Zscaler’s Jay Chaudhry On What Matters Most In Cybersecurity Today
At the RSA 2018 Conference, I had the chance to discuss the current landscape of cybersecurity technology with a wide range of industry leaders, CEOs, and thinkers. I’ve written extensively over the past few years about the need for companies to adopt a portfolio approach to their cybersecurity needs modeled on financial investments, so that companies use their limited amount of resources on products that prioritize and solve their greatest needs, while ensuring they have coverage across all threats that could affect the entire business. The full-depth of that analysis is available at Early Adopter Research, my company’s research site, under the “Creating a Balanced Cybersecurity Portfolio” research mission.
As I’ve continued to explore the subject, I’ve realized that there are a number of questions that adopting a portfolio approach leads to that have yet to be answered. So, while I had the ear of all these industry heads at RSA, I posed a series of these questions to them to gain their insights into where cybersecurity is now and where it needs to head. And as I wrote recently in a Forbes column (“RSA 2019 Prep: Crucial Cybersecurity Questions for CISOs”), I’m already looking ahead to the most vital questions for this year.
One of the best interviews I had at RSA 2018 was with Jay Chaudhry, the CEO of Zscaler. I’ve profiled the company before and its unique approach to providing security as a service in the cloud. But in this conversation, we focused less on what Zscaler offers, and more on Chaudhry’s view of the cybersecurity industry as a whole. Here is an edited version of our conversation.
How can you make the components of a cybersecurity portfolio work better together?
While at RSA, both Chaudhry and I were struck by the sheer number of cybersecurity products available on the market. While in many technology markets, consolidation occurs, that has yet to happen in cybersecurity. The current expanse of products seems unsustainable as a result, as every time a new problem arises, a new vendor and product appear to try to solve it. Consequently, companies have too many options to choose from when trying to fill out their cybersecurity portfolio. It also means that once they have chosen products, it can be difficult to make them work together.
Thus far, integration has occurred mainly as point-to-point solutions between individual products. Over time, I think this has to change, and more of a hub approach has to be adopted. But integration won’t be easy. “Everyone wants integration – but there are too many products out there to really do it,” Chaudhry said. “No one will disagree on the desire to get there. I think there needs to be some level of consolidation and simplification for things to work. Trying to connect all of these things together is just not going to work. It won’t be practical.”
Chaudhry also pointed out why he thinks we’re in this situation. “What makes the problem worse is the approach security has taken,” he said. “Every new little thing that happens, a new startup is born and says, ‘I do this little solution.’ And it should be a feature. But it becomes a product.”
We agreed that integration in some form has to come and Zscaler’s approach to this is ensuring their technology integrates well with market-leading vendors. Thus, he and I both foresee that the integration will be productized for well-worn paths. Point-to-point is fine for that and many situations. And then companies can construct situations where a hub would work at a larger scale, but it will always be optimal to have point-to-point integration for certain high-volume issues.
Can you future proof your security with a cybersecurity data lake that prevents vendor lock-in, integrates more data, and supports more use cases?
What we’ve seen to this point is that data lakes work better in cybersecurity than they do for BI. My opinion on the reason for this was confirmed by Chaudhry: there are certain aspects of cybersecurity that are simpler than BI.
“Logs are structured data by and large and that’s the type of data used a lot in cybersecurity,” he said. “When there’s structured data, it’s easier to figure things out than when the data is unstructured.”
Thus, Chaudhry thinks creating cybersecurity data lakes is a smart way forward to ensure more of security data can be put to use. But he pointed out that the logistics matter. “The next question is who should build it, who shouldn’t build it, and what should happen?” he said. “I think if you look at where the market is heading, where the market starts and where the market ends, when a new technology comes, a cottage industry is born that everyone tries to do something. And over time, that cottage industry moves to a professionally managed utility service. I think that’s where we’re headed.” And many vendors are now offering the ability to build data lakes for companies, but there remain the questions of how much information the vendor must provide and how much must be done by customers on their own.
