Zscaler, Inc. (ZS) CEO Jay Chaudhry Presents at Morgan Stanley Technology, Media and Telecom Conference (Transcript)
Zscaler, Inc. (NASDAQ:ZS) Morgan Stanley Technology, Media and Telecom Conference March 2, 2021 3:30 PM ET
Jay Chaudhry - Chief Executive Officer & Founder
Remo Canessa - Chief Financial Officer
Bill Choi - Head of Investor Relations
Conference Call Participants
Keith Weiss - Morgan Stanley
Good afternoon, good morning. This is Keith Weiss coming at you from day two at the Morgan Stanley TMT Conference, our virtual format. And we're very pleased to have with us this afternoon from Zscaler, CEO, Founder, Jay Chaudhry; we have CFO, Remo Canessa; as well as Bill Choi, Head of IR with our Zscaler.
So thank you gentlemen for joining us. Before we get started, just a real brief disclaimer. For important research disclosures, please see our website www.morganstanley.com/researchdisclosures.
Q - Keith Weiss
So just to really kick into this. We're looking at our CIO surveys and the like, even before solar storm the priority of security was rising in our surveys. And from my perspective, this was really about the disruption that people are seeing and how they're working and the increasingly distributed working style and it was pushing people that have to rethink how they're doing security.
And I think, in that rethink, in that progression and how we should be securing a distributed user, distributed data, distributed applications, Zscaler obviously did really well in that concern. In your most recent quarter you guys reported results last week, 71% billings growth and acceleration from 64% a quarter ahead.
Jay, can you talk to us about one what is that Zscaler is doing? And two, what is the trend that is resonating into? What has that change that your customers are trying to make that they're trying to evolve their systems to, that's matching up so well in the marketplace that is driving those really strong results?
Yes. Keith, thank you. Technology always evolves. And generally it evolves incrementally, okay? If you look at security and networking, last time big disruption happened was when IBM-SNI went away Cisco's rise happen and the new kind of networking was born. And that led to network security, secure my network by building a castle-and-moat. The thing we are seeing now is, with cloud being the destination, users being anywhere that moat model for networking as well as network security is broken.
I started the company in 2008 with that vision. Now it has taken a lot of evangelism and education, because disrupting things takes a little bit. But things like COVID are kind of showing the world that what we envision is actually the right way of doing things.
So it's actually helping educate the market that's changing the CIOs mindset. Typically people think they are comfortable with the way they are doing things. Now they are finding that my massive network, I'm paying tens of millions of dollars, is not doing anything. It's not being used when you work from home. My security devices aren't being used a whole lot.
And we have already had a pretty sizable customer base that's a referenceable base. So it's giving us a further push and this new model is being embraced. And obviously, legacy vendors are trying to kind of say, I can do it too, but it's a totally different architecture. It's like DVD players versus Netflix streaming.
Got it, got it. So a changing architecture increasing distribution of all the assets that we're trying to protect, it really -- I mean, it falls straight into sort of the vision that you and I have been talking about over the past 10 years of taking policy, taking proxy, taking all the elements that enable that enable that secure network communication and changing the architectural point, changing that to the cloud, so its accessible no matter where you are on the globe.
So the fact that the crisis pushed a lot of conversations for Zscaler, it makes a ton of sense. Now it's creating solar storm into the equation. So solar storm has created a lot of discussions about the threat environment out there. It was a supply chain attack if you will. But one that sort of brought malicious activity get into on-premise environments, does that still impact Zscaler? Is that still something that's going to drive conversations towards your company?
It has, it is. First, let me tell you how and then I'll talk about the impact we're seeing. So the supply chain attack of SolarWinds set, while 18,600-some-companies. Are you one of those companies that are infected with it? You don't even know.
The eye inside your house, inside your castle and in my typical network security model, once I’m in the castle I can go anywhere. Okay? My branches are like tunnels from the castle. Once I'm in I can go through any tunnel and get to any branch. So what it's raising that big thing is the lateral movement.
So, putting people on the network inside the castle is a dangerous thing. And the Zero Trust conversation that has been picking up quite a bit for the last two to three years, actually have picked up significantly because Zero Trust says don't connect the network, don't try to do this castle thing just connect a person to a particular application minimize lateral movement. ZPA just does that. And that's why the interest in the ZPA kind of technology has moved up quite a bit.
