Zscaler, Inc. (NASDAQ:ZS) Bank of America Global Technology Conference June 5, 2024 12:20 PM ET
Company Participants
Steven House – SVP, Product Management
Remo Caness – CFO
Conference Call Participants
Tal Liani – Bank of America
Tal Liani
Steve House, welcome. First of all, I think it’s the first time I’m hosting you for one of these sessions. And Remo, I’ve hoped you many times. We have a lot of cybersecurity companies today. And maybe before we start, Steve, just before — because it’s the first time you’re here at our conference, maybe you can present yourself in your position, and then I’ll start with the questions.
Steven House
All right. Excellent. Good morning, everyone. Steve House, I’m the Senior Vice President of Product Management at Zscaler, I’ve been at Zscaler almost nine years. Prior to Zscaler, I was the VP of Product Management at Blue Coat Systems was there seven years running all their core appliance product lines. I got there when they acquired a company called Packeteer around product management team for Packeteer. I was there six years.
Question-and-Answer Session
Q – Tal Liani
Excellent. Thanks. So I want to start from the last quarter and then go back basically and maybe Remo. You outperformed billings significantly last quarter. You grew 30%. We expected 21% and you — the performance was so much better than expectations. Then the question is, what is happening in the underlying market? Meaning what is — on one hand, we are worried about newcomers, Cisco and Fortinet, etc. On the other hand, your performance was phenomenal. So how do you describe the competitive landscape, your ability to sell? What kind of questions are you getting from customers about competition, etc.?
Remo Canessa
I’ll start and hand it over to Steve. I mean, from our perspective, from a win rate perspective, we’re really seeing still very, very strong win rates with Zscaler. I think we’re perfectly positioned in this market with our platform that — we’ve been doing this for 15 years. You take a look at our customer base, we have 40% of the Fortune 500 companies, over 30% of the Global 2000, and Zero Trust SASE market, I think we’re perfectly positioned for it.
From an outperformance perspective in Q3, it was an outstanding quarter. As you mentioned, we beat our consensus numbers by 8% in the quarter. And we’re also going through a transition right now in our go-to-market. We hired Mike Rich from ServiceNow back in November. And when I take a look at our Q3, Q3 is — he’s built — he’s hired his entire leadership team, and his leadership team has hired their leadership team.
So the focus basically in Q3 was to really build that leadership. And then once you build the leadership then you can go out basically hire your quota carrying outside account reps. The comment that I made on the earnings call is that through May, so the first month of the fourth quarter, we hired comparable the same amount of outside quota carrying reps as we did in Q3. I think going through that transition, showing the strength of Zscaler and our platform. Really, it was a great quarter. It’s a transition quarter, though.
And so when you and our attrition in Q3 was higher than our expectation. So the comment we made on the call was that off of the consensus for fiscal ’25, we expect 2% to 3% or a few point headwind basically on the billings growth. The reason for that is, as you have the transition, the higher-than-expected attrition in Q3, and as you’re getting new leadership in and as those cap reps ramp, which takes our expectation as they ramp in a year. So they’re on full quota after a year, that’s going to cause a headwind.
From my perspective, though, the market is huge. If you take a look at what we go after, our real customers we go after, it’s the customers like better than 2,000 employees. There’s about 20,000 customers like that, of that size on a worldwide basis. Our penetration in that is less than 20%. So a huge opportunity to go after new accounts. In addition, you take a look at what we have the ability to sell to our existing customers. We have a 6x opportunity to upsell just on the user side, not the workload, not the other products that we’re selling just on the user side. So — and that’s what basically the new leadership we’re bringing in.
One of the companies that we emulate is ServiceNow, which they get deeper into the accounts and sell more. So basically, going from an opportunity type sales, the comment we made to basically an account sale. So basically, that account sale, we get the change basically in the type of reps who sell deeper in the accounts, and that’s what we’re doing. So I think basically, Tal, on strong company, significant need for our type of security that we have. We’re going through a transition, which has gone very well. We’re positioned very well going forward with the changes in the market and we feel good about things. And Steve, any really comments?
