Cloud security doesn’t raise alarm bells: Jay Chaudhry, Zscaler

The shiny network appliances in organizations’ security infra are irrelevant as cloud is now a professionally managed utility, says Jay Chaudhry, founder & CEO at Zscaler.

A serial entrepreneur, Jay Chaudhry has been introducing visionary innovations that address the demand for securely enabling emerging technology trends--innovations such as the Zscaler global security cloud for distributed and mobile enterprises. He has more than 25 years of security industry expertise, including engineering, sales, marketing and management experience with IBM, NCR and Unisys. IDG India had an extensive chat with Jay Chaudhry, CEO, Chairman & Founder, Zscaler during his India visit in the last week of May 2018. He discussed his entrepreneurial journey, cloud market and Zscaler blueprint.

Edited Excerpts

Your journey from schooling in Chandigarh to being a serial entrepreneur in Silicon Valley to the Zscaler IPO on NASDAQ is a dream run. What do you envisage as the next growth phase?

It is hard to believe when I reflect back. I've been a very lucky man and a great example of the American dream. I was born and raised in a tiny village in the foothills of the Himalayas. My village had a population of 800. We got electricity in our village after I finished eighth grade. We got running water when I finished 10th grade. I sat in a car for the first time after I finished twelfth grade, and I flew on a plane for the first time going to America for my master's.

Looking back and being able to create a leading-edge cloud security company to enable cloud transformation of the world’s largest corporate customers is very satisfying. But it is all driven by having a great team who really does the execution. Ideas are wonderful, but they are a dime a dozen, and the execution by a great team is key to success.

Jay Chaudhry's 4 Success Mantras

1. Explore ‘first-mover’ advantage, as a me-too company is passé.
2. Willingness to take risks, think bold and then act bold.
3. Wonderful ideas are a dime a dozen, but execution by the team is key.
4. Take a sustainable leap, else the competition will wipe you out soon.

There would have been many a hiccup on the course.

This idea was phase two of my previous two ideas. The first idea was to work in an American enterprise. After reading about the Internet and the Netscape IPO, the next dream I ended up with was building and eventually selling start-ups. It was kind of a lucky accident because I failed to raise VC funds. Hence, in January of 1997, my wife and I decided to put in our life savings, which was probably the biggest and the best gamble of our lives. It was one of my first companies. SecureIT was started, and once that became successful I said, this can’t be a fluke, so let's try to do it again.

And I ended up doing three more successful startups, and I had no more interest in doing one more startup. But I thought about changing the industry that fixes the security issues. That’s how Zscaler was started, and now it’s a publicly listed company, and that dream has come true. The next milestone is to take this company to a billion dollars in sales. Very few security companies get through that kind of scale and size.

Cloud was very nascent in 1998, with a low adoption rate and the security industry trying to find a footing. What made you bring cloud and security – often viewed as chalk and cheese – together to form Zscaler?

I have always looked at ‘first-mover’ advantage, to do something that people haven't done before. A me-too company or venture doesn’t appeal to me. In 2008, I asked myself simple questions, as the Internet was already a big source of information.

As apps and services move to the internet or cloud and users become mobile, why should security only be restricted to the data center? Security must be done in the cloud, which was the pretty simple idea behind Zscaler.


Jay Chaudhry, CEO, Chairman & Founder, Zscaler

The second was about SaaS applications. I have been using Salesforce and NetSuite in my startup since the year 2001, when each of them was under USD 10 million in sales, and they have been wonderful applications and very successful. More apps will move to SaaS and so on.

The third question was that everyone was mobile with laptops. We were using Blackberries, and the iPhone was released that year in 2007/2008. The users would become more mobile. As apps and services move to the internet or cloud and users become mobile, why should security still be restricted to the data center? I said security must be done in the cloud. That was the pretty simple idea behind Zscaler.

Zscaler has emerged as a bigger thorn for hardware-driven vendors that sell security boxes to organizations.