Now, what have I seen in terms of impact? First of all, a lot of our trusted customers CSOs and CIOs reached out to us pretty quickly. We had scores and scores of meetings at the CECL level to share with them how they should be doing some of the stuff.
And since infected customers eventually have to go out to the Internet through Zscaler our Zscaler customer, we are able to actually find out that customers who are infected and proactively reach out to let them know that they are infected.
We did a webinar recently, over 800 senior IT executives attended that. In fact, I had in a few cases the CIOs reached out to me and said my Board wants to talk to you to understand this stuff. So, having that dialogue as well. So, it just shows heightened interest and awareness and we are making a difference in it.
Got it. Maybe to bring Remo into the conversation. As we think about this the heightened level of conversation, as we think about driving more higher level conversations, Board level conversations, as an investor, how should we think about the time horizon in which those conversations can actually translate into business getting done? And we should be expecting to see the positive impacts of solar storm or demand impacts translated into the income statement if you will?
Yes, that's a great question. I think it started Q3 of last year when COVID hit. And when COVID hit, our ZPAs percentage for our new and upsell business that quarter was 43%, which lapped everything we had before.
The question back then was is that a one-time event? And once COVID, are we going to basically get through that and get down to a lower growth rates? The comment that we made was that no, we don't see that. It's changed the conversation. It's changed the conversation to digital transformation as Jay mentioned. And so we saw it in our pipeline. We saw it in our conversations with C level.
Now, with solar storms hitting, it's brought heightened awareness again. And again it's a supply chain attack which is lateral across your network brought in through the network. And with Zscaler introduced at our Analyst Day is we have introduced basically our vision which is four pillars, it's the ZIA, ZPA, ZDX, and Workload Protection. And so what's happening is the conversation continues to evolve with CIOs. And all these proof points that are occurring and related to the breadth of our platform, that's what's kind of spurring this greater conversations with CIOs.
As Jay mentioned solar attacked and things like that does bring heightened visibility. Question is when does it turn into significant business? It's hard for me to say. But we have had a reacceleration. Our reacceleration last quarter in billings was 64% in Q1. Then it's gone to 71% as you mentioned. Our revenue growth rate is 55% this last quarter.
So, we are -- all those are proof points related to the evolving environment recognizing that the legacy structure -- security networking structures in the past really aren't set up for the world going forward today and going forward with applications with cloud and users mobile.
If I may add one comment. I get asked this question quite often how much impact is solar going to have this quarter or next quarter. It's not one of those things that some breach happen let's ship 2,000 boxes and plug their rolling. I mean we are fundamentally driving the change in architecture and transformation.
Now the interest has heightened, the urgency is heightened. The projects -- the more projects are happening at a faster pace. So it's having an impact but trying to say will it impact this quarter or next quarter it's a little bit hard to point it.
Got it. So Jay, Remo brought up two of the sort of expansion platforms that you guys have built out ZCP and ZDX. So the evolution of the product strategy thus far has made tons of sense to me. ZIA, Zscaler Internet Access, so people coming out trying to Access the Internet. This is not to that same sort of access and policy control applies on the way in ZPA, Zscaler Private Access. Can you tell us why ZCP fit -- or maybe start with what is ZCP? What is ZDX? And why does that fit so nicely into that same construct?
Good. Good question. Let me start with ZDX first. ZIA and ZPA together say, no matter where you're sitting, what device you're on, you can access any application, anywhere internal, external doesn't matter. So that truly make sure you can securely work from anywhere, which is good. But if you can work from anywhere but your response time is slow or do you figure out what the problem is.
You don't -- so ZDX was actually the first main product line that was asked for by customers. ZIA, no customers asked me to build ZIA. No customer asked me to build ZPA. We actually did it for disruptive. But customers start to say, there's a performance issue. People are sitting anywhere. In fact, my typical story I got from a CIO was this was a few years ago.
My CEO lands in Sydney, Australia, checks in a hotel, connects to the Internet and Office 365 things are slow. He calls me, say things are slow. Where do I start he says? It could be a laptop, local DNS is slow, WiFi in the hotel is slow one of the 10 hops or the Internet is slow, you don't know where do you start.