Chaudhry sees machine learning as particularly important to this question long-term. “Data lake vendors, or SIEM vendors, they’ll give you a certain number of things, but large companies will also want features beyond what the data lake vendor will provide. This market will evolve, and I think machine learning will play a bigger and bigger role as it tries to give meaningful information to customers.”
How can you expand the business value you get from cybersecurity data?
Cybersecurity data offers companies a trove of information, but thus far, this data hasn’t been used to really derive value for the business. I think in the future, this has to change, as the data has to be put to use. Chaudhry agreed and saw similarities to other ways in which the extensions of technologies expand over time. “Core technologies that can be applied in various areas is a good thing,” he said.
Ye, he was skeptical that we’re at a place where companies and vendors are ready to seize the opportunity of how cybersecurity data can offer business value. He pointed to network security. “Look at the network security model. It’s totally broken. The network security model said I assume that users and application servers are on my corporate network that I control. That’s my castle. This castle and moat security model by protecting the network is how we have been doing security for twenty or twenty-five years. Now we are all working from everywhere. Our applications are no longer sitting in the data center. We don’t control the network and we’re still trying to do network security. So I think that has to change. So my answer is when security isn’t even doing the basic job it’s supposed to do, how can we apply it to other areas?”
It’s a valid question. He has no objection to applying cybersecurity products to other realms, but it has to be a part of a larger process that is well thought out and not relying on the outdated technology of the past.
What are the biggest myths about cybersecurity companies should be worried about?
It’s often hard to tell the difference between hype and reality with cybersecurity products. Thus, I thought it was worth asking Chaudhry and others their view fn the biggest myths about cybersecurity today. Chaudhry offered three that are hard to argue with:
- Myth 1: The biggest myth is if I have a firewall I’m safe. “To me, firewalls were never designed to protect against threats. Firewalls were designed to be a door in front of the house which certain vendors open, so to speak. People have a false sense of security because they are deploying firewalls. Threat detection and firewalls are two different things. And often, CXOs kind of think that firewall means secure.
- Myth 2: I’ve got antivirus on my PC, so I’m safe. Chaudhry said this was a myth for the same reasons as firewalls — the technology is too dated and threats are moving much faster than in the past so antivirus technology is just no longer relevant.
- Myth 3: I’ve got sandbox and cloud technology to inspect traffic, so I’m safe. “But 70-plus percent of traffic is encrypted with SSL that these technologies can’t even look at. If you can’t even look at what is in it, you don’t know if it’s good or bad,” he said.
What questions should CEOs and CISOs be asking of their security teams?
Because the C-suite isn’t always as involved in the minutiae of cybersecurity, I think it’s worth hearing what industry leaders think CEOs should be focused on when analyzing their company’s security. Chaudhry emphasized that security teams are often too focused on security technologies. Instead, he said, CEOs should be asking about business risk.
“Often, security teams get hung up on every little feature in technology without properly classifying what needs to be protected and how much,” he said. “The CEO should be asking security leaders and business leaders to start with proper classification of IT assets for risk and make sure the most important assets are extremely well protected.” He echoed what I’ve written elsewhere that companies need to focus on protecting their crown jewels first.
Why do you see as the value of AI going forward?
Similar to cybersecurity in general, AI is swamped by hype about how it will change the world. Chaudhry is not an AI skeptic, but he thinks companies should approach AI products with skepticism.
That distinction is key because there are now so many products making outlandish claims out there. “AI is highly hyped, but AI can deliver value,” he said. “The better term to me is machine learning. AI is, so to speak, the intelligence that we deduce as a result of machine learning. The most meaningful stuff I see is, if you have tons of data and if you apply machine learning to it, you can come up with certain patterns you won’t be able to see otherwise. If you are able to see those patterns, they can give you good clues and bad clues about what to find and how to find it.
“But how do you figure out whether the vendor’s claim is good or bad? I’m afraid there are no easy answers at this stage.” He agreed with my own thinking, which is that companies have to ask vendors to put their own data into the products and see the results the underlying AI provides. “Rather than believing vendor claims, feed your own logs in real life and let their AI magic run and show you what they’re able to do. If you compare that, the real results of real data with a few vendors, you’ll see the difference,” he said.