For this article, I had the chance to speak with Jay Chaudhry, the CEO and Founder of Zscaler. Zscaler bills itself as a cloud cybersecurity solution, or “Security as a Service.” Zscaler has a unique approach to cybersecurity, one that fits into my balanced cybersecurity framework, but that also dispels conventional notions of protection. Chaudhry offered insights into what Zscaler can provide for businesses and why he thinks network security is an outdated concept in general. Chaudhry recommends a focus on four key areas as a way to construct a balanced cybersecurity portfolio.
Given the damage that can result to businesses from having too few, or the wrong, cybersecurity protections for their individual needs, I’ve chronicled a variety of cybersecurity products available to businesses in a continuing series. In that series, I’ve examined the products on the market from two complementary frameworks, one of which is mine and one created by the National Institute for Standards and Technology (NIST).
From my framework, companies essentially must worry about five key threats to their cybersecurity: 1) identifying threats; 2) protecting yourself from them; 3) detecting them when they do get in (and they will); 4) responding to them; and finally, 5) recovering from them.
But companies have limited resources to devote to all five of these areas, and so they must make hard but necessary choices about how to allocate their spend across these categories, based in large part on what is most vital to protect within their individual business. This investment strategy is like creating a strategy for a financial portfolio. But to make this judgment, I’ve used the framing provided by NIST for cybersecurity throughout the series. NIST’s structure can help guide companies to find the right cybersecurity products for their business. Their steps are: 1) Determine Needs; 2) Allocate Spending According to Risk; 3) Design Your Portfolio; 4) Choose the Right Products; and 5) Rebalance as Needed. Chaudhry offers a novel perspective on how to achieve the right balance.
Disrupting the Notion of the Network
To explain the niche that Zscaler fits in the cybersecurity market, Chaudhry used the metaphor of a castle and a moat (I didn’t ask if he was a Game of Thrones fan). He said that the history of cybersecurity has been about keeping threats out of the network – companies thus erected moats around their networks, which they encased in fortresses.
But Chaudhry believes that type of approach no longer works in the world of the cloud and mobile devices. “The castle and moat says my network needs to be secured because my users and applications are connected to it. The castle and moat approach said if you are in my castle, you can come in and out only through certain doors, call it my drawbridge that I can pull up. And that model worked well,” he said. “When the center of the universe was your data center with applications, this network security made sense. But now, employees are everywhere. The center of gravity has moved from the data center to the cloud. So now, how do you do network security? Network security assumes that you control the network. If you don’t control the network, how do you secure the network? You can’t.” In other words, a castle and moat work well when your enemies are all on foot and horseback. It doesn’t work so well once they have artillery, drones, and airplanes.
Chaudhry said that Zscaler’s clients believe the network has fundamentally changed. “Current and existing IT infrastructure is being totally disrupted,” he said. He views the new world as a post-network one, a cloud-computing-driven landscape in which computing becomes a utility. “You don’t have your data centers. You’re not protecting your data centers. You don’t have your own infrastructure. All you have is a device, whether it’s a PC or my cell phone, and my compute resources and applications are sitting somewhere, we don’t even know where they’re sitting,” he said.