Zscaler CEO Chaudhry: disrupting the old guard is a mega-opportunity

Cyber-security firm Zscaler’s “zero trust” software, a kind of secure “switchboard,” has obsoleted the old guard of security, says co-founder and CEO Jay Chaudhry. “Check Point is the living dead,” is the way he talks of competitors. His sights are now set on AI to crank up the volume on detecting threats.

One of the things people love about CEOs who are founders is that the passion they express tends to come with a very sharp, clear, view of the marketplace born of conviction.

“Technology changes incrementally all the time, but there are disruptive technologies that come every twenty to thirty years, and those disruptive technologies create mega-opportunities,” says Jay Chaudhry, CEO and co-founder of cyber-security firm Zscaler.

“That's when new companies are born.”

Chaudhry founded Zscaler fifteen years ago, convinced that the rise of cloud computing was destined to change the nature of the cyber-security business.

I was talking with Chaudhry a week ago, following another successful quarterly report. The company has never missed expectations in a quarter for sales and profit since coming public in March of 2018, an amazing and unusual record of achievement. On a path to $1.6 billion in revenue in the fiscal year ending next month, Zscaler has grown by providing an alternative to the traditional security market of firewall devices and the like.

“When you do this, the incumbents say, no, no, no, this is never going to work,” says Chaudhry. “That's why, when disruptive changes happen, incumbents generally fall off a cliff.”

Well, the incumbents haven’t exactly fallen off a cliff, I point out. Check Point Software Technologies, for example, is still minting money three decades after creating the firewall category.

“Check Point is the living dead,” says Chaudhry, which is the kind of response that makes it so much fun to talk with founders. “I mean, HP Enterprise hasn't fallen off a cliff, IBM hasn't fallen a cliff, but does it matter? Does HP matter?”

“Check Point doesn't matter to any enterprise,” he contends.

To make such stark statements, you have to have a pretty strong conviction about the importance of what you’re bringing to market.

Zscaler’s software, as expressed in numerous patents, doesn’t protect an office or a network in the traditional fashion of a firewall, by controlling access at a “perimeter,” where a company’s computers meet the outside world.

Instead, the software functions as a kind of inquisitor, inquiring, for every action by an employee’s computer, whether they are authorized or not to take a given action, such as visiting a Web site. It is a form of security known as “zero trust” that has become increasingly popular because in a cloud age, there is no longer a perimeter.

“We said, don't do network security,” he says of the founding principle. “Instead, simply build, literally, a smart switchboard that connects party A to party B securely, and that's what has created a big opportunity.”

Chaudhry uses the analogy of building access. The traditional firewall is too permissive, he says, “like getting into the building after showing your ID, and getting a badge, and wandering around wherever you feel like wandering around, ”including places you’re not supposed to be.

In the zero trust scenario, by contrast, “once you’re given a badge, you’re escorted to a meeting room, and once the meeting is done, you’re escorted out.”

The Zscaler name stands for “the zenith of scalability.” That is not a reference to the defunct television brand Zenith. It is a reference to the company’s contention that its software is powerful enough to keep covering more and more of the millions of corporate users who keep joining the public cloud. It scales to greater and greater capacity, currently covering forty-five million users.

The year that Chaudhry started conceiving of what would become zero trust, 2007, was the year that Amazon introduced its Web Services business, the year public cloud computing was born.

“Having done four startups, and sold them, I didn't want to do one more startup and sell it,” says Chaudhry. “I was looking to build a lasting company — looking fifteen, twenty years down the road, to where will the market be, knowing that the market takes its own time.”

Evangelism was arduous for this new approach in the early days, he recalls. “I’d go and talk to ten CISOs [chief information security officers], and six would say, you're crazy, three would say, I like your idea but it's not for me, and one would say, it's so exciting, so innovative, let's work together,” he recalls. “That’s all I needed, was one for every ten to say yes and work with us.”

“Now everyone is saying, yes, I need it.” Once zero trust was proven, says Chaudhry, the competition, including Check Point and other very established names such as Palo Alto Networks, tried to be fast followers. “Every legacy guy is saying, of course I do cloud too,” says Chaudhry. “That’s like DVD players saying they do streaming just like Netflix.”

As in an old western movie, whenever a new, young company has established itself in tech, there’s bound to be a new, young company coming up right behind them to take it away. Every startup has a brilliant new idea, and they may be promising. “Look, there are lots of ideas; every idea doesn't succeed,” is Chaudhry’s response.

