Zscaler, Inc. (NASDAQ:ZS) Nasdaq 45th Investor Conference December 2, 2021 10:30 AM ET
Company Participants
Jay Chaudhry - President, Chief Executive Officer & Founder
Remo Canessa - Chief Financial Officer
Conference Call Participants
Hamza Fodderwala – Moderator, Morgan Stanley
Disclaimer*: This transcript is designed to be used alongside the freely available audio recording on this page. Timestamps within the transcript are designed to help you navigate the audio should the corresponding text be unclear. The machine-assisted output provided is partly edited and is designed as a guide.
Hamza Fodderwala
00:02 [Abruptly Started] Financial Officer, Remo Canessa. Before we dive into Zscaler we have the Founder and CEO of Zscaler, Jay Chaudhry as well as the Chief Financial Officer Remo Canessa. Before we dive into the question is just a brief programming note from our end. So for important disclosure, please see the Morgan Stanley Research disclosure website at www. morganstanley.com/userdisclosures.
Hamza Fodderwala
0:36 With that, Remo, Jay, thank you so much for joining us. We'll jump right in. So, Jay, Zscaler was found on the premise that the traditional network security model is broken. Can you explain why Zscaler’s architecture was fundamentally different and better than that traditional model?
Jay Chaudhry
0:57 Thank you, Hamza. [Indiscernible] give me a simple analogy. A few hundred years ago, if you needed to protect with castle, you built the market around it, and no one could cross the moat, mode was safe, that’s network security was done by using firewalls and VPNs as a moat to the castle. Then Canessa came in then moat wasn't that good. Then we start to build the wall taller wall around on the castle. We have been spending billions of dollars on security and then air fights got invented, even Paul walls don't help. So using the analogy, let me walk you through a couple of slides and visually, you can see the story better.
01:45 So what's the problem, well, over the last thirty years, when IBM era ended, and we started building applications in the data center and we have branches. Cisco was born to help you connect branches to the data center we extended our network to every branch office, that's wonderful. Then we want to work from home, we extended the network to every household using VPN then we want to extend the network the cloud because applications must be on the same network users around and then we got tired of managing appliances, we came out virtual firewalls and virtual VPNs whether you call them virtual or whatever. VPN is still, VPN firewall is a still firewall. What is the problem with this model? Number one, our tax surface anything that resolves to open internet by the firewall or VPN, or an application can be discovered and attack, bigger your attacks or [Indiscernible] the bigger risk you have.
02:49 Number two, they try to in fact you, as you connect to internet. We must prevent compromises from happening that requires proper inspection technology. Three, the most dangerous one. You know, you see this network, it's well-connected any user anywhere can access any application. It is like I get on interest rate zero point eighteen dollars from Francisco. I can reach New York, Miami, or Dallas without hitting a single light. It's a wonderful. But so kind of add guys. A single infected machine in some household since that’s on your network, in spite of all the firewalls and everything, it can infect the whole thing.
03:29 And you start wondering, should I create network segmentations? It is like trying to build walls inside the castle because you're worried than I got permission to get in the castle. It's not very pragmatic, and then that guys want to exprotrade, steal your data. These are the full thing that should be fixed to do things right.
03:51 Now we are putting people on the network, to secure the network is fundamentally the biggest thing we needed to do. So what does that mean, I will give you a simple analogy If I come to see you at your headquarters, they stop me at the reception, they check my ID, and they say, Jay, If they said go on escorted to meeting room number twenty two and escorted I could wonder around going to any room that's opened adjacent buildings that are interconnected like branches connected to your data center, I could snoop around and leave, not a very good thing. Do any of your all visitors unescorted in your headquarters, you don't but when you people get on the network in the office or through VPN they get on the network, that's exactly what it is they can sue, but looking at every application whether they're allowed or not. How do you fix it? A new architecture that you are building [Indiscernible]. No big logos, nobody knows they exist, they're not interconnected, and you still had reception that got gets moved away from your building. So people don't even know where the building is, I can't see you, let's stop me on the reception. They checked my ID and then they said, Jay, stop. You'll be blindfolded and escort to room twenty two and twenty two only. Your meeting happens, you get blindfolded and gets walked up. Each building is like a data center or agile cloud or AWS cloud. Each room is like an application. You are only granted applications, access to certain applications. So, in the same way, in this world, your applications are merely destinations. The users are all untrusted then are on the same network is no roundtable network. We are sitting in the middle as an intelligent switch room. Users come to us, we say stop, who are – who are you, we authenticate them using Okta and Microsoft Azure AD, if the check passes, we said, where are you going? You could say or you can only go to preapplication here, they are just like you can go to room twenty two and twenty two only.
