Zscaler - wading in

I have been baffled by Zscaler in more ways than one, but the valuation has always caused the most consternation for me. I wrote about this struggle a month ago when the share price was around $47: https://discussion.fool.com/zscaler-33159259.aspx. However, after fantastic earnings, lockup expiration, and a month where Zscaler actually pulled back, I took the opportunity to buy a small position last week at around $38. It’s only about a 2% position. My thinking is that I may want to add to it over time, but the stock is still quite expensive at a PS around 25! (I feel somewhat vindicated for passing on it when the PS was 33 – didn’t really need a crystal ball for that one, but nonetheless, it appeared to be the right call.) More importantly, I just can’t wrap my head around exactly what they do, and I have trouble even distinguishing them from Okta, which I also don’t hold. (I guess I’m just a skeptic on internet security companies of any kind.) Still, after the pull back, and my reading up on the quarter they turned in a couple weeks ago, the valuation is bothering me less. Saul did a very thorough review here: https://discussion.fool.com/zscaler39s-results-my-thoughts-34000…, and I noted a few things that I think begin to support the valuation:

1. Cash of $298.5 million and no debt. This means that the EV/S is a little lower than the P/S. Still 23 or 24, but every bit helps.

2. If you look at billings instead of revenue, they have $258m in the TTM instead of $191m. That’s pretty big. The “EV to billings” ratio would be more like 17 or 18.

3. Their cash flow progress is legit, mostly driven by the revenue they’re deferring. I happily note that they are among the thriftiest of the companies we follow in terms of how much SBC they grant. They’ve also reduced OpEx as a percentage of sales quite a bit in the last twelve months. As far as the Q and TTM results, let me cut to the chase: they delivered everything you’d want. Easy to see why Bert called it a perfect quarter.

4. I like how straightforward and clear the company is – they haven’t created any crazy metrics to make themselves sound better: they don’t need them. They offered supplemental information that includes the last 8 quarters. Definitely check this out if you’re interested in how fantastically the business is progressing. The final page, with billings, is especially impressive and informative. https://ir.zscaler.com/static-files/b8f0a9f2-78ca-49f1-9e25-…

5. I just couldn’t ignore the fact that they seem to be dominating their space (even though I don’t understand how the product works, at all). It seems all signs point to a company that is building a giant moat. Maybe they will be the ones to finally solve internet security. I keep going back to this amazing testimonials/partners link provided by Robear1020: https://discussion.fool.com/anyone-still-on-the-fence-about-zsca…. It looks rather obvious that Zscaler is beloved by those who know most about secure computing, including the likes of Microsoft’s CEO. That speaks volumes to me.

I’m in, cautiously.

Bear

I guess I’m just a skeptic on internet security companies of any kind

Name any significant enterprise (public or governmental) that does not require network security . . . You can’t because there are none.

You can’t understand exactly what they do. So what. The people who need to understand it in detail, do. And they buy it and they love it.

In fact, without understanding exactly how it is accomplished can you understand that ZS provides mission critical functionality with essentially zero competition? Can you understand that complexity = vulnerability? Can you understand that the manner in which ZS provides this functionality greatly simplifies the IT infrastructure via the elimination of myriad appliances? Can you understand that while ZS provides vastly improved protection it simultaneously enhances the user experience?

I spent 30 years in IT. I was not in the security department but I worked with those folks on a regular basis. I am 8 years into retirement and the environment has changed drastically in that time. The threats have multiplied and the sophistication of the attackers has increased dramatically. I can say with a fair amount of confidence that every alternative to ZS has greater vulnerability while simultaneously degrading network performance (that’s why I said that they have no competition). I pretty much understand what they do, I just don’t understand exactly how it’s done. I don’t need to know that to have a high degree of confidence in the company as an investment.

And, BTW, ZS and OKTA play in very different arenas of the complex world of IT security. I’m long both.

The people who need to understand it in detail, do.

Given the frequent breeches, it would appear that this understanding is not well-distributed.

And, BTW, ZS and OKTA play in very different arenas of the complex world of IT security. I’m long both.

Brittlerock -

Would you mind elaborating on this point? In what ways are their arenas very different?

Thanks.

Yes, that is true . . . That is also an indication of the market opportunity.

OKTA provides MFA, multi-factor authentication. What that means is they provide functionality that the individual singing on to the system has authenticated that they are who they claim to be with more than a simple ID and password (single-factor authentication). Together with MFA, OKTA supports SSO, single sign-on. What this means is that all the various home screens of the applications available to that user (and the associated security parameters for that user) are presented without forcing the user to log off from one application and sign on to the next. They sign on once for everything and they sign off of everything at one time when finished with the session.

Zscaler provides network security. That insures that the traffic on the network is safe without intrusions. Viruses, trojans, keystroke loggers, etc, etc are blocked from ever gaining access to the network and therefore blocked from taking up residence on peripheral terminals (e.g. PCs), servers, databases, routers, and other infrastructure components.

