Zscaler CEO Jay Chaudhry’s 10 Boldest Remarks From BoB Virtual

From why the cloud is safer than on-premises to VARs walking away from large box vendors to the need to protect workloads like we do applications, here’s a look at 10 notable statements made by Zscaler CEO Jay Chaudhry.

Out With The Old, In With The New

Zscaler was in the right place at the right time when COVID-19 struck, making it possible for the large cadre of newly remote workers to safely and conveniently access internal and external applications. The San Jose, Calif.-based cloud security vendor has notched a $25.89 billion valuation after nearly tripling its stock price over the past year, and is expecting to grow sales by 41.4 percent in the fiscal year ending July 31.

“When I started Zscaler, at that time the market wasn’t ready for it. But I could see the market was coming,” Chaudhry said. “Starting it early on gave me time to build a great architecture that scales. And as the market got hot, we were there way ahead of anybody else.”

In an interview at Best of Breed (BoB) Spring 2021, a virtual channel thought leadership conference hosted by CRN parent The Channel Company, Chaudhry discussed why the cloud is safer than on-premises, why legacy security vendors spinning firewalls in the cloud will never succeed, and why VARs can safely walk away from large box vendors.

From the shortcomings of containers to partners embracing new types of services to the need to protect workloads like we do applications, here’s a look at 10 of the boldest remarks Zscaler CEO Jay Chaudhry made in an interview with Steven Burke, CRN’s Executive Editor, News.

Castle-And-Moat Approach Provides False Sense Of Security

Why are we spending billions of dollars on security and why are we still getting hacked? I think it seems like a tough answer, but it’s not. I think we’re getting a false sense of security doing security the way we started doing 20 years ago. The world has moved. We are still doing this castle-and-moat security. You are inside my firewall, you’re safe. You’re outside it, you’re not safe.

So this data center-centric approach, network-centric approach is broken. And the applications have left the castle. Users have left the castle. And we are still protecting those empty castles. I think until the enterprises wake up and start saying, ‘I must do security very differently’ - which is where zero trust comes in - I’m afraid we’ll keep on seeing these security hacks …

In spite of a lot of discussion about zero trust, a lot of enterprises are still doing castle-and-moat security and thinking then they are safe … We are buying billions of dollars’ worth of firewalls every day. If you buy a firewall, it is network security. It is castle-and-moat. Because zero trust means no firewalls, no moats. Zero trust is literally a switchboard concept. Everyone is untrusted, users are untrusted. They come to the switchboard, they validate who they are, and the switchboard connects them to the right application or service.

I think our enterprises have a false sense of security. I think it’s a job of security vendors like us; it’s a job for our partner channel community to really understand this and help our enterprises. It helps them with their security, and it helps us grow our business. It’s a win-win proposition.

Cloud Is More Secure Than On-Premises

When you’re a successful cloud company, you have to put in resources and make sure everything is done right to protect. Each enterprise, even if they’re large, don’t quite have the budget to be able to do so. And plus, there’s such a shortage of security experts. I mean there’s a huge shortage out there. And you can’t afford to have it.

Now having said that, we need to make sure when we use cloud services, we are properly configuring those services. It’s like, ‘I got this beautiful palace, it’s very safe, but the back door is open, the side door is open.’ Then it’s not safe.

We’re seeing compromises like what happened with Capital One a couple of years ago. Things were not configured right, the doors are open, and that type of stuff needs to be done right. And that’s where we start offering products that make it easy for you to assess if my cloud workloads are configured properly or not. Because to do it otherwise takes so much time, and people don’t do it. And our job is to help our enterprises to become safe.

No Roaming The Network Without An Escort

With Zscaler Private Access, you connect a user to an application, not to the network. If you connect to the network, it’s like I let someone come into my headquarters and - without escort - go wherever you want to go in the building, which is a dangerous thing. So we require an escort to take you to meeting Room A. The meeting happens, and you walk out.

