>> Hello and welcome back to theCUBE's coverage here at RSAC here in San Francisco. We are joined today on what we are starting to call CISO Day by Sam Curry, who's a CISO for Zscaler. Welcome, Sam. We're so glad to have you.
Sam Curry
>> Thanks for having me.
>> Welcome back to theCUBE, man. This is unbelievable. The very first CUBE we ever did.
Sam Curry
>> Was it the first?
>> Yes, May of 20 ... Sorry, May of 2010-
Sam Curry
>> Yeah.
>> ... And we called it-
Sam Curry
>> 14 years ago.
>> It was in Boston at EMC World. We called it the Chowder.
Sam Curry
>> The Chowder.
>> ... CUBE. Chowder and Lobster.
Shelly Kramer
>> And you haven't aged a day.
Sam Curry
>> I haven't. It's unnatural, but there you go. There you have it.
Shelly Kramer
>> Yeah. Some people just have it all going on, so. Oh my gosh, amazing event. We have shared so many different thoughts and insights over the course of the last three days.
Sam Curry
>> Sure.
Shelly Kramer
>> Tell me though, tell us what your key vibe that you're getting from the show.
Sam Curry
>> Well, key vibe, I think you almost can't move without people talking about artificial intelligence these days. I think the threat vectors so far are the same we've seen for a long time, but what we're seeing is an improvement in efficiency and effectiveness. And I think the undertones are that the tool kit's getting better on offense faster than it's on defense. That's been true for a long time, but it seems to have taken a sharp turn and is accelerating and people seem to be waiting for the shoe to fall. But a lot of talk about what's happening in the wider world, geopolitically that's happening. We just put out a threat research report, for instance, through threat labs and phishing is up again. It's up 58.2, nearly 60%. A lot of phishing, a lot of course the deep fakes, that sort of thing. So yeah, it's a buzzing show. I actually thought maybe the attendance would go down, but I'm hearing rumors it went up. So I don't know what the official reports are yet.
Shelly Kramer
>> I think Dave and I talked about this yesterday. I think maybe you mentioned you heard about 45,000 and then last night I heard somebody saying maybe 60, so-
Sam Curry
>> 60 would be....
Shelly Kramer
>> I don't know that we really know. We're kind of guessing.
Sam Curry
>> I've been to all but four of these conferences in its history and that would be amazing.
>> I think it's bigger this year than it was last year. I think last year was 40 to 45.
Sam Curry
>> Yeah. I think I heard 42 was some official.
>> Yeah, something like that.
Sam Curry
>> I don't represent the conference now.
>> I'm thinking when we first met, the world was a lot different. We were just coming out of a financial crisis. We were starting a decade-long tech boom with zero interest rates. Cloud wasn't really a thing.
Sam Curry
>> We were just starting to talk about it and private cloud was what was on people's minds at the time. Yeah.
Shelly Kramer
>> Yeah.
>> Cloud meets big data.
Sam Curry
>> That's right-
>> Remember that?...
Sam Curry
>> Big data. Yeah. I think we actually talked about how do you know it's big data was when you could create PII or something we talked about.
>> Yeah. Yeah. Right.
Sam Curry
>> It's all coming back to me now. Flashbacks.
>> So much has changed.
Sam Curry
>> Yeah.
>> Obviously the threat surface has grown. I don't know by how much. It's 2x, 3x, 10x. Being a practitioner in this world for so many years, take us inside the CISO's head from 10, 20 years ago, fast-forward to today, what's it like?
Sam Curry
>> Well, two big things have changed. I think the first is ransomware. We really can't ignore that. It was on everyone's lips for a long time and it's not gone away, making too much money for the bad guys. And I think we had a bit of a hiatus due to war. There was a polarization of the cyber criminal community around the Ukraine and Russia for a while, but they just keep getting more effective at it. Automation seems to be the name of the game. And now the application of Gen AI in particular. The other thing is regulatory pressure and that's not changing. So Europe, we've seen NIS2 and DORA now coming out. We've seen GDPR influence other privacy regulations. We've seen the SEC in 2023 take some new steps and everyone sort of where's this headed? And of course the Biden Administration has brought out guidance for safety around AI and now guidance around and trying to use liability in order to change incentives for corporations. That happened just yesterday. We'll see where that actually plays out, but-
Shelly Kramer
>> What do you think about that?
