SiliconANGLE theCUBE
Jay Chaudhry explains one of the biggest advantages for attackers...inertia
Clip Duration 00:47 / July 20, 2023
Zero Trust in the Supercloud | Supercloud 3
Video Duration: 26:25

Welcome back to Supercloud 3, everybody. We're digging into all things cloud, multi-cloud, Supercloud, AI, and security. We're pleased to welcome into our studio Jay Chaudhry, the CEO of Zscaler, along with the CISO of Zscaler, Deepen Desai. Gentlemen, thanks so much for coming in live to the studio. Really appreciate it.

Well, thank you for the opportunity. I have often enjoyed our conversations.

Yeah, so ditto. We want to get into the state of security, but before we do it, John and I were talking, 'cause, "Dave, you know, there's zero trust thing. It's still a little fuzzy to me. Can you explain it?" I said, "You know what, why don't we have Jay and Deepen explain it."

Of course. Here, zero trust is a big departure from 30 years of old network security architecture, and it's like going from traditional cars to electric cars. They're very different. The traditional architecture said, let's put people on the network so you can move around and find applications and life is wonderful, but it is wonderful for bad guys too. Zero trust says, I won't trust you, I will only connect you to a given application or service, period. You never own the network, so you had to build a different architecture. That's why firewall and VPN based architecture doesn't work. Unfortunately, the legacy network security vendors are scared of getting disrupted. So they want to co-opt the zero trust terminology to confuse their customers and claim that they are zero trust too. That's what's the root of all this confusion.

So Deepen, as a CISO, every CISO I talked to is now on a zero trust journey. They weren't so much before the pandemic, but now they're leaning in in a big, big way. There's some challenges. So what are the challenges that you see and how are your colleagues overcoming them?

Yeah, so I do speak to a lot of CSOs, global CSOs around the world, and I, I'll share a funny comment that I heard at RSA a couple of months back: "Hey, we have implemented zero trust for all our remote employees," right?
There's no, there's no concept of implementing zero trust at one place and then having the traditional network at the other, right? A simple thing that I always call out is, if you have true zero trust architecture implemented, it should satisfy the three basic principles, which is: never trust, always verify. Number two is least privileged access. And number three is assume breach. With those concepts in mind, the way you should look at your strategy is, number one, is my zero trust security solution allowing me to reduce my external attack surface? Number two is, am I able to enforce consistent security no matter where my users are, whether they're at home, whether they're traveling, whether they're in the office? It should be consistent, with full TLS inspection. The third piece, and this goes with the assume breach scenario, where if one of my users were to make a mistake and his machine is compromised, I want to contain that blast radius. This is where the lateral propagation, reducing that with proper user-to-app segmentation, deception, things like that, that will prevent that attack from becoming a breach. And then finally, everyone is after your data. So your zero trust security solution has to help you consistently inspect anything that leaves your assets, whether it's endpoint, workload, server environment, and allow you to prevent any kind of data exfiltration.

I have to ask you, you're a very cogent speaker and, and quite eloquent. Do you spend most of your time internally in security at Zscaler, or on sales guys out in the field?

Okay, so, so, so let me, let me share this. I am the internal CISO. We do have a beautiful version of me. There are 12 field-facing CISOs. I, I'm usually called in when, when they want to go down in the weeds on how to implement certain things. So my conversations are more tactical, on how to do it, rather than big picture stuff.
You know, Jay, I want to get into the, your point about zero trust and Supercloud. Security plus AI is the topic. The market growth still isn't. Security is well outpacing other parts in, in, in tech. Some companies have a tailwind with this new network architecture and AI, some have a headwind. What's the difference between the, the winners and, and I won't say losers yet, but the people who are winning, doing the right things? From a customer standpoint, what are they doing differently with security and now data and AI? AI is obviously new but not new. Been around for a while, but certainly it, it's data, right? It's scaling. There's observability out there. What's your vision of the winners?

