Cybersecurity Has Been Focused On Solving Urgent Problems: A Podcast with Zscaler’s Stan Lowe

On this edition of the Designing Enterprise Platforms Podcast from Early Adopter Research (EAR), EAR’s Dan Woods spoke with Stan Lowe, chief information security officer at a global level for Zscaler, while both were at RSA 2020. This continues a series of interviews Woods conducted that focus on four key questions about cybersecurity. These questions include:

  • Has cybersecurity been an area in which platforms have been slow to develop? 
  • Why have point solutions been so persistent in the cybersecurity arena?
  • Are we entering an era in which platforms may develop? 
  • And if not, how are we going to deal with a world of all these point solutions?

Their conversation covered:

  • 2:30 — Why haven’t platforms developed in cybersecurity?
  • 5:15 — Zscaler’s offering
  • 13:45 — The need for platforms in cybersecurity
  • 18:30 — Balancing cybersecurity needs

This is an edited version of their conversation that can be heard in full on the podcast.

Woods: Can you introduce yourself and explain your role at Zscaler?

Lowe: I’m Stan Lowe, I’m the global chief information security officer for Zscaler. Like every CISO on the face of the earth, I’ve got lots of hats that I have to wear. I am responsible for enterprise security, I help with the platform security, I deal with global governments, and I have a customer-facing role as well. 

Why have platforms been so slow to develop in cybersecurity?

I think the reason there are so many point solutions is a result of the way that cybersecurity developed over time. We were constantly discovering new issues. I’ve never met a security person that didn’t like a tool to solve a problem. We ended up with so many point solutions because that’s what our architecture drove us to. When we discovered a problem, we needed a tool.

Do you think that was driven by customer preference? Or do you think it was driven by the fact that these problems were urgent because they represented vulnerabilities?

It was driven by the urgent need to solve a problem. Remember back in the early ‘90s, ISS RealSecure popped onto the market to solve a specific problem, based upon the architectures that we had at the time. Now we’re at an inflection point in our architectures where what we’ve done before to get us to this point from an architectural perspective has changed or is starting to change. Our business models are moving a lot more to the cloud, we’re seeing a lot more SaaS services, and businesses are consuming Office 365, Workday, Azure, S3 buckets, and AWS instances, and they’re moving their data and their applications from a traditional datacenter out into the cloud. The fact that we still see a lot of these point solutions tells me that we have a way to go with regard to how we look at architecture and how we design solutions to fit that. At Zscaler, we are betting the farm on the fact that platforms are the way to go.

Why don’t you explain what Zscaler does and how is it different from other cybersecurity platforms?

Zscaler is primarily a cloud security service provider. We provide two main things. We essentially have a full-security stack in the cloud for your outbound connection that makes the security stack more efficient. You know, it’s a single, open, multi-access, so as the packet goes by, we fire off all the ideas, the IPS firewall, assess, auto encryption, the whole nine yards happens to every packet. As it goes by, there’s one, single admin portal to govern all this stuff and you get a single log feed out of it which drives complexity out of the organization. Plus, it gives you a better user experience and it allows you to access those applications and data in the cloud, no matter where they are. The second part of the platform is ZPA, the Zscaler private access, which allows you to access applications and data securely from anywhere your workers are. You know, either in Starbucks, 35,000 feet in the air, flying through the little metal tube, in South Korea, in Japan, in South Africa, in Europe. And you get the exact same access, the same user experience, and the same policies that are applied to them, no matter where they are. And that gives you secure access to applications and data everywhere. But the kicker is this is not a VPN replacement because we don’t put people on the network. We connect the user to application, and data, and not the network.

You have both an integrated set of point solutions in the outbound domain, and then you have an integrated set of solutions in the ZPA domain. And when you say that it’s not a VPN, what you’re saying is it’s not that you don’t get VPN-like protection, it’s that you get it without the network being the problem?

Right.

Zscaler is like a content distribution network in that you have points of presence all over the world. And when you connect to Zscaler, you connect to your applications, you first connect to Zscaler at the closest point and Zscaler gets you to the application.

Yes, exactly. It’s like an on-ramp for an expressway that we manage. You get on the HOV lanes and you whip by everybody else. 

Back to our thesis, now what you’re saying is that you have a platform and the platform that you have is oriented toward a new model of consumption of computing in the cloud. You’re saying, essentially, that you see platforms happening but they’re happening as a transition to the cloud and that we’re really unlikely to see a platform in the on-premise world, we’ll see one in the cloud before we see one in the on-premise world.

