 Welcome back to Moscone West, everybody watching Silicon Angle the Cubes. Flagship coverage of RSA 2023. My name is Dave Vellante, John Furrier is also here. Jay Chaudhry is here as the CEO, founder and chairman of Zscaler J. Thanks for spending some time with us, really appreciate it. Dave, I always enjoy talking to you. I want to go back to the beginning. You know, it feels a little bit like 2007, 2008 now when you've had a lot of innovation going on. Why did you start the company back in 2007? Well, I'm a lucky product of American dream. You know, sometimes wonder if my life is real or I'm dreaming. You have to pinch yourself, yeah? Because I was born and raised in a tiny village in the Fortella de Himalayas in Northern India where we got electricity after I finished my eighth grade. We got running water after I finished my 10th grade. I came to America to do my master's in computer engineering. Got to start a world by accident. In 96, when internet was just taking off, I dreamed of building an internet security company. And since I had no experience, all VCs turned me down, talked to my wife, and I said, the only way we can realize this dream is if we put our life saving on the line. That's what we did. The business took off, then very soon comes and acquires it. And it felt kind of like a flu. Startups are supposed to be hard. It was easy. I said, let's do it again. This time, I did not need to raise any funds. So I started three companies. Good luck, good timing. They all became very successful and eventually acquired. Now, moving to 2007, 2008, I had no desire to do one more startup and sell it. I want to do something big, something lasting. And to do this big undertaking, I got inspiration of Mark Benioff's Salesforce because I have been using Salesforce since year 2001 in all of my startups. So I knew what a cloud-native, multi-tenant architecture would be. Salesforce had to compete with Siebel systems. And guess what? Who won? So I said, if I build a cloud-native platform for cloud security, I could do better than any of the legacy firewall VPN guys. And since I was doing it with my own money, so slow time, when things are kind of not moving fast, it's a good time to really put heads down and build a great fit. Thank you for that. I didn't know that story, because I was going to ask you like, because you're known for cloud security. In 2007, the cloud was just barely out. It was the Salesforce, which was kind of the original cloud. Absolutely. Right? For Salesforce and NetSuite, I used both of those companies in all my startup in 2001, when each was under $10 million in annual sales. So I was a big believer that all application should become SaaS applications. iPhone was just announced with a big screen. So I knew that we would be all more and more mobile. And by the way, AWS was just, it's an infancy in 2007 timeframe. So the notion was if applications and data moves to the cloud and we become mobile, all this firewall VPN based architecture will be no good. So let's build a switchbook. Totally opposite of firewall, opposite of network security. User comes to us, we say, who are you? Where are you going? Are you allowed to go? Are you taking some good stuff and bad stuff with you? That was the genesis, the real start, which really has evolved into being called Zero Trust. And that's really what we are very proud of because Z-Skiller pioneered this thing very, very early on. And today, over 40% of Fortune-Firing companies depend upon us. This is some of the biggest names, that's British Petroleum, Siemens, and Shell, it's United Airlines. We're very proud of helping our enterprises and our country to protect them. I know what's interesting about the story is, you know, architecture matters, we say that a lot on theCUBE. And in 2007, there were many companies who came after you that missed the cloud. So, what was it about the architecture that you saw at the time that has allowed you to sort of endure through the cloud era? No pun intended, because cloud era kind of missed the cloud. We talked about that, but what was it? So, I had a very simple mindset. I wanted to do something big, something lasting a public company. And for that, I wanted to see 15, 20 years out and say, what will be needed in the longer term? And you had to believe, at least I believe that, applications will be out there somewhere, SaaS, cloud, wherever, users will be somewhere, the architecture has to be done right. Now, people think about this cloud security or cloud being something unique. I thought of this the following way. Every new technology starts as a cottage industry. We used to have power generators at home once. We loved them because that was the best thing at the time. Then utility companies came, power utility companies, they said, plug into the socket, you get power. So, cloud computing and cloud security is essentially a utility service and that's how I looked at it from day one. And it had to be done differently. Just like you can't take a million power generators, put them in some factory and say, I'm a power utility. Or you can't take a thousand DVD players and put them in the cloud and say, I'm Netflix. That's why I don't believe the firewall and VPN companies will ever succeed. They'll try it just like Siebel System did, and then they'll go back to the roots or wherever else they need to go. You know, we were at your event last night and you pulled up a customer, just a very brief, maybe five minutes of introduction, but the customer was a forward-thinking customer. I think I'm paraphrasing, but basically the customer said, hey, if you're on my team, you got to be thinking, I think he said out of the box. It was going to tongue in cheek. And so I want to ask you about zero trust because prior to the pandemic, for most people, zero trust was a buzzword, you talk to any CISO today, they are moving forward on a zero trust architecture. My question is, can you do that without getting rid of stuff? Because you have a lot of technical debt, so it's got to be a journey. How are you seeing that evolve and what role do you play? So it's indeed a journey. And also zero trust didn't really become popular because of COVID. It became popular when SolarWinds got hit. And companies realized that, wow, this malware is on my network inside my firewall. And then suddenly we had Colonial Pipeline, a remote access VPN problem. VPN is the biggest security threat to enterprises out there. And you know what? Once you connect to the VPN, you're on the network and you move laterally as if you got in the castle, you