Sam Curry
>> Well, I think we have to start changing to some degree how companies think about it. But I think it's a delicate game we have to play. And I don't know how other nations and other jurisdictions will respond to this. We don't want to bayonet the wounded. What we want to do is make sure, and I think they've been very cautious to say it's not about liability per se, so much as getting this on the corporate agenda. And I think the biggest problem in cyber is that we don't have alignment between cybersecurity and business. And even when it exists, it tends to drift apart and that has to be fixed. It's not just in response to a regulation. There seems to be a misapprehension that you can have such a thing as perfect fault-free cybersecurity and you can't. The question is, are you doing the right things and what does that mean in a world that's evolving very, very quickly? And that is going to change dramatically in the next few years as well. So there is no safety standards or even practice standards like you'd have in the medical industry at this point, but we have to start having that dialogue. It's academia. It's private sector. It's public sector. And I think leadership is what's needed and we're starting to see that.
>> You mentioned geopolitical talk here. We got two prominently in the news hot wars. One in Ukraine, one in-
Sam Curry
>> One in Israel.
>> ... Israel and Gaza. What do we take away from a cybersecurity standpoint? Ukraine, we didn't have Starlink back in 2010. But what are we learning about cyber and war?
Sam Curry
>> Well, you also can't ignore elections and something like half of the world is electing its government right now this year. Misinformation, disinformation is not just an American challenge with our elections here in the United States. It's everywhere. So I think we need to realize that we have authenticity I think is a word we need to add more to our discussion. We've always talked about CIA, confidentiality, integrity, availability. I think non-repudiation was added to that list in a banking scenario. But authenticity is super, super important. Do we test it enough? Do we understand it? And is it something that we're considering in our information security strategies generally? Now we get that in war and cyber is both a plane for war and it's a dimension of classical warfare. We need to remember that in a cyber terrorism context. We need to remember it in a nation state context. And I think we also need to remember that in a preserving democracy and freedom context. So this is non-trivial stuff.
Shelly Kramer
>> It is world changing.
Sam Curry
>> Yeah.
>> 2016 was kind of like the weaponization of social media, we're like, wow, okay. And then 2020 built on that with fake news in a big way. And 2024 is going to bring-
Sam Curry
>> We haven't yet seen...
>> Deep fakes is going to be-
Sam Curry
>> Deep fakes are here. That was part of our phishing report as well. We saw phishing rise up, but deep fakes we've already seen in many regards. New Hampshire had an election where people were told not to go to the polls by a deep fake through robo-dialing by supposedly Joe Biden, at least the Democrats were for primaries and things like that. That's going to become much more commonplace. And so how do we validate these things? It's getting harder and harder to do. It's getting cheaper to execute these attacks. And so what we're also seeing at the same time, you mentioned the two hot wars, is the nature of warfare where things like drones is changing. Now we're talking about unmanned warfare or un-personed. When drones go to war with one another, be it air, land or sea or space, and so-
>> Space warfare.
Sam Curry
>> Yeah. So what's the cyber dimension there? And even self-replicating drones. So we really do need to come up with new norms for several new battle spaces and how they interact with each other. And then we can back up and say, so what is the role of corporations here? Companies shouldn't have to face off and individuals shouldn't have to face off with nation states. So where do we draw the lines and what are the new standards and how do we come up with a new world order around this? And it's some trivia.
>> And the physical security and digital security used to largely be kind of separate topics and-
Sam Curry
>> For the most part, yeah.
>> ... They're clearly smashing together. And you talk about, you think about low-cost drones inside the country-
Sam Curry
>> And low-cost energy for them, so they have long-range and what have you.
>> And then the exposure to critical infrastructure. So how are you thinking about critical infrastructure? A scale of one to 10? We're not a 10 in terms of being ready. Definitely closer to one than we are 10.
Sam Curry
>> Sounds like you have an opinion on that.
>> I do. Tell me if I'm wrong.