Yep. So at the end of the day, customers want their business to be agile, competitive, secure, and cost-effective solutions. Every new technology comes to help in those areas, but over time those technologies kind of lose their benefits and values. Then the new technology, new innovations have to be invented. We've seen mobility helps; IoT, OT, cloud has been helping every year. Technology incrementally gets better all the time, but disruptive changes come every 20 to 30 years. So AI is a disruptive change, even though it built over time. Cloud was disruptive. Similarly, security and network is being disrupted for the first time in 30 years. The architecture we use today for securing with firewalls and castle-and-moat goes to early nineties. So companies like Zscaler who built a clean architecture for the new world are winning. Companies who are based on firewalls and boxes is like, I like to call them like DVD players. They're bound to lose, but they're trying to put their DVD players in the cloud and call themselves a Netflix. Huh? You don't become Netflix.

Maybe Hi8 tape. It would maybe be a better version.

No, but I mean the perimeter's dead. Okay, so the perimeter's dead, right? That's key. Now you have a surface area. Yep. That's expanding. You got hybrid.
Yep. Which is gonna go edge. Multiple clouds. That's Supercloud, huge surface area.

Yeah. So yes, it's huge surface area. If you look at the old world, in the old world, every branch office would have a firewall that says, I am here, come and attack me, or I'm here, connect with me. In the world of Zscaler with zero trust, your surface area literally disappears because your assets, your employees, your service are hidden behind our cloud or switchboard. You only get connected to the right party. Maybe I'll give a metaphor. If you want to talk to, if you want that your 500 friends should be able to reach you, you can publish your phone number, they'll find you, they'll call you. But a million other people who you don't want to talk to will also call you not spam. We all hate it. And that's how things work today. You publish your application on the internet, people can, can find them, connect with them, but many people can DDoS them. Your attack surface keeps on growing. And in the new world, suppose you hired a switchboard service, you say, I will only take phone calls from these 500 people and no one else. So the right party gets connected to you; all others are dropped. In the same way, we hide customers, application, branches and all from the bad guys. The old model, every branch has a firewall. The new model, your branches should go dark. There's no listening port to the internet. They're all hidden behind us. So attack surface almost zero is what we advocate.

It's, it's, it's unlimited surface area, but hidden to the bad guys.

Exactly. It's the best defense. Yep. Even hidden to the good guys. The good guy only gets connected to the party without divulging where you are, what your IP addresses are.

Yeah. So you have to protect yourself from everybody, not just the bad guys.

Exactly.
Let's talk about AI a little bit, Deepen. And everybody says, every company, whether the buyer or seller, says, well, we've been using AI before ChatGPT, of course. But, but how are you using it, and, and what has the, what I sometimes call the AI heard around the world, how has that affected how you think about AI and deploying it?

Right, so, so we've been using AI/ML for several years now. Our product has several use cases addressed where we, we identify new polymorphic malware payloads. We identify previously unknown attacker-controlled server destinations. We also leverage it for flagging phishing attacks. Now with the generative AI aspect coming in, we have also started investing heavily over the past six months in the customized large language models. So the goal over here is, generative AI solves certain use cases very well, where you can ask a question, it converts it into code, and it will simplify the overall product experience for customers. But if we are able to merge that with the predictive AI, then there are several different use cases that you will be able to address. One of them that I'm personally driving is where we're trying to predict breach scenarios, even before they happen, by using the telemetry that the product provides.

I was gonna ask that question. I mean, everyone's hoarding term, telemetry, observation data, observability up and down the stack. Sometimes they don't even get to it, right? I mean, how much of that is actually used is the question that always comes up. And when people are off camera they say, oh, about 15% of it.