06:08 Three, what else is our risk? Identity can be stolen looking at the kind of device working with again device vendors like CrowdStrike and Microsoft location and all, better, next level checks. Are you getting that same? This is boring airport technology. You don't want dangerous luggage on the plane, in the same way you don't want use it to download dangerous stuff by mistake, so we expect stop it and we connect. That's how our ZIA has been working. In this case, going to office three sixty five, internal applications the first four steps are similar, the last two steps are very different. We connect to realize to the only outside in connection, It's like don't call me, I will call you if I need to talk for you. With that, our tax office goes away. Your applications are hidden, they can't be discovered and no lateral movement.
07:07 Number colonial pipeline, they store VPN credentials gone on the network, moved laterally found billing applications and boom. The lateral move, this is the opposite firewalls and VPN. When I can asked, they can do the same thing? No. No. Not at home. Yes, you probably can say, I can put some guardrail around it, but it's not design like that. Thinking lot Zscaler architecture? What's the firewall, it's like comparing Tesla to a traditional internal combustion engine car. You can say both get to the same place. Yeah, they can, but one actually really makes life simple clean and all the stuff, other doesn't.
07:50 So with that, probably we should move on to the next level Q&A answer.
Question-and-Answer Session
Q - Hamza Fodderwala
07:55 Sounds good. No, that was a really helpful overview. So it's clear that the market is coming around more to this more efficient way of network access. So, let's assume, let's Zscaler is Tesla. You know, your [Indiscernible] except less prolific on Twitter. What do you think is the pace of adoption here? Because there's a lot of existing infrastructure on premise, a lot of data center, a lot of existing investments has been made around traditional forms of networking. You're still seeing companies buy on-premise firewalls for certainly in the midst or refresh cycle. So when you think about the pace of change in this market, do you think it's really accelerating coming out of COVID or do you think that is going to take multiple years, for this to really become mainstream.
Jay Chaudhry
08:57 You know. First of all, you can see the growth from our numbers, seventy one percent billing growth, sixty two percent revenue growth at a scale of a billion dollar in ARR. It's pretty good. Now COVID, the biggest thing did want change the mindset and certainly people discovered that. I have a massive network, the network security in six hundred offices. No one goes to those offices, that network has never used, and the business has happened. So, they realize that the legacy network and security [Indiscernible] it is really not that critical. There was kind of a great moment, that's when customers felt like, I can jump on and start doing Zscaler a lot better, a lot faster, that's point number one. Point two, if you ask me, my competition is known legacy vendors. It has been in our shift. People are used to doing concerned way. Lack of understanding and knowledge. We're seen on brain and awareness go up big time. Now, there's still a lot of traffic that goes through the dataset that direct access to internet and cloud application still on these stages. Most of that is done by Zscaler and that's only about twenty five percent per Global 2000 company. Either most are others went traffic routes to traditional way and it's growing, you need to buy more route, it was in the data center or more switches, more firewalls, more proxies in live, you know, I've seen this movie before about four or five years ago, I was asked, you're doing so well. Why is blue code sales still going so well? All because we're only peeling up a small piece, a big piece was still going to data center. I believe it's the same single happening with firewall. Firewalls are needed in the data center. We don't replace firewall data centers, firewalls in the data center. But you know what's happened to data center. It's not growing, it’s shrinking. It'll be faded out in the world of cloud, in the cloud. There's no room for firewalls. There's no model that makes sense. We believe as more and more application goes the cloud, are offerings things like Zscaler zero trust for workloads, just like zero trust for users is actually the right architecture for that and I think it's met our time when firewalls and VPNs [Indiscernible].