All the network performance tools you have are designed for working between your branch office and the data center, which is not relevant in today’s world. So we are sitting in the middle. We have a footprint on the endpoint. We can monitor and collect telemetry on ongoing basis to tell you performance of every user end-to-end, for say your top 30, 40 whatever application.
So you know exactly what's happening before the user calls. So it was very natural for us, where we were sitting to provide the performance index for customers because now you're not just secured, you're also a happy user with great performance. I expect it's a matter of time, when every Zscaler customers, every employee will have ZIA, ZPA and ZDX, all three pillars from us. So that is a story about protecting user side of it.
Now let's look at the workload side of it. Workloads could be viewed as mirror image of users. Just like users need to be protected workloads need to be protected. Users access applications, actually workload access other workloads to communicate. Workloads talk to Internet because there are sun servers and services on the Internet, they need to be accessed. How do you ensure that communication? Since Zscaler was fundamentally designed as an exchange or a smart switch board that connects not just a user to application, it can connect an application to application, as well with a proper policy enforcement. So it is natural for us. Our core technology fundamentally applies for workload-to-workload communication, that's our biggest advantage in this area.
Got it. Got it. That makes a ton of sense. I want to dig into the various components a little bit. Maybe starting with -- at the beginning with ZIA. One of the things that I always sound super compelling about ZIA is unlike most sort of security solutions, it was actually -- there's always been a strong ROI when you guys went to market with ZIA.
You could go into a company and say listen, the way you're securing your office traffic in particular is not only is it inefficient, not only is it non-performing, you're spending too much on it. You're backhauling vis-à-vis these MPLS lines, they're dedicated and flexible. We can deploy our solution and actually save you money.
Not too often security companies get to say that. Usually there's a tax for that security. As you move the conversation broader and you're talking more and more about the ZIA, the transformational SKU, of where it is a much bigger set of functionality. Does that same ROI argument still holds?
Yes. Actually think of the falling way. What should be your gateway? It used to be well, it's my old -- proxy. Well that's on -- it's antivirus. It is advanced threat protection. It is sandboxing. It's need to be BLP. The whole thing has been growing and the DMG has become cutter and those things are not just hard to buy, deploy, manage. They're not very effective because each is acting in isolation as an island.
When we bring together and we built a bottom-up integrated solution where you get the traffic once you apply policy, you do the stuff, you move on. The ROI savings for elimination of point products and offering integrated consolidated solution that ROI is very high.
The second point, when people try to build multiple gateways they will have the data center gateway very good -- everything bought in. The branch they'll say well, let's buy a UTM and move on with that. Now they know that the security is not good enough, but they kind of -- that's all they could afford.
With our Zscaler approach no matter where you are at home or coffee show, airport, branch, data center or your factory you have the same level of security, same level of protection. And the ROI becomes much less. You don't have to figure out how many branches. It's number of users. You don't even to worry about devices. We cover laptop and mobile devices and it just works.
Got it. So you're able to go into these customers. And once they decide that they're going to do this transformation once they decide that it's really time to modernize our security architecture, you can replace a lot of point solutions, a lot of these various appliance and give a good ROI to the customer. Maybe a question for Remo, what does that do to your price point? The per user pricing as you go from sort of the basic ZIA for Internet access to a full transformational suite, how does that improve the Zscaler price per seat if you will?
Yes our current ARPU is in the high $20 range and it continues to go up. But that's primarily focused on ZIA and ZPA. ZIA, if you go to the transformation bundle this is on the user protection side and this is four companies of 5,000 employees. We're seeing ARPU in the $45 range for transformation. And the way it works professional is, 1x business is 1.5x and professional is 3x. So we are seeing more companies going to the transformational stage for ZIA.
For the add-ons which is; DLP, CASB, out-of-band and browser isolation, CASB and out-of-band and browser isolation are new we're seeing prices in the $30 range per user per year. ZPA, similar pricing as ZIA so $45 for that and ZDX, it's early stage. But for larger type companies, it's in the $25 range.
So the ARPU from a user protection basis is around $145. And we saw that also in Q2. We've seen customers in that range. The workload protection there's three parts to it. There's the CSPM, workload segmentation and workload communication. Again, very early stage, but we're seeing prices in the $40 range for the CSPM workload segmentation in the $60 range and workload communication in the $55 range. Workload communication isn't out, but this is just based on conversations with customers where we think it's going to land. So on a per workload basis that's $155.