Sam Curry
>> No. I think it varies by critical infrastructure because not all the same-
>> By industry, by-
Sam Curry
>> Yeah. Some of it's health. What happens when hospitals go down or water's not available, food's not available is not quite the same, although it might be just as important in a different way as say banking or mining, those sorts of things. So you got to look at the sectors and say, well, what is the risk profile and what are we going to do to maintain things? And what are our emergency responses and how do we test that? We also have the ability to game a lot of this stuff out just as we do in companies. We can do this at national and international scale and how do we work with our allies. For instance, in the United States, our electric grid isn't just us, it's also Canada, it's also Mexico. Same thing is true of other forms of energy supplies. So this is more than just one or two parties.
Shelly Kramer
>> I was looking at some data from your report and one of the things that you mentioned is the manufacturing industry, no surprise, is experiencing a considerable uptick, 31% in phishing attacks. And then we go to supply chain and the dangers of supply chain. And so we've got the threat to critical infrastructure, but we've also, I mean, manufacturing plays a significant role in our ability to survive.
Sam Curry
>> Yeah. And of course we have additive and now synthetic manufacturing and new advanced technologies coming. We often have focused on things like quantum computing or cryptocurrency, bitcoin-
>> Sure....
Sam Curry
>> And that sort of thing. But there's actually a whole bunch of concurrent advancements that are going through, let's call it, sharp accelerations. There's something called the law of accelerated returns. So what's next in AI? That's important. And what's happening in quantum? That's important? But what's happening in manufacturing? That's important. How do we make sure that in an emergency we can manufacture the things we need, that we have redundancy in the supply chain? But then you get to I think the security of the supply chain. And let's not forget Stuxnet was a supply chain issue. Maybe not for us, but SCADA, ICS systems, what do those segments look like? How do they access? Because a lot of the systems in our manufacturing and our factories, they were never designed to be connected. And so how can they be turned against us or used in ways we don't expect? That's a very big deal. And can they be bricked? I mean, one of my big concerns is if you look at the way that artificial intelligence was used in a classic gaming sense in chess and board games like that, new strategies have been found that the grand masters of the game never expected. I heard Garry Kasparov speak on it with respect to chess. The strategies that AI comes up with are not what we expect. And if you flip over now to cyber, the attack surface is too large. So we've got to start thinking of how do we remove options for AI to find attack vectors we never suspected.
>> Game of Go.
Sam Curry
>> Go, absolutely.
>> Which is a human creativity game. And then the machine actually comes up with things that humans never thought of.
Sam Curry
>> DeepMind. DeepMind found 59 new openings that grand masters went, this feels like aliens. There's an article in The Atlantic about that, and we still don't know how to respond to those moves.
>> So Kasparov was on theCUBE. I interviewed him. It was awesome.
Sam Curry
>> He's amazing.
>> It was like an IBM event or something. And so we were chatting. It was interesting because at the time, this is maybe 2017, somewhere around there, when he lost to the machine.
Sam Curry
>> He was horrified, yeah.
>> Right. But because he's so competitive, he actually created, you probably know about this, a contest where humans used the machines. And so what he found was the human and the machine could beat the machine. Now I'm wondering-
Sam Curry
>> He actually said for a decade the best games were human-assisted machines, machine-assisted humans.
>> So I took the optimistic view of that and said, hey, this AI, it's still going to be humans and machines are going to be the best combination.
Sam Curry
>> That's where we are now.
>> So now though, with all this AGI talk, I'm thinking maybe that's not going to last so much.
Sam Curry
>> It's a much more complex field perhaps than chess, but it's anyone's guess how long it'll last for. He actually said it lasted 10 years in chess. Afterwards, the machines just owned it. And whatever that stretch is, we're at the beginning of it now. If it lasts a year, 10 years, 20 years, who knows. But at some point, the machines will be good enough to be fighting each other and we'll have to set the strategy up and then they'll fight it in real time and we won't have much say in the matter-
>> So at the moment, it's fighting machines.
Sam Curry
>> But at the moment, it's machine-assisted humans.
>> But it will be in your crystal ball, smarter-
Sam Curry
>> Grain of salt.
>> ... Smart, yeah. We all. What they say? Forecasting the future.
Sam Curry
>> Yeah.
