About the Company
Zscaler is a cloud-based security company that is completely transforming the way companies approach information security. Many of the world’s largest and most forward-thinking companies rely on Zscaler to move their security off the network and into the cloud. Gartner has named Zscaler a leader in its Magic Quadrant for SWGs for seven consecutive years and the company recently went public. Clearly, Zscaler is moving the needle.
For the past decade, Zscaler has brought its revolutionary vision to a rather fixed mindset. It realized early on that employees had begun working differently than in the past. They weren’t attached to a static office and they weren’t consistently on a secure, corporate-controlled network using company-owned devices. The traditional security models were no longer aligned with culture. Today, mobility and the cloud enable all of us to be more productive and agile, yet it poses a new problem for security. How do you protect users, data, systems and applications when they aren’t always visible? How do you control security when traffic isn’t going through the traditional security stack?
Changing How Information Security is Viewed
While many business systems have moved to the cloud, security has been slow to transition. The hesitation comes less from cost or efficiency concerns, as most companies realize the cloud improves both, but more from the questions of complexity and scope. Zscaler recognized the opportunity to make modern security not only attainable, but comprehensive, with the scalability to encompass all of the ways people now work. The company took security hardware out of the enterprise data center and built its own multi-tenant, cloud-based stack around the globe, enabling companies to step away from managing their own stack and forwarding their traffic through the Zscaler stack instead.
“Security has always been based on our control of devices and networks,” says Michael Sutton, CISO at Zscaler. “Zscaler has turned that upside down. We enable companies to secure users, no matter where they work, what network they use or what devices they’re on.”
Zscaler has been attractive to many of the world’s largest companies with distributed workforces and multiple locations. Smaller companies have taken notice as well, realizing they can finally afford an enterprise-grade security platform they don’t have to manage themselves. Zscaler is also a preferred partner for service providers who want to offer security to their customers through a SaaS-based platform.
For Sutton, attracting customers and partners is only a small part of the vision. Changing how information security (IS) is viewed is the bigger goal. “Gone are the days when IS dictates security within the company. Users have so much power now and IS doesn’t have the control or visibility they once had. CISOs have to rethink how they achieve their mission and find ways to empower users instead of being the “Office of No” that employees will just bypass. Security can be flexible without giving up protection.”
The Zero-trust Model
Visibility is a fundamental challenge for many in IT and IS. Protecting what isn’t seen is a common pain point. From BYOD, remote employees and cellular networks, to uploading data and unsanctioned apps, security leaders are hard pressed to control this seemingly rogue atmosphere. Even if they could gain visibility into all of this traffic, much of it today is encrypted and therefore unusable.
“You can’t control what every employee is doing—it’s simply not possible and companies will waste an inordinate amount of energy trying to do so,” says Sutton. “We built Zscaler with this perspective in mind. We don’t care where employees work, which device they use, or how they choose to connect. We had to build a solution that would enable IS to see all of the traffic, inspect it appropriately, and be alerted of anything suspicious. The zero-trust model insists we treat all devices and all websites as untrusted until they can be authenticated and users can be authorized. It’s not about changing the user habits. It’s about changing the IS model.”
Radically Rethinking Security
Changing perspectives is never easy, yet companies large and small are accepting the zero-trust model and taking steps to incorporate it into their methodology. Zscaler solutions are intentionally built to make this process easier and more adoptable. Zscaler built its security stack from the ground up and all of its capabilities are tightly integrated, so there is only one proxy through which all traffic runs. Controls as simple as blacklisting a site to more complex sandboxing can be performed through one system, making security more efficient and easily visualized.
As Zscaler continues to lead the cloud security market, it is taking a top-down approach. “It’s no longer selling a product to a line-level person in charge of firewalls,” Sutton says. “It’s so much bigger than that. We are pitching a new vision that C-level executives can champion to lead the transformation into the cloud. Zscaler is helping companies take their security to the next level—not with a specific product, per se, but by radically rethinking their approach to security.”
About Michael Sutton
Being the CISO at a security company is what Michael Sutton compares to being a skating coach on a hockey team. Everyone at Zscaler is a security pro, making his job unconventional. Instead of convincing employees to adopt his security protocols, he spends his time selling his vision and best-practice expertise to companies who he believes need to rethink their entire approach to internal security. Sutton is also a mentor and advisor to the next generation of security startup founders at Mach37. He has been with Zscaler since its inception in 2008, starting as vice president of security research. Prior to Zscaler, Sutton was a security evangelist at Hewlett-Packard and SPI Dynamics.