Welcome back to SuperCloud 3, everybody. We're digging into all things cloud, multi-cloud, SuperCloud, AI and security. We're pleased to welcome into our studio Jay Chaudhry, the CEO of Zscaler, along with the CISO of Zscaler, Deepen Desai. Gentlemen, thanks so much for coming in live to the studio, I really appreciate it.

Well, thank you for the opportunity. I have often enjoyed our conversations.

Yeah, so ditto. We want to get into the state of security. But before we do, John and I were talking, because, "Dave, you know, this zero trust thing, it's still a little fuzzy to me. Can you explain it?" I said, you know what, why don't we have Jay and Deepen explain it?

Of course. Zero trust is a big departure from 30 years of old network security architecture. And it's like going from traditional cars to electric cars. They're very different. The traditional architecture said, let's put people on the network so you can move around and find applications, and life is wonderful. But it is wonderful for bad guys too. Zero trust says, I won't trust you. I will only connect you to a given application or service, period. You're never on the network. So you had to build a different architecture. That's why firewall- and VPN-based architecture doesn't work. Unfortunately, the legacy network security vendors are scared of getting disrupted. So they want to co-opt the zero trust terminology to confuse their customers and claim that they are zero trust too. That's what's the root of all this confusion.

So Deepen, as a CISO, every CISO I talked to is now on a zero trust journey. They weren't so much before the pandemic, but now they're leaning in in a big way. There's some challenges. So what are the challenges that you see and how are your colleagues overcoming them?

Yeah, so I do speak to a lot of CISOs, global CISOs around the world, and I'll share a funny comment that I heard at RSA a couple months back: "Hey, we have implemented zero trust for all our remote employees."
There's no concept of implementing zero trust at one place and then having the traditional network at the other. A simple thing that I always call out is if you have true zero trust architecture implemented, it should satisfy the three basic principles, which is never trust, always verify. Number two is least privilege access. And number three is assume breach. With those concepts in mind, the way you should look at your strategy is, number one, is my zero trust security solution allowing me to reduce my external attack surface? Number two is, am I able to enforce consistent security no matter where my users are, whether they're at home, whether they're traveling, whether they're in the office? It should be consistent with full TLS inspection. The third piece, and this goes with the assume breach scenario, where if one of my users were to make a mistake and his machine is compromised, I want to contain that blast radius. This is where the lateral propagation, reducing that with proper user-to-app segmentation, deception, things like that that will prevent that attack from becoming a breach. And then finally, everyone is after your data. So your zero trust security solution has to help you consistently inspect anything that leaves your assets, whether it's endpoint, workload, server environment, and allow you to prevent any kind of data exfiltration.

I have to ask you, you're a very cogent speaker and quite eloquent. Do you spend most of your time internally? Is it security scale or sales guys out in the field?

Okay, so let me share this. I am the internal CISO. We do have a beautiful version of me. There are 12 field-facing CISOs. I am usually called in when they want to go down in the weeds on how to implement certain things. So my conversations are more tactical on how to do it, rather than big picture stuff.

You know, Jay, I want to get into your point about zero trust and super cloud security plus AI as the topic.
The market growth still in security is well outpacing other parts in tech. Some companies have a tailwind with this new network architecture and AI. Some have a headwind. What's the difference between the winners and, I won't say losers yet, but the people who are winning and doing the right things from a customer standpoint, what are they doing differently with security and now data and AI is obviously new, but not new. Been around for a while, but certainly it's data. It's scaling, there's observability out there. What's your vision of the winners?

So at the end of the day, customers want their business to be agile, competitive, secure and cost-effective solutions. Every new technology comes to help in those areas, but over time, those technologies kind of lose their benefits and values. Then the new technology, new innovations have to be invented. We're seeing mobility helps; IoT/OT, cloud has been helping. Every year, technology incrementally gets better all the time, but disruptive changes come every 22, 30 years. So AI is a disruptive change, even though it built over time, cloud was disruptive. Similarly, security and network is being disrupted for the first time in 30 years. The architecture we use today for securing with firewalls and castle-and-moat goes to the early 90s. So companies like Zscaler, who built a clean architecture for the new world, are winning. Companies who are based on firewalls and boxes is like, I like to call them like DVD players. They're bound to lose, but they're trying to put their DVD players in the cloud and call themselves a Netflix. You don't become Netflix.

Maybe Hi8 tape, maybe a better version. No, but I mean the perimeter's dead, okay? So the perimeter's dead, right? That's key. Now you have a surface area that's expanding. You've got hybrid, which is now going to go edge, multiple clouds, that's super cloud. Huge surface area.

