How Zscaler is cracking APAC’s cloud security market
Zscaler’s head in Asia-Pacific and Japan talks up the company’s growth momentum in the region and what it is doing to address areas where it can do better
When Scott Robertson, Zscaler’s senior vice-president of Asia-Pacific and Japan (APJ), first joined the cloud security hotshot in 2015, cloud security was very much in its infancy in the region. It wasn’t until cloud adoption started to accelerate in the later years that the company started to see growing demand for its services.
Today, APJ is Zscaler’s fastest growing region, with revenue growth of 88% year over year during the fourth quarter of its 2022 fiscal year. Much of its growth has been spurred by the rise of hybrid work amid the pandemic and a shift towards cloud-based applications.
In a wide-ranging interview with Computer Weekly, Robertson talks up the company’s growth momentum in APJ, how organisations are using its services and what it is doing to address areas where it can do better.
Tell us more about Zscaler and the genesis of the company
Scott Robertson: When I joined Zscaler in 2015, cloud security was relatively unknown in Asia-Pacific. It was far more prevalent in markets like the US or Europe, where connectivity between countries was strong.
Almost eight years since I joined, I’ve seen a complete transformation in demand, with organisations adopting cloud at a growing rate. It typically starts with applications, and today, those applications are either software-as-a-service (SaaS) applications or being moved to the cloud. The destination for the user is no longer your [own] network – it’s some public destination. Zscaler realised this early on and that’s why Jay Chaudhry, our CEO and founder, built this company.
He was thinking: “Why am I building servers in my office to host all these applications? Why wouldn’t I just lease the servers and the applications, put them somewhere else, and not have to pay for the power and everything else to manage them?” We thought that as those applications make that transformation, that’s where Zscaler has an opportunity.
How do you see the Asia-Pacific market as a whole?
Robertson: Certain markets like Australia and New Zealand adopt new technologies more rapidly. Many companies from the US invest in Australia first because it’s a similar market, and then they branch out to other key markets. I feel privileged to be in this role because I get to see the nuances in each market.
Australia was certainly the first mover. There were more cautious markets, like Singapore, South Korea, and even Japan, where companies had adopted Kaizen and constant process improvement from an IT perspective, but they did not progress as fast.
But in the past five years, we’ve seen Japanese businesses move more progressively. In Southeast Asia, Singapore is leading the pack, with some of the largest companies using Zscaler. In fact, when I first joined, I was thinking I’d probably be selling to small companies, but it turned out that it was the biggest and most sophisticated companies that saw the value of Zscaler.
And it’s not just about the scale of cloud security. If you look at the traditional hub and spoke architecture, which is about hosting applications in one location to be accessed by all your branches, you didn’t have instances of applications in every branch because it was too expensive. That’s also where you build your security stuff. You’d invest in firewalls, DDoS [distributed denial of attacks] mitigation, antivirus, and things like DLP [data loss prevention] just became an additional box every year. You just couldn’t keep up with new threats and technologies.
Surprisingly to me, it was the largest companies, like the National Australia Bank, that were first to move forward with Zscaler. These household names with the largest distributed networks are looking at how to be mobile and access applications without introducing more risk to their organisations.
Of your core products – Zscaler Internet Access (ZIA), Private Access (ZPA) and Digital Experience (ZDX) – which are most used by your customers in Asia-Pacific?
Robertson: What we see is a modern workplace transformation where organisations need to bucket their security into workloads, devices and potentially server traffic. ZIA ensures that nothing good goes out and nothing bad comes in.
Scott Robertson, Zscaler
With ZPA, we’re connecting your device to a specific application and there are several use cases around that. Traditional technologies like VPNs [virtual private networks] are typical network access solutions with that hub and spoke topology. If you have a public IP address, then you can connect to the network if you have the right credentials, but there’s a huge risk if those credentials are compromised.
Another use case unique to ZPA is mergers and acquisitions. If a big bank acquires a smaller bank in a new market and does not intend to bring additional users to its network immediately, it can use ZPA to provide access to HR but not finance applications. Our solution creates a unique connection between the user and the cloud through our zero-trust exchange. The application environment creates an outbound connection to the exchange, so the user never knows where the application is sitting.
The third area you mentioned was ZDX, an exciting technology where traditional security and remote access are morphed into a broader platform. Because we’re the last point of access between the user and the internet, we manage a lot of traffic. We see every bit and byte between you and the internet, so we can provide customers with visibility into their traffic they’ve never had before.
For example, if a user is complaining about a connection to Salesforce, you’d be able to tell if it’s because of issues related to the device, network, access point, or if Salesforce is running slow. In a typical case, the user would call the helpdesk, which can then use ZDX to troubleshoot environments and networks which don’t necessarily sit under their control.
During Zscaler’s Q4 2022 earnings call, your chief financial officer (CFO) mentioned that APJ was the fastest-growing region for the company. Which of those products are the key contributors to that growth?
Robertson: My answer would have been different if you had asked me the same question three years ago when ZIA was our main offering. Now, obviously, the pandemic has had a big impact on how businesses operate.
During the pandemic, no one was in the office for two years, so organisations had to move quickly to a remote access solution. But while most organisations had a VPN, they probably only had it for 10-15% of users who were expected to work remotely, so ZPA has become a large component amid the pandemic.
As we break into new markets, ZDX has become a strong contributor. But it’s becoming a platform for other products, led by ZIA still. ZPA has picked up a lot of momentum for remote access, and that will continue because we’re not expecting people to drop everything and return to the office five days a week.