Steven House
Yeah. The only thing I’ll take you back on in the market opportunity, we have broadened our platform in a way that it’s not just about the Zero Trust for users or Zscaler for users. But as Remo said, we’re selling more to protect workloads. Last quarter, we had our largest deal ever in that. We’re also doing more at the branch with our Zero Trust SD-WAN and our new acquisition of Airgap, which brings that down into the land as well, Zero Trust.
And architecture really does matter and when we go in and compete, people like the way we built our next-generation technology with true Zero Trust, where you don’t have to worry about exposed firewalls and exposed VPNs that people have to dial into to get through, which allows you onto the network. And any time there’s a zero day that causes a big problem, not a big scramble, in our world, there isn’t that concept of a zero day because you don’t have any exposed assets at all.
Tal Liani
So Steve, I’m going to ask it in a simple way for non-tech investors our non-tech people, what does it mean Zero Trust SASE versus the competition? How is your offering different from the others?
Steven House
All right. So if you come from a legacy firewall VPN world. What you do is you put a perimeter around your environment. And then as people try to get in, you challenge them and say, is that allowed in or not in, and then try to little bunch of gates and what they can get to on the other side, with Zero Trust done right, which Zscaler does, a few others do as well, but not the legacy firewall folks, you’d know the identity and what they’re trying to access, and that gets authorized in the cloud first and only if you’re authorized is a single connection made.
And for us, it’s two outbound connections that get stitched together in the cloud without ever putting that user onto the network. They don’t get a real IP address. They don’t know where they are. They don’t know if they’re in Azure AWS or a data center. It’s completely obscured from their knowledge. And for us, that’s true Zero Trust. You don’t have to expose anything to the Internet. So you don’t have to worry about DDoS or a zero day vulnerability. Someone breaking into your firewall or VPN concentrator, which has happened a lot recently because there’s nothing exposed out on the Internet in the true Zero Trust world.
Tal Liani
And when you look at the competitive solution, for example, Microsoft has announced they don’t have a firewall, so is — when you’re talking about firewall-based SASE, you only referred to Fortinet, Cisco, maybe even Palo Alto or you also refer to Microsoft?
Steven House
We really don’t see Microsoft. I mean they’ve made some announcements. The product wasn’t even GA and it’s going to be just or users very Microsoft centric. And I think eventually, you’ll see them at the really low end, but people who just want to check a box. But at the large enterprise, we sell to and we haven’t seen them right at all.
Tal Liani
So what do you say to a customer that tells you? And that’s coming from Fortinet for me, that tells you, you charge — I’m making up a number, you charge $300 license, if I put it on top of my Fortinet, I’m going to pay only $100 a license. They offer significant — current management they offer a significant price advantage over a Zscaler. What — how do you position yourself versus this kind of price difference?
Steven House
All right. So we still don’t run into further that much. They’re a firewall vendor when we talk about that. They have been talking about SD-WAN for a little while and now Zero Trust SASE. But in the end, architecturally at the large enterprise that isn’t what they’re looking for. It’s the true Zero Trust that I was talking about a few minutes ago, and I haven’t seen them seriously considered at of our customers. They are occasionally as the SD-WAN piece, but never at the SSEP. So when Gartner defines SASE, it’s plus SD-WAN. We do occasionally see them as the SD-WAN, and we interoperate with them just like we do with everyone else.
But when we announced and released our Zero Trust SD-WAN that competes on that side for the full Zero Trust SASE architecturally, it’s different. They’re about easily connecting the network in a cloud-managed way that makes your performance and your ability to move around easy, but that’s also easy for the adversaries. So if they get into the network, they can also move around. It’s not Zero Trust at the branch. It’s just connecting the branch. And they think of the security when that branch tries to reach out to the Internet, not when that branch tries to move laterally to your high-value assets.
Tal Liani
Got it. The fact — so historically, you offered SSE and not SD-WAN. What’s your journey on SD-WAN? How important is it to have SD-WAN as part of the solution.
