From the SiliconANGLE Media Office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Stu Miniman.

Hi, I'm Stu Miniman, and welcome to a CUBE conversation here in our Boston area studio. Happy to welcome to our program a first-time guest, Larry Biagini, who is the Chief Technology Evangelist at Zscaler, also had a long career at GE. Your last position there, you were the Chief Technology Officer. Larry, thanks so much for joining me.

Pleasure to meet you. Thanks for having us.

All right. So, before we get into some of your background at GE, tell us a little bit. Zscaler, we've got some familiarity with the team. We've had some of the executives meeting the customers on our program. Tell us what part you do at Zscaler.

So, when I left GE after about 26 years, I was a Zscaler customer, a very early Zscaler customer at GE. And one of the things that intrigued me about GE about Zscaler and one of the things I learned with working with them is that their vision for security and my vision for security and agility of organizations going forward were an easy match. That made a transition very simple. I was gone from GE for four weeks. That was my retirement before I got recruited into Zscaler. And the reason that it was a good match is I had big company experience. I have a very good network of people that are operating in large companies. And Zscaler needed those connections. But we also had a product that was mature, but we had a message that we had to get across to these folks. So, it was a message that was real to me, a message that mapped to what Zscaler needed to put out there. And that's why I'm the Chief Technology Evangelist. I spend my time with customers, with prospects, just understanding what they're going through, using my experience at GE and my experience with other customers to help them through that. And that's the role that I play.

Yeah, I know my time when I worked on the vendor side, working with customers, being in briefing centers, working with them, were some of the most gratifying for me because it was helping them through what they were working on. Bring us, you no longer work for GE, but give us a little bit of the background as to what gave you some of the skills and some of the scars to help customers that are now going through these journeys.

Yeah, the story really starts when I was asked to become the Chief Risk Officer for GE. I was the CIO of the largest business at the time, but GE was going through a transformation and wanted to go through a transformation. They recognized that digital was an opportunity for them and could also be a threat. But at the same time, security was not, I want to say, enabling the organization. It was sort of disabling, it was in the way. Now, I had no security background at the time. It was mostly in architecture and applications. I'd run the data centers, but I was very familiar with security and what it was supposed to do and actually what it was doing. So one of the first things that we looked at is why we were doing what we were doing. And the reality is 10 years ago, it made sense doing what we were doing, which was protecting the network because everything was in the network, the users were in the network, the data was in the network, the applications were in the network. And if you protect the network by definition or by default, you're protecting everything else. But when we started to see behaviors, that's not the way people were acting. There was more and more traffic going directly to the internet, whether it be for personal use or for business use, more and more business use. The mobile workforce, and I just don't mean mobile devices. The workforce itself was mobile. They were out in the field. That's where you make money is when you're with customers, when you're selling.
So this notion of protecting the network allows you to protect apps and users and data actually was a fallacy. But we continue to do it because that was the problem we had to solve 10, 15 years ago. The problem changed with the introduction of cloud, with the introduction of mobility, with end users getting much, much smarter about how they could use technology without actually needing IT. You know, we used to say that everybody's their own CIO at this point. They have their own devices. They have their own networks. They have their own apps. And our job is still to secure them but not get in the way of them.

We know back in the old days, it was physical things that I could wrap my arms around and if I could lock a door or build the moats we talked about in the industry, that was great. But the surface area just keeps increasing. Cloud pushed it that way. Edge is pushing it. Order of magnitude even more. So it's interesting. I think when we talked about cloud adoption, security was originally, oh, it's a reason why I might not go to the cloud. And then it was like, there's a new opportunity for it. To be honest, digital transformations, I haven't heard as much discussion about the challenges and opportunities of security there. So maybe you can help expand on that a bit.

So I think what Zscaler does and the notion that I had that made it an easy fit was I always believed, or not always, but after I took that role, I believed that there had to be something between the user and wherever they wanted to go. And we had to put as many services as we could in that. Now, we originally thought we could build that ourselves. We couldn't. We didn't have the footprint. We didn't have the scale, even though we were a large company at the time. But I always thought that tying a user and an application to a location was a big mistake.
And so when I think about digital transformation, what I'm really thinking about is safely attaining speed in order to do business in today's world. So you talked about devices. I'd argue that even five years ago, most large organizations could not tell the devices on their network. Yet we were trying to protect that. They knew the ones they knew about, but they didn't know the Raspberry Pi that was plugged in by an engineering guy. Or they didn't know that somebody just put a new machine on the factory floor and it happened to have an IP address. So we were actually kidding ourselves into what we were doing. So I think the cloud actually opened up the eyes of not only the business, but opened up the eyes of the IT and security folks that the way to, you can't control the network anymore because you don't own the network. I'd argue that you haven't for a long time. And because of that, things had to change. I also think that it became, and I've seen this in my four years with Zscaler, four years ago, security was sort of black and white. Now the dialogue has changed to more about risk. What's really important to my company? The fact of the matter is I have to admit to my board that I can't protect everything, but I need to protect certain things and you have to tell me what those things are. I can mitigate that risk. I can't do everything to everybody. And so I think that's the discussion that people are having now. And when, five years ago, people would say, oh, Amazon, Azure, GCP, I want to see their security practices this, that and the other thing. Now, they can't stop things from moving there. They're less concerned about the security practices because they get an attestation of those and things like that. They're more concerned about how their organizations are migrating stuff. Are they migrating the right data? Do they have the right controls around it? So I think the mindset of the CISOs has changed a bit.
I think the roles of the CIO, the CTO and the CISO have changed, where the CISO is more risk-averse. The CTO is actually learning how to tie things together rather than build them. And the CIO is focused on data and business opportunities.