More specifically, he observes, startups only have a piece of the puzzle. “Startups need to be narrow and deep, otherwise they can't be good,” Chaudhry says. “But more and more, security needs to look at ten different techniques, and correlate, and figure out what's good and bad.” That, he says, is a requirement that “makes a case for a platform, and it's very hard for a young company to build a new platform.”

It has long seemed to me the security business must consolidate, I tell Chaudhry, just because there are so many players. There are select security deals now and then, such as last month’s buyout of Sumo Logic by Francisco Partners for $1.15 billion, and the pending take-out of ForgeRock for $1.7 billion by Thoma Bravo. But, I ask Chaudhry, will something more sweeping take place, a dramatic consolidation of the entire security field?

“Consolidation happens, but when the market is evolving and changing, consolidation never completes,” is his view. Individual features, those puzzle pieces, get folded together as startups get bought. Firewall products used to stand alone as a category, but they have been more and more joined to other functions. The same is true for so-called intrusion-detection and prevention, once its own distinct category.

“Now, who knows, in the next ten years, there may be a next big wave of AI stuff that, kind of, turns lots of things upside down,” offers Chaudhry. “So, we all have to be mindful and see how do we disrupt ourselves.”

In fact, a large portion of Chaudhry’s conversation with the Street during his company’s earnings call last month was about how artificial intelligence is being incorporated into Zscaler’s software. On the call, Chaudhry emphasized to analysts that with its fifteen years of work, Zscaler has some of the best data to train neural networks for the purpose of security, including the new kinds of “generative AI” such as ChatGPT that is all the rage.

“The most important data for cyber [security] is logs of who is talking, before any breaches happen,” Chaudhry tells me. In particular, the URL of a Web site, although only 500 kilobytes long, on average, nevertheless is rich in information, with “all the parameters of what was requested, how it was requested, if someone tried to send you a phishing attack, if someone tried to steal your password,” he points out.

All those data are clues to reconnaissance that an attacker is performing in advance of carrying out an attack. The job of ZScaler’s software is to collect that information with the purpose of averting the attack before it can be carried out. That string of text has to be parsed to reveal its secrets.

“Imagine being able to feed three hundred billion of these unstructured URLs a day” into the Zscaler AI, he offers. “It can give us tons and tons of information to figure out who is trying to do what, coming from where, and whatnot.”

The company has been doing that already for years on a limited scale, he notes. The prospect offered by AI is to dramatically increase the degree to which the software can inspect. “New technologies may come,” he says, “but without proper training data, they won't be very effective, so that's why I'm excited for us, because data is becoming the new currency, and we’ve got tons of it.”

What about, I suggest, the well-known gaffs in AI, the tendency to “hallucinate,” to perpetuate falsehoods? That has to be especially bad in a security context, I would imagine.

Chaudhry is unfazed, seeing it is a minor issue in practice.

“The customer is gonna say, I get it right ninety-seven percent of the time, it’s worth the risk, and that's how the world's gonna work,” he says. “I don't think the world will stop because one percent of the answers are not quite accurate.”

Perhaps. The proof will be in the pudding, of course.

As far as priorities, “one of the things we need to do a better job of, is, some of the legacy vendors have a big megaphone,” he says. Companies such as Check Point are doing a disservice to customers saying they can do the same thing the zero trust stuff does, he says. “Everyone knows that you cannot build zero trust on top of firewalls and VPNs [virtual private networks.]”

Given both his belief in building a lasting company and his belief in disruption, how soon is it before Chaudhry’s company becomes the old stuff, and in turn is disrupted?

“I think you become the old stuff if you don't disrupt yourself,” is Chaudhry’s retort. “Look, Microsoft was becoming the old stuff, then Satya [Nadella, Microsoft CEO] came in and turned it around.”

“None of us have a crystal ball,” says Chaudhry, “but my hope and desire is we keep on disrupting ourselves, and keep on moving to the next phase and the next phase, and many, many companies have done it for a long time.”

Before we wrap, I ask Chaudhry one of my favorite questions for a CEO: valuation. At the price on the day of our meeting, $148.82, the stock, up thirty-three percent for the year, was valued at 12.7 times this year's projected Street consensus revenue, and 9.9 times next year’s consensus. That valuation, moreover, is for a company expected to increase sales nearly thirty percent next fiscal year, a company that has been solidly profitable for some time now, with expected earnings in the new fiscal year of $2.11 per share.

Is that a good buy? I ask.

Chaudhry’s succinct reply: “This is a great buy at any price because we have a great future.”