TheCUBE covers Black Hat 2024, discussing the chaos in the security landscape over the past 15 years: the evolution of cybersecurity from the dark web to the current challenges of product sprawl and compliance. Continuous innovation is needed to stay ahead of intelligent opponents. Zero Trust architecture is seen as a game-changer, offering new ways to combat evolving threats. Disruptive innovation and rebel thinking in cybersecurity are highlighted. The importance of specific and strategic use of GenAI is stressed to avoid predictability by intelligen...
What is the exception to the trend of IT commoditization and consolidation mentioned in the text?
What characteristics does a rebel have in the context of transforming a company during times of disruption and change?
What are some challenges associated with predictability and automation in cyber applications, particularly when facing an intelligent opponent?
What factors are important for the speaker in determining where to focus their efforts and apply themselves in their industry?
>> Welcome back, everyone, to theCUBE's coverage here at Black Hat. I'm John Furrier, host of theCUBE. We're here for our second day of wall-to-wall coverage. A lot of great action, talking to all the experts, all the security gurus, and of course, theCUBE is making the news. We've got Sam Curry in the house, theCUBE alumni from 2010, one of the original CUBE guests of all time when we started theCUBE. Sam, great to see you. Now the CISO at Zscaler, a company that's really kicking ass.
>> Thank you.
>> Zero Trust. What's the phrase? If it's addressable, it's breachable... What's the-
>> If it is reachable.
>> If it's reachable, it's breachable.
>> That's right.
>> Welcome back to theCUBE. Good to see you.
>> Good to be here. Well, it's been a while generally.
>> Yeah.
>> Yeah, the OG stuff from way back in the day.
>> If you go back 15 years ago, the dark web was on the horizon. It was a lot of... Security was well-known. Botnets were just kicking in, cloud-
>> Ransomware was just starting. Well, actually it'd been around for a while, but it was just starting to take off commercially.
>> You started to see the scale cloud coming, and then that just became the chaos of the cloud.
>> We used to talk about private cloud.
>> Private cloud, the journey of the private cloud. I think that was the year.
>> And Z-blocks.
>> Yeah, well, VMware is now owned by Broadcom. But again, that's a whole other story, but security has always been your wheelhouse.
>> Yeah.
>> So I want to get your take on it. Looking back 15 years to now, we're still in a chaotic environment. The threats are there, product sprawl's everywhere, thousands of vendors, thousands of products, CISOs' lives now are around risk management. Policy and compliance is a big part of it, continues to be. It's a lot of stress and a lot of chaos.
>> Yeah. I think I can finally tell the joke I used to tell off camera with you, which was I joked once when security became 8% of IT and it equaled storage. I joked with some execs at EMC because I was of course at RSA, the security division of EMC. I said, "When does it become EMC, the storage division of RSA?" It did not go...
>> And so RSA got spun out because of you.
>> All my fault. No, I left in 2014.
>> I'm just kidding.
>> But no, I'm with you. But the fact is that most of IT winds up on a commoditization curve, right? So when something is available everywhere and the quality's the same from everywhere, it only differentiates on price. And what you wind up with then is consolidation, fewer vendors, the aggregation of similar functions. You had it with ERP, you see it in all the suites that emerge, right? It goes from best of breed to suites, and that's always the motion. The exception is cyber security, and that exceptionalism in our industry has to some degree... off execs in other spaces. They're like, "What's so special about you guys?" And we sort of know there's something special about us and we sort of sheepishly think there might not be. The fact is that we have an active and intelligent opponent, and it's that intelligence on the other side that means that we never get to the point where the quality is the same everywhere. And so we have at shows like Black Hat or at RSA or all the others, there's hundreds if not thousands of startups. And what they do that's different actually makes a difference in defense. And so you never get to the point where you consolidate everything under one vendor. You get one platform and that's it. You brush the dust off your hands until the cloud or something like it. Like maybe quantum computing disrupts you or AI or something like that. By all means, those can change the game, but we are constantly having to innovate. We never get to rest on our laurels. And I think that's the difference. So you talk about chaos in the last 15 years, it's things like Zero Trust that provide new paradigms and architectures that can change the game. And that's why I'm at Zscaler, by the way. I always look for where can I put my hand down that's going to have the most leverage and make a difference like that. But in the end, that opponent's what makes the chaos. I talk to execs inside and outside of cyber, so boards and those sorts of things, and they say, "So when is the cyber thing going to be solved?" I think we may have actually talked about that 15 years ago.
>> Never.