That's a big problem. And it's the quality of data that matters too. So, so first of all, every company will use AI, otherwise they'll go out of business. So there's no such thing as, are you an AI company or not? Yeah. It's like 10 years ago you used to say Zscaler is a cloud company. Now every company is trying to be a cloud company, but the one who had the right architecture will succeed.
The one with the wrong architecture will wither away. Now the most important thing for AI is the data. Now data combined with domain expertise and, and data scientists will make it happen. What's unique about Zscaler, right? Why, why are we so excited about it? Think of the breaches. Before any breach happens, there is a reconnaissance activity that goes on. They go 9/11, before 9/11 happened, there's so much reconnaissance going on. If they really acted on it, these PI guys were getting pilot trainings with certain kind of, you could figure it out if they really could make sense out of it. We are like a switchboard. We sit between all communication for every user to every application and application to application. So what do bad guys want to do? Reconnaissance. They want to ping you, they want to send certain things. All of that communication goes through us. So being able to leverage 300 billion transactions a day that give us logs and over 500 trillion signals, we now can leverage AI/ML, combination of predictive and generative AI, to predict breach and actually tell our customers ahead of time so they can take steps. I'm excited because this couldn't be done before. And with all the data we can put it to use.

It's interesting. I mean, I love your company because you guys are ahead of the curve, always been, in, in security. You gotta be where the puck is gonna be in the future. Yep, yep. Where is that puck gonna be again? What's your vision now? Because again, you're leveraging your data. Yep. You probably were before, but now it's even more valuable. Yep. That you got synthesized that data, you train it, you infer from it. Yep. That's the new context and behavior. It's inference and training. Yeah. So where's the next move for you guys?

We are looking at where things are headed. There's a cyber side of it. There's a non-cyber side of it. I'll give you one example of each. In cyber, it's getting easier for bad guys to do bad things.
If I wanted to know your attack surface for internet, which means all the branches, all of your IP addresses, firewalls, VPNs and all, it could take a few hours before, or maybe a few days. Now you ask a question about giving all attack surface for this company. It shows up in minutes, so the job gets easier. So AI is going to help bad guys. But companies like Gird, also smart people who can figure out the defenses against it. So we are building defenses ahead of them. The other part is, the bad guys may have open source public data about attack surface. They do not really have any of the internal data that belongs to a company. We combine external data with the inside internal communication data to come out with better defenses. I think that's our key. That's why a forward-looking, progressive customer, they jump on us. That's why over some 45% of Fortune five companies, they trust Zscaler.

Put the magnitude. One more question on, for the CISO: to get ahead of the defenders and the offense, you gotta be better than them. You gotta think like them and think, be smarter than them. How do you do that? How does a company do that? And that's the CISO opportunity for you to be better at defense. How do you beat the bad guys?

So, so being a CISO at a cybersecurity vendor, I, I have a lot of advantages with this. Number one, Jay kind of called out, it's the visibility that our platform provides. We have visibility across the full kill chain. So we're able to see phishing attacks, we're able to see exploitation, we're able to see malware payload and post-infection activity. We're able to spot where these threat actors are changing and evolving their TTPs (tools, tactics and procedures), including leveraging machine learning models in many of the cases. Leveraging that visibility combined with the telemetry that we're collecting. And then I have a global team of security experts across seven different countries. So it's a round-the-clock model.
We're leveraging this intel to then learn, train our models, and then deliver high-efficacy security control.

I, I wonder if I could ask you, I felt as though prior to the whole ChatGPT announcement that technology vendors like yourselves had an, an advantage 'cause you had access to that technology. Ultimately, do you think that attackers or defenders will benefit the most from AI?

No. Tell you why. Because we got smart people figuring anything out. Now, hackers are smart and passionate too. I think that big challenge is inertia in large companies. I'll tell you an interesting dialogue I had with the board of directors of a very large bank out of Asia, and one board member said, Jay, you are sitting in the US leading this number one company. But some of the largest American Fortune 100 companies are getting breached. They got technology, they got money, they got all the know-how. Why are they getting breached? If they are, what hope do I have, was the question. I had to think about it for 30 seconds. Then I said, all that is true. The biggest thing that's holding large corporations back is inertia. Think of inertia as a very powerful thing. People are comfortable, keep on doing what they're doing. The biggest thing we face is lots of people saying, I have done my firewall and network for 30 years. Sometimes job security comes in, sometimes lack of comfort comes in. And I think part of the thing is to really educate our customers to make sure they start embracing, they start taking benefit of it. Otherwise the best technology doesn't get properly used. That's the biggest risk.

