Moving Zero Trust Conversations Beyond the CISO to the Board
Zscaler's Jay Chaudhry on How CISOs, CIOs Can Join Forces on Architectural Changes
CISOs have gone from complaining that they don't get enough time and attention from the board of directors to presenting to the board every quarter, said Zscaler CEO Jay Chaudhry.
Conversations with CIOs or boards tend to focus on what architectural changes can be made to reduce business risk and avoid the brand, reputational or sales damage tied to a successful cyber incident, he said. The CIO, CISO and infrastructure leaders must work together to make architectural changes that eschew a hub-and-spoke approach in favor of connecting users directly to applications, Chaudhry said (see: How to Distinguish True Zero Trust From Imposters).
"There's a culture and mindset change, which is harder sometimes," Chaudhry said. "People like to keep on doing what they have been doing for years. But now, they're seeing that they have spent so much money on firewalls and VPNs, and it isn't helping. The breaches are still happening. So they are embracing zero trust architecture."
In this video interview with Information Security Media Group at RSA Conference 2023, Chaudhry also discusses:
- How U.S. government directives have spurred private investments in zero trust;
- Why many businesses prefer a multiyear, phased journey to implement zero trust;
- Why generative AI is a double-edged sword for the cybersecurity community.
Chaudhry founded a series of successful companies, including AirDefense, CipherTrust, CoreHarbor and SecureIT. He has more than 25 years of IT industry expertise spanning engineering, sales, marketing and management at leading organizations, including IBM, NCR and Unisys.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. We're going to be doing a deep dive on zero trust with Jay Chaudhry. He is the founder, chairman and CEO of Zscaler. Hi, Jay. How are you?
Jay Chaudhry: Great, Michael. Thank you for the opportunity.
Novinson: And thank you for making the time. I know historically zero trust has really been a conversation with the CISO. But increasingly, we're hearing boards and CIOs talking about zero trust. Why has the conversation expanded to include them?
Chaudhry: Well, because cyber is becoming a bigger issue. All technology based on firewalls and VPNs has failed to secure it in spite of massive investments. So the CIO and the board are worried about it. And hence, it's a boardroom conversation. CISOs used to tell me that they aren't getting enough attention and time with the board. Now they wonder, "Man, what am I signing up for? They want me to come and present every quarter."
Novinson: So when you're speaking to a board or when you're speaking to a CIO about zero trust, how's the conversation different than the conversation that a CISO has about it?
Chaudhry: So the CISO is more focused on cyber, while the CIO and board are focused on cyber too, but generally they come from a broader perspective. The broader perspective starts with, what's the impact of a cyber incident on my business? Could it change my sales, my reputation, brand, all that type of stuff - a little bit broader conversation. But at the end of the day, they're looking for what can be done to reduce my business risk. And that's where the discussion starts getting into architecture. It's a little bit of a technical discussion, but it can be simplified. The architecture we have been using for the last 30 years is what I have called castle and moat. Here's my firewall, here's my VPN, inside you're safe; the challenge is that applications have left the castle, users have moved to greener pastures, so what's there to protect inside? So a new architecture had to be invented. Technology incrementally changes all the time, but every 20 to 30 years, you have to change the architecture. And that's what Zscaler pioneered. We came up with an architecture, we called it the Switchboard, connecting the right party to the right party. And the name zero trust has become popular in the past few years. But it is what we have been doing. It took a slow start, because there's lots of inertia. But today, over 40% of Fortune 500 companies have embraced it. Now, we still have 60% more to go. But it's fundamental to secure our enterprises.
Novinson: So when it comes to that architectural change, what role does the CIO have to play? What role do infrastructure leaders have to play? And what role does the CISO have to play in order to make that a reality?
Chaudhry: Yes, all three roles have to work together. Before zero trust, you only sold to the security team; you replaced one firewall with a better and faster firewall box. But the network, the architecture, access to applications remained the same. But the CIO starts with, "I am developing and deploying new applications, Office 365, SAP is moving to my AWS cloud." And that starts breaking the network, because the network tries to bring all traffic to a choke point, using this hub-and-spoke architecture. So the network must change; you should be able to go direct, just like flying from San Fran to Chicago via Houston doesn't help, you need to go direct. The network needs to change. Hence, the leader of infrastructure needs to play a role. And cyber needs to change. All three leaders work together to drive this transformation. And that's why Zscaler works with all C-level leaders to drive this journey. Now architecture is one part of it. There's a cultural mindset change, which is harder sometimes. People like to keep on doing what they have been doing for years. But now, they're seeing it. They're seeing that they have spent so much money on firewalls and VPNs. And it isn't helping. The breaches are happening. So they are embracing zero trust architecture, a true zero trust, from companies like Zscaler.