>> It wasn't making that one-U rack-mountable solution. I'd love that, right? But some things it doesn't happen with. And in the rest of business, there are other areas like that. In legal for instance, you have intelligent opponents, their lawyers versus yours. In sales, you have their salespeople versus yours. So you can't say, "Oh, it's okay, we found the perfect sales pitch. We will just sit back and make money now." Or you can't say, "Hey, we'll never be faced with a tort." That's a problem. Likewise, you can't say the risk due to intelligence trying to break the system in our infrastructure is done, at least not yet.
>> Yeah, it's interesting. You've seen many waves of innovation. Every once in a while you have that moment where there's general recognition that something's happening. We got to apply new types of security. Just going back to COVID 2020, everyone's working at home. Who would've forecasted that? We'd have to essentially do SD-WAN and do everyone at home, 100%.
>> Oh, yeah.
>> Okay. So now you have SASE.
>> Well, that's forced us.
>> Now, you got SASE. Zero Trust emerges out of that architecture. And so now we're in that moment now where generative AI is pretty clear to everyone that there is something there that needs to be looked at. Because when people bring their co-pilots to the network, whether it's home or the office, that's another service area. So you have a moment where security will have to get refactored for this next big wave. What's your view on that? Do you take the Band-Aid approach by putting on another thing from a startup? Do you want to platformize it? Is it a do-over? What do you do?
>> Necessity is the mother of all invention, and I mean that. Because we had Zero Trust before COVID. Back in 2010, I actually talked to founders here at Zscaler from outside and said, "I need fine-grained authorization at scale where every request is uniquely handled." Later, John Kindervag came up with the term "Zero Trust." It wasn't long after, by the way. So it's existed now for a dozen years as an idea, but it took a forcing function to make it happen. And the reason is that change happens because of leadership. If you just unleash the technology, people will continue to do things the way they've always done them. If you look at, for instance, new tools on the battlefield, until you actually need them, people don't use them. If you look at tanks in World War I, they didn't use them to make breakthroughs. They peanut-buttered it. They kept fighting trench warfare, the way they had fought for four years, with disastrous results. And they didn't use tanks, for instance, or even air power the way they could have even as early as 1917, 1918. That's what's happening here. And I think what we have to do is realize that we have to challenge ourselves and we have to take leadership seriously and take these new breakthroughs. And especially AI. Everyone talks copilots, okay, I'm good with that, and copilots are important, but how many companies started out saying, "I'm doing a copilot and everyone should do it." But the application for things like deception technology, where we finally actually make naming of things like files or passwords or things like that that really look like humans named them. We can make artificial traffic that looks like human traffic. We can create fake networks of people. Where are those ideas? And I think that we're seeing it right now, for instance, in Ukraine. We're seeing drone warfare being driven to the next level out of necessity, just like we saw with tanks in World War I. And I think the next few years is where the toolkit will be available and the opportunity exists for us to say, "Okay, take the GenAI and the other things coming in AI as a set of innovations and let's use them not just the way we've always used them. Let's disrupt them."
>> What are some of those disruptive enablers? Because obviously what you're getting at is thinking differently. I love that analogy of trench warfare and then you've got tanks and then planes. What are the tanks and planes for us in cyber? Because you need a disruptive enabler. So you got to disrupt what was before and enable the new. Obviously, advances in silicon and compute and getting closer to the silicon is where the best AI companies are today, like the consumer ones. So you're seeing more kernel developers, you're seeing a lot more closer to the hardware on one end, and then intelligent apps on the other. The data models are changing. So you're already seeing signs of the shift or enablement. What's your view on disruptive enablement that's happening?
>> I'm dangerous when you ask that question.
>> Yeah, go ahead.
>> Look for the rebels. Because in peacetime, we have managers who smooth things over and they get rewarded perhaps for... We need them. They make things incrementally better. But in wartime, we need people that are going to go tabula rasa and truly transform. One of the reasons that I came to Zscaler is it says, "Hey, just because the RFC says everything has to be open, doesn't mean it does. You can reduce your footprint. You can not accept the inbound request. You can become less visible online." I did the same thing with personal firewalls nearly 25 years ago so that you can shim a stack and say, "Well, there isn't a driver there. There should be one there. Let's go deep in the stack and let's actually start filtering traffic there with policy sets." That was back in '97 and '98, and...
>> What does a rebel look like now?