Yeah, so, yes, it's huge surface area.
If you look at the old world, in the old world, every branch office would have a firewall that says, I am here, come and attack me, or I'm here, connect with me. In the world of Zscaler with zero trust, your surface area literally disappears because your assets, your employees, your services are hidden behind our cloud or switchboard. You only get connected to the right party. Maybe I'll give a metaphor. If you want to talk to, if you want that your 500 friends should be able to reach you, you can publish your phone number. They'll find you, they'll call you, but a million other people who you don't want to talk to will also call you. Spam, we all hate it. And that's how things work today. You publish your application on the internet. People can find them, connect with them, but many people can DDoS them. Your attack surface keeps on growing. And in the new world, suppose you hired a switchboard service. You say, I will only take phone calls from these 500 people and no one else. So the right party gets connected to you, all others are dropped. In the same way, we hide customers, application, branches and all from the bad guys. The old model, every branch has a firewall. The new model, your branches should go dark. There's no listening port to the internet, they're all hidden behind us. So attack surface almost zero is what we advocate.

It's unlimited surface area, but hidden to the bad guys. It's the best defense.

Yep, even hidden to the good guys, the good guy only gets connected to the party without divulging where you are, what your IP addresses are.

Yeah, so you have to protect yourself from everybody, not just the bad guys.

Exactly.

Let's talk about AI a little bit, Deepen. Everybody says, every company, whether the buyer or seller says, well, we've been using AI before ChatGPT, of course. But how are you using it? And what has the, what I sometimes call the AI heard around the world, how has that affected how you think about AI and deploying it?
Right, so you've been using AI/ML for several years now. Our product has several use cases addressed where we identify new polymorphic malware payloads. We identify previously unknown attacker control server destination. We also leverage it for flagging phishing attacks. Now, with the generative AI aspect coming in, we have also started investing heavily over the past six months in the customized large language models. So the goal over here is generative AI solves certain use cases very well where you can ask question, it converts it into code and it will simplify the overall product experience for customers. But if we are able to merge that with the predictive AI, then there are several different use cases that you will be able to address. One of them that I'm personally driving is where we're trying to predict breach scenarios even before they happen by using the telemetry that the product provides.

I was going to ask that question. I mean, everyone's hoarding telemetry, observation data, observability, up and down the stack. Sometimes I don't even get to it, right? I mean, how much that is actually used is the question that always comes up. And when people are off camera, they say, oh, about 15% of it. That's a huge problem. And what's the quality of data that matters too?

So first of all, every company will use AI, otherwise they'll go out of business. So there's no such thing as are you an AI company or not? It's like 10 years ago, you used to say Zscaler's a cloud company. Now every company is trying to be a cloud company, but the ones who have the right architecture will succeed. The ones with the wrong architecture will wither away. Now the most important thing for AI is the data. Now data combined with domain expertise and data scientists will make it happen. What's unique about Zscaler, right? Why are we so excited about it? Think of the breaches. Before any breach happens, there is a reconnaissance activity that goes on. Think of 9/11.
Before 9/11 happened, there's so much reconnaissance going on if they really acted on it. These guys were getting pilot trainings with certain kind of stuff. You could figure it out if they really could make sense out of it. We are like a switchboard. We sit between all communication for every user to every application, and application to application. So what do bad guys want to do? Reconnaissance, they want to ping you, they want to send certain things. All of that communication goes through us. So being able to leverage 300 billion transactions a day that give us logs and over 500 trillion signals, we now can leverage this AI/ML combination of predictive and generative AI to predict breach and actually tell our customers ahead of time so they can take steps. I'm excited because this couldn't be done before and with all the data we can put it to use.

It's interesting. I mean, I love your company because you guys are ahead of the curve. Always been. In security, you got to be where the puck is going to be in the future. Where is that puck going to be? What's your vision now? Because again, you're leveraging your data. You probably were before, but now it's even more valuable that you got synthesized that data. You train it, you infer from it. That's the new context and behavior. It's inference and training. What is the next move for you guys?

We are looking at where things are headed. There's a cyber side of it. There's a non-cyber side of it. I'll give you one example of each. In cyber, it's getting easier for bad guys to do bad things. If I wanted to know your attack surface for internet, which means all the branches, all of your IP addresses, firewalls, VPNs and all, it could take a few hours before or maybe a few days. Now you ask a question about giving all attack surface for this company. It shows up in minutes. So the job gets easier. So AI is going to help bad guys. But companies like Zscaler also have smart people who can figure out the defenses against it.
So we are building defenses ahead of them. The other part is the bad guys may have open source public data about attack surface. They do not really have any of the internal data that belongs to a company. We combine external data with the inside internal communication data to come out with better defenses. I think that's our key. That's why a forward-looking progressive customer, they jump on us. That's why over some 45% of Fortune 500 companies, they trust Zscaler.

