Zscaler CEO Jay Chaudhry: Firewall Vendors ‘Can't Really Do Cost Reduction’

In an interview with CRN, Chaudhry says that unlike firewall providers, Zscaler doesn’t have to worry about cannibalizing existing business while moving customers to cloud-delivered SASE.

Network firewall vendors are ill-equipped to help customers reduce spending amid the move to secure access service edge (SASE) and zero-trust security, due to hesitancy about impacting their often-massive existing firewall businesses, Zscaler CEO Jay Chaudhry told CRN.

On the other hand, Zscaler, a major SASE provider that fiercely competes with firewall vendors, has far more of an incentive to help customers to save money as they modernize their networks, Chaudhry said in a recent interview.

“Will a firewall company want to eliminate its firewall [footprint]? Not really. They can’t really do cost reduction,” he said.

“When a firewall company says, ‘I’m creating a platform for cost savings,’ it’s hard [to actually do],” Chaudhry said. “Half of the spend in security, most of the time, is firewalls and VPNs.”

On the other hand, “we don't have to worry about cannibalization [at Zscaler],” he said.

Chaudhry, who founded Zscaler in 2008, has for years been outspoken about what he views as the massive security advantages of implementing a zero-trust architecture on corporate networks in place of traditional firewalls and VPNs.

The benefits of zero trust are not just about better security, however, he told CRN.

“Today, cyber is very important, but cost effectiveness is important as well,” Chaudhry said. “We are in a unique position to do both.”

In the recent interview, Chaudhry also discussed how Zscaler’s first year as a player in SD-WAN and single-vendor SASE has gone — noting that the vendor’s “zero-trust SD-WAN” approach has been a key differentiator. The company debuted its Zero Trust SASE, featuring its inaugural SD-WAN device, in January 2024.

Additionally, Chaudhry spoke about opportunities for solution and service provider partners in working with Zscaler, including in data protection and enabling GenAI adoption along with SASE and SSE (security service edge). The company is “committed” to investing heavily in solution and service providers and is seeking to work with additional strategic partners going forward, he said.

“We are not trying to go and say, ‘I need 10,000 partners,’ like many of the firewall companies do,” Chaudhry said. “But we need hundreds of targeted partners who are focused on transformation.”

What follows is an edited portion of CRN’s interview with Chaudhry.

A year ago, Zscaler expanded into SD-WAN for the first time, though you’ve been skeptical about SD-WAN in the past. Could you talk about how you approached that move?

We internally debated, “Should we really call it SD-WAN? Or should we not?” Generally [with] SD-WAN, what it means is that once you're on the network, you move laterally left and right. We are really focused on eliminating lateral movement. Traditional networks enable lateral movement. That's a design feature. SD-WAN is no different, as traditional SD-WAN enables lateral movement. That's why I have said for a long time, we really don't want to do classic SD-WAN. What we launched [is what we call] “zero-trust SD-WAN” — so people can relate to it, but it's fundamentally a replacement for traditional SD-WAN.

What we’re doing with that is, we have a small zero-trust appliance. You ship it to your branch office, you plug it into the power socket and the internet. Within 15 minutes it discovers and configures [everything that’s necessary]. Literally, configuration can be done in 15 minutes. So your branch is up and running with full, bi-directional communication. That’s really the dream we had, and that's what we are delivering on. In this model, each branch office becomes like an island. An infected machine in the branch office can’t traverse laterally and infect everything else.

Our customers are excited. The Zscaler customer base doesn’t need explanations [about it]. They understand zero-trust architecture. And these large Fortune 500, Fortune 1000 companies have a large number of branches that need to be secured in a simple fashion. We are working with customers to phase out the traditional network. Eventually, the internet will become the corporate network for every company. That's what we are driving toward.

Since it is somewhat of a new approach, has it met your expectations for the interest from partners and customers?

It has. It will take some evangelism to new customers, who are not Zscaler customers. But Zscaler customers know it very well. We have a large number of [customer] engagements, a very strong pipeline — more than I expected. The key is now for us to make sure we keep on deploying, staying close to customers, and then they'll go to the next level.

For example, once we built this, the customer said, “This is wonderful. How about inside my branch?” What [they have] inside the branch [is] an east-west firewall or segmentation, with network access control type of technologies. So we wanted to do zero-trust segmentation inside the branch. But you couldn't expect Zscaler to start selling an east-west firewall, or any firewall. It just is not our DNA. We are zero trust. Firewalls aren’t zero trust. VPNs aren’t zero trust, no matter what you call it. So we did an acquisition, a couple of quarters ago, a company called Airgap Networks. Using some DHCP technology, we are able to do zero-trust segmentation on every device without putting any software on those devices.

The combination of a zero-trust appliance and the Airgap technology allows us to simplify the network and the whole branch. No firewalls needed. No routers needed. Switches are very simple. No NAC needed. Customers love it.

Still, some network security vendors have been saying they expect a rebound in growth for firewalls. What are your latest thoughts on whether we will get to a point where firewalls are nearly extinct?