I think you’re correct, because the cloud is the easiest integration point, because it’s an untapped field. We’re dealing with a legacy architecture on the on-prem side, where it’s hard to develop a platform approach because you require that same common toolset, that same common environment, across the enterprise. And that just doesn’t exist in a legacy environment because of the way we built that stuff.

I mean, you know, it’s sort of a Frankenstein model of, “Hey, we need this, we’ll buy this server, we need this application, we’ll buy this server.” And it has grown that way over time. Now, there are some organizations that have been lucky enough to have an enforced architecture where they have a lowest common denominator that they could possibly put a platform on. But there’s nobody looking, because there’s no money there. The money is in selling point solutions to solve problems that they have that are point problems that they’ve had forever. And if they take the solution out, then they won’t have that, that creates a risk profile. So, we do what we’ve always done, and that drives that behavior that we’re seeing now.

If you look at Zscaler as a platform or something like CrowdStrike or Carbon Black as an endpoint protection platform, all of those are narrower than these larger platforms we see for the e-business suite or something like that. Is the targeted nature of the cybersecurity platform driven by the fact that there’s not a commonality of requirements in the cybersecurity world? Are we going to see not platforms, but targeted suites?

I think that’s a transitional step. And I’m saying that because if you look back in the history of IT, back in the mid-nineties we had many operating systems, from Windows to Linux. If we look today, we’re at three — Chrome OS, Apple, and Windows, for the most part. The reason it got driven that way was a commonality of use, which we were just talking about, is a standard. So, enterprises set the standard or they standardized on Windows, a lot of the consumer-based organizations settled on Mac, you know, because it was a consumer product and still is, for the most part. You see organic standardization forcing itself on the market by pure virtue of choice. I think the way that is going to drive that is not necessarily a standard that somebody says, “Hey, this is a security standard,” although from a global, strategic type thing, there needs to be something done with regards to behavior on the internet, what’s good, what’s bad, what’s allowable, what’s not, sort of like a Geneva Convention for the internet.

You’re saying that these targeted platforms are a transitional step, but why? 

The cost curve for cybersecurity right now is unsustainable. I mean, if you look at the O&M cost for most organizations based upon the number of toolsets that they have and just by pure virtue of the fact of inflation, the amount of money that is being spent on maintaining the stuff that you have today is an exponential curve. And boards are going to go, “Hey, I’m paying you for all of this. I’m paying for all this, I’m paying for all these tools, I’m paying for all this O&M, I’m paying for all this overhead, but yet we’re still getting popped.” That’s going to drive us to a platform.

What you’re saying now is people aren’t pruning their portfolios because they’re not being demanded to?

Right, there’s no external pressure to.

At some point the cost will get so high that people will say you’ve got to prune this and that’s going to drive to platforms?

Yes, that’s going to drive to platforms, and the way that our businesses are actually conducting business. They want to use these tools, they want to use these things, the latest, best, brightest, the different versions of Salesforce or some type of marketing campaign or some type of tool that they can put in the cloud to make them agile and use everything, the promise that the cloud has to offer, which is the ability to change the way you do business quickly. In order to have that happen, you can’t have a point solution that does that, you have to operate in a platform. It needs to be able to respond, changing market trends are going to drive that whether we want it or not. I think in the next five years or so, in order to have that ability to drive efficiency into the security organization and thus drive down costs, you’re going to get your entire security stack from one, two, three, four, maybe as many as five different vendors. Just like you do now, you get your operating system from Microsoft, you get your office product suites from Microsoft, there’s some Google out there floating around and there’s some Mac stuff, but they’re all outliers. But I think you’re going to see people getting everything from the large security players.

But that’s the question. My argument would be that you will get a certain set of security that’s integrated tightly from a Zscaler or a Fortinet, but then you’re going to have different anchor tenants. Zscaler will be an anchor tenant and then CrowdStrike or Cylance or Carbon Black will be the endpoint protection anchor tenant. And then maybe you have a point solution that helps you do better in something that you think is really important, like encryption or data protection or something else that you’re vulnerable to. And the challenge will be to make all of these anchor tenants work together and then fill in gaps with point solutions.

Yes. And so that’s one way it can go. In five years we’ll come back, and I’ll bet you a nice cigar and a bottle of bourbon.

Okay.

I think we’re going to get to the point it will be either that, or a version of that. Or you’ll be a Microsoft shop or a Zscaler shop or whoever’s shop and you’ll get everything from them. It will be driven by the economics and the complexity of a network.