In the same way, we connect users to specific applications that minimizes where a compromised machine can go. Our readers should read this article about Maersk, a big shipping company. They had a ransomware attack called NotPetya. It compromised one machine. Within an hour or two, everything around the globe was down. That’s because they had this flat network using firewall-type of castle-and-moat security, which is very dangerous …

Zero Trust Exchange is our platform, it’s purpose built. It basically starts by saying, ‘Don’t trust anybody by putting them on your network.’ It’s like I won’t let anyone come in my castle and wander around. If someone needs to come in the castle, I’m going to take them to Meeting Room 23 if that’s where the meeting is. Then I’ll escort them out. Period.

So Zero Trust Exchange has the functionality where users can go to external applications like SaaS or open internet securely without getting infected and without worrying about phishing and ransomware and the botnets of the world. Or they can go to internal applications without worrying about having to turn on VPN, which can slow them down. But when they do so, they’re only talking to the applications they’re supposed to talk to. Hence, we are reducing the attack surface. You’re really improving your business risk posture. That’s the fundamental thing we’re doing with Zero Trust Exchange.

Workloads Must Be Protected The Same Way Applications Are

Enterprises are still spending millions of dollars in security appliances that are designed not to be operated very often. So that’s where the damage is coming. The faster they move to the cloud, the cloud can do real-time protection that appliances won’t do. And that’s the biggest thing that needs to be done.

Enterprises don’t need to detect threats. It’s a job of vendors like us to really figure that out. And then we cooperate. We have partnerships with 60 other parties. We do threat information exchange and the like. Because no one knows everything about these threats. So our customers are very happy with the kind of efficacy we have to reduce their business risk …

While we have done very well with zero trust for users to applications, the same thing needs to be done for workload to workload communication security. Today, when customers take workloads and build them in the public cloud, guess what? They do the old school network-based approach.

One infected workload can infect thousands of other workloads in the cloud. Then you can try to say, ‘Cloud is bad.’ No, it’s not the cloud that’s bad, it’s the network security that’s bad. So you need the same Zero Trust Exchange so Workload A can talk to Workload B through the switchboard server. That’s really what we are investing in; we have products available, and we’re expanding our products.

Partners Must Embrace New Types Of Services

There’s a significant revenue opportunity for partners in this too. Because partners need services. Reselling only brings so much value. I think what I have seen is, in the security space, there’s too many partners who just fell in love with selling boxes and some deployment services that go with it. Yes, deployment services are good, but boxes are moving away.

But there’s a bigger opportunity for bigger services to help customers move to the cloud. There’s a transformation of security needed. Because you’re not replacing one box with a faster and better box. You’re doing things differently. If I need to send traffic from 300 locations, how do I send traffic to the cloud? Customers need help.

I need to set up authentication services to go to the cloud. How do I do that? I need to configure policies. There’s so much opportunity. Partners who are smart, they are building, they’re embracing new type of services. Partners who are hoping that things will remain the same, they’re hanging onto professional services for deploying boxes …

Shake off that inertia. Look at the best solutions. No matter how smart you are, you can’t take a mediocre product and be successful with it. You shouldn’t have to sell the product; the product should sell itself. You should be adding value and delivering around it. Pick a few partners; pick new technologies that are meant for the new world; learn services around it. They will be a different kind of services. And you’ll be successful.

Legacy Security Vendors Spinning Firewalls In The Cloud Will Never Succeed

One [type of partner is] held back by inertia. And the second is a forward-thinker and progressive partner. A progressive partner says, ‘The world has changed. Old legacy technology won’t work. Let’s embrace Zscaler, and then let me figure out the new kinds of services that Zscaler offers.’ Because it’s not the same kind of box deployment services. They move on.

They’re very good partners. They’re generating lots of business for us, and they’re generating lots of services for themselves. But there’s other kind who are kind of saying, ‘Well, I can take this box and spin it in the cloud and it kind of works.’ I like to say, ‘You’re trying to build a Netflix streaming service using DVD players. It just doesn’t work.’

Siebel Software tried to spin VMs to compete with Salesforce. PeopleSoft used to dominate in HR services, tried to spin virtual machines to compete with Workday. We know what happened.

In the same way, my message to my partners who are reading and listening to this is, ‘The legacy security vendors who are trying to take the firewalls and proxies and spin in as virtual machines in the cloud will never succeed. You need to embrace cloud-native services that are meant for the cloud; and our business model is 100 percent partner centric.’