Steven House
I think long term, people are going to look to what Gartner calls a single vendor SASE, so they do want that to come together. So that’s, in my mind, long term very, very important. We’re approaching it in a way that nobody else in the industry is. We’ve looked at everybody’s messaging, everybody’s products. They still think of SD-WAN as connectivity and SSC as security. But to us, the connectivity should also be Zero Trust to turn it into a zero trust branch office, which means if anything gets infected, whether it’s a user or a printer or an OT manufacturing line, it can’t move laterally and infect other things.
So our customers understand Zero Trust. They’ve been doing it with us with our ZPA offering for years, many of them for their users and now they want that everywhere. They want it in the branch, they want it in their cloud with their workloads. They want everything to be authorization first before connectivity. So the traction we’re seeing is pretty strong. People are starting to kick the tires, make their first purchases and they’re starting to think when this SD-WAN refresh comes up, let’s move to a single vendor way to do it, and we’re the only one that does that in a Zero Trust way.
Tal Liani
Got it. When I look at competition, and by the way, I know people are standing in the back their seats here, if you want to sit down. When you — when I look at the competition, not competition, other cybersecurity plays — take, for example, CrowdStrike. They started from endpoint and then they expanded into many, many other areas. Take me through the same journey from the eyes of the scanner (ph), meaning you started with ZIA, ZPA, how will the company evolve over the next three years in a way that expands the TAM?
Steven House
So yeah, going back in time, we started as a Secure Web Gateway in the cloud, replacing your on-premise appliances from Blue Coat, where I used to work or Forcepoint, all those legacy vendors, expanded it out to private access, which again, people originally thought of – start of as just VPN alternative, a way to do that differently and more securely. But now that has moved to how do we do that when a user is on-prem as well as remote.
We added in ZDX our data protection capabilities have been growing tremendously the last three, four years from just in line DLP to cover all the different channels, the CASB, the endpoint, the e-mail just announced DSPM or that same data security in the clouds. And then that was all Zscaler for users. And then that growth has been into workloads, now the Zero Trust SD-WAN, with the acquisition of Avalor to the micro segmentation world, where how can we bring that same zero trust concept to the LAN.
So just two things on the same local area network and only talk to each other if they’re authorized. Airgap gives everyone a network of one. They’re on their own network and to get off of that network, they have to have authorization. And now with most recently, the Avalor acquisition, which gives us this foundational data security fabric where we can build applications on that, giving insights to companies around not only security but other areas, I’m taking that $400 billion transactions going through our cloud every day and better find reps, better give business insights around what’s going on in that environment, and we want to monetize that in different markets that aren’t traditional SSE (ph), things like vulnerability management or security scorecard types of things with Risk 360.
So we’ve been providing more and more solutions that take budget from other areas, not just the SSE and the legacy firewall market the traditional things, even things like VDI, we started to have an alternative way to do VDI that’s more cost-effective with a better user experience and better security all wrapped in, wrapped in one that can be done sometimes at a quarter of the price of Citrix VDI solution.
Tal Liani
Still on going back to competition, you — what is the risk that the market will be bifurcated into customers that understand zero trust and customers that will not understand Zero Trust. What I’m asking is, when I look at your competition, none of them is offering the same vision, you’re differentiated in your vision. And this differentiation is both a risk and an opportunity, like, how many people are going to adopt it. So how do you — what are kind of discussions do you have with customers? Where do you see reception for the Zero Trust offering? Is that a certain vertical, big companies, small companies, etc.?
Steven House
Yeah. Back to some of what Remo was saying before, with Mike Rich and the large account selling model, we want to get very deep into the large enterprise. And that’s the core group, which understands the value of Zero Trust and is willing to invest in the right technologies to make sure the security is top notch.
As you get down, it gets harder and harder to have those individual conversations and the customers are generally less sophisticated, which is why our go-to-market model for the smaller ones would be through partners and integrators and MSSP, but we are having those discussions with the large enterprise to make sure they not only understand it at the website level because — and to be honest, everybody says you’ll trust everywhere, but we get down into the details.
