Zscaler CEO On SecOps Push And Why Network Security Architecture Is ‘Irrelevant’

‘I believe the current market segments that have been in place for years will eventually go away,’ Zscaler CEO Jay Chaudhry says during an interview with CRN.


Whether it’s in the area of securing network access or security operations, massive shifts are coming to some of the most established segments of cybersecurity—and partners have a central role to play, Zscaler founder and CEO Jay Chaudhry told CRN.

During an interview at the 2025 XChange Best of Breed Conference, Chaudhry said that decades-old network security architecture based upon firewalls and VPNs is increasingly “irrelevant” amid surging network compromises and the availability of zero-trust security approaches from vendors such as Zscaler.


Meanwhile, when it comes to security operations (SecOps), Zscaler is likewise looking to deliver a “very disruptive” offering built upon the acquisitions of security data fabric provider Avalor and managed detection and response trailblazer Red Canary, he said.

Crucially with SecOps, “we make the solution available to our partners to offer as a managed service because we don’t want to be in the services business,” Chaudhry said during the conference, hosted by CRN parent The Channel Company in Atlanta.

Ultimately, in both the cases of traditional network security and SecOps, “I believe the current market segments that have been in place for years will eventually go away,” he said.

During the wide-ranging, 45-minute interview, Chaudhry also discussed how the emergence of agentic AI is creating new opportunities for Zscaler and its partners, and shared how he became an “accidental entrepreneur” after growing up in a small village in northern India.

What follows is more of CRN’s interview with Chaudhry.

When you look at supply chain attacks such as the Salesloft Drift attacks, what can partners do about it? How can you secure yourself against your supplier?

The problem is the architecture was built 30 years ago. … We came at the notion of security using firewalls and VPNs. What’s a firewall? It’s a moat, it’s a gate. It’s trying to secure the network. This network is trusted. Everything else is untrusted. The problem is [when you have] a trusted computer which is infected. Now the malware is trusted too. Almost all issues are related to the lateral movement of the malware or the network. We have to go away from this network security architecture to a zero-trust architecture where everything is an island, and only the right party can connect to the right things. … That’s the foundational change in how things are done. Inertia is so powerful that the industry is taking so long to adopt zero trust. If we adopt zero trust, probably 80 percent of the issues will go away.

With the recent Cisco firewall vulnerabilities that hit the news where CISA had to issue an emergency directive about them—what did you think when you saw that story?

We’ve only seen three directives from CISA in the past several years. There was one about Palo Alto [Networks] firewalls in 2024. There was one about Ivanti VPNs and the Cisco [directive]. Now the issue is not to say they don’t write good software. Software can have issues. Zscaler software can have issues too. But there are two problems with the kind of issues we’ve seen with Ivanti or Palo Alto or Cisco. One, if there are [devices] sitting out there somewhere, the patching always lags behind for various reasons. The patching becomes very, very hard. And the second part is they are doing network security. They’re part of this network architecture. Once someone gets on the firewall, compromises the firewall, that firewall is part of the network. The malware moves laterally, finds other things and infects other things. That’s why having the network security architecture is irrelevant. I like to say, ‘Don’t do network security.’ If you think about it, what is there to secure in a network? The packets are flowing, and the packets are encrypted. It’s all about securing data. Data sits with applications, data sits with servers or endpoints. By making sure that the right endpoint talks to the right server, the right application, we secure data. That’s the mindset change we need to make.


You recently acquired Red Canary as part of a reimagining of security operations. What do you think the future looks like, in which SIEM goes away, and what opportunities does that create?

I believe the current market segments that have been in place for years will eventually go away. So when I started Zscaler, we kind of said that we are the switchboard, the exchange, connecting users to applications. We call it ‘zero trust for users.’ Then we took the same thing to workloads. Workloads are somewhat like users. They talk to the internet; they talk to each other. Then we [went to] the branches so that each branch could become like an island, with zero-trust branch. Then customers wanted zero-trust devices, so we acquired Airgap for that. So we want to make sure we do zero trust everywhere. Then our customers have been telling us, with all of this, ‘You’re generating so much [data from] logs, so much telemetry. And we send all this telemetry to Splunk or somewhere else. And I pay for that data lake. Why can’t you deliver more value and help us in the area?’ So it’s with that notion in mind that we said we are going to work on disrupting security ops. We bought a company called Avalor that takes all the logs and telemetry, synthesizes it, creates entry relationships. Now you’re dealing at a very different level to do SecOps. Then we needed the better front end, and Red Canary had built a beautiful agent technology that can do multiple tasks for security operations. So we said if we combine the two, we can offer a very disruptive security operations solution.