Put the magnet to one more question for the CISO. To get ahead of the defenders, of the offense, you got to be better than them. You got to think like them and think smarter than them. How do you do that? How does a company do that? That's the CISO opportunity for you to be better at defense. How do you beat the bad guys?

So being a CISO at a cybersecurity vendor, I have a lot of advantages with this. Number one, Jay kind of called out. It's the visibility that our platform provides. We have visibility across the full kill chain. So we're able to see phishing attacks. We're able to see exploitation. We're able to see malware payload and post-infection activity. We're able to spot where these threat actors are changing and evolving their TTPs, tools, tactics, and procedures, including leveraging machine learning models in many of the cases. Leveraging that visibility combined with the telemetry that we're collecting. And then I have global team of security experts across seven different countries. So it's a round-the-clock model. We're leveraging this intel to then learn, train our models, and then deliver high efficacy security control.

I wonder if I could ask you, I felt as though prior to the whole ChatGPT announcement that technology vendors like yourselves had an advantage because you had access to that technology. Ultimately, do you think that attackers or defenders will benefit the most from AI?

No, tell you why. Because we got smart people figuring things out.
Now hackers are smart and passionate too. I think that big challenge is inertia in large companies. I'll tell you an interesting dialogue I had with the board of directors of a very large bank out of Asia. And one board member said, Jay, you are sitting in the US leading this number one company, but some of the largest American Fortune 100 companies are getting breached. They got technology, they got money, they got all the know-how. Why are they getting breached? If they are, what hope do I have? That was the question. I had to think about it for 30 seconds. Then I said, all that is true. The biggest thing that's holding large corporations back is inertia. Think of inertia is a very powerful thing. People are comfortable keep on doing what they're doing. The biggest thing we face is lots of people saying, I have done my firewall and network for 30 years. Sometimes job security comes in, sometimes lack of comfort comes in. And I think part of the thing is to really educate our customers to make sure they start embracing, they start taking benefit of it. Otherwise, the best technology doesn't get properly used. That's the biggest risk.

The pandemic was somewhat of an awakening there. I mean, we have a data partner called ETR and we look at a couple of dimensions. Momentum, spending momentum on a platform and the penetration in the market. And we would take companies that had high spending momentum and high penetration in the market that showed up in the data and we give them four stars. When we first started to do this, and it's still Zscaler, Okta, CrowdStrike, Palo Alto and Microsoft were always consistently the four stars. So I have a competitive question for you. Last week, I was in the studio all week doing preparing for SuperCloud, doing some pre-records. I came out and my guys, it was like quarter of four East Coast time, markets just about to close. And they yelled to me, security's getting hammered, Microsoft made some announcements.
And so I looked at what they announced and I kind of shrugged them. Microsoft, they've always been in security. And they're sort of ubiquitous. And so I called up a bunch of my friends on Wall Street and said, there's a buying opportunity. I mean, I'm not going to trade, but you should. Think about it. And of course, the market settled down. What do you think about that competitive threat? How did you get calls on that? How did you respond to the market?

Yeah, we did get calls from many investors. Investors get nervous sometimes. But part of the logic they said was, well, Microsoft went after endpoint, has gone after identity. They can go here as well. I think the big difference is the following. Microsoft leverage Windows for Windows Defender. They'll leverage AD for directory. To do network security, to do zero trust, you must stay in the traffic path for all traffic in line. It's more of a network analysis play rather than identity play. Sitting in line around the globe, inspecting traffic, at speed, detecting threats and all without introducing latency is a very different core competency than being an application company and the like. So I think it's a very different play. And I think for anybody to really do this requires a little different kind of skill set and mindset.

So that brings us to sort of multi-cloud, cross-cloud, super-cloud. What's your vision for what we call super-cloud?

So the world will be in this super-cloud model where there are multiple cloud providers, there are edge clouds out there, there's a data center, and there'll be plants and factories where lots of work will be done. So in these things need to be, need to access information from each other. In the old world, you would have said, I'm going to have a network that connects everything like a U.S. highway system. Once I get on I-18 San Francisco, I could reach New York, Miami, or Dallas without hitting a single light. So can bad guys.
So I think this communication among the super-cloud entities needs to be through zero trust exchange. Where this exchange says based on a policy, this party can access this application, that party may be a user, it may be a workload, or it may be an IoT device. I think zero trust is ideal. And AI will play a more role because zero trust architecture is collecting data. The data needs to be processed and applied to the policies in a more dynamic fashion. Where we are seeing some strange behavior and saying, huh, this party is connecting this party, but there are some unusual things going on. Stop it. Those are the kind of things we are doing, which is very natural to Zscaler.

Is that data open? Or is that going to be proprietary data? How do you look at the data sharing?

