Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
LET’S BE FRANK
Inspired by Benn’s Substack posts on how various modern data stack companies would fail, I decided to do this for cybersecurity companies. I’ve written about how I think Crowdstrike might fail. In this newsletter, I go through the thought experiment of how I believe Zscaler might fail. To be clear, I believe it’s an incredible product and a well-run company, but all good things can come to an end.
For context and disclaimer, I currently do not use the Zscaler product. My old employer, Dell Technologies Capital, was an investor in Zscaler. I didn’t have economics in that deal, and I no longer have any economics at Dell Technologies Capital. I do not have a financial position in Zscaler and do not plan to start any in the next 72 hours.
The rise of cloud security
Zscaler started around 2007. Interestingly, it was a bootstrapped security company that didn’t raise funding until 2012. Jay Chaudhry invested his money initially, and he still owns a large portion of the company.
The company has two main products: Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). In my mind, ZIA is similar to a secure web gateway (SWG), and ZPA is an application reverse proxy that allows for zero trust network access and could be a VPN replacement.
Zscaler was really the first scalable SWG solution for companies that were moving to the cloud. Although some companies were moving to cloud infrastructure, what I mean by “cloud” here is that companies were moving to SaaS from their private applications. Now, the IT security team was left to manage security policies on a mixture of private (on-prem) and SaaS applications. The difficulty here is that some traffic remained in the network, but now some traffic was leaving the network. This was the start of the breakdown of the corporate perimeter. (Moving to cloud infrastructure only furthered this breakdown.)
With increased traffic leaving and entering the corporate network with the rise of SaaS applications, IT security needed a way to enforce security policies in a scalable manner. Enter Zscaler. Although the market was large, other products on the market at the time didn’t scale well. They either required that the company itself have dedicated infrastructure to manage the traffic or didn’t have the infrastructure to handle the scale of traffic, leading to increased latency. However, Zscaler built out a massive, global infrastructure system to handle its customers’ traffic. It recently handled more than 100B transactions in a day while adding only minimal latency, which is a huge undertaking. They solved a technically difficult problem that had been plaguing IT and security for a while. It turns out to be a great business!
Enter new competitors
As more companies move toward SaaS applications and cloud infrastructure, the demand for SWGs and products like Zscaler has increased. Although Zscaler had a strong competitive advantage in its infrastructure compared to other security companies in the space, competitors from adjacent spaces emerged, namely the CDN players. Akamai and Cloudflare started as CDNs, but they already had large worldwide infrastructure systems that were comparable to Zscaler’s. Moreover, companies were already routing traffic through CDNs outside of their network. Since the CDNs were already seeing the traffic, it naturally made sense for them to enforce some security policies on it. It was a natural extension of the CDN platform. Also, it turns out security is a great business!
Similarly, a new category called CASB emerged as SaaS applications became more prominent in companies. CASBs were able to provide more granular access control for SaaS applications. Companies like Netskope were able to get a wedge into organizations by providing a more specialized product to solve IT security problems around SaaS. They were able to start off more easily because they could take advantage of public cloud infrastructure, e.g. AWS, rather than building their own. That allowed them to get to market quicker, even though they eventually have to build their own infrastructure for the economics to work out. It is a natural extension for CASBs to move into SWG since they also see some of the traffic leaving the organization.
Competition has ramped up for Zscaler. They have expanded into replacing VPNs with their ZPA product. However, because Zscaler was an early leader and had a strong infrastructure, they are able to keep a solid lead. The market is large enough for multiple players, but more companies are getting into this space.
Complacency kills
Despite having a comfortable early lead and good technology, Zscaler starts to become complacent. Compared to other large cybersecurity companies, they aren’t large spenders. They have good earnings and don’t make large acquisitions. However, this frugality might turn out to be part of their flaw.
Although they were an early cloud security company, they start to miss other cloud-related trends, namely the power of the developer. The main buyers of Zscaler have been IT and IT security. However, as more infrastructure shifts from IT to engineering, the target persona for Zscaler products shifts from IT to developers. Unfortunately, Zscaler does not have clout in the developer community. Unlike Cloudflare and other competitors, they don’t have a self-serve product or a way for developers to try before they buy. Their developer tooling, such as Terraform support, is not as mature, and their platform is not developer-friendly. As companies transform their infrastructure, DevOps replaces Zscaler with more developer-friendly brands. DevOps doesn’t want a tool that requires a team to configure and maintain. Slowly, Zscaler loses market share as their competitors and new startups chip away.
Now, Zscaler tries to use its reserves to buy companies that have strong developer communities. However, these companies are expensive, and Zscaler hesitates to make large acquisitions. Instead, they invest more in changing their GTM motion, but that requires substantial changes to their product. The public market sours as their earnings decrease.
The board decides that it is time to take more drastic action, so they hire new management that tries to mimic what Palo Alto Networks did with its acquisitions. Zscaler aggressively acquires companies with strong developer communities. However, they don’t quite know what to do with these products and communities. They acquire communities that don’t interact well together, and slowly, these communities go seek other products, defeating the purpose of the acquisitions.
As a result, Zscaler ends up with products that have IT buyers, whose growth is slowing, and products that no developers want. They are back to square one with less capital in the bank. They never figure out the developer-focused GTM and choose to focus on their original products and try to maximize their earnings. Since growth is slow, their stock price takes a hit, and they end up like the other zombie security companies, e.g. Proofpoint, Symantec, etc., and become just another part of a PE security rollup.
Conclusion
Zscaler has managed to build an impressive global infrastructure that allows them to create an awesome product that customers love. Every cybersecurity company has to face the possibility that the buyer for its product can change as the underlying industry evolves. As a result, a company has to make drastic changes, either through spending on GTM and product or through acquisitions. These are major bets that can go wrong if not carefully managed.
Zscaler has created a great product and set a high standard for solving zero-trust network access, which will continue to be an important security initiative over the next 5-10 years. But can they make it through the next part of the cloud wave?
What security companies would you say you are most bullish on, given that you don't like the long-term potential of ZS and CRWD?