The pandemic was somewhat of an awakening there. I mean, we have a data partner, yep, called ETR, and, and we look at a couple of dimensions: momentum, spending momentum on a platform, and the penetration in the market.
And we would take companies that had high spending momentum and high, high penetration in the market that showed up in the data, and we give 'em four stars. And Zscaler, when, when we first started to do this, it was, it's, and it's still, Zscaler, Okta, CrowdStrike, Palo Alto and Microsoft were always consistently the four stars. So I have a competitive question for you. Last week I was in the studio all week preparing for Supercloud, doing some pre-records. I came out and my guys, it was like quarter of four East Coast time, the market's just about to close, and they yelled to me, security's getting hammered. Microsoft made some announcements. And so I, I looked at what they announced and I kind of shrugged. I'm like, Microsoft, they've always been in security and they're sort of ubiquitous. And so I called up a bunch of my friends from, on Wall Street and said, I, this is a buying opportunity. I mean, I'm not gonna trade, but you should think about it. And of course, you know, the market settled down. Yep. What do you think about that competitive threat? How did, did you get calls on that? How did you respond to the market?

Yeah, we did get calls from many investors. Investors get nervous sometimes, but if you, and, and part of the logic they said was, well, Microsoft went dropped or endpoint has gone far after identity. They can go ahead as well. I think the, the big difference is following: Microsoft leverage Windows for Windows Defender, they'll leverage AD for directory. To do network security, to do zero trust, you must stay in the traffic path for all traffic, in line. It's more of a network analysis play rather than identity play. Sitting in line around the globe, inspecting traffic at speed, detecting threats and all without introducing latency is a very different core competency than being an application company and the like.
So I think it's, it's a very different play, and I think for anybody to really do this requires a little different kind of skill set or mindset.

So that brings us to sort of multi-cloud, cross-cloud, Supercloud. What's your, what's your vision for what we call Supercloud?

So the world will be in this Supercloud model where there are multiple cloud providers, there are edge clouds out there, there's data center. And there'll be plants and factories where lots of work will be done. So in these things need to be, need to access information from each other. In the old world you would've said, I'm gonna have a network that connects everything like a US highway system. Once I get on I 18 San Francisco, I could reach New York, Miami or Dallas without hitting a single light. So can bad guys. So I think this communication among the Supercloud entities needs to be through zero trust exchange, where this exchange says, based on a policy, this party can access this application. That party may be a user, it may be your workload, or it may be out your device. I think zero trust is ideal, and AI will play a more role because zero trust architecture is collecting data. The data needs to be processed and applied to the policies in more dynamic fashion. Where we are seeing some, some strange behavior and saying, huh, this party is connecting this party but there are some unusual things going on. Stop it. Those are the kind of things we are doing, which is very natural to Zscaler.

Is that data open or is that gonna be for proprietary data? How do you look at the data sharing?

So, so very good question. Companies that offer free services, their data is for sale, often ads and all that stuff. Whether Zscaler or ServiceNow or Salesforce, we charge for our services. The data is only meant for our customer. We don't sell it. Now for security, our customers want us to anonymize it and use it to detect all these bad things, 'cause all of them benefit from it. But the data is private.
There's no ChatGPT access to the kind of data we are talking. Yes.

Data is, data's the value. Yes. My final question, and I know time's tight, but I want to ask 'cause it comes up a lot in my conversations. A lot of companies that we talk to want to partner with you. How is your posture with partnering with people up and down the stack? You got a good position, you're doing extremely well on the business side. Love that traffic flow. That's the footprints. Yep. People are moving around, getting that flow. Yep. You can see the packets. That's the root of trust.

Absolutely. So, so we believe that the world of hundred security products, CISOs hated it. They called them appliance overload, fatigue with security boxes. But on other extreme, there's no such thing as God's security cloud that does everything. We think the market will settle around the best-of-breed platforms where each platform does its best. So we have focused on being the best switchboard, the best exchange, and we partner with vendors such as vendors in the identity space. Okta has been a partner for a long, long time with identity, with endpoint vendors, with networking vendors and the like. So we have over 100 partners. We have certified their work with Zscaler platform.