>> Forecasting is hard, especially if it's about the future. Smarter machines attacking less smart machines and then more smart machines-
Sam Curry
>> Or maybe not even less smart, just it's all about prep. It's about how well the machines have prepped. You can game out millions of scenarios. And how well have you built your strategy? It's not necessarily which one has the higher IQ. It's which one has more thoughtfully planned its games.
>> And found it. Okay. So Amazon turned the data center into an API, and then ChatGPT showed us the way to turn technology into a natural language interface. How does that change how you think about securing AI?
Sam Curry
>> Well, that's a huge question because there's authenticity, the information we feed to it, and I think there's a lot we could be doing around things like honey AI, just like we had honey pots, honey nets.
>> Yes. Right.
Sam Curry
>> How do we make sure that we understand how these things are being poisoned or set up, that we understand the biases and the ingestion of information and the models themselves and the outputs that come out for justice? Sure. But also because the output actually affects business. Is somebody subtly influencing outcomes and then using it for manipulation of performance and results? That's a big deal.
Shelly Kramer
>> Yeah.
Sam Curry
>> Every company should be really thinking hard about where do they want it to apply. And I make a distinction right now between deductive AI applications, that is for a function as in coming down to a cog in a machine. Are you using this for finding malware? Are you using it for anti-fraud? Are you using it for risk determination? Because you can wrap terms around that versus the pulsating brain induction. Is it I have the brain that can do everything? Well, I'm not interested in that right now, by the way. Save that for the phase where it's machine versus machine, and I need it to be thinking about strategy as well. Right now, that's the harder thing to wrap your head around. So think about data leakage, about control of the flow of information, understanding it. Every company's going to have to embrace to some degree artificial intelligence and its tools. The question is how they go about doing so and how they go about governing it.
>> But if I understand it correctly, Sam, you're saying it's really use case specific in terms of how you defend today-
Sam Curry
>> And classifying those.
>> Classifying those in the future when it's the everything AI-
Sam Curry
>> We better do it-
>> That's a different game....
Sam Curry
>> Because they're doing it now. We're actually seeing changes in efficiency and effectiveness. They haven't yet done the Go and the chess thing of finding entirely new attack vectors, but when that happens, they will go on vectors, no pun intended, for which there are no responses, and Go does something called joseki, which is you get me attack and there's a planned sequence almost that you are expected to follow to minimize loss. We don't know what those are for the new openings and there may not be any. So we need to minimize the attack surface. It's a new application of zero trust or least trust. Let's start doing that now in our architecture.
>> My heart rate just went up.
Sam Curry
>> There you go. There you go. It wasn't meant to scare.
Shelly Kramer
>> I think everybody's heart rate is up though. And so final question for you here is that what I think about when we talk about all of these challenges that we need to get arms around, and I think about the urgency of some of that. Again, we've got these wars happening, we've got elections happening in a very short period of time, some happening now. What's your best advice to a CISO? Because you get so crazy with worry about all the things I need to see to where do we start if you're a CISO?
Sam Curry
>> I usually tell people, don't panic. It is not just a Douglas Adams reference. And I usually say, for the most part, unless you're in critical infrastructure, people aren't going to die. It's the good news. And you've got to get out of the fight or flight response of practice. But at that point, the most important thing is to be thoughtful and to respond to what really happens. It may be happening faster, but it's still not instant, and it's still an economic game for the most part in terms of resources and investment. Nation states may have what seems like infinite budgets, but they still are part of an ecosystem where tools take time to build. And actually carrying out attacks is an investment of resources and there's risk and attack. And so our job is not to have perfect security, small improvements in risk, reduction of likelihood, making things less visible, reducing the blast radius. That has massive returns in terms of actually reducing risk and loss, and that's a game we can play and we can win at. Now on the other hand, if you're just incrementally changing your strategy by 10% every year, good luck with that. You might have a bit more cheese to move for you and your organization, and that's cultural change, inertia, if you will. And that's the hardest thing to do.
Shelly Kramer
>> Yeah. Well, Sam Curry, Zscaler, CISO, thank you so much for joining us here at RSA. And to our viewing audience, thanks for hanging with theCUBE, and we will see you back here for more live coverage from RSA in San Francisco for the rest of the day.