So the goal of the acquisition was not necessarily to compete with existing MDR providers?

We are not becoming an MDR company. Red Canary is about 2 percent of our ARR. Yes, they’ll keep on offering that service. But a lot of our customers are very large. They want to either own SecOps or work with someone [where] they already have a partner in mind. We make the solution available to our partners to offer as a managed service because we don’t want to be in the services business. That distinction is pretty clear to us. The biggest benefit we bring is [around] our logs and telemetry flows. SecOps happens; we find [threats]. It becomes a closed-loop system of feedback to our exchange so we can stop bad things. So it became the second North Star because we had only one North Star all along with zero trust. The second is, with all the data and telemetry coming to us from third parties, being able to do detection and response kind of services became our second big area. The third big area is AI security. The biggest opportunity for us is extending our exchange to agents. … We’ve done this [securely] for users. It’s natural for us to extend it for agents.

In regard to agentic AI, what do partners need to be doing now to really prepare for a future where they can secure all these different scenarios you just talked about?

The world is getting complex, [and] agents and AI will automate many things. But the technology is moving so fast, there’ll be more and more help needed. I think understanding some of these new agentic technologies and approaches becomes the starting point. If you need to provide services, you need to get good at it. But don’t try to expand on all the areas. Narrow down [within] a given area. Try to get good at it. Because customers are looking for help as things are moving [at] a faster pace.

You revamped your channel dramatically to a more consultative approach with the hiring of ServiceNow veteran Mike Rich as CRO and president of global sales. What kind of evolution did that precipitate in the Zscaler and channel model, and what’s the next evolution you see for channel partners?

Our customers don’t want point products. They want a solution that can solve from end to end. Yes, the term ‘platform’ is widely used, but the term ‘platform’ has been abused. Do you know a vendor out there who doesn’t have a platform? Everyone has a platform. And some vendors go on a buying spree, and once they buy eight companies, they say, ‘I have a platform.’ I was talking to the CTO of a large retailer with 1,800 stores. And he said, ‘I was sold a platform by a security provider. Once I tried to deploy, I found that it was eight different products [with] eight policy engines. But I could pay one bill rather than eight bills—that’s the only benefit I got from this platform.’ Needless to say, he kicked the vendor out and went for the better solution. There are lots and lots of services that need to be done. Customers want consultative discussions where we can show them what can be done, how you simplify, things you can eliminate. The things you eliminate also pay for the project you may be [pursuing]. I wish we had more partners who picked up more services-led [engagements]. A lot of partners who came from a bulk-selling background have taken longer to get to that level. My message would be, think beyond the traditional [business], and think about the broad set of services that customers can add. Most of our proposals include cost takeout. And a big part of cost takeout is elimination of all of those point products. And U.S. partners will play an important role in that area.

You have founded five companies, and I would imagine that that level of success requires a certain level of confidence. Can you talk about how you taught yourself to be a risk-taker?

I’m an accidental entrepreneur. I was born and raised in a tiny village in the foothills of the Himalayas in northern India. We got electricity after I finished my eighth grade, running water after my 10th grade. I was just a good student; I loved to learn and study. I was always No. 1 in my state, in my school and district. So I got into [Indian Institutes of Technology]. I chose engineering by accident because my teacher said, ‘There are two good professions, medical and engineering.’ And I didn’t like to deal with blood, so engineering it was. … I came to the U.S. to do my master’s. I came to the University of Cincinnati, Ohio, because they gave me a scholarship. Otherwise, I couldn’t come. In fact, the story is I almost missed coming here because I couldn’t afford to buy a ticket. I tried looking, researching, and I found a Tata loan scholarship for study abroad [that included a] one-way ticket to your university’s town. I did my master’s in electrical and computer engineering and got a job right there with a small startup. So I thought, ‘I’ll be a software engineer for the rest of my life.’ Until one day in this small startup [the company had me do a customer demo]. I said, ‘Wow, that was a lot more fun than writing code all day long.’ That’s when I said, ‘I need to move to a customer-facing role.’ I called IBM in Cincinnati. They were looking for someone [with] an engineering background. So I got a job for sales. I thought, ‘I’ll be part of the corporate world.’ … And then I stumbled across the World Wide Web [where] you can access information without any special software, just a simple browser. [I thought], ‘That should change the world—but if it does, then everything will connect to everything. Cybersecurity could become an issue.’ And as I read about Marc Andreessen, the founder of Netscape, I said, ‘Huh, if this young guy, who just graduated from Urbana-Champaign, could do a startup, why shouldn’t I do a startup?’ And that’s what led me to do these things.