Hamza Fodderwala
11:33 Got it. Okay. So your test flow, we're going to stay with this analogy. You're very hard or pioneer, but Volkswagen has a great electric vehicle as well. Once to say that some of the network security vendors, some of the incumbents can't build a similar architecture. To Zscaler by either you know, having their own paths or leveraging public cloud providers and close the gap versus you tesla over time.
Jay Chaudhry
12:08 So one, we remain turning, so, first of all, let's think about the pops thing. Can I take my firewalls and spend them as VMs in google cloud of whoever? Yes. You can do that. But it is like if you are DVD player manufacturer, and you need to compete with that Netflix streaming service. You can spin up DVD players in every data centers of Google and AWS for consume because a single time. Will it work, kind of, what scale and will have the reliability and functionality of a cloud data stuff, not really, so that's point number one.
12:48 A vendor tries to take what they have and kind of bolt on things to make and work for the new world. That's what placebo try to do to compete with sales force to have our people so tried to do to compete with workday and that's our legacy firewalls guys are trying to do to compete with us. So I think of course, they can go and build the new architecture.
13:11 Architecture is not like a feature. You can add in six months or twelve months. We built a clean architecture starting in two thousand eight with evolving it and growing it and it’s become very robust, that's point number one. Point two, building technology that sets in traffic path to inspect traffic without introducing latency and casual the bad things is hard, but running a massive cloud that makes sure you've got traffic and everything, it’s literally ten times harder. When I started, I did not realize that I to learn about networking and traffic forwarding into my cloud and all of this stuff. We essentially had to become an ISP where we can control traffic routes in the line. That's a tall order who provide nineteen nine point nine nine percent latency, sorry, yeah, uptime. So in the market keeps moving fast, right. Look at what my portfolio looked like in three and half years ago when we've went public. Today, it has expanded. We think security segments will cease to exist the way they have been for the last thirty years. The cloud is pending everything, and they keep on innovating and guys obviously will try to catch up with us, but our innovation speed is pretty impressive and we're very happy with that.
Hamza Fodderwala
14:33 Got it. So you made a point about security segments increasingly getting blurred and I think we're seeing some of that, the network security or the SASE market as we now call it. But when I think about the Zscaler, when you come into a customer and you sell ZIA, ZPA, it might be a good opportunity to bring pretty much the foundation as well. What was some of the cost saving that the customer has from either, getting rid of existing point solutions, maybe getting rid to certain calls in the networking side, what is the typical ROI that you might see?
Jay Chaudhry
15:18 So, Remo, I can start, then then you probably even time in after that. Perhaps, if that slide can be shared, I'll show you one final diagram and see if that's great. But in this world of the journey we take you through, you select cloud providers, SaaS provider data center as your destinations. The users of anywhere and everywhere. We're sitting in line like an international airport enforcing policy, who can go where and whatnot. So we assume all the functionality that's done by typical network security vendors, which is a massive market. We are in together again three providers a very important piece for zero trust architecture. We work with endpoint vendors that’s a platform office its own to make sure you can do device fortunately like, you need security operations, the whole thing form dozens and dozen upon product becomes platforms that are meaningful. We become one of the important platforms the savings come from removing all the network security care on eliminating or not having to buy more for the cloud world savings come from not having the network cost in the line. So ROI is never an issue in our case, and also as we do our sales that are driven at the CIO seasonal level. They actually drive the transformation because transformation not driven from the bottom. Pricing and ROI has not been issue for us. It has been a matter reaching the light audience engage.
Hamza Fodderwala
16:56 Got it. So, you mentioned the expansion of product portfolio. Obviously, the core product has started out with ZIA, ZPA. It seems like the next pillars are now, ZCP and ZDX. I wanna start with ZCP. Can you talk a little bit about what you're doing here that's different? Obviously you have a CSPM. It seems like everybody has CSPM details. But I think what you're doing differently is around the workload communication side. So maybe explain a little bit what that is and why that's going be more relevant for cloud security architectures going forward.