>> Hello and welcome back to theCUBE's coverage here at RSAC here in San Francisco. We are joined today on what we are starting to call CISO Day by Sam Curry, who's a CISO for Zscaler. Welcome, Sam. We're so glad to have you.
Sam Curry
>> Thanks for having me.>> Welcome back to theCUBE, man. This is unbelievable. The very first CUBE we ever did.
Sam Curry
>> Was it the first?>> Yes, May of 20 ... Sorry, May of 2010-
Sam Curry
>> Yeah.... >> And we called it-
Sam Curry
>> 14 years ago.>> It was in Boston at EMC World. We called it the Chowder.
Sam Curry
>> The Chowder.... >> CUBE. Chowder and Lobster.
Shelly Kramer
>> And you have an aged a day.
Sam Curry
>> I haven't. It's unnatural, but there you go. There you have it.
Shelly Kramer
>> Yeah. Some people just have it all going on, so. Oh my gosh, amazing event. We have shared so many different thoughts and insights over the course of the last three days.
Sam Curry
>> Sure.
Shelly Kramer
>> Tell me though, tell us what your key vibe that you're getting from the show.
Sam Curry
>> Well, key vibe, I think you almost can't move without people talking about artificial intelligence these days. I think the threat vectors so far are the same we've seen for a long time, but what we're seeing is an improvement in efficiency and effectiveness. And I think the undertones are that the tool kit's getting better on offense faster than it's on defense. That's been true for a long time, but it seems to have taken a sharp turn and is accelerating and people seem to be waiting for the shoe to fall. But a lot of talk about what's happening in the wider world, geopolitically that's happening. We just put out a threat research report, for instance, through threat labs and phishing is up again. It's up 58.2, nearly 60%. A lot of phishing, a lot of course the deep fakes, that sort of thing. So yeah, it's a buzzing show. I actually thought maybe the attendance would go down, but I'm hearing rumors it went up. So I don't know what the official reports are yet.
Shelly Kramer
>> I think Dave and I talked about this yesterday. I think maybe you mentioned you heard about 45,000 and then last night I heard somebody saying maybe 60, so-
Sam Curry
>> 60 would be....
Shelly Kramer
>> I don't know that we really know. We're kind of guessing.
Sam Curry
>> I've been to all but four of these conferences in its history and that would be amazing.>> I think it's bigger this year than it was last year. I think last year was 40 to 45.
Sam Curry
>> Yeah. I think I heard 42 was some official.>> Yeah, something like that.
Sam Curry
>> I don't represent the conference now.>> I'm thinking when we first met, the world was a lot different. We were just coming out of a financial crisis. We were starting a decade-long tech boom with zero interest rates. Cloud wasn't really a thing.
Sam Curry
>> We were just starting to talk about it and private cloud was what was on people's minds at the time. Yeah.
Shelly Kramer
>> Yeah.>> Cloud meets big data.
Sam Curry
>> That's right->> Remember that?...
Sam Curry
>> Big data. Yeah. I think we actually talked about how do you know it's big data was when you could create PII or something we talked about.>> Yeah. Yeah. Right.
Sam Curry
>> It's all coming back to me now. Flashbacks.>> So much has changed.
Sam Curry
>> Yeah.>> Obviously the threat surface has grown. I don't know by how much It's 2x, 3x, 10x. Being a practitioner in this world for so many years, take us inside the CISO's head from 10, 20 years ago, fast-forward to today, what's it like?
Sam Curry
>> Well, two big things have changed. I think the first is ransomware. We really can't ignore that. It was on everyone's lips for a long time and it's not gone away, making too much money for the bad guys. And I think we had a bit of a hiatus due to war. There was a polarization of the cyber criminal community around the Ukraine and Russia for a while, but they just keep getting more effective at it. Automation seems to be the name of the game. And now the application of Gen AI in particular. The other thing is regulatory pressure and that's not changing. So Europe, we've seen NIS2 and DORA now coming out. We've seen GDPR influence other privacy regulations. We've seen the SEC in 2023 take some new steps and everyone sort of where's this headed? And of course the Biden Administration has brought out guidance for safety around AI and now guidance around and trying to use liability in order to change incentives for corporations. That happened just yesterday. We'll see where that actually plays out, but-
Shelly Kramer
>> What do you think about that?