Companies need to do what they need to do. But when new technologies come, they disrupt some of the incumbent technologies. Firewall has been here since the early ’90s, 30-plus years. This technology, which really uses the notion of castle-and-moat and firewalls-and-moat, has to go away. I believe that a lot of customers get a false sense of security from the firewall. And to make it worse, some of these incumbent vendors, they kind of repackage the firewall as a [virtual machine]. They start calling it zero trust and all that stuff. I think it's not helping our customers. But the customers we are dealing with, they are looking [to have] no firewall in the branch office.

Now, some of the large campus and data center firewalls will take some time before they go away. But overall, our customers are looking at reducing the spend on firewalls significantly. Here is how we look at it. Once we go to large customers, if they're spending, say, $20 million on firewalls and VPNs, we can actually cut it down by about 50 to 60 percent in less than two years. Imagine bringing $20 million in spend down to $8 or $10 million, while adding Zscaler security at the same time — that cost included. Our case becomes very compelling. We are driving consolidation of cost and reduction in the number of security and network boxes you have out there today. Today, cyber is very important, but cost effectiveness is important as well. We are in a unique position to do both.

Will a firewall company want to eliminate its firewall [footprint]? Not really. They can't really do cost reduction. When a firewall company says, “I’m creating a platform for cost savings,” it's hard [to actually do]. Half of the spend in security, most of the time, is firewalls and VPNs. We don't have to worry about cannibalization. That's why, when we go in, we are able to show some significant cost savings and better security and better user experience. That's why our customers love us. That's why our sales are growing at a good pace.

In terms of SASE in general, you’ve said recently that some vendors are claiming to have SASE when they really don’t. What have you been seeing there?

It’s a shame. When you move firewalls to the cloud, you’re still building a mesh network. Lateral movement is still there. And when they take identity, they map the IP address of the device to the identity of the user. And when you move from room A to room B, the identity still is linking to the other IP address. So it's a [misleading] thing that’s going on. But that's the misinformation we have to help our customers get past. [Overall] SASE is a trend that everyone is latching onto — but SASE has SD-WAN, which is not really zero trust. So we like to advocate zero-trust SASE versus traditional SASE.

What do you see as the biggest opportunities for your partners in working with Zscaler this year?

Two big areas. No. 1, as our customers are embracing zero-trust architecture, they are eliminating so many point products. They are simplifying the network. All that stuff needs to be removed by someone. Without partners, it can’t be done. We are not a professional services company. In fact, for every dollar Zscaler gets in subscription services, there's an opportunity for partners to generate $3 to $4 of services. This is transformation, deployment and the like. A lot of our partners are doing it. I would like to see more partners get a little bit more focused on the services business. A lot of them came from a box-selling background. This does need a little bit of a broader understanding of the network and security. It's not just a box replacement play. It’s simplification of the network, security, DNS, DHCP, all those things. That opportunity is big. We have a number of boutique partners who are doing it. We have a number of global system integrators who are into it. That's one big area.

The second big area is data protection. Data protection is becoming a much bigger market than it was 10 to 15 years ago. [Previously] it was Symantec, it was McAfee. And Websense had a product only for DLP. We are replacing a lot of those legacy products that have deployed in the data center over the past 20 years. But now a lot of data is sitting in SaaS applications. A lot of sensitive data is sitting in a public cloud, [AWS] S3 buckets, [Microsoft] OneDrive, endpoint. We are taking a holistic approach. But data protection requires a good number of services [and] partners can play a big role in this area.

And if I may mention a third [opportunity], the whole AI thing is new, it’s coming along. Customers are looking, trying to understand. And partners can generate some services in that area as well. So three areas for services — simplification of the network and security, data protection and some of the new AI-related initiatives.

You’ve also said you are hoping to work with a larger set of strategic partners - could you say a bit more about what you’re looking at there?

We are. We know we can't keep on scaling without partners. But there's a little bit of an investment to be made for both parties. We are ready to make investments. They need to make investments. When you move away from selling boxes to selling a cloud service like Zscaler, there’s an investment needed. We are training our partners. We’re investing in that. I’d like our partners to think about, when you're doing transformation, you should think about some focused effort — having focused people who can drive some of these projects. And in that approach, they'll grow their business, and we'll grow our business.

It sounds like a little bit of it is partners catching onto this vision that you’ve had for a number of years now — about moving beyond the traditional ways of doing things in this area?

Exactly. I think a good number of partners have shifted. Others need to do a mindset change too — because it is a different way of doing things. But I'm encouraged by the number of partners who are working with us. We are not trying to go and say, “I need 10,000 partners,” like many of the firewall companies do. But we need hundreds of targeted partners who are focused on transformation. And we are committed to investing in them, to make them successful — so jointly, we become successful.

What would be your overall message for partners for 2025?

The last message I'll leave for partners is, technology incrementally changes all the time. And for every decade or two, there are step-function changes. When the market moved from traditional Siebel Systems to Salesforce, that opened up opportunities for new income, new large companies, and partners to offer new services. Similarly, as the network and security of the past 30 years are changing, they should take a look at how they can take advantage of the zero-trust architecture combined with AI — which can really set them up for several years to come. But for that, they have to [recognize] that what they’ve done and the way they’ve done it before — it can’t be done exactly the same way. And we are here for them, to help them.