Security has many segments including endpoints, but the biggest chunk is network security, which is approximately USD 17 billion as per IDC. On a corporate network, users are on the network applications and the castle is built with security appliances. That was wonderful when the apps were in the data center and the users were on the network. In today’s world, applications have left the data center, users are no longer sitting in the office, and that’s now a problem. You don't control the network, as the network is out there with Microsoft Office 365 or Salesforce as an example.

We don’t believe network security makes sense, and the new notion is to securely connect a user to an app, no matter where the app is, where the user is, and what device they use. Zscaler is like a policy engine that resides across more than 100 locations around the globe. No matter where you are, you simply connect to our policy engine and we look at the business policy and securely connect to where the internet traffic needs to flow. That's a very different approach, which CIOs and CSOs find appealing with Zscaler.

Stellar Timeline of Serial Entrepreneur Jay Chaudhry

1. 2008: Founded Zscaler as the global security cloud for distributed and mobile enterprises.
2. 2006: Founded and led AirDefense, a wireless security pioneer, before its acquisition by Motorola.
3. 2000: Founded and led CipherTrust, the industry’s first email security gateway, before its merger with Secure Computing.
4. 1998: Founded and led CoreHarbor, a managed ecommerce solution, before it was acquired by USi/AT&T.
5. 1996: Founded and led his first company, SecureIT, first pure-play Internet security service, before it was acquired by VeriSign in 1998.

Inertia does hold us back at times, as people do things a certain way and there is a lack of real competition. Zscaler has tons of competition from the appliance side, as they all talk about appliances. But when a customer says that they have a cloud too, they put these appliances in a data center and call it a cloud. It’s like you can take power generators designed for home use, put them in a factory and term it a power plant.

Most vendors don't push the organizations for cloud security. Hence I wish we had more competition to really talk more about it. Many large customers, like the GEs and Siemens of the world, do help us garner a lot of word of mouth, and the Zscaler business is growing at a pretty fast pace.

When you talk about customer data, is it stored in third party data centers of say AWS or Microsoft Azure? 

We actually can use AWS, Azure. But for performance reasons, we mostly don't use them. When a company’s employee goes to Facebook, Gmail, Salesforce, Office 365, any of these places, all traffic goes through the Zscaler network. So there's tons of traffic we control. We are almost like an X-ray machine to figure out what’s good and what's bad with a full inspection, without slowing down traffic flow. It’s performance at scale and robust security without compromise. There is a need to ride low-level software such as the TCP/IP stack to get the performance. Hence we want Zscaler gear to run as close to the metal as possible. Because of that, most of our data centers are using colos. We have Zscaler hardware and software at over 100 data centers across the globe.

With CIOs becoming business strategists and buy-in spread between IT team and business stakeholders, who’s the actual buyer or an influencer at the end customer for Zscaler technology? 

It depends upon the type of application, and the ITDM changes. When an enterprise has to buy a Salesforce CRM, it is largely the sales team, not IT. When you buy a marketing system, it is the marketing department. When it is analytics or branding, it's not IT, but when it comes to common shared things it is the IT team. When the decision is moving to Office 365, then the CIO is involved, and the decision to remain secure means the company’s CIOs and CSOs are involved.

The CIO role has evolved as an enabler with an important role in business functions. Some CIOs are also promoted to chief digital officer, and that is why we work with them to help them with that transformation, driven by the need to be agile, and security has to be baked in. The security folks are generally not the leaders, because business drives the need for applications, which is most of the time under the CIO. Thus the CTO comes along and the CSO must agree too, which then becomes a three-party equation in which the CIO and CTO take the lead.

Do you see the expectation list of CIOs and CSOs globally change over the years from the security vendors in terms of IT architecture, security policy, hand-holding, to name a few?