can go wherever you want to go. It's a sad story that firewall VPN companies are removing the word VPN. They're calling themselves cloud-based secure access when underneath it's VPN. They're doing a disservice to our country and enterprises, but I guess they're trying to make sure that they really don't become, they don't go out of business. But zero trust is fundamental new architecture where you don't put people on the network. You connect them to application. It seems geeky sometimes, so let me give you a simple example. Yeah, geek out a little bit. Explain it to our audience. Let me give you a simple example. Getting on the network with VPN or being on the network with firewalls and VPN is like I come to see you, they stop me at the reception, they check my ID, they give me a badge, and they say, Jay, go inside, your meeting is on the seventh floor, but go wherever you need to go. I am inside, I could wander around, wherever, snoop around, not even go to my meeting room and leave. That's what happens with network security and VPN. In the zero trust model, sure they stop me at the reception, check my ID, give me a badge, then they'll say, just stop. You will be escorted to room 22 and 22 only. You don't even need to know the room number. Once your meeting happens, we're going to escort you all, period. And if you're really security savvy, like DOD, you'll say, Jay, we're going to blindfold you and take you to the meeting room. Your meeting happens, we blindfold you again, we take you out. You really connect to a given party, a given application at a time. The biggest risk or ransomware is people getting on the network, moving laterally and finding high value target. That's really what we eliminate. That's what sets us apart from legacy security architecture. Whether it's firewall on-prem or it's firewalls in the cloud, there's still firewalls. I'm imagining like when I go through security at the airport, the CSA, you're saying that's what it's like. I can wander around the airport anywhere. It doesn't matter, you're not allowed to get into the most critical things. You could be out there exactly like Zero Trust. No, if you need to get on a certain plane, we're going to check your boarding pass, your passport, your visa, and your luggage to make sure the right person gets on the right plane for the right destination with safe luggage. It's probably a good knowledge. You're sort of a synonymous with cloud security. People think of, as you scale it, they think of cloud security, but you accommodate hybrid modes. Yeah, we only accommodate, we fully support hybrid. In the world of Zero Trust architecture, the architecture that Zscaler pioneered, your applications could be in your data center, could be in a factory, could be in a warehouse, could be in AWS, Azure, or Google Cloud, or Oracle Cloud. It doesn't matter. Like a phone switchboard, we'll connect you to the right application without you having to worry about extending your network to every place. So we very much support hybrid environments. There's a narrative in the industry. You hear it from a lot of technology vendors that we don't spend enough in security. And yet, at the same time, it's, I don't know, what, $100 billion. Pick a number, 80, 90, 100, 200 IDC numbers. It's not my business, but it's big. What, where do you land on this? I mean, it seems like we spend more every year, but we're not more safe. Is spending in and of itself the answer? It's obviously not, but why not? What is the answer? So spending on wrong technology to create complexity is actually hurting. Complexity is the enemy of security. Your question reminds me of a dialogue I had with the board of directors of a very large bank in India. So they wanted me to give me my perspective of how do I see U.S. enterprises protecting themselves. And one of the board members asked me, she said, Jay, if I look at Fortune 500 companies in America, they have sophistications, cyber experts, they spend lots of money and I read so frequently, they're all getting breached. What's wrong with it? Expertise and budget both are there. I had to think for 30 seconds. It was a real good question. I say, yes, they have a lot of money, but inertia is holding them back. Human beings like to keep on doing what they've done. We are doing the same security model since early 90s, same network model. It fundamentally has to change. So this big change is held back by inertia. It requires people who are progressive or a forward thinker. And the vendors don't help them much. You can eliminate a lot of these point products, save money and have far better security than we do today. I had a dialogue with a large retailer in Europe. They got breached. It was ransomware attack. Guess what happened next? The boards fired the CISO. They brought a new CISO in and they said, what do you need? All purses got opened up. And guess what the CISO did? Bought more and more firewall, segmentation, VPN, everything. Let's build a more tier, a more tier, a more tier. Wrong approach. Luckily, Zero Trust adoption is happening more and more. When I have 7,000 customers who talk to each other how they have helped themselves, it's actually helping. We are getting lots of business through word of mouth. CISO and CISOs go from place to place. But my guidance to customers is don't keep on buying more and more. Your tech that is getting worse and worse. Simplify, simplification with Zero Trust is what's needed. Do you think foundation models like GPT could be the catalyst for that change? You think it will shake the industry up in a way? I think GPT is going to shake things up in many ways actually. So first of all, you can see more sophisticated threats. You can ask Jack GPT, give me the attack surface of this company. Here it shows up. The amount of effort you had to do to find some of the vulnerabilities becomes a lot easier. But it's also helping companies like us to be ahead, to build protection against it. So this GPT is kind of what I said, double headed sword. It's going to help, it's going to hurt. It's a race with bad guys. We need to move faster. Enterprises need to adopt technology faster rather than keep on doing what they are doing. You see a lot of data, obviously. Have you seen hard concrete evidence that the adversaries are actually using foundation models to attack? Is there hard evidence of that? We know it's happening. We presume it's happening. Is there evidence today? So Zscaler handles over 300 billion requests throughout cloud every day. Now what does that mean? Give you a comparative data