So what a good question. Companies that offer free services, their data is for sale, often ads and all that stuff. Whether Zscaler or ServiceNow or Salesforce, we charge for our services. The data is only meant for our customer, you don't sell it. Now for security, our customers want us to anonymize it and use it to detect all these bad things because all of them benefit from it. But the data is private. There's no ChatGPT access to the kind of data we are talking.

Data is the value. My final question, I know time's tight, but I want to ask, it comes up a lot in my conversations. A lot of companies that we talk to want to partner with you. How is your posture with partnering with people up and down the stack? You got a good position. You're doing extremely well on the business side. Love that traffic flow. The answer to the footprints, people are moving around, getting that flow. You can see the packets as the root of trust.

Absolutely. So we believe that the world of 100 security products, CISOs hated it. They called them appliance overload fatigue with security boxes. But on the other extreme, there's no such thing as God's security cloud that does everything.
We think the market will settle around the best of breed platforms, but each platform does its best. So we have focused on being the best switchboard, the best exchange, and we partner with vendors such as vendors in the identity space. Okta has been a partner for a long, long time with identity, with endpoint vendors, with networking vendors and the like. So we have 100 partners. We have certified their work with Zscaler's platform.

Are there new kinds of partners that may emerge in this preferred future as they escape to the next buck where it's going to be in the future? Do you see a new kind of partner emerging?

Yeah. So one new kind of partners that emerge, and I already see dialogue going on, is building application on top of the 300 billion transactional logs we're doing. So different applications can be written. We will write some, partners will write some together. They're going to help our customers.

Are you suggesting, Jay, that the narrative of consolidation is maybe a little bit overplayed, really best of breed is ultimately going to win?

No, best of breed platforms. So probably a handful of platforms that do the best job. But trying to have one vendor be the best in each area won't help. So for example, take endpoint security. There's a different kind of expertise needed. That's where CrowdStrike will do very well. We are the best one to be in line. So that's why we work together. But a firewall company trying to say, oh, I bought this endpoint company, so I do it all. Have you seen that kind of thing happen? Every firewall company has an endpoint offering. Never seen them out there. So I would rather be in a few areas and be the best or partner with others.

So you can't be all things to all people and best of breed in each of those different sectors. Within a pretty broad sector, you can be, but you can't, and from a CISO's perspective, that's how you want to buy.
It is extremely important to have that these segments defined where there is consolidation happening. And I'll talk from threat perspective, especially in case of ransomware attacks, where these things move so quickly, they're able to encrypt, say, 100,000 files in an organization within five minutes. So if you have best of breed point products and you're relying on a third product to correlate and generate a signal or rely on your team to generate a signal, it's game over. That's where having that platform in place that's able to feed the signal and take action at the time the attack is happening becomes very, very important.

You know what I find interesting, but also challenging at the same time in the industry, love to get your perspective is, security is like a pro sport. The speed of the game is fast. So entrepreneurship is harder. You can't just start a company and get in the game and be defending at scale. And certainly as the data starts coming in there's a value there at scale and speed. It's a speed game. The pace to defend is so fast. It's like pro ball.

Absolutely.

What's your reaction? What's the opportunity and challenges?

That's where I think I see Zscaler best positioned. We have built a platform. We're still acting like a startup in many, many ways. And we do pick up some of the startups who bring some new ideas and integrate them in our platform the right way.

That's the way I think about it and I want to just follow up before we end is that the startups all want to know one thing. Love Zscaler. Where's the white space? Where can I win? Because I want to play pro ball but I don't want to do all the heavy lifting to get to the acceleration.

So if you look at some of the example I've given you, recently we bought a company in the SaaS supply chain space. While we have been really offering solutions that tell you if this SaaS company like Salesforce, ServiceNow, configuration, misconfiguration and like.
And then Salesforce connects to 40 other SaaS companies out there and probably 30 of them are small startups. Are they properly, do they take a risk and whatnot? So we bought a company that extends a SaaS risk beyond to the other party that connect. So it's adjacent space. The hardest thing to figure out is the new threats that are coming and new angles. We love to partner with companies who are in that space.

So you would say that you enable startups?

We love to, yes. And we are investing in startups too.

And you mentioned some M&A. What's the climate out there like now? I mean, there must be some good opportunities. Bargains everywhere for you guys.

Lots of them. The number of calls, inbound calls have kind of quadrupled or maybe higher than that. The key is finding out what's real, what's not. In fact lately there's so many calls coming out that I am the AI company, okay? I got an LLM bias, don't be the data.

Guys, it's such a pleasure having you in our Palo Alto studios. Thanks for your time and your insights. Really appreciate it.

Gentlemen, thank you for the opportunity and hope to see you again.

I hope so. Thank you guys. Okay, keep it right there. Dave Vellante and John Furrier will be back. John had Kit Colbert in the studio last week, one of the original super cloud advocates. Stay tuned. Watching theCUBE.