>> Well, the rebel's the person who's sitting off to the side who's a little bit awkward. And you also need these managers who can come in and say, "Well, I don't care that we've built a policy set over a decade, that the firewalls sit a certain way." Instead, they're going to go, "If we were to start with a blank sheet of paper..." And by the way, re-architecture is one of the dirtiest words in the English language, but it's also one of the most necessary at the right time. And I think this is one of those times. When you see a big disruptor coming in, the first thing the company goes is, "Ooh, we don't want it. How do we keep it out?" And then, "It's okay, well, we've got to embrace it." And then you get the sense that, "Well, it's business as usual." And that's the moment when you look for the rebels because they're chomping at the bit in our industry. In security, they're there.
>> We have a few rebels on theCUBE.
>> I'll tell you, Black Hat's the place where we come to party, and DEF CON.
>> There's rebels here.
>> Yeah. It's not just summer camp for security, they exist in every company and they want to be heard. You can do a lot if you really open your ears and pay attention.
>> It's interesting you bring up re-architecture because one of the things we've been having a lot of conversations with our research teams and all over this is we're looking at the larger enterprises when cloud lift and shift, now they have full distributed computing architecture environments and they have existing workloads, banking apps, and so they have workloads and they know what they are end to end. So the first step is let's infuse GenAI into those existing apps, and then they have to, okay, what's our infrastructure needs? Which is why all the actors at the infrastructure and the silicon, we're seeing that play out. Okay, assume there's going to be GPU clouds and all kinds of things emerge, assume that happens. The next step is that will enable them to do something. And they're all talking about reset. They're thinking, "Okay, next 10 to 15 years, I need a foundation that we can build on." And they're looking at it from a clean sheet of paper. How do I deal with catalog? Let's decouple data from the database. Why not?
>> Yeah.
>> Let's focus on a new kind of catalog. Maybe you call this-
>> That's what virtualization did for us when we finally understood it, right? And I'll tell you, that wish list that you put up, you should have been burying at the back of your computer and maybe somewhere, I'd say in a drawer somewhere, it's time to dust that off. And if you find at the end of the project, everything has been smoothed over with sandpaper and all you've done is you've reduced cost 10%, and maybe you've increased your capacity 5 to 10%, you've failed. This stuff is truly transformative. The numbers should look like 70%. And if you're not approaching that or don't have an ability to reach there, you're not doing it right. What you want is to think about the outcomes and to think, how do I simplify my stack? And you can still do complex things without being complicated.
>> So are the Zscaler customers like rebels?
>> Yeah, for the most part. What's remarkable is you can tell everybody eventually is a part of it, but you have your champions, and they could be IT people. They could be networking people, they could be cyber people. But it's truly remarkable when you find the believers because the energy and the passion of them is amazing.
>> It's time to dust off the Steve Jobs, the misfits, the rebels. Thinking differently is the-
>> I don't mean it in a Steve Jobs way, but yeah.
>> Well, that's what-
>> Maybe it is.
>> Well, not like that because it's a different world, but I mean, this is what we're talking about. We're talking about, okay, flipping the script, because to make GenAI work, it's a data-driven world, and it needs low latency, horizontal scalability and domain expertise in apps.
>> Sure.
>> That is a hard technical thing to do.
>> But in cyber, we have another problem, which is that anything that is, I did this as a presentation a few years back with a guy named David Berliner called Mirror Chess, that any form of predictability or automation becomes a weakness when you have an intelligent opponent because they can predict what you're going to do, and there's ways specifically to avoid that. And so applications of GenAI tend to work really well when they're very specific, like cogs in a machine. And then you can look at how does the machine coordinate those. And so it's a different application in cyber than it is in ERP, as I said earlier, or in storage or in other areas. And so we have the meta problem of how is someone going to try and take advantage of this artificial intelligence? And that's an exciting problem.
>> And the opponent is smart, organized, funded, intelligent.
>> And they may poison or they may do kleptography or what have you. This is a fun set of challenges, but as long as we're aware of them and we're aware of the tricks, with the case of Mirror Chess, how to avoid it and what some of the privacy-enforcing technologies that are out there are. Did another presentation on that with Alon Kaufman a few years back. Still highly relevant in the AI space. This stuff is doable, but it takes an open mind and actually talking to people outside your normal...
>> How do you feel the industry, public-private partnerships and all that good stuff, how do you think we're doing against the adversaries?
>> Better than I expected, by the way.
>> Yeah, it seems to be going well, relatively speaking. At least we recognize that they're intelligent, organized, funded, and aggressive.
