?

Remo Canessa

It can be very significant and what I'll point to basically is our S-1. We have two customers in there that we've called out that they're getting literally 60%, 70% savings annually by implementing Zscaler. At our RSA last year, we had a CIO of a company who talked about the savings and basically, the savings were 7x of what he currently is having. So it's huge. I mean it is significant. And so yes, I mean, really from a savings perspective, and it is significant. But really, for me what it comes down to is you want to secure yourself. There's no cost that you can put on your company if you're attacked and basically brought down. And Zscaler, with our architecture and the platform that we've created, really addresses that the best for today's world. Because applications are in the cloud and users are mobile or every place and clearly now with COVID, there's no reason to bring things back into the data center. And one of the biggest savings is the MPLS. We do thing across broadband, which is a lot, lot cheaper.

Erik Suppiger

Patrick, there's been -- the company expanded into cloud protection, your ZCP solution. This is a new aspect for Zscaler, and it represents a pretty meaningful opportunity. Can you describe kind of a little bit of what you're doing there and who you think of as the competitive players across that segment of the market?

Patrick Foxhoven

Sure. Yes. So fundamentally, what we're doing in what we call the backroom ZCP, Zscaler Cloud Protection, is taking the same foundation that we've been building out the last little over a decade; protecting users going to the Internet, what I would call kind of north south traffic flows; and allowing our platform to be extended into what I would call more east west style traffic flows. So not the user going to a destination, but maybe a machine talking to another machine or server to server or, in essence, extending the foundation that we've been building into kind of the other side the adjacent workflow that's less user centric and it's more machine or server centric. Because there's still just as much of a need for servers as -- simple use cases like when they go out to the Internet to make sure that that's inspected and not malicious and also to apply a zero trust strategy to not allowing machines having untethered or unrestricted access.

And as more and more organizations start deploying infrastructure in the public cloud, they sometimes overlook -- at the sake of expediency, they overlook how you secure that or the principles around making sure that it's not misconfigured and things like that. So it's a natural extension of what we've already been doing for the last decade to kind of adjacent use cases that customers wanted us to go into. When you ask about competition, it depends on what part of the platform you're referring to because, obviously, it will be a different list of players. But the players that are in line being a proxy or a firewall for users are also still sometimes relevant in servers or machines. So that's not necessarily radically different competition. But then as you get into more of the emerging areas where how do you secure cloud workloads in terms of, maybe it's a public cloud provider, how do you make sure they're configured correctly or how do you make sure data is not leaking inadvertently. That's obviously a different category of newer emerging players on the competitive front.

Erik Suppiger

Okay. Let me ask this. Remo had talked about some significant cost savings, and I think part of that is eliminating a fair amount of other devices in the market. Can you talk a little bit about what impact the Zscaler model has on the firewall market? Is that an area that you would envision is likely to erode over time in light of this model gaining better traction?

Remo Canessa

Probably good for you, Patrick.

Patrick Foxhoven

Yes. If you truly embrace where I think the puck is going, so to say, it does because it starts to shatter the foundations of saying, do you even need things like firewalls anymore? And I don't mean to be too radically thinking about that. But if you deploy infrastructure in a public cloud provider, and they themselves are providing fundamental access control, which they all do and you add a layer of zero trust on top of it, which is things like applying technology like what we acquired from Edgewise last year, which is fundamentally doing zero trust network access style capability on the host.

If you do all those things, then why do you need to introduce a firewall in between all of this if it's already -- everything the firewall would be doing is already inherently happening with just a different architecture. It's not to say that firewalls were meaningless in the past. It's just to say that the architecture has evolved, and they may not be nearly as relevant anymore. And in fact, if you look at modern workloads, like if you start getting into serverless compute architectures and not just containers but evolving that forward, is there even room or does it even make sense to introduce a firewall into that architecture because that's introducing kind of a chokepoint. That's centralizing something that is kind of opposite of the whole trend of going to serverless and how modern workloads are looking in the future.

Erik Suppiger

Remo, the pandemic certainly was a tailwind for Zscaler. The growth for Zscaler has done very well since the pandemic started. And I know there's a thought process that we're not going to go back to the way we were, if you think of the working from home perspective. That said, on the margin, as we get past the pandemic and as the vaccines get more -- and as we get more vaccinations, on the margin, are you concerned that the drivers that have benefited from the pandemic, will that slow somewhat, or how are you thinking of the demand drivers as we get past the pandemic?

Remo Canessa

It's a great question. We were asked that question last year in Q3. You get the big pop in Q3. What's going to happen in the future quarters, Q4 and so forth? And we said, we don't see it as a onetime event. We see companies embracing or thinking about digital transformation that's just accelerated. And now with the increase in our platform with the two additional pillars of ZDX and ZCP, the conversations are different. They're not centered around a onetime event with COVID. It's really CIOs rethinking their architecture and thinking zero trust. And so from my perspective, we got the spotlight on us last Q3 or at least the need for a change. Digital transformation took cold now you're seeing more reasons to do it, like with the SolarWinds attack. And so companies, whereas before were concerned about making the change into a cloud-based networking security company, now they're feeling that they have to, from my perspective, so I don't think it's going to have an impact. I think that the train's left the station, to be honest with you and I think people are getting on board.

Erik Suppiger

All right. Well, with that, I'm going to have to wrap it up because we're just down to our last minute here. I want to thank Patrick and Remo and Bill for your time. And for our clients, again, I want to thank you for attending, and I hope you found this helpful. And with that, I will say a good day. Thank you.

Patrick Foxhoven

Thank you.

Remo Canessa

Take care.

Bill Choi

Thank you very much as well.

Erik Suppiger

Goodbye.

Question-and-Answer Session

End of Q&A