Analysis: The highly competitive cyber security market battle between the appliance makers and the ‘as a service’ providers is heating up. CEO Briefing: Jay Chaudhry, Zscaler
Jay Chaudhry, founder and CEO at Zscaler, says that the cybersecurity market is a shouting match between competitors about who can track the most threats. He also believes that security appliance makers are going to be threatened by companies such as his, which provide ‘security as a service.’ He tells CBR his vision.
Zscaler is a network security company that provides distributed protection across clouds.
It is a software firm with 600 staff: 200 in product and delivery, 200 in sales and marketing, 80 in customer success and support, and the rest in general and administrative. It has a large development team in San Jose and another smaller team in Bangalore, India.
Jay Chaudhry, CEO, is a man who has built and sold several IT firms. With this firm he says that international business is far more important and is a far greater piece of his revenue pie.
Over 50% of Zscaler’s sales come from outside the US, and that is a good thing, he says. EMEA is 45%.
Mr Chaudhry says he does not believe in running losses.
"We are cash flow neutral for the last three years, we don’t run into the red. This year with the Google and TPG investment [in August last year the firm raised $100m in its second round, which included Google and TPG Investment; the firm has so far raised $138m in two rounds] we’ll do a little bit more aggressive and go a little bit into the red and come back the following year. But with 600 employees to run a break even business is a very significant number. I’ve never done business where you say let’s lose $50m or $100m per year. You see some of that. They end up building a culture that is very hard to fix."
Mr Chaudhry says the biggest advantage of staying private is that you don’t have to be short-term focused on earnings. Too many companies, he believes, start rushing and going out to the public market. They should wait until they’ve figured out the business model and growth plans.
The first big part is to build disruptive innovative technology. You don’t build new architecture every two years, he says.
His approach is to set it right and start scaling. "If you don’t set the right architecture you’re not going to fix it in year seven or eight. So I think we start out with a clean multi-tenant architecture we can scale out. So I have no worries about scaling the architecture to 50 or 100 million users. The big surprises come if you have to pivot in a totally different way – the big surprise is if you have to shift, but we’re totally aligned with the market," he says.
Then you need to figure out how to scale.
"Most companies do it in two steps. How do you scale in the US and how do you scale internationally. International can be tough. Especially when you hit a certain size and need a certain level of investment. If your gross margins are good, you have a fair amount of room. Our architecture scales very well so our margins are much better than a typical cloud company. It is surprising [the cloud company margins] it is better than box companies but far worse than software companies."
The technology that scales is owned by Zscaler.
"We built from scratch, we built high performance because we sit in the data path and people don’t like it if you slow down their data. So if you can really do high speed inspection, it is like airport security, it is a race between speed of inspection and depth of inspection."
"If you look at any security solution that is sitting in a box it does certain things. First it defines the policy, what kind of traffic, who’s allowed to do what? Company may say, ‘I don’t want you to post on Facebook or you are using too much bandwidth streaming or watching football.’ Then as traffic comes, your defined policy is implemented. You log. Logs are like you go and sign into a building. A traditional security box solution does this and that’s what they know."
In a cloud solution your employees could be anywhere. Any of your employees could be served from any of 100 data centres. [The software layer sits on standard Intel hardware all around the world in the growing number of data centres from which Zscaler operates, located in Swisscom, Telecity, Interxion and other facilities.] The architecture is in physically separate pieces. Policy is defined once for your organisation, then 100 different data centres pick it up on demand. One hundred data centres do one thing: inspect traffic, move it in and out, and log activity.
"You can try to secure every office and house. But this is hard and expensive. You’re going to secure for me a defined number of cloud applications across any device, any network. I’m your guardian, between you and the application, it could be Salesforce, or another enterprise application. It could be anything on the internet."
The big issue is the application that is open to the internet, ‘all threats essentially come from the internet,’ he says.
"What Zscaler does is see who is coming in and going out. If your PC is calling a host in Korea, you cut it off and inform the IT department," he says.
"In the competitive world of IT security – there is a shouting match, we cover more threats, we’re up to speed. It is a race to the bad guys but being in the cloud is very beneficial. We’re set apart. Security boxes inspect traffic but they don’t inspect everything because it uses more cycles. They say look at the header, they may look at source, they may look at behaviour. But we put our R&D into inspecting every byte that goes in and out. Tracking a phone call is easy but inspecting the content of the conversation is hard. That’s what we do. We inspect the content. So my software does it better than any box."
"We are seeing and blocking 100m threats. We could see a new threat in our Moscow data centre this morning and this threat gets propagated to 100 data centres in seconds. So this is the cloud effect. Appliances and traditional software that sits in premises was never designed to do that. They’re lucky if they update a few times a day," he says.
Zscaler doesn’t see everything but has partnerships with 40 different companies.
"So we get their threat feeds, we exchange, they get ours we get theirs, some are commercial arrangements so we are leveraging the R&D of other companies such as Google, Microsoft, Verisign and many others," says Chaudhry.
It describes itself as a call gateway to the internet. A large company may have three gateways, one in the US, one in EMEA, Paris, and one in APAC. All traffic goes back to these, which is very slow; that is the old way. Our gateway is in 100 data centres; your PC goes through the nearest data centre.
The Zscaler definition: ‘we would call it security as a service.’ It is a subscription-based company.
"We are eliminating collateral, eliminating product, reducing cost, making it easy for business to have rich and faster experiences using the internet – for any cloud applications. You need to keep developing techniques, the value of security is always there. You need to do business on the cloud and on the internet, you need security. It doesn’t go away."
Matt Piercy, who joined Zscaler to run its EMEA business, says some of the greatest value is in the reporting done. "We can filter every piece of traffic, we can now say, that is what your security landscape looks like. We say put us in as a filter and let’s see what we can find. Then we find, for example 400 botnets and so the dashboard you get by having the software in the cloud reflects this. This is good for the CIO."
Chaudhry says: "We built an architecture where we can add more and more things to it. Sitting in the traffic path is extremely expensive. Billions of dollars move every minute. It is for us to ensure this is highly redundant and a failsafe to ensure we never go down."