>> Yeah, it's never fast enough. It's frustrating when you look around and go, "Well, if they just did this, it would work. And if they could just do this, it's..." The truth of the matter is the dialogue actually helps to determine what it is we're going to do that you couldn't have known before, and everybody has to be part of it. But I've seen good leadership politically. I rarely say that. So things like the executive order on artificial intelligence had the right kinds of outcome-oriented thinking. It was 111 pages, and most of that was not prescriptive. It was like, we need to get to this point and this way of doing it. And I've seen international collaboration like between the U.S. and the UK that's kind of exciting. NATO recently spoke about how to do this as well and how to use the unique ability for NATO as buyers to come up with better systems for things like Zero Trust as well. So I actually think the right dialogues are happening, and I'm encouraged to see the pace at which it's happening, but it's never enough for me.
>> Is there a point where we actually can identify statistically, oh, not 100%, but pretty much where the threats are? I mean, at some point, is there a finite or-
>> It doesn't have to be. It doesn't have to be. Look, Zero Trust is the goal, but even slightly less trust is a huge win. Slightly less risk is a huge win. If I can raise the cost to break for a nation state, for hostile hackers, for cyber terrorists, for cyber criminals, even a small amount, it's a massive reduction in pain and agony and damage to critical infrastructure, to actual people getting hurt or death because that's real now, right? Small hiccups and interruptions in IT and in availability matter. So you know what? If I can get a 5% reduction in trust, that's a big impact. So one of the problems I have at these shows is we all, and I've been as guilty of this as anyone, is we all go, "Hey, I found a perfect way to do something." And then we all cheer and then someone says, "I found a corner case that breaks it," and we get depressed. It's like, no, you know what? Does it meaningfully move the needle a little? That's a win. Let's keep doing that.
>> Okay, I have to ask you, because you haven't been on theCUBE in a while. Quantum happened since we last talked.
>> One of my favorites.
>> Crypto encryption is a huge part of that.
>> Part of the rhythm and all that.
>> I hear great things that we'll have the ability not to crack the encryption, new solutions. What's your vision?
>> Most of your audience I think probably understands it. For those who don't, most crypto is based on a problem that's easy to do one way and hard to do the other. And of course quantum makes it easy to do both ways. So multiplying large prime numbers versus factoring the product of them. So really what we want to do is find problems that remain hard or ways of using math in a few different ways that make it difficult to reverse. And there's some really good candidates for that and some really good advances that are happening. NIST has been sponsoring a lot of those. There's good commercial things available. But I think the most important thing that people can do to get ready right now is to be ready to swap out their libraries. You don't want to be caught flat-footed and go, "Well, I don't have the option right now, and so I'll just wait." No, no, no. If you've ever been through what it's like to go to a FIPS 140 library, then you know you want to be ready so that you can just be like, "Oh, just go change these files."
>> Yeah, you got to do the prep work.
>> Do the prep work. You can do that right now and you can pay attention to the evolution of that technology. And as soon as it's ready, you can start to adopt it.
>> Great to see. I want to ask you, what attracted you to Zscaler? Obviously, we've been covering them and we love the company, we love Jay's entrepreneurs, entrepreneur. He is very entrepreneurial, even as a big company. Stock performance is obviously impressive. They're up there always in the top leaderboard. So the financial results obviously show that they've got business going on, but technically, as the rebels start to rethink about this time we're moving into, what attracted you to Zscaler? What jumped off the page?
>> For me, it really does boil down to three things. Jay is of course part of these three things because I've always loved him. The first one is, the company's an incredible company. The second is the people. I can't think of anyone I don't get along with. My team is great, everyone I work with, but the technology has the ability to move the needle. And I think since I last saw you, I've lamented the fact that I constantly see the opponent getting better at what they do faster than we defenders. And I've said this with previous companies as well. So I wake up and go, "Where do I apply myself today to change that?" And Zscaler topped the list. What can we do in the industry from a tech perspective? What can I do? Where can I go that could have an impact to change that equation? And Zscaler topped the list for me.
>> Well, it's great to have you back on theCUBE and hope to have two more, and it's always great to get your big brain. Also, your experience and advice out there because these videos are free. We want to get the word out and thanks for sharing on theCUBE here at Black Hat.
>> Well, thanks for having me. It's good to be back.
>> Summer camp for hackers. I love it. We're here.
>> Hopefully, it's not another 15 years.
>> They're definitely partying like at summer camp, that's for sure. They know how to party. You're watching theCUBE. I'm John Furrier, your host. Thanks for watching.