Let’s talk about areas where Zscaler can do better. There have been concerns that setting up and running Zscaler can be complex, particularly with regard to having to manage three separate consoles for ZIA, ZPA and ZDX. What are your thoughts on that?
Robertson: In the old world, people were using multiple security technologies from different vendors, each with its own interface. When you are trying to consolidate legacy policies built over 20 years for those security technologies into a cloud environment, there are natural concessions on how you configure policies, because they are no longer controlled in your network.
Often, we get into consulting conversations with our partners and resellers to condense 4,000 policies into 200 policies that make sense. And now that I have visibility of my users wherever they are, I no longer need to log on to a device or firewall in the network to use that interface and try to understand what policies have been enforced.
Plus, you’re now managing two consoles compared to eight or 10, which is an improvement to me. But like moving to a new smartphone platform, there are some teething challenges. Very often, it’s about helping customers with their deployments to ensure that they are getting value as quickly as possible.
I also understand that some customers have had issues with performance?
Robertson: It’s a conversation I have with customers from time to time. Sometimes, we tend to take the position of ‘we’re guilty until we’ve proven ourselves innocent’ because we are that last step between you and the internet.
So, when a customer calls us and says, ‘hey, you’re slow’, we assume that we’re guilty. We’ve used our own systems to analyse those problems and incidents, and on average, 85-90% of them are not related to Zscaler.
Let me give you an example. I might be in Taiwan, and I want to access a website in Hong Kong. But my company has set up a least-cost option with a service provider to provide a cheaper route to Hong Kong via the US, rather than a direct connection between Hong Kong and Taiwan. We can help to circumvent those problems with configuration, and sometimes those are the sorts of teething problems, but I’m not trying to pretend that’s always the case.
Sometimes, we have our own challenges with our architecture. What we’ve built is a multi-tenant environment, which means I can be an organisation that’s connected to one datacentre and my users can roam around the world, connect to any datacentre, and have a similar experience.
From time to time, we will have performance issues in one datacentre or another. But we typically have two or three telcos providing access to that datacentre so that we can failover if one’s going down. Many customers appreciate that about Zscaler, because in their own environment, they might have one or two telcos, but they don’t necessarily have a third.
While there are sometimes performance challenges, which we will work with customers to resolve, we’ve built our architecture to provide the highest possible uptime in our service-level agreements. And customers can have confidence that if we fail to deliver on those service levels, we will issue service credits.
Having said that, what sorts of infrastructure-related investments is Zscaler planning to make in this region, particularly in emerging markets?
Robertson: Zscaler often moves with the hyperscalers. I’ve seen commitments from the big hyperscalers in markets like Indonesia and Thailand, and we’ve been operating in several ASEAN countries for many years. Most of the traffic in those markets is still being pushed to central hubs like Singapore before they reach the US.
Depending on the organisation and where their users are, quite often the datacentres in central hubs deliver satisfactory performance. If not, we have solutions to deliver a fast user experience in-country. Datacentre investments are not really my area of expertise. That’s something our cloud operations team manages, so I have low visibility into that, other than to say that the way we operate provides a fast, secure experience for users wherever they are.
You may say that sounds great and that it’s a marketing comment, but what does that mean? Well, I’ve got customers like General Electric which has customers in 185 countries, which means we have to provide a good user experience for all their users globally.
With 150 datacentres, we’ve covered a good 90% of the global market. There will be some markets where we may not have a local datacentre, but we have solutions to either connect customers to the nearest datacentre, which may be satisfactory, or potentially deliver them a service in-country that leverages their own network and infrastructure.
You talked about the hyperscalers – I understand that right now, Zscaler’s business from cloud marketplaces is still small compared to the other revenue sources. Do you see that growing in this region?
Robertson: Cloud marketplaces provide a unique opportunity for customers and channel partners. The investments organisations make in their application transformation will often be in the eight- or nine-digit range. I know organisations that are spending upwards of hundreds of billions of dollars with their cloud providers. That’s a big commitment, so naturally there’s an avenue to pay within your environment for other technologies to get that environment up and running securely and efficiently.
We do see marketplaces growing and they offer an opportunity for channel partners to add value by delivering services to help customers implement and configure our technologies.
Amid the economic uncertainty, have you seen customers deferring their investments to see how things pan out before committing to Zscaler?
Robertson: That’s a poignant question. Every tech vendor will tell you that organisations are certainly becoming more curious about their investments. This means if you had 10 projects last year, maybe five got through, but each one must be backed by a solid business case which is being scrutinised not just by the CIO and CFO, but by other teams as well. The thresholds for approval cycles may change, and that’s natural in any downturn.
But one thing for Zscaler that stands true is we’ve worked with all our customers on business cases to justify the value of what we provide, because it’s not logical to expect an organisation to increase their investments to get benefit. Today, you have to look at costs to take out, as well as future benefits, which are scrutinised by every department.
As an organisation, it’s our responsibility to help IT departments and finance and procurement teams understand not just the security, efficacy and user experience of our solutions, but the fact that we can help them scale in the next three years. Those are the sorts of in-depth conversations we must be prepared for.
Read more about cloud security in APAC
- Cloudflare co-founder and CEO Matthew Prince talks up what has changed since the company’s first business plan was written in 2009 and how it keeps pace with the fast-moving network security landscape.
- Google’s AI smarts and Mandiant’s intelligence on new and emerging threats could lay the foundation of proactive security.
- Dell Technologies’ zero-trust reference model starts with defining business controls and having a central control plane that manages all the security aspects of an organisation’s infrastructure.
- Mimecast opens regional office in Singapore and is looking at setting up a datacentre in Southeast Asia as it makes a deeper push into the region.