So while the account reps or account executives themselves are coming from the enterprise software. We’ve got the SEs and the solutions architects and the CXOs, we hire out of customers, all of those get brought in and talk to the different groups inside of the large enterprise to make sure that it’s understood throughout the organization, not just one champion, but all the different parts of the organization understands what it really means to be Zero Trust and why you need to do it right.
Tal Liani
What if a customer tells you I’m not talking about data center firewall, that will probably never change. So I’m talking about branch firewall and (indiscernible) but no data center. So what if a customer tells, you don’t touch my firewall. I have — I’ve been around for many years. I’m a big organization, politically, I can’t change it or whatever. What do you offer to those that still want to keep their firewall in the branch what are the advantages that you have and how can you compete to — and then compete with the firewall company?
Steven House
Yes. Still tell you don’t need a firewall in a branch and eventually, it will come out. But to be honest, most of the large enterprises didn’t have firewalls in every branch because they were backhauling everything out through a core set of appliances. So as they’ve moved to direct-to-Internet with SD-WAN and SASE, most have chosen not to put a firewall in every branch, right? There are some — and when we see it, we say you definitely don’t need to, that’s money that you’re wasting by doing that. But most people are saying, if I’m going to go direct, I still need security, that’s where SSC combined with whatever the SD-WAN came into place.
And for those who want it in their data centers, like you said, the core East West is going to take a long time to disrupt, but even the firewall between your data center out to the Internet, that’s going to stay for a while. People, they’re not going to just remove that firewall, but it will get smaller and smaller as you take traffic direct, you no longer have that 1,000 branch offices coming through that one. So you can shrink the size of the firewall, people already weren’t doing us a sell inspection on the firewalls. They weren’t sized for that. It’s not an easy thing to do.
And in today’s world, all the threats are encrypted. So it becomes a mandate for any fully security-conscious organization to be inspecting not only for threats but also for data leakage, same thing. We have to be able to see the content to do that.
Tal Liani
So we spoke about data index takes me to the next question, which is about, I asked you about it, but I’m going to ask it more direct and what are the, where are the opportunity to grow your NRR, meaning to upsell additional modules to existing customers. So what are the markets you’re going after? And you mentioned data there was mentioning of cloud before, etc.
Steven House
Yeah. So NRR is a tricky one because we want to sell bigger and bigger bundles upfront, which gives less opportunity to upsell. But even when we’re selling those bigger bundles, they tend to be the Zscaler for users which includes ZIA, ZPA and ZDX. And in that case, we still have the opportunity to expand to workloads, to expand to the Zero Trust SD-WAN and the new Airgap pieces for the LAN. And now with Risk360 business insights UBM, which came through the Avalor acquisition.
We’ve got more things to sell in terms of different parts of the security budget and in some cases, even to the CIO or CFO or Head of Facilities, understanding where people are, where their football (ph) is in their offices, what times people work, etc. So there’s a lot of opportunities to continue to sell even the ones who come in at the Zscaler for users high end of the bundle, which doesn’t necessarily have too much to sell to the users because they have ZIA, ZPA, ZDX, even data protection in those high-level bundles.
Tal Liani
One of the things you spoke about was cloud. What do you offer for cloud protection?
Steven House
Yeah. We have a variety of solutions in there to do both the workload communications where if a workload is trying to talk out to the Internet, which is very common, maybe it’s integrated in with ServiceNow, or Salesforce and has API connectivity, but it shouldn’t be going to some random site in Russia or China. So you want to do Internet access protection and data protection on it. But more importantly, workloads that communicate to other workloads maybe in the same cloud world, maybe from Azure to AWS. We do that in a zero trust way. We call those things workload communications.
We also have the cloud workload protection with the CSPM. We just announced DSPM data security posture management, which leverages the same sensitive data definitions you did for in-line DLP and for CASB an endpoint DLP, but now on those workloads themselves. So there’s not always sensitive data, but it’s configured in a way that it’s exposed to, too many people or as privileges are escalated too high of some of the users, so we put all of that together into an overall data security platform, which touches the workloads as well. So that’s another piece of the workload protection.