More importantly, I just can’t wrap my head around exactly what they do, and I have trouble even distinguishing them from Okta, which I also don’t hold. (I guess I’m just a skeptic on internet security companies of any kind.)

We have both at my company. Okta provides a secure portal that allows single-signon access to our cloud apps (Office 365, Ultipro, Timecard, ServiceNow, etc). It probably does a lot more, but I don’t see that. Both Okta and Zscaler are part of a “zero trust” architecture (trust nothing or no one unless you know who they are, where they are coming from and where they are going). So to me Zscaler seems like it took the place of my old VPN. When I take my laptop home, it is just like being plugged in at work. I see my local MS Outlook and all my corporate share drives. But unlike my VPN it is transparent to me and FAST. I don’t have to login to it each time I go home, just turn on the laptop and start working. Awesome.

But the big deal is that Zscaler lets my company jetison all the old security hardware. With VPN, I went from home, to the company “ingress” then back out again to a clould or stayed in on a share drive (which was slow). Now, I go seem to go through the (fast) ZScaler cloud to get out from home. The make sure I am encrypted and protected. Access is fast and easy.

Each Sunday or Monday I have to reauthentic zscaler. That means pushing the authenticate button, which then presents me with my Okta login. Once I authenticate with Okta, I am send a second authentication request to my phone. I push that, it goes to my OktaVerify app and I press accept again and I am in. It might sound complicated, but it is not. This provides two-factor authentication so even if someone gets your password, they would need you phone and its password to authenticate on the second step.

So back to the hardware aspect. Hardware sucks. We are currently in the process of spending TONSs of tax payer money to replace “End of Life” equipment on our customer job (Cisco routers, switches, Dell Pcs, Pritners, phones, servers, etc). The hardware still works fine, but the manufacturers no longer provide security updates, so the Gov requires it to be replaced. Nice little game. But the same is true for the stacks and racks of security equipment that Zscaler replaces. That gets old. The processors can’t keep up. The security patches are discontinued. Then your company spends money out of their profit to replace it all and pay the nerds to keep it updated and running smoothly.

With Zscaler, no equipment and only a couple of nerds to keep it running, not an entire nerd herd.

Check this link posted early for a better descritpion of what I said…
https://www.youtube.com/watch?v=2LOe7glGj8U

My “new” company had the chance to srart from scratch and they chose Okta, Zscaler, Ultipro, ServiceNow and more. I love how zscaler simplifies my life. I suspect they love how it eliminates all that hardware.

Pete

4) I like how straightforward and clear the company is – they haven’t created any crazy metrics to make themselves sound better: they don’t need them.

I actually had a bit of a laugh when I saw Zscaler’s earninngs slides for this past quarter. Unlike most everyone else with graphs and charts and marketing spin, etc., Zscaler just had a few slides with the financial spreadsheets that spoke for themselves. How Buffetian I thought, albeit Buffett would never pay these prices I do not think. Not his thing.

Tinker

Given the frequent breeches, it would appear that this understanding is not well-distributed.

I agree with this, and it is what has kept me out of the internet security businesses (so far). It seems like all it will take is one breach, with Zscaler’s name on it to drop the stock significantly. Other businesses don’t have that one Achilles heel that could do so much harm in one swipe (sure, some do).

I very well could be wrong (and probably am) with this thinking as I really don’t know this space at all, but that’s the way I think about it.

That’s a cool description, Pete. Thanks.

Okta provides a secure portal that allows single-signon access to our cloud apps (Office 365, Ultipro, Timecard, ServiceNow, etc). It probably does a lot more, but I don’t see that.

So you just log into Okta and then see links that authenticate you through to the Office 365 site or the ServiceNow site, or whatever? I guess I can see why that’s cool, but I don’t see why a VPN couldn’t offer the same…it seems more like a feature than a standalone product. Same with the multi-factor authentication piece you mention later.

to me Zscaler seems like it took the place of my old VPN. When I take my laptop home, it is just like being plugged in at work. I see my local MS Outlook and all my corporate share drives. But unlike my VPN it is transparent to me and FAST.

My guess is you still have a VPN – I don’t think Zscaler is one…but someone correct me if that’s wrong. I would guess that Zscaler replaced the legacy security measures that were making it slow…maybe?

Interesting. Thanks again.

Bear

Zscaler removed the need for a VPN. You do not need one with Zscaler. Zscaler’s ZPA product makes VPN’s obsolete, according to Zscaler, and GE’s CIO made that case as well, as did Siemans’s CIO.

https://www.zscaler.com/products/zscaler-private-access

Zscaler is utterly disruptive. In practice Zscaler is marketing towards lower hanging fruit, instead of companies all at once making the “digital transformation journey” as has become the corporate speak. Some companies like GE have gone all in Zscaler and make the internet their network. Most are using it for new offices, remote offices, mobile workers, etc. Many stories though of starting out that way and then deciding to cover the entire organization. Sometimes this will replace the appliances in the data center, other times it simply substitutes for appliances that would have had to be purchased.