Jay Chaudhry
17:36 Yeah. Let me try to explain in simplistic way, security is so confusing. I was having dinner with partner VPO of research three years ago he said, Jay, I started at eight a.m. I had nine meetings and at the end of the day, this was nine security event. He said I'm more confused at the end of the day then I said, the start of the day. So I can kind of think about how investors are trying to sort it out and stuff. But think of workload security, cloud security in two buckets. One is inline communication, which workload can talk with which workflow. To do so, you must sit in line and communicate of each other. That's like similar to what we did for users to application communication with ZIA for one kind applications ZPU for second kind of applications.
18:30 So with ZIA, ZPU as you know, our users then talk to any application anything. [Indiscernible] workloads has better innovative users. Workloads talk to Internet, workloads talk to other workloads, so we've taken the ZIA and ZPA applied to the world the cloud. So now we have zero trustable workloads as highly highly differentiated zero trust, there's nothing what's the competition there? Firewalls and VPC legacy? Okay? So we believe will confidently replace that stuff.
19:05 And then this further micro segmentation would say who talks through. That’s one piece [Indiscernible] differentiate, The second piece is not in line, outdoor bank, which means [Indiscernible] to see how well are these, workloads configured which users have access to which workloads that's called permissions and title mans. Everyone read sustain logs, everything has the same API called at who has better UI who has better UX. That's why you see my team counted over hundred vendors in the space. Okay, this is a piece of the overall cloud portfolio needed two acquisitions in that space to speed up on delivery. We believe our combined solution for inline communication combined with auto band policy enforced posture check gives us an advantage, but that's very young market it's evolving, and we are investing it.
Hamza Fodderwala
20:06 Got it. Can you remind so how does the ZCP product and the workloads side. How does that get priced? It's per workloads, so we're talking VN’s containers?
Jay Chaudhry
20:23 Yep. It is, it is by number of workloads. Our institutional model just like the users, we are based on users, workloads is based on workloads. And there's a loop and nuance sophistication to the that but some of the workloads are come and go. We have a little bit nuance model. But for simplicity, you can assume that by number of workloads.
Hamza Fodderwala
20:43 Got it. Got it. So you recently turned some heads on your last call by mentioning five billion dollar ARR bill. I'm curious why five billion dollars, why not two or three first? And how did you arrive at that at that number?
Jay Chaudhry
21:02 Internally, if you're debating five or ten, Remo convinced me to go only with five, each of your investors will be happy with five. But it's a big market. It's a massive opportunity. The solution works, it's highly highly differentiated and we are seeing great momentum. We really, if you ask me what's stopping us, right? We have the market is coming to us at a rapid pace. COVID further accelerated better architecture scales, two hundred billion dollars transactions, they all these competitors who talk about the [Indiscernible]. What's the last time they talked about how many transactions they actually process and all the stuff? Those numbers never got talked about because they're we're talking about. We have customer list I mean, thirty five percent of Fortune five hundred, those numbers are growing, with a customer satisfaction NPS score of seventy six. Everything is lined up. So what will it take for us to keep on growing? I think all the factors are largely internal, which can be keep on executing. Well, I mean, that's where I want to make sure our companies stays a child, it doesn't become complacent or [Indiscernible] customer of sessions one of the key value, it starts with me, and we all take care of them. So, I think making sure we keep them hiring of right people at each level to keep on executing, is probably the biggest thing, and that's what we are focused on to go from one to five, honestly, I would have been disappointed. We just set target two to three.
Hamza Fodderwala
22:42 Okay. Fair enough. So when you think about that, five billion dollar ARR target which I know is in the formal target, but you mentioned you feel like you have the existing power portfolio in place to get there? How much of that five billion dollars would you say is going to come from continuing to penetrate within your existing base, like, the fact that you involve these Fortune five hundred customers versus, you know, continuing to get net new logos.