Are there, are there new kinds of partners that may emerge in this preferred future as you skate to the next puck, where it's gonna be in the future? You see a new kind of partner emerging?

Yeah, so one new kind of partners that emerge, and I already see dialogue going on, is building application on top of the 300 billion transactional logs we are doing. So different applications can be written. We will write some, partners will write some. Together, they're gonna help our customers.

Are you suggesting, Jay, that the narrative of consolidation is maybe a little bit overplayed, that really best of breed is ultimately going to win?

Or no, best-of-breed platforms.
So probably a handful of platforms that do the best job, but trying to have one vendor be the best in each area won't help. So for example, take endpoint security. This is a different kind of expertise needed. That's where CrowdStrikes of the world do very well. We are the best one to be in line. So that's why we work together. But a firewall company trying to say, oh, I bought this endpoint company so I do it all. Have you seen that kind of thing happen? Every firewall company has an endpoint offering. Never seen them out there. So I would rather be in a few areas and be the best, or partner with others.

So you can't be all things to all people. Right. And best of breed in each of those different sectors. Within a pretty broad sector you, you can be, but you can't. And from a CISO's perspective, that's how you wanna buy it.

It is extremely important to have that these segments defined where there is consolidation happening, and I'll talk from threat perspective, especially in case of ransomware attacks where these things move so quickly, they're able to encrypt, say, a hundred thousand files in, in an organization within five minutes. So if you have best-of-breed point products and you're relying on a third product to correlate and generate a signal, or, or rely on your team to generate a signal, it's game over. So that's where having that platform in place that's able to feed the signal and take action at the time the attack is happening becomes very, very important.

You know what I find interesting but also challenging at the same time in the industry, love to get your perspective, is security is like a pro sport, right? The speed of the game is fast. Yep. So entrepreneurship is harder. You can't just start a company and get in the game and be defending at scale. And certainly as the data starts coming in, where there's a value there at scale and speed, it's a speed game. The pace to defend is so fast. Yep. It's like pro ball. Absolutely.
That's, what's your reaction? What's the opportunity and challenges?

That's where I think I see Zscaler best position. We have built a platform. We are still acting like a startup in many, many ways, and, and we do pick up some of the startups who bring some new ideas and integrate them in our platform the right way.

That's the way I think about it, and I wanna just follow up before we end, is that the startups all wanna know one thing: love Zscaler, where's the white space? Where can I win? Because I wanna play pro ball, but I don't wanna do all the heavy lifting. Yep. To get to the, yep, acceleration.

So if you look at some of the example I give you, recently we bought a company in the SaaS supply chain space. While we have been really offering solution that tell you if this SaaS company like Salesforce, ServiceNow configuration, misconfiguration alike, and then Salesforce connects with 40 other SaaS companies out there and probably 30 of them are small startups. Are they properly, do they take a risk and whatnot? So we bought a company that extends a SaaS risk beyond to the other party that connect. So it's adjacent space. The hardest thing to figure out is the new threats that are coming on new angles. We love to partner with companies who are in that space.

So you say it's you, so you would say that you enable startups.

We'd love to, yes. And we are investing in startups too.

And, and you mentioned some M&A. What, what's the climate out there like now? I mean there may be some, must be some good opportunities. Bargains everywhere for you guys.

Lots of them. The number of calls, inbound calls, have kind of quadrupled or maybe higher than that. The key is finding out what's real, what's not. In fact, lately there's so many calls coming out, I am the AI company. Okay, I got an LLM bias. Tell me the data.

Guys, it's such a pleasure having you in our Palo Alto studios. Thanks for your time and, and your insights.
Really appreciate it.

Gentlemen, thank you for the opportunity and hope to see you again.

I hope so indeed. Thank you guys.

Indeed. Our pleasure.

Okay, keep it right there. Dave Vellante and John Furrier will be back. John had Kit Colbert in the studio last week, one of the original Supercloud advocates. Stay tuned. Watching theCUBE.