point. Google searches in a day at up to about eight or nine billion. Now why is the number so big for Zscaler? Because when you communicate, whether to internet or SaaS applications or your apps in Google Cloud, Azure AWS data center, they all go through us. We are the switchboard. So we see all the signals out there. We actually end up seeing a lot of telltale signs ahead of me. So it's actually helping us see what bad guys are doing. But some of the signals that we are seeing, this being leveraged, are beginning to show up, but they're not at a mass scale yet. But I won't be surprised if in six months or nine months it becomes a way to further explore its situation. We see an evidence of possible signatures and that's a harbinger, things like that. I want to go back to something you said. We all used to have our own sort of power plants on site. Well, so the reason I thought of this is, you remember the Andreessen, it was Sarah Wang and Martin Casado said that cost of goods sold are going to crush many SaaS companies and they're going to have to go repatriate. So remember we asked Jeremy Burton that question and he said, everybody used to have their own power plant, that's what reminded me. Where do you stand on that? Have you thought about your business in terms of the cost of goods sold, the amount that you got to pay, a cloud provider? Do you foresee the day where you have to sort of start building your own sort of infrastructure or have you started already? It's a great question. Every home should not have a power plant. But every city or a given state needs to have a power plant. Why should one, there should be one power plant company out there? So the way I look at it is, Microsoft, AWS, Google are building power plants to build applications for enterprises. They are essentially application power plants. Zscaler is the security cloud. It is the security power plant. I can't be building my security plant on others. I need to build security plant. The requirements of security cloud are very different. We are sitting in the traffic path. Hyperscalers are destinations. They're sitting in far fewer places. We're sitting in over 150 locations around the globe. It's think of America. Would you be happy if the only four or five international airport to go and to some place? You won't. We got it, over 100. So I need to have our security cloud sitting in all kind of locations because people need to come to us, we need to inspect, verify policy and connect. So large companies in a given business will have their own clouds. And enterprises by and large will use public cloud for most of the stuff and for some applications or maybe for a resilience point of view, they may have some of their own data centers. What's your thought on the public-private partnership and the role of public policy in the government as it pertains to security generally? But there's a lot of discussion about privacy. There's been discussion that security companies like yours are basically massive surveillance systems and that's causing to, it's like, okay, what do you choose? Do you choose privacy or security? But what's your general sense as to the, particularly I'm talking about the U.S. federal government in terms of its posture with technology companies like yours and maybe even some of the big tech companies? Yeah, a couple of general points. Privacy is a big issue for vendors who offer free products. Because they take the information and they take money out of it. Zscaler or Salesforce the world don't have an issue with privacy. We don't sell that data to anybody. We get paid by enterprise customers to do what needs to be done. So privacy for enterprise class vendors is not an issue. Now GDPR and all, they want to make sure that data is kept safely and we're taking all precautions to do so. Now the next level is government regulations and whatnot. I think some level of setting, some level of standards is good but when government reaches too far it kills creativity, it kills innovation. But if you look at the federal government, unlike the focus U.S. government has put on zero trust. Unlike some of the initiative that CISA is driving. It's a good organization. It's trying to educate all these federal agencies and it is making a case for public and private sector cooperation. I think that's a good thing. So as long as government kind of says I'll do the minimum and then get out of the way, it's a great thing. Yeah, they could be a catalyst for innovation and growth. They certainly have been historically. Last question, so many people felt like, okay the security market is immune from the macro headwinds. Last summer we saw security generally kind of revert to the mean. Now it's sort of all over the place a little bit. What are you seeing at the sort of macro level? Deals are getting longer. You've talked about this. You guys have always sold to the C-suite but now there's more approvals necessary. What's it like out there? What's the climate like to the extent that you can share? So security is a lot more resilient than many other application areas. So we're seeing less impact but there is some impact. There is more scrutiny out there. But the vendors in cyber who can improve security and reduce cost at the same time will do much better. The reason Z-Skiller has done quite well is because cyber is on every CIO, C-suite and board smart. But then second part is CIOs also want to save money. When Z-Skiller goes and say here is my platform that can eliminate so many point products I can deliver ROI and cost savings. CIOs like us. So those are some of the reasons that that's going to continue the growth of platform companies for cybersecurity who can deliver cost savings like Z-Skiller does. So we are pretty bullish about the market. And that cost savings comes from consolidation? Two or three things. You eliminate a bunch of security point products. That's number one. Number two, there's operational cost in these traditional appliance companies. Also in addition, there is a net for cost savings. There's a lot of net for cost that needs to be taken out because they bring the traffic back to the choke points and data centers alike. And on top of that, the user experience goes up, productivity goes up. Jake, thanks so much for your time. You've been very generous. I got to let you go. And really a pleasure having you on. Dave, enjoyed it. Thank you for the opportunity. Oh, you're very welcome. All right, keep it right there. John Furrier and I will be back with our next guest, RSA 23 from Moscone. You're watching theCUBE.