Larry, maybe you can bring us inside one of the customers or a sample of what you're hearing from customers because so many of the things you said really resonate. Absolutely. Five years ago, it was like, right, Cloud, let me get your SLA and let me read through all of it. Hey, can you adjust this for me? Amazon says no. Okay, wait, I need to adjust to this. But the mantra I hear from my friends in security is security is everyone's responsibility and it is a practice. And therefore it needs to be embedded in there, not some product or thing that gets bolted on at the end. So how are they coming to that? Is it the CISO, organizationally, where do these conversations start and fit?

So every organization is different. So what I'll give you is sort of a combined view of a large organization, probably two or three large organizations. The first step is adopting the internet as your corporate network. Once you come to that realization that the internet is your corporate network and will continue to be so, then the things that you do change dramatically. And the opportunities that you have change dramatically from a cost perspective, from a service delivery perspective and from an end user satisfaction perspective.

So let me ask you that for a second because I have some peers and friends that work at big companies and it feels like there's the corporate network and then I've got my device on the other thing that I use the public network. Is this embracing that just, is there or do I still have those two separate networks?

I think where it's going and where the more progressive companies that I deal with are is that rather than having a corporate network supporting everything, the corporate network will actually shrink to only supporting what it needs to support and will become a destination just like an AWS or an Azure or GCP. So if you have a corporate network today that's big and wide and flat that has users, apps, data in it and your data centers, my view in dealing with again, some more of the progressive companies is that corporate network will shift to just a data center network and it will have no users on it but users will be able to get to it. So you turn yourself into an AWS. Some people call that hybrid computing. I call it hybrid networking but the reality is most organizations, large organizations are going to have a hard time getting rid of their data centers in the near future. So they're going to have to be part of this game and rather than try to extend the current model to wrap around AWS and Azure and the cloud providers, why not change your model which you do control to actually act like that? So my world has the corporate internet, the internet as the corporate network, the corporate network as a subset of the internet, no users on the corporate network, all users untrusted on the internet. That's where I think this whole thing goes and that's where the customers that I talked to are headed.

Okay, one of the biggest challenges when you talk about this digital transformation is usually some of the organizational dynamics there. Maybe walk us through, you talked about, we understand everyone's different, we've seen the CISO greatly elevated into where their role fits into it but kind of corporate structure and the kind of average, let's say a sysadmin and the like, what are they getting rid of? What are they learning? Or is it people coming in?

Yeah, so the cultural, I don't want to say perspective, but the cultural challenges are real.
You know, if you've been in this industry, I've been in this industry for 40 years and you gain certain expertise and you like to get promoted on that expertise, recognized for that expertise and it's comfortable to deal in that area. So just think of your network admin, you know Cisco equipment, you know it really well, you know your Cisco rep really well and all of this stuff is second nature to you. Now you're asked to tie, put up a connection between yourself and AWS, a VPC because you're going to move applications out there and really you're not a network guy anymore, you are a design guy to help move applications to the cloud and it's an uncomfortable space to be in. So you can sort of, there's a couple options, you could say, this too shall pass and it won't. That's I think a losing proposition. I think you can move to a network provider and say look, I'm still a network guy, I can do networking or you're going to have to find a way to take the skills that you have and the mindset that you have and work in this new environment. Now that's not easy to do and one of the things that some of the larger organizations I deal with are doing is they're bringing in people who grew up in this area and they're trying to seed the education of their own people because they're good people, right? They know the culture, they know the business, they just don't have the skills that they need today. So going to training is not going to help them. Doing it by example with people who've done it before is very important.

All right, how about outcomes? Is there anything you can share from your GE experiences or some of the customers you're working through as to kind of that high level, what this means now? Is there a success finish line or is it a continuing journey?

I think the success finish line is actually doing what you're supposed to do for the organization without actually anybody knowing it, not being in the way.
So from my perspective, it's end users, be they customers, suppliers, internal people, being able to do their job in a frictionless manner but you being able to do your job, and the security side, it's protecting them. In the network side, it's making sure that they're getting the best user experience out there, and the CIO side is that they're using the best tools for the job. That's it for me. I'm tired and I have been tired and I don't think it's right for the people that we provide technology or technology solutions to choose our technology as a last technology of choice but they'd really like to use something else. We should give them that flexibility if it meets the risk appetite of the organization. So to me it's end user satisfaction is the most important thing because that allows you to do your job. This side of the fight end users will always find a way around whatever you put in their way and that's not good for them, not good for the organization. So that's it for me.