Novinson: So how can security leaders help with that change in mindset, if they're interacting with the CIO or with the board or other members of the C-suite? How can they get them on board with zero trust?
Chaudhry: It's very important. And the discomfort comes from two things. One, I do not know this area. I've been doing my network, my firewall for the last 30 years. I know it well. So they need to understand that the old technologies are going to fade away. Firewalls and VPNs will become like mainframes, so the better the skill set the users get, the more they can add value and the more comfortable they get. So that's one message, and the investments CIOs are making. And the second part is also showing them that they could be playing a more strategic role. The old role of patching and managing boxes is not exciting, but you could be more strategic. So a conversation coming from the C-level: it's not about job elimination, it is streamlining, it's simplifying the stuff. Then the technical people understand it, they get excited and they start driving it.
Novinson: So turn to the public-private piece. We've heard a lot of language from the Biden administration around zero trust. How do directives at the federal level play out in the private sector? How does it spur investment among private organizations?
Chaudhry: Yeah, it's good to see that a couple of years ago, the Biden administration jumped on zero trust architecture, which is great, because that's what's needed. And when they formed the CISA agency, they hired some very smart people. Jen Easterly, the leader there, they are driving a number of programs; they are actually pushing and prodding government agencies to embrace zero trust, and they are learning, they are figuring it out. In fact, 12 of the 15 cabinet agencies have embraced zero trust. They are on a phased journey, but it's good to see them embrace it. And now the next phase: securing government is good, but not enough. The critical infrastructure that our country needs - and there are the 15 or 16 buckets of that - starting with financials or transportation, or energy companies, they all need to be secured. And that's where public and private sector joint cooperation is very helpful. I think as long as government helps act as a catalyst, sets some standards, it's a good thing, but when government starts interfering too much, it can slow things down. So they have a role, but not pushing too much regulation, too much control.
Novinson: I can understand that. And in terms of that zero trust journey, for organizations just getting started, what tends to be the most common phase one or phase two? And why does it often take companies multiple years to get to full zero trust?
Chaudhry: There's a lot of technical debt in large companies, lots of boxes deployed, built. And one CIO told me, "My data center has so much stuff, I don't even know what each box is doing and what's on it, and I need to sort it out." So the first phase generally starts with securing users. So all user traffic goes through a zero trust exchange. And that's for two reasons: one, users are a little easier. And also, the user is the weakest link. If we secure the weakest link, life gets better. Then they need to secure their workloads. Workloads are somewhat like users: they talk to the internet, they talk to each other.
So with zero trust, they go over the zero trust exchange to talk to each other. Then they need to secure communication with the customers, the suppliers and B2B. So it becomes a meaningful phased journey. We've got many customers who have done it. I had the CISO of E.ON - that's one of the largest energy companies in Germany - on stage with me at CSA talking about how they did the phased transformation; the CISO of Dow Chemicals, Fareed, did the same kind of stuff. So it's a meaningful thing. One of the reasons: when you do a phased journey, you show results to the organization. And then they feel confident, then the business supports doing phase two and phase three.
Novinson: Wanted to talk finally here about generative AI - I guess they wouldn't pay me if I didn't mention ChatGPT at least once during our conversation. Why do you see generative AI as a double-edged sword for the cybersecurity community?
Chaudhry: Almost all technologies can be applied for good and applied for bad. Even with a basic search engine, you can search for good stuff, you can search for dangerous and harmful stuff. So AI has the power where you can train things and you can pull information out very easily. There are so many examples; ChatGPT is able to give you answers very quickly at your fingertips. But the bad guys could be asking for the same kind of information. Imagine a simple question coming from a bad guy to ChatGPT: "Show me the entire attack surface of enterprise X." This could have taken them days and weeks to get; now the answer could be available in a matter of minutes or so. So that kind of stuff is dangerous, but at the same time, we can use generative AI to train, where companies like Zscaler can provide better information. For example, we handle about 300 billion requests per day through our cloud. And each request has a log; the 300 billion log entries are like - what's the log? Almost like an international airport: who is going into the country, who is going out? Now all these communications have lots of telltale signs. If you really could figure it out, you can predict if this enterprise is likely to be an attack target. Zscaler is working on figuring out those types of use cases where I want to let enterprises know where their areas of threats may be, so they can take proactive action. So that's the good side.
Novinson: Jay, thank you so much for the time. We've been speaking with Jay Chaudhry. He is founder, chairman and CEO at Zscaler. For Information Security Media Group, this is Michael Novinson. Have a nice day.