But in the end, and it seems inevitable as HCI with Nutanix (meaning not 100% of the world but piece of piece it will take over the world) Zscaler offers the capability to enable an enterprise to make the internet its data center as it resolves the issue of security both in-bound and out-bound. ZPA is their smaller and new product, it enables applianceless security for private networks. It is why VMWare incorporates Zscaler in their software stack. It is why with ZIA, Microsoft incorporates it in 365.

Anyways, as I gotta a bit verbose, yes, it can remove the need for your VPN entirely. In practice things happen piece meal, and only some early adopters have gone all in.

Tinker

It seems like all it will take is one breach, with Zscaler’s name on it to drop the stock significantly.

I don’t have data, but my impression is that most, possibly nearly all breeches happen on sites where there is nothing like a modern security implementation. I.e., the issue is not that someone hacks Zscaler, but that someone left the admin login/password as “admin” and “password”.

I work cyber security and wanted to weigh on on the possible drop of ZS regarding a breach scenario.

First off, hackers would not target the security implementation of ZS. That would require too much resources with a high degree of failure. They would go after users and endpoint security. End point security has to do with all devices that login to your corporate network. This can range from mobile devices, tablets, laptops, and computers.

In the world of cyber security there are two main points of weakness assuming you have best practices currently running: users (who are insane) and endpoint security (bring your own device also).

If your system admins do not have a comprehensive strategy in dealing with these two areas, it’s quite easy for a hacker to gain access through social engineering, spear phishing…or really low key…steal a laptop of an executive while not looking(at a conference, meeting, Starbucks). Without a remote wipe policy, strong group policy, and a strong INF security template, that laptop could be an easy vector for an intrusion. Especially if the executive doesn’t report the loss and then a random samaratian happens to turn the laptop back over saying they found it. Obviously with some malware attached just waiting for the executive to enter all the necessary credentials for a advance and persistance attack to remain!

The vectors for an attack vary but ZS would do well to run scanners and audits on the end points to ensure all the security they offer is all for naught.

Nice post, and agreed.

Another way to look at it is like a sporting event: would you want your team’s worst player to go against the other team’s best player to decide a match?

Probably not.

So a great hacker doesn’t need to target a great defense/security. The hacker can just target the weakest end user.

You know: that guy that walks away from his desk with laptop opened and unlocked, or maybe he is at Starbucks when he goes up to counter to complain he didn’t get enough whipped cream.

Or maybe the guy that opens every email and clicks on every file, NO MATTER WHAT. The IT folks hate that clown.

There is a whole part of selling security solutions that includes “People” in the form of training for a company’s employees around security policy and protocals. Even with top-notch training, you are still as vunerable as your weakest employee in this regard.

While ZS could take a temporary uneducated hit on a big security breach, if the fault was internal and end user-related, I would expect the correct news gets out and eventually reverses any lost gains due to FUD. If ZS software is found at fault, that could be an issue, for sure.

I have expanded my port a bit with the recent dips of some high-flyers, and have ZS (again) now. Still pricey, but believe it is higher in a year from now and have given up timing the market.

Dreamer

been long: TTD, IQ, TWLO, AYX, BZUN, NTNX, NVDA
new longs: ZS, MDB

Pete,

Check this link posted early for a better descritpion of what I said…
https://www.youtube.com/watch?v=2LOe7glGj8U

Actually, I think you said it better than the video. My takeaway from the video was the CEO saying, “Look how great I am.” I couldn’t quite tell what they did. I was thinking firewall/proxy.

But likening it to a VPN makes more sense to me. Using that VPN-like service inside one’s company could simplify the user experience (one experience to rule them all, not one at work and one at home), as long as the overhead isn’t noticeable at work (which seems to be the case, according to your account). It makes mobility much easier. And it means you don’t have to go to a lot of effort keeping people out of your internal network, if that is the same as the public internet.

The company I used to work for had a secure internal network, as well as access to the public internet (outside the firewall) via WiFi. Life was fine if you were on the internal network. But if you unplugged your laptop from Ethernet, you had to switch to WiFi and VPN, which sucked. The main meeting rooms had a few Ethernet outlets so people could plug their laptop into the internal network and avoid VPN. VPN sucked badly enough that managers often pulled rank so they could have Ethernet for themselves. Fast and seamless VPN (which Zscaler appears to be) would have been a game changer.

I particularly appreciate the personal testimonial about how much Zscaler (and Okta) simplify your life.

-Mark

"Obviously with some malware attached just waiting for the executive to enter all the necessary credentials for a advance and persistance attack to remain

The vectors for an attack vary but ZS would do well to run scanners and audits on the end points to ensure all the security they offer is all for naught."

If Zscaler removes the issue of security inbound as well as outbound as stated earlier would’nt it able to red flag the problem laptop and prevent it from causing harm.