Jay Chaudhry
23:14 Yeah. So if we look at get into those the five billion are getting passed in the few areas. One and is a big offset offer opportunity at our Analyst Day, computer and looked that and say, if we could sell a current portfolio for our customers [Indiscernible] without getting any new customer. There's a big opportunity out there and it is shown and proven all, we are able to sell bigger and bigger platform and IPO three and half years ago, there is only part of ZIA, and that even business bundle that's grown. That's big area, and especially, when your customer is not happy.
23:53 Two, a new logos. I mean, we aren't slowing down going after new market. Thirty five percent of Fortune 500 companies have Zscaler, sixty five percent are still there. And especially on the high end, we think just like Blue coat owned eighty five percent market share, we think we have a chance that owning a very, very high percentage of higher end market.
24:16 Three, this is just user fine. Zero cost workloads is a massive opportunity number of workloads that are growing and an astronomical things. That's our opportunity firms. Then zero cost of IoT and OT, those factories and plants are using all technologies with cyberattacks with ransomware that's becoming a big area of retention and our core technology of switchboard connecting right thing to right thing, but it’s your trust can be fairly easily applied to it. So and then lastly, we are going to slow down innovation to keep on happening.
Hamza Fodderwala
24:54 Got it. You know, you mentioned execution a lot of that. I I think has been done with the really meaningful improvements you made in go-to-market, which is definitely been, you know, doing very well. I think in twenty nineteen, there was a bit of a hiccup, it seemed like hiring and quite trying to plan. Maybe if you could talk a little bit about some of the improvements you made from a go-to-market front and how you see yourself as a destination for talent today?
Jay Chaudhry
25:30 Yeah. So, you know, first of all, when you grow things, a start offs starts doing things certain waves. You can go to a few hundred million dollars tend to go to X billion dollars, you need to fix the foundation at the go-to-market level. It’s like, you know, I can build a certain foundation to build a three story building, if it need to go ten story building, the same foundation doesn't work. So that's where we change our lead, go-to-market leadership, we brough value on board and we set up the foundation that core things, home enablement from recruitment from our sales leaders are training and whatnot the right way to scale. Those are the big investments we made. We are pretty transparent with investors so what we're doing, and it has worked. It has worked very well. So then you please and our customers are very happy so, it's kind of interesting that a lot of salespeople be acquired. Had told me the CIO of this company who has become my friend over the past years, told me, hey, you should go to Zscaler, that's a great, great place. They've become a destination for top talent, while the market is tough currently, but we are actually able to hire pretty good talent and doing very well. You're pleased with our hiring progress.
Hamza Fodderwala
26:50 Got it. Maybe one last question for Remo on margins. So you mentioned, growth is the number one objective, which makes sense. Can you just remind us like how we should think about Zscaler when it comes to balancing, growth and profitability, what's the general framework around that?
Remo Canessa
27:12 Yeah. What we talked about was that if we're growing revenue greater than thirty percent per a year, you can expect margin, operating margin expansion of less than three hundred basis points and if it's less than thirty percent per year, you can expect margin expansion of three hundred basis points or more. The reason that we said that and that's our long-term operating margin model is twenty, twenty two percent and the reason we said that is because want to give ourselves flexibility to make the right investments to drive shareholder value.
27:47 You can see that this last quarter our revenue growth rate was sixty two percent and from when you look at a SaaS model in particular Zscaler with the high gross margins that we have, it doesn't take, it's not hard to get to an operating profitability the number and if we drove operating profitability, we think we feel that this service to our shareholders and to ourselves. As Jay mentioned, we have a seventy two billion dollars serviceable addressable market and with the very, very early stages and you can see that with our ARR, we are currently in the billion dollar range. There's a lot of room for growth and we're just very early stage and we feel that we have a unique opportunity to really capture this market we're going to go after.
Hamza Fodderwala
28:40 Okay. Alright. I think with that, we're just run a lot of time. So Jay and Remo, thank you so much for your time today and I don't see you, have a great holiday.
Jay Chaudhry
28:49 Thank you and you too.
Remo Canessa
28:51 Thank you for that. Goodbye.
Jay Chaudhry
28:52 Take care. Bye.
- Read more current ZS analysis and news
- View all earnings call transcripts