Tal Liani
And how well are you positioned? I ask it because some of the big start-ups like Wiz, etc., started earlier, Palo Alto, Prisma Cloud started earlier. But we do see CrowdStrike as a late entrant or entrant after the market. So where are you positioned from a technology readiness point of view?
Steven House
Yeah. Good question. So all their traditional CNAPP (ph) vendors like a Wiz, they are strong in kind of the DevOps side through to run time, and they put DSPM as part of that cycle. Zscaler is approaching it a little bit differently as DSPM is just another channel that you can lose data on, like, your users out to the Internet or your endpoint to your USB stick — this is the data that’s there. Is it leaking or exposed or externally or internally to too many people and we’ve tied it directly into that SASE framework and the SSC framework where you define your data protection once and you secure all of your channels.
And for us, that’s kind of moved a little bit further away from the DevOp side, but the run time side because you want to protect your sensitive data that’s out there. And for us, it’s just going to be another channel we sell with our platform and not try to go in and sell to direct against the CNAPP side, if it’s led from the DevOps and art, which a lot of their businesses.
Tal Liani
Got it. Now it’s time to ask some financial plans. So quarter was great, but still if you look at Street consensus growth for next year, it went down from 25.6% to 20% revenue growth. And the question is, when I spoke to your team, it was about Street did a model properly the cyclicality. Fundamentally the question is, how do you see next year playing out? How do you see pricing environment? How do you see growth environment? What is the outlook for next year?
Remo Canessa
Yeah. So broadly speaking, I’m not speaking specifically for fiscal ’25. Based on how we’re positioned as a company and based on what we’re seeing with run rates in the pricing environment right now, I don’t really see much changes basically in fiscal ’25. Still, we’re in an environment of high scrutiny. I don’t see that changing either. So we’ve taken that into account. From my perspective, what it really comes back to is that what company has a solution, which addresses really the needs of today and also in the future.
And when you take a look at Zscaler, we’re built in the cloud, for the cloud, and when I met with Jay Chaudhry about 7.5 years ago, I was interviewing for Zscaler, is very simple concept and the concept was — and again, I came from NetScreen, which is a firewall VPN company sold Juniper and then also Infoblox, which is a core DDI company, DNS, DHCP, IPAM. And when I met with Jay Chaudhry, basically, I knew that the ship had sailed related to applications going in cloud seven, eight years ago, which there’s a debate on that, whether that’s going to happen or not, that clearly has happened.
My feeling was that security had to stay on-prem. And the reason for it is because I got to control it. I’ve got to basically get — I got to protect the crown jewels. And Jay’s comment to me was, was after a 3-hour meeting, he said, if applications are moving to the cloud and users are mobile, why do you want to backhaul everything back into your data center? And the answer is you don’t. So when you take a look at the legacy companies and you look at their fundamental architecture, which is the architect, which was hub-and-spoke, which has basically came about in the mid-90s. And that architecture is still fundamental to basically their platform.
Zscaler basically through that upside down, and that is not — we’re not having spoke. We’re basically a cloud. We’re in exchange. It’s invisible and we connect the right user to the application, the right workflow, the right IoT device. So from my perspective and what I commented, when I first started, we’re still very early innings in this market. I think architecture and platform matter. I think I felt that eight years ago, when I spoke to Jay, I’m more convinced of that now. The breadth of our platform, which continues to grow, our ability to do acquisitions and to integrate those acquisitions, I think is very, very good.
From my perspective, from a fiscal ’25 perspective, we talked about the headwind with the higher attrition in Q3, which will have an impact on us. But we’re a much stronger company now with basically the changes that we’ve made. And also basically, three years ago, four years ago, five years ago, it was more of an evangelical sale. You have to convince people. Everybody is Zero Trust now. Everybody’s SASE. Zscaler have been doing this from the very beginning. So I think overall still scrutiny, still expect one rates to be up. I expect basically the sales organization to mature. I expect it to get stronger, sell deeper into the accounts to make us a stronger company.
Tal Liani
Great. Ran out of time. Thank you very much.
Remo Canessa
Thank you.
Tal Liani
Thanks, Steve.
Remo Canessa
Appreciate it.
