Transcript
so far. And cybersecurity, it's that threat that never really goes away, right? We've talked about it for a very long time. You've worked in this business for a very long time. And it's still here. So tell us, let's just look back for a second. Let's talk about 2024, 2025 so far. What did we learn from cyber threats over the past, call it 13 months? So first of all, should this threat go away? Yes. Will it go away? No. Have thieves ever gone away? Wherever there's money, there'll be bad guys to go after it. We just need to make sure we're ready for it. Let's look at last year. Who hasn't read about United Health Group breach? They paid 30 plus million dollars, but the business damage is counting billions of dollars. I still recall my friends couldn't get a prescription filled in the pharmacy because all these systems are down. Then a lot of you may have read about salt typhoon, this Chinese national attack. They got into all US telcos. They could really see all communication happening out there. And then we all use VPNs and firewalls. Raise your hands if your company uses VPNs and firewalls. Everyone is. Pull out your phone. If you've got chat GPT on it, just type a little question. Tell me all the vulnerabilities they found in the last 12 months and all the firewalls and VPNs and show it in a tabular format with a risk assigned to it. Beautiful table shows up in less than 30 seconds. Now the hackers can go and work on it. So as we are getting more digitized, getting online, it's natural for bad guys to say, I want a piece of action or nation states to say, I want to steal IP so I can get ahead. Or if a war starts, I want to make sure I got control over the other countries' communication, the like. OK, but we have AI now, at least we have Gen AI, right? You just mentioned it. Is that the panacea? Are we going to see a step change? Is there anything that tells you that this is going to be a pivotal moment for cybersecurity? I was talking to a security professional a few months ago and I said, what do you think about cybersecurity now? He said, AI got it covered. I got AI powered cybersecurity. People make a big hype out of many new technologies. AI, like many new technologies, is a double edged sword. AI is powerful. AI is dangerous. You can simply ask AI to tell anything about your enterprise. A given companies, how many firewalls are there, how many VPN systems, what vulnerabilities do they have, and how do I attack them? It's all out there. And once you get in, you can even find which systems are more valuable that I should go and attack after. So AI is helping bad guys, but AI is also helping companies like Zscaler, who can actually get ahead and build better protection. I have no doubt in my mind that we can build better protection. The worry I have is hackers have no inertia. Large corporations have inertia. We all sit on the systems we deploy and sit on for a long time. That's our biggest weakness. And related to that is humans kind of get comfortable with what we have. We need to change that. Okay. So sounds like hacking is kind of exponential, but we've spent a lot of money on systems to manage this. You probably have a great figure for that. I'd love to hear it if you do. But if we've spent all of that money, why are we not there yet? And what do we have to do to get to the place where we at least feel like we're kind of like managing this exponential threat or keeping pace with it? Last year, a CIO asked me to brief their board of directors on cyber. And the board wanted to understand the following, exactly what you said. We are spending so much money on cyber. Why are breaches still happening? And one of the board members asked me the question. She said, Jay, you're sitting in Silicon Valley running the largest cloud security company. You're dealing with some of the largest companies out there. And these companies have all the expertise, all access to technology, and their budgets. And I read that they're still getting breached. If that's happening to them, what hope do I have? Oh, I never thought of the question. It took me a little bit. And I said, what you said is right. But it is the inertia that companies are sitting on. If you really think about technology, the network and security technologies we are using today is about 30 plus year olds. It's the same firewalls, they may gotten a little more sophisticated. A firewall is like a moat around the castle. So bad guys can't get in. If you read history, when there were basic foot soldiers fighting with swords and arrows, moats are very good. When cannons got invented and Air Force got invented, those moats are useless. Similarly, in today's world, we are mobile. Our applications are out there in the cloud, in SaaS applications, in plants and factories. Our users are no longer sitting in the office connected to the company network that's supposed to be trusted and good network. You're working from home and wherever. So the model of network security about securing the network is broken. That's why for the last several years, market has been talking about zero trust security. That security we pioneered when I started Zscaler in 2008. The notion was, don't build these moats. You build an exchange like a phone switchboard. A user comes to us, we validate who are you? Where are you going? Are you allowed to go there? If the answer is yes, we connect that user to a specific application, not to the network. So that's the fundamental change we need to do in networking and security. This change is no different than the change we did for application development and the data center. A lot of you are very comfortable in the old data centers. As cloud came, you could literally spin up your workloads in minutes or hours, build stuff faster. You moved your application to a different way of building it. You must change your network. Your network is still the old school network. Your security is the old school firewall based security. Firewalls will move out. They become like main frame. You need to get to zero trust architecture. That's what's going to change. Otherwise, you keep on adding more and more firewalls. You create complexity. Complexity is the enemy of security. Complexity is the enemy of resilience. But these things need to be driven by leadership. The lower down you go in your organization, the bigger the discomfort and less willingness to change. Talking of complexity, let's talk about how cyber is weaponized in geopolitical terms. We live in a geopolitically fraught world, an understatement. How as a business should you be thinking beyond just the corporation and about how you exist in a very globalized world when those kinds of geopolitics are also being weaponized? Geopolitical and cyber, they cannot be separated. They're very intertwined. Think of the digital world is the new world. Wherever you've got digital world, you need to worry about cybersecurity. Think of it, if you want to bring a country down, you attack the digital system. You attack the critical infrastructure. It has to be looked at. It's a complex topic, but it starts with every corporation start making sure their corporation is cyber protected. Then countries need to do next thing at the next level. State government need to make sure the organization they're dealing with, they have decent amount of security. People get hung up on security being very complex. It can be complex, but it isn't. They start about the risk here, risk there, risk there. Most of the breaches are fairly simple attacks. They steal your credentials, they log into your system, they steal stuff. Some of those things can be fixed quickly. The example I like to give is if your house has no protection, no fence around it, you could be debating which is the best fence. The best security is to have a 15 foot fence. I need to design it for two years. Let's start with a four foot fence around your house and finish it in one month. Then six months, add another two feet and so on and so forth. That's how you look at a pragmatic approach. You prioritize security that's fundamental. Maybe I should give an example here. General Electric, GE, is a large Zscaler customer for the last dozen years. I learned a lot from their head of security, global CISO, Larry Beggini. He would say there's no business without risk. There is risk. The CISO and CIO's job is not to make risks zero. The only business without risk is the business that doesn't exist or the business that doesn't connect to the internet. It's an island. That's not real wool. Then he would say a prioritized thing. If you try to secure everything, you secure nothing. He would say, I don't care about the intellectual property of my washers and dryers. My enemies can buy it from a store, open them up, and discover what's going on, but I'm dead serious about protecting IP of my jet engines. That's how you need to think about it. Prioritize application, prioritize data, put pragmatic security in place. Do not depend on firewalls and VPNs, even if the legacy vendor will tell you that they are cloud because they're spinning the virtual machines in the cloud. You can spin your DVD players in the cloud. You will never become Netflix. Jay, it sounds like you've got a lot of work to do here. Thank you for these very wise words. If you can stick around, I'm sure you can grab Jay afterwards. But thank you so much for being here today. Thank you.