It is much broader than an expectations list, because the whole ecosystem of vendors is being turned upside down. In fact, the security segment today, I believe, will cease to exist. Firewall is a big thing in the cloud world, but where to put firewalls for some functionality in the network and infra becomes a challenge. The biggest change in the mindset of CIOs and CSOs is finally emerging to the level that they no longer need to buy and control security or IT gear. They need the IT services and the partners that actually deliver results.

CSOs and CIOs earlier were very uncomfortable giving up control of servers, storage, security. But they are waking up to the fact that computing is not their core business. Any new technology starts as a cottage industry, but eventually matures to become a professionally managed utility. Power generators invented for house use were bought by people who had money. Some new entrepreneurs built and plugged power points in the path. Cloud computing is also becoming a utility, and security has to become a utility too. CIOs want to work with fewer vendors that give them expected results rather than those who give the result at a later period.

GSISS survey by IDG and PwC for 2018 with 9,500 security executives globally highlighted that almost 40 percent of respondents’ companies don't have a security strategy.

At the top of the pyramid, the survey with top Fortune 500 companies would yield a different number. For the Global 2000, the number is still respected. Lower down, security is less of a priority, partly because the bigger companies have more budgets assigned to security, with security officers, dedicated staff and business buy-in who drive security strategy.

Security becomes a tactic as you move lower on the pyramid. It's more product-based as per need and often follows an ad-hoc buying pattern. Zscaler thus sells to larger companies first and then we go down the route, as our sophisticated technology is appreciated more by a larger company system than by a small company.

Security is horizontal, but Zscaler was picked up very quickly by large companies with lots of offices and distributed offices and workforce. Manufacturing and consumer goods companies picked up quickly. Financial services were slow to embrace, but insurance was faster. Banking was a little bit slower, but now we have some of the biggest banks in the world as our customers, as they realize the importance of embracing cloud to stay competitive. Zscaler connects the right users to the right applications securely, without worrying about buying and deploying security infrastructure, and you can do it from any location, any device, on any network.

Key Takeaways of Cloud Security World: Zscaler CEO

1. The biggest myth is the fact that CISOs and CIOs often look for big credible vendors.
2. When mega shifts like cloud happen, the incumbents of the old world often hold them back.
3. Rethink traditional security companies whose primary business was selling security appliances.
4. A cloud security vendor born in the modern era with an evolutionary approach becomes important.
5. Companies shouldn't take everything in their infra to the cloud with that great hope.
6. Relooking at security with the overall application and network on a clean slate is the right approach.

What would be Jay’s bucket list of do's and don'ts for companies? Any pitfalls they should avoid when they're signing a cloud security vendor?

The biggest myth is the fact that CISOs and CIOs look for big credible vendors. The typical notion is that the larger vendor will be here to stay, which is generally true. But when mega shifts like cloud happen, the incumbents of the old world often hold them back. Like Siebel is gone and Salesforce is here. PeopleSoft is gone. CIOs should rethink older (traditional) security companies, whose primary business was selling security appliances, as a safe bet, and cloud is new to them. A cloud security vendor born in the modern era with an evolutionary approach becomes important.

Companies shouldn't take everything that's gone out there on the cloud with that great hope. You need to look at what to eliminate rather than moving one by one. Looking at not just security, but the overall application and network with a clean slate, is the right approach. If you retro pick and tweak a little, it makes things more complex and doesn't achieve the goal to go cloud.

I started the interaction with a flashback into your entrepreneurial journey. What success mantras of yours still stand true today or some have changed course?

I think some of them have evolved with time. The biggest lesson was the willingness to take risks, think bold and act bold. "Don't think about incremental things" holds true. It’s disappointing that many entrepreneurs desire to make things 10 or 20 percent better. That doesn't take you anywhere, as the competition catches up pretty quickly. You need to think 10x simplification, 10x scale, which is going to be a steep climb to build something new. But it gives you a sustainable leap. Else you might be wiped out by competition.