Great, you've been now with Zscaler for four years. Tell what's changed in the landscape? Security, you said to board level discussion absolutely something we hear, come and I've made as it went from kind of top of mind, bottom of budget to, no, this is something that actually you're not going to put it off for another quarter or a year, you're going to take care of it now.

So I actually think it's kind of counterintuitive what changed is that I believe that five years ago security was top of mind and there was a boatload of money thrown at it and that money got spent but nobody was able to prove that they're any more secure than the next guy. The metrics weren't there. I mean, if you can't define what your network is how can you stand in front of your board and say my network is, and so I think there's been a question of are we spending enough on security but not only enough, are we spending in the right areas because what we've been doing sort of doesn't make me feel any better.
You know, sure, we meet our regulatory requirements but that's compliance, that's not security. So I think people are actually questioning are we doing the right things for the business that we're in today versus the business that we were in in the past and do we have the right conversation going with the board versus a red, yellow, green chart about here's how we think we're secure and I think that that's made a big difference and I also think the discussion around where information resides and how important that information is and then ultimately how well you mitigate any risk to it is the most relevant conversation that happens today. It's not, you know, I'm not going to ignore ransomware and things like that but it's not, oh my God, I'm getting attacked a million times a day. It's do I have something that's of value to somebody else and it will kill me as an organization or hurt me drastically if I lose it and if I don't know where it is I'm probably going to lose it either deliberately or by mistake. So do I have those right controls in place?

Yeah, I'd love to get your commentary. There are certain companies out there that they have the message, you know, security is broken, we need to do over, you know, the latest and greatest software-defined cloud-based something or other, is it going to solve it? But, you know, you've been in this space for decades. So, you know, where are we as an industry with security today? You feel that, you know, we're making progress, it sounds like it, you know.

I do feel that we're making progress. I think as an industry we recognize that the problem exists and the problem that exists today is different than the problem that existed seven, eight, 10, even 15 years ago. That's number one. Number two is the competitive landscape of companies out there that are huge today versus the companies that were huge 10 years ago. It's a much different landscape. And these are all what I would call digital companies.
They found a way to use information. You know, things like Airbnb. It's an information business is all it is. And it's not a Marriott, it's not a Hilton, but it's a competitor to those guys. And I think that's a realization that businesses are having and that's filtering down into the IT organizations. You know, we see a lot of companies which I don't necessarily agree with, hiring chief digital officers in addition to chief information officers. And I see that as a bifurcation of the CIO as a back room office guy and the CDO now is customer facing. I think this whole thing has to be customer facing and take advantage of the tools that are out there whether you provide them or whether you get them from somebody else in a secure and safe enough manner that your business feels comfortable operating. So that's what's changed. I don't think it's even the hardcore security guys. You know, we've had a lot of breaches in the past. Every one of those breaches, everyone had a firewall, everyone had a proxy, everybody had all the tools that everybody else had and nobody could prevent those breaches. I think the fact of the matter is you want to prevent the harm of a breach occurring versus spending all your time to make sure a breach doesn't occur. So I think that's a different mindset.

All right. Larry, I want to give you the final word. We've been going through the series of the digital cloud transformation. Give us your final takeaway.

So I don't like digital transformation as a word. I think it's been overused. I think businesses are changing and adapting to what the opportunities and risks are today. With that, the whole organization has to face into that and say, this is where we can win. This is where we have to be good enough and this is what's dragging us down and you have to address all of them. I think in order to do that, one thing that an IT organization has to do is head on, face its legacy debt. You can't play in this world with legacy debt.
And if you don't start now, five years from now, you're still going to be complaining about it. It's like that old, you know, Chinese proverb of when was the best time to plant a tree? 100 years ago. When's the second best time? Today. If you don't address your legacy with your board, head on, your business will lose. That's number one. Number two is don't go it alone. Get the talent who's done this before. This is not moving from, you know, from COBOL to C to C++. This isn't an incremental change. Fundamentally, the way that the cloud works and the way that your corporate network will work once it's the internet is fundamentally different than anything we've done before. Take advantage of people who have done it. Use that to seed your organization's growth. And then finally, there's no stopping this train. There's nothing that's going to happen cataclysmically that's going to stop this. On the other hand, don't throw out the baby with the bathwater because most organizations, as I said earlier, are still going to have legacy applications in their data center. Just make them look as if they're modern applications and it's a win for everybody.

Larry Biagini, thank you so much for sharing all of your history and your customers' journeys.

Oh, thanks for having me.

All right. And thank you, as always, for watching theCUBE. I'm Stu Miniman. Thanks for watching.