Sam Curry
>> Well, I think we have to start changing to some degree how companies think about it. But I think it's a delicate game we have to play. And I don't know how other nations and other jurisdictions will respond to this. We don't want to bayonet the wounded. What we want to do is make sure, and I think they've been very cautious to say it's not about liability per se, so much as getting this on the corporate agenda. And I think the biggest problem in cyber is that we don't have alignment between cybersecurity and business. And even when it exists, it tends to drift apart and that has to be fixed. It's not just in response to a regulation. There seems to be a misapprehension that you can have such a thing as perfect fault-free cybersecurity and you can't. The question is, are you doing the right things and what does that mean in a world that's evolving very, very quickly? And that is going to change dramatically in the next few years as well. So there is no safety standards or even practice standards like you'd have in the medical industry at this point, but we have to start having that dialogue. It's academia. It's private sector. It's public sector. And I think leadership is what's needed and we're starting to see that.>> You mentioned geopolitical talk here. We got two prominently in the news hot wars. One in Ukraine, one in-
Sam Curry
>> One in Israel.... >> Israel and Gaza. What do we take away from a cybersecurity standpoint? Ukraine, we didn't have Starlink back in 2010. But what are we learning about cyber and war?
Sam Curry
>> Well, you also can't ignore elections and something like half of the world is electing its government right now this year. Misinformation, disinformation is not just an American challenge with our elections here in the United States. It's everywhere. So I think we need to realize that we have authenticity I think is a word we need to add more to our discussion. We've always talked about CIA, confidentiality, integrity, availability. I think non-repudiation was added that list in a banking scenario. But authenticity is super, super important. Do we test it enough? Do we understand it? And is it something that we're considering in our information security strategies generally? Now we get that in war and cyber is both a plane for war and it's a dimension of classical warfare. We need to remember that in a cyber terrorism context. We need to remember it in a nation state context. And I think we also need to remember that in a preserving democracy and freedom context. So this is non-trivial stuff.
Shelly Kramer
>> It is world changing.
Sam Curry
>> Yeah.>> 2016 was kind of like the weaponization of social media, we're like, wow, okay. And then 2020 built on that with fake news in a big way. And 2024 is going to bring-
Sam Curry
>> We haven't yet seen... >> Deep fakes is going to be-
Sam Curry
>> Deep fakes are here. That was part of our phishing report as well. We saw phishing rise up, but deep fakes we've already seen in many regards. New Hampshire had an election where people were told not to go to the polls by a deep fake through robo-dialing by supposedly Joe Biden, at least the Democrats were for primaries and things like that. That's going to become much more commonplace. And so how do we validate these things? It's getting harder and harder to do. It's getting cheaper to execute these attacks. And so what we're also seeing at the same time, you mentioned the two hot wars, is the nature of warfare where things like drones is changing. Now we're talking about unmanned warfare or un-personed. When drones go to war with one another, be it air, land or sea or space, and so->> Space warfare.
Sam Curry
>> Yeah. So what's the cyber dimension there? And even self-replicating drones. So we really do need to come up with new norms for several new battle spaces and how they interact with each other. And then we can back up and say, so what is the role of corporations here? Companies shouldn't have to face off and individuals shouldn't have to face off with nation states. So where do we draw the lines and what are the new standards and how do we come up with a new world order around this? And it's some trivia.>> And the physical security and digital security used to largely be kind of separate topics and-
Sam Curry
>> For the most part, yeah.... >> They're clearly smashing together. And you talk about, you think about low-cost drones inside the country-
Sam Curry
>> And low-cost energy for them, so they have long-range and what have you.>> And then the exposure to critical infrastructure. So how are you thinking about critical infrastructure? A scale of one to 10? We're not a 10 in terms of being ready. Definitely closer to one than we are 10.
Sam Curry
>> Sounds like you have an opinion on that.>> I do. Tell me if I'm wrong.