And the skill shortage, probably.

Exactly. We’ll have different external influences on how this market develops and how we develop the technology to support that. And I think it’s going to be constant, I think it’s going to be skillset, I think it’s going to be complexity, and the ability to be agile, to be able to support the business’s ability to protect and drive revenue. And that’s what is going to drive this entire thing is security’s focus moving from technology. It’s about changing the way that security thinks about their job and their job is to allow their businesses to do primarily two things, protect and drive revenue in the most acceptable manner possible. And how do you do that? You can’t do it with point solutions, because your businesses are moving all to the cloud to take advantage of that agility and that speed to market.

Point solutions exist in the cloud.

Yes, they do, but it’s so complex that it’s hard to do.

But if you’re a company that has incredibly valuable IP, like HBO, for example. They were hacked and there was a claim given that they were going to release the Game of Thrones episode. Let’s say you have a crown jewels situation there, you might invest in a super-advanced data protection, just for those crown jewels.

Yes, I don’t disagree with that. That type of thing is going to happen, but it won’t be the norm because a lot of people, most people, their businesses are very transactional. You’ll see that maybe in the entertainment and financial and maybe healthcare, but we’re already doing that with those things. But I think the mean will be handled by a platform.

Palo Alto, Fortinet, Cisco, etcetera, will be able to create integrated platforms and will be able to offer that integrated solution. I think that there’s an engineering problem to that statement. And that is, is it possible to create a platform out of separately engineered components? Like, Cisco would be the most acquired sort of company, Fortinet would probably be the least.

I think there is an engineering problem. That’s the flat point in my theory, where does innovation happen? Do you innovate, because eventually you’re going to get so big, do you innovate internally, or do you buy innovation? Do you invest in startups with the idea of acquiring them and importing them? That’s really the only flaw in that entire security ecosystem argument, is how does that happen? And I haven’t quite figured that out yet.

Even as a platform company, you’d have to be suspicious of your ability to sustain innovation. Because there’s so much integration work just to keep the thing together.

Yes, that is an engineering problem and then how do you solve that engineering problem? 

The other engineering problem is if you have three or four point solutions working together and they’re from different code bases with different engineering principles, how do you gradually synchronize them and move them so that they can start supporting each other and the platform can become better?

Yes, see, you have to be super picky about who you get and who you buy.

Because you can get into situations where the point solution and the engineering principles are incompatible with the rest of them.

Right. You end up with a problem, like the company formerly known as Symantec. I mean, essentially their integration point was their UI and that caused an untold problem, back on the support side, the user happiness side, and customer retention side, because of the complexity of the engineering that had to happen to integrate all those products. They just went up the stack to the least painful point, which, you know, it is what it is, and it happened how it happened. But, that was the best engineering choice they had at the time, and I don’t blame them for making it. I would have made it. When we move to this platform thing, how are we going to solve all that? The idea is having engineered a core set of components or a core set of products that have the ability to have things bolted onto them that don’t require a whole lot of engineering. And you may have some one-offs where you have to do that sort of tie-in while you work on the backend to be able to scratch that itch for the market. So, we’ll see what happens.

What would your advice be to a CISO who had to figure out how, in this current environment, to prepare and create an environment that, using the current choices I have today, gets me to a situation in which I’m reducing my complexity, increasing my integration, all without having to pay for it themselves?

That’s the million-dollar question, literally. But, we’re going to exist in a hybrid world for the foreseeable future, because there are a lot of large businesses out there that have a lot of investment in legacy. So, we’re going to have a foot in both camps.

We still have mainframes running huge amounts of the world.

Yes. The idea is to architect your strategy. If you don’t have one, get one. 

What is the problem the strategy is trying to solve?

How to allow your businesses to use the tools and technology that they need to be able to drive and protect revenue. That’s the conversation. Unless you’re in healthcare, then it’s better healthcare outcomes. But the idea is you can’t be inwardly focused, you can’t be focused on the technology. You have to be focused on business outcomes and that’s the change that CISOs now have to make, they have to be business people first and technologists second. So, talk to your businesses, figure out what their strategies are, and then align your strategies to support what they’re trying to do.

We’re not going to be able to solve the universal solution for that, because there is no universal solution.

Yes, it doesn’t exist. But the best you can do is support the businesses and plan for their future. Architect your strategy and your systems to be able to support rapid change. Don’t build yourself into a corner.