So what's happened is that the platform has expanded, the breadth of the platform. And you hit it. The ROI is significant. It's very, very large. And when you take a look at what sets Zscaler part, it's a multi-standard architecture in the cloud SASE which is putting the user close to the application with security in the cloud and Zero Trust. That's what Zscaler is.
So that's -- when you talk about what do we see with and everything else really the COVID last Q3 really brought it to light and got CIOs thinking and that's -- so the per user pricing, we'd expect it to continue to go up because of just the amount of things that we're putting on to our platform.
It sounds like there's just a massive opportunity for just upselling a broader solution base into your existing customers, let them on bringing new customers on board?
Yes, it's a great question. I mean, we brought this up in the Analyst Day. Just with the ZIA and ZPA not ZDX or ZCP 6x. So if it's -- if they go full transformation if they go with ZPA and also the add-ons on ZDX, it's -- sorry -- without not ZDX, but going up to the transformation stage. And so it's -- yes with the existing customer base it's a big, big opportunity. The key thing for us is really as you see with our growth it's outstanding. And when you see the market acceptance that we're seeing it's outstanding too. We've got 500 of the Global 2000. We've not -- now we have 5,000 customers.
It's just -- it's really a unique opportunity that both Jay and I see and we're going to invest in the growth of the company. We'll be mindful of the operating profitability free cash flow, which we have from the beginning we went public. But it's such a large market opportunity we're going to continue to invest. And that's the message we want to get out and we feel that we're in a really good position.
Yes, definitely. And the results really held that out. I wanted to dig into Zscaler if I could ask us. So ZPA seem to be -- and you talked about this earlier one of the key beneficiaries from the work-from-home environment. But also it seemed to -- it wasn't just the crisis because these are definitely in process beforehand, but also the solution that seems to have brought the most kind of competitors out of the wood work and out of places that we wouldn't have really expected. Like you would expect at some point call out networks is going to be a fast follower into the marketplace a little bit less expected didn't see this coming from Cloudflare. I didn't see this coming from Akamai and these guys trying to get into this marketplace or a Citrix trying to modernize their solution. How do you think about that competitive dynamic? When it starts to bring in more networking oriented vendors, more infrastructure oriented vendors, is it harder to compete on that sort of very competitive playing field?
Actually? No, no it's not. I tell you while it looks competitive. Every company takes whatever they have, they try to retrofit figure out to see or rename it if they can. Now what have people done to work-from-home, VPN, more access. Now you can say, I won't sell you the box I'm going to spend that box and the cloud for you. Of course you -- it is self VPN okay? It doesn't change anything. What's the biggest down set of VPN? Two things. User experience is always bad. It's rare to find something that says, I love my VPN. That's number one.
Number two is security. If you got 50,000 people on VPN work-from-home, your network has extended to 50,000 households. Any infected machine in the household maybe your kids laptop, basically it's all easily reaches your network. It has lateral movement. It's the most dangerous thing out there. So it has to change.
So can anyone say iGuard remote access solution? Yes. Are firewall vendors claiming to do remote access from the cloud? Yes. Technically they are right. But still you're putting people on the network. The notion of Zero Trust, which is very well-documented by Gartner, by the way any investor listening to it should read a paper called Zero Trust Network Access by Gartner, because it spells out the Gartner is very credible. It basically would say you basically do not connect a user to a network, you connect to an application, which means it's a new architecture. And all these applications are hidden behind your Zero Trust Exchange, they don't result to the Internet, they can't be seen, they can't be exploited or DDoS.
If you did the basic check up, most of these vendors, they don't really meet the basic criteria. So are they there to try to leverage something? Yes. Do they have -- they're in various stages. We started building ZPA almost 6.5 years ago. Now we have been selling it for 4.5 years, okay. It has evolved. So it's not just VPN replacement. It's an entire inbound DMC. When people use ZPA to go to AWS and Azure applications without ZPA, they'll have to figure out global load balances, they'll figure out DDoS, externally of firewall as an IPS, VPN internally of firewalls internal load balances. We subsume this entire product portfolio. That means we are not selling DDoS. We are eliminating the need to buy DDoS, because you're hiding behind us. So it's a very disruptive very cool technology. And then on top of that, it's helping eliminate lateral movement from security point of view. We think we have a very significant lead in this area. And as we deploy more and more, there's more and more functionality that's needed.