Sam Curry
>> No. I think it varies by critical infrastructure because not all the same->> By industry, by-
Sam Curry
>> Yeah. Some of it's health. What happens when hospitals go down or water's not available, food's not available is not quite the same, although it might be just as important in a different way as say banking or mining, those sorts of things. So you got to look at the sectors and say, well, what is the risk profile and what are we going to do to maintain things? And what are our emergency responses and how do we test that? We also have the ability to game a lot of this stuff out just as we do in companies. We can do this at national and international scale and how do we work with our allies. For instance, in the United States, our electric grid isn't just us, it's also Canada, it's also Mexico. Same thing is true of other forms of energy supplies. So this is more than just one or two parties.
Shelly Kramer
>> I was looking at some data from your report and one of the things that you mentioned is the manufacturing industry, no surprise, is experiencing a considerable uptick, 31% in phishing attacks. And then we go to supply chain and the dangers of supply chain. And so we've got the threat to critical infrastructure, but we've also, I mean, manufacturing plays a significant role in our ability to survive.
Sam Curry
>> Yeah. And of course we have additive and now synthetic manufacturing and new advanced technologies coming. We often have focused on things like quantum computing or cryptocurrency, bitcoin-
>> Sure....
Sam Curry
>> And that sort of thing. But there's actually a whole bunch of concurrent advancements that are going through, let's call it, sharp accelerations. There's something called the law of accelerated returns. So what's next in AI? That's important. And what's happening in quantum? That's important. But what's happening in manufacturing? That's important. How do we make sure that in an emergency we can manufacture the things we need, that we have redundancy in the supply chain? But then you get to I think the security of the supply chain. And let's not forget Stuxnet was a supply chain issue. Maybe not for us, but SCADA, ICS systems, what do those segments look like? How do they access? Because a lot of the systems in our manufacturing and our factories, they were never designed to be connected. And so how can they be turned against us or used in ways we don't expect? That's a very big deal. And can they be bricked? I mean, one of my big concerns is if you look at the way that artificial intelligence was used in a classic gaming sense in chess and board games like that, new strategies have been found that the grand masters of the game never expected. I heard Garry Kasparov speak on it with respect to chess. The strategies that AI comes up with are not what we expect. And if you flip over now to cyber, the attack surface is too large. So we've got to start thinking of how do we remove options for AI to find attack vectors we never suspected.
>> Game of Go.
Sam Curry
>> Go, absolutely.
>> Which is a human creativity game. And then the machine actually comes up with things that humans never thought of.
Sam Curry
>> DeepMind. DeepMind found 59 new openings that grandmasters went, this feels like aliens. There's an article in The Atlantic about that, and we still don't know how to respond to those moves.
>> So Kasparov was on theCUBE. I interviewed him. It was awesome.
Sam Curry
>> He's amazing.
>> It was like an IBM event or something. And so we were chatting. It was interesting because at the time, this is maybe 2017, somewhere around there, when he lost to the machine.
Sam Curry
>> He was horrified, yeah.
>> Right. But because he's so competitive, he actually created, you probably know about this, a contest where humans used the machines. And so what he found was the human and the machine could beat the machine. Now I'm wondering-
Sam Curry
>> He actually said for a decade the best games were human-assisted machines, machine-assisted humans.
>> So I took the optimistic view of that and said, hey, this AI, it's still going to be humans and machines are going to be the best combination.
Sam Curry
>> That's where we are now.
>> So now though, with all this AGI talk, I'm thinking maybe that's not going to last so much.
Sam Curry
>> It's a much more complex field perhaps than chess, but it's anyone's guess how long it'll last for. He actually said it lasted 10 years in chess. Afterwards, the machines just owned it. And whatever that stretch is, we're at the beginning of it now. If it lasts a year, 10 years, 20 years, who knows. But at some point, the machines will be good enough to be fighting each other and we'll have to set the strategy up and then they'll fight it in real time and we won't have much say in the matter-
>> So at the moment, it's fighting machines.
Sam Curry
>> But at the moment, it's machine-assisted humans.
>> But it will be in your crystal ball, smarter-
Sam Curry
>> Grain of salt....
>> Smart, yeah. We all. What they say? Forecasting the future.
Sam Curry
>> Yeah.