Partners Will Wake Up And Realize That Legacy Approaches Aren’t Working

For the last 10 years, we had lots of competition. Where did that competition come from? It was Symantec, Blue Coat, McAfee, and Cisco for the web gateway. Now they all were appliance vendors. When they saw Zscaler’s success, they essentially started to build, spinning this appliance service in the cloud. It didn’t work. So they’ve kind of gone away.

Now we are seeing firewall companies try to do the same thing. I think when you don’t have the right architecture, you don’t work, you don’t scale. And that’s why I think the partners who wake up sooner rather than later to say that the legacy approach is not going to work, they will embrace companies like Zscaler and will be successful.

We have many partners who are smart, who have taken up Zscaler for cloud, companies like Okta for identity, and CrowdStrike for endpoint. They’re taking the best-of-breed modern platform, and the customer needs help to put it all together and deploy it. There’s tons of opportunities for them, and we are investing.

Legacy Vendors Moving To The Cloud Was The Worst Of Both Worlds

We are big believers in doing what we do best and partnering with third parties. As I mentioned to you earlier, in identity, we have a strong partnership; in endpoint, we have a partnership. So it helps all of us, it helps our customers. Because when companies try to say, ‘I am doing your gateway. I’m doing your security analytics. I’m doing your endpoint. I’m trying to do it all.’ They really don’t do it all. They do none of them well.

For example, I have been asked and people say, ‘Why didn’t you get into the endpoint business?’ I say my core competency has been the switchboard. I got great partners in the endpoint business. So we integrate, we work well together, and we go to market together as well. That helps both of our companies …

Any of the proxy vendors - take the Symantec’s of the world, the McAfee’s of the world - they tried to make cloud work, along with appliances. And so their message was, ‘I’ll give you the best of both worlds, the best appliance and the best cloud.’ Well, frankly, it was the worst of both worlds.

All those customers are essentially coming to us. Every quarter, when we announce some of the wins, most of those customers have already tried a cloud version of these appliance vendors. It’s back to DVD players trying to deliver you Netflix streaming service. Can a demo work for it? Yes. Can it still in real life? Not really.

Containers Are Good For Developing Apps, But Can’t Secure The Cloud

The vendors will talk about containerized security as a gateway. It’s another fancy name. It is essentially they’re operating via virtual machines. A single tenant architecture for a security vendor will not work. Imagine if Salesforce had to create a virtual machine for each of its 200,000 customers and update each virtual machine. It’s impossible.

You’ve got to have a multitenant architecture if you want to be a cloud provider. And that’s what we have done. That’s what sets us apart from everyone else out there …

Containers are very good for developing applications you need to use in your enterprise. So I would encourage every enterprise customer, containers are leaner and better than virtual machines. They have less overhead. But for a cloud security provider or a SaaS provider, if they don’t build multitenant, they will not work well. They will not scale well.

VARs Can Safely Walk Away From Legacy Box Vendors

In the past 12 months, we’ve seen a significant change where partners realize that the change is happening. So we’re getting a lot of inbound calls. As a philosophy, we’re not going to say, ‘I want to go after 2,000 partners.’ I want to go after X hundred partners who are focused, who are willing to invest with us, and we will invest with them.

And the joint goal is helping customers and raise cloud network changes and security changes. I think for that, they need some new skillsets, because traditionally they don’t have it. We are investing in training our partners. We’ve got certification programs. We will cross-sell, we will work with them. And we’re seeing a lot of success. I’m always selective. Either I do something well or I don’t do it at all …

I will put channel in the following buckets. There are service provider channel partners who have been working with us because it is for network transformation. They play a role there. Then there’s system integrators, some large, some smaller ones. They have a big role to play. They actually in many ways are better suited, because they actually do integration work, less focus on reselling. So they are actually good partners for us.

The third area is VARs. That’s the biggest channel out there. And I see some VARs are still fixated on boxes. Other VARs are moving and realize they need to change. So we are actually spending a lot of time and effort on working with VARs who actually have good customer relationships, and their customers are asking for help. And we are there to show them that they can safely walk away from legacy box vendors and come and work with us. Yes, they may see a lot of pain for a quarter or two, but their business will grow in the long term.