For example, the customer said, please bring your switching function to my data center, because I want Zero Trust even for employees, who are sitting in my office and want to access data center that's about three milliseconds away. So we made that happen. So it's a great thing. If you ask me, are we really seeing an increased competition on the ZPA land not a whole lot, and VPN is the competition. Just like in ZIA still my number one competition is Blue Coat.
Still the legacy architectures out there?
Yes. Inertia sits out there. And there are reasons why Blue Coat was so successful. They just couldn't pivot to multi-tenant. They had an amazing proxy architecture. VPN is sitting out there. It needs to be rolled out. And Gartner says in the next three years, most of it will be gone, and we hope to be the beneficiary of it in definitely large enterprises.
Got it. So we have about a minute left. I want to squeeze in. I was hoping you could answer a riddle for me, if you will. On one side of the equation, we've talked about the broadening solution portfolio. We talked about a 6x opportunity with just the core two solutions within your existing customer base. We talked about accelerating billings growth into your most recent quarter and all huge opportunities ahead of you guys. You guys have been investing in. You guys have been driving huge expansion of your quota-carrying risks, big investments into the channel opportunity. Well, we know, growth in software particularly subscription models tends to be really expensive, right? The faster you grow, the less at least possibly you are that has nothing to do with the underlying unit economics. You could have a really efficient business. It's just -- it's expensive to get that first year dollar in the door.
But then you've also targeted for FY 2024 20% to 22% operating margins. So, how are you going to drive that increased efficiency in your business while there's so much opportunity ahead, while there's so much good things to invest behind while there's so much good potential to sort of drive more sales capacity to cover this huge market?
Isn't that a fun, I think Remo, and I have lively discussions about all day long. Remo, you can go ahead.
Yes. Keith with the SaaS model as you're aware it doesn't take much to get to high operating profitability. All you got to do is slow down hiring. I mean, your contribution margin is so high you're absolutely right that the big cost is the initial. After that, it's not. The contribution margin is like 65%, 70% in years two and three. And so from my perspective right now, it's such a big market opportunity. I'm not focused in on, like I mentioned before, driving an operating profitability. It's a SaaS model. It's different. And again, when I work the numbers, it doesn't take much to change it.
We got plenty of time to get to 20%, 22%. I'm not concerned about it. And as long as this opportunity is there, we're going to go after it, because the bigger we can become and the more market share that we receive and the more basically services that we offer to our customers.
We're still an R&D company. We're going to continue to invest and innovate. I mean, you take a look at what we've introduced this last six months, nine months we've been just like six, seven things. I mean, if you look at browser isolation, CASB out-of-band, ZDX, CSPM, workload segmentation, workload communication, we're not stopping. It's going to continue. And so we're going to keep going.
If I may add one last comment, as we wrap-up, what Remo said, I agree. The two other special advantages we have over anyone out there, even though we take all this traffic, because of a great architecture, gross margin is sitting at 80% range, which is -- which means, we have more room to invest in other areas. That's number one. Number two, we set up offshore for a lot of functions early on, which gives us several points that we would not have had otherwise. So combination of all those factors gives us a lot more flexibility to do what we need to do.
Right. So bottom line the profitability is already inherent in the renewal base and that big subscriber base you guys are building out. A lot of R&D going into a lot of innovation, bringing sort of broadening that market opportunity. Now is the time to press on the gas, go after that market opportunity aggressively, keep up these high-growth rates, and that's -- and the profitability comes over time. It's there in the model already.
And just to clarify that was at our Analyst Day, we talked about 20% to 22% in fiscal 2024.
Yes. Outstanding. Excellent. Well, unfortunately guys this takes us to the end of our allotted time slot. Fascinating conversation as always. Really appreciate you guys spending time with us, and looking forward to keeping tabs on the story on a go-forward basis. So, thank you guys.
Really appreciate. Thank you.
Thank you, Keith. Goodbye.
- Read more current ZS analysis and news
- View all earnings call transcripts