>> Forecasting is hard, especially if it's about the future. Smarter machines attacking less smart machines and then more smart machines-
Sam Curry
>> Or maybe not even less smart, just it's all about prep. It's about how well the machines have prepped. You can game out millions of scenarios. And how well have you built your strategy? It's not necessarily which one has the higher IQ. It's which one has more thoughtfully planned its games.
>> And found it. Okay. So Amazon turned the data center into an API, and then ChatGPT showed us the way to turn technology into a natural language interface. How does that change how you think about securing AI?
Sam Curry
>> Well, that's a huge question because there's authenticity, the information we feed to it, and I think there's a lot we could be doing around things like honey AI, just like we had honey pots, honey nets.
>> Yes. Right.
Sam Curry
>> How do we make sure that we understand how these things are being poisoned or set up, that we understand the biases and the ingestion of information and the models themselves and the outputs that come out for justice? Sure. But also because the output actually affects business. Is somebody subtly influencing outcomes and then using it for manipulation of performance and results? That's a big deal.
Shelly Kramer
>> Yeah.
Sam Curry
>> Every company should be really thinking hard about where do they want it to apply. And I make a distinction right now between deductive AI applications, that is for a function as in coming down to a cog in a machine. Are you using this for finding malware? Are you using it for anti-fraud? Are you using it for risk determination? Because you can wrap terms around that versus the pulsating brain induction. Is it I have the brain that can do everything? Well, I'm not interested in that right now, by the way. Save that for the phase where it's machine versus machine, and I need it to be thinking about strategy as well. Right now, that's the harder thing to wrap your head around. So think about data leakage, about control of the flow of information, understanding it. Every company's going to have to embrace to some degree artificial intelligence and its tools. The question is how they go about doing so and how they go about governing it.
>> But if I understand it correctly, Sam, you're saying it's really use case specific in terms of how you defend today-
Sam Curry
>> And classifying those.
>> Classifying those in the future when it's the everything AI-
Sam Curry
>> We better do it-
>> That's a different game....
Sam Curry
>> Because they're doing it now. We're actually seeing changes in efficiency and effectiveness. They haven't yet done the Go and the chess thing of finding entirely new attack vectors, but when that happens, they will go on vectors, no pun intended, for which there are no responses, and Go does something called joseki, which is you get me attack and there's a planned sequence almost that you are expected to follow to minimize loss. We don't know what those are for the new openings and there may not be any. So we need to minimize the attack surface. It's a new application of zero trust or least trust. Let's start doing that now in our architecture.
>> My heart rate just went up.
Sam Curry
>> There you go. There you go. It wasn't meant to scare.
Shelly Kramer
>> I think everybody's heart rate is up though. And so final question for you here is that what I think about when we talk about all of these challenges that we need to get arms around, and I think about the urgency of some of that. Again, we've got these wars happening, we've got elections happening in a very short period of time, some happening now. What's your best advice to a CISO? Because you get so crazy with worry about all the things I need to see to where do we start if you're a CISO?
Sam Curry
>> I usually tell people, don't panic. It is not just a Douglas Adams reference. And I usually say, for the most part, unless you're in critical infrastructure, people aren't going to die. It's the good news. And you've got to get out of the fight or flight response of practice. But at that point, the most important thing is to be thoughtful and to respond to what really happens. It may be happening faster, but it's still not instant, and it's still an economic game for the most part in terms of resources and investment. Nation states may have what seems like infinite budgets, but they still are part of an ecosystem where tools take time to build. And actually carrying out attacks is an investment of resources and there's risk and attack. And so our job is not to have perfect security, small improvements in risk, reduction of likelihood, making things less visible, reducing the blast radius. That has massive returns in terms of actually reducing risk and loss, and that's a game we can play and we can win at. Now on the other hand, if you're just incrementally changing your strategy by 10% every year, good luck with that. You might have a bit more cheese to move for you and your organization, and that's cultural change, inertia, if you will. And that's the hardest thing to do.
Shelly Kramer
>> Yeah. Well, Sam Curry, Zscaler, CISO, thank you so much for joining us here at RSA. And to our viewing audience, thanks for hanging with theCUBE, and we will see you back here for more live coverage from RSA in San Francisco for the rest of the day.