CASE STUDY
Zscaler
Transforming information security with a new vision and a new model
Industry: TECHNOLOGY
About the company
Zscaler is a cloud-based security company that is completely transforming the way companies approach information security. Many of the world’s largest and most forward-thinking companies rely on Zscaler to move their security off the network and into the cloud. Gartner has named Zscaler a leader in its Magic Quadrant for SWGs for seven consecutive years and the company recently went public. Clearly, Zscaler is moving the needle.
Today, mobility and the cloud enable all of us to be more productive and agile, yet it poses a new problem for security. How do you protect users, data, systems and applications when they aren’t always visible? How do you control security when traffic isn’t going through the traditional security stack?
Changing how information security is viewed
While many business systems have moved to the cloud, security has been slow to transition. The hesitation comes less from cost or efficiency concerns, as most companies realize the cloud improves both, but more from the questions of complexity and scope.
Zscaler recognized the opportunity to make modern security not only attainable, but comprehensive, with the scalability to encompass all of the ways people now work. The company took security hardware out of the enterprise data center and built its own multi-tenant, cloud-based stack around the globe, enabling companies to step away from managing their own stack and forwarding their traffic through the Zscaler stack instead.
Zscaler has been attractive to many of the world’s largest companies with distributed workforces and multiple locations. Smaller companies have taken notice as well, realizing they can finally afford an enterprise-grade security platform they don’t have to manage themselves. Zscaler is also a preferred partner for service providers who want to offer security to their customers through a SaaS-based platform.
For Zscaler’s CISO, Michael Sutton, attracting customers and partners is only a small part of the vision. Changing how information security (IS) is viewed is the bigger goal.
“Gone are the days when IS dictates security within the company. Users have so much power now and IS doesn’t have the control or visibility they once had. CISOs have to rethink how they achieve their mission and find ways to empower users instead of being the ‘Office of No’ that employees will just bypass. Security can be flexible without giving up protection.”
Security has always been based on our control of devices and networks. Zscaler has turned that upside down. We enable companies to secure users, no matter where they work, what network they use or what devices they’re on.
Michael Sutton, CISO at Zscaler
The Zero Trust Model
Visibility is a fundamental challenge for many in IT and IS. Protecting what isn’t seen is a common pain point. From BYOD, remote employees and cellular networks, to uploading data and unsanctioned apps, security leaders are hard pressed to control this seemingly rogue atmosphere. Even if they could gain visibility into all of this traffic, much of it today is encrypted and therefore unusable.
“You can’t control what every employee is doing – it’s simply not possible and companies will waste an inordinate amount of energy trying to do so,” says Sutton.
“We built Zscaler with this perspective in mind. We don’t care where employees work, which device they use, or how they choose to connect. We had to build a solution that would enable IS to see all of the traffic, inspect it appropriately, and be alerted of anything suspicious. The Zero Trust model insists we treat all devices and all websites as untrusted until they can be authenticated and users can be authorized. It’s not about changing the user habits. It’s about changing the IS model.”
Radically rethinking security
Changing perspectives is never easy, yet companies large and small are accepting the zero-trust model and taking steps to incorporate it into their methodology. Zscaler solutions are intentionally built to make this process easier and more adoptable. Zscaler built its security stack from the ground up and all of its capabilities are tightly integrated, so there is only one proxy through which all traffic runs. Controls as simple as blacklisting a site to more complex sandboxing can be performed through one system, making security more efficient and easily visualized.
As Zscaler continues to lead the cloud security market, it is taking a top-down approach. “It’s no longer selling a product to a line-level person in charge of firewalls,” Sutton says. “It’s so much bigger than that. We are pitching a new vision that C-level executives can champion to lead the transformation into the cloud. Zscaler is helping companies take their security to the next level—not with a specific product, per se, but by radically rethinking their approach to security.”
About Michael Sutton, CISO at Zscaler
Being the CISO at a security company is what Michael Sutton compares to being a skating coach on a hockey team. Everyone at Zscaler is a security pro, making his job unconventional. Instead of convincing employees to adopt his security protocols, he spends his time selling his vision and best-practice expertise to companies who he believes need to rethink their entire approach to internal security. Sutton is also a mentor and advisor to the next generation of security startup founders at Mach37. He has been with Zscaler since its inception in 2008, starting as vice president of security research. Prior to Zscaler, Sutton was a security evangelist at Hewlett-Packard and SPI Dynamics.

For close to a decade, SpyCloud has automated identity threat protection for more than 4+ billion employee and consumer accounts. Our focus is making darknet data actionable to protect businesses from cyberattacks, safeguard employee and consumer identities, and streamline cybercrime investigations. Customers globally – including more than half of the Fortune 10 – count on SpyCloud to thwart identity-based attacks including ransomware, account takeover, session hijacking, and online fraud.