KEY TAKEAWAYS - The Zscaler Virtual CXO Summit, Spring 2021 Episode #1 - The new CXO agenda: measure the threat, fortify cybersecurity, reduce risk
Kavitha Mariappan
Executive VP @ Zscaler | IT Transformation | Cybersecurity Risk & Strategy | CXO Community Builder | Customer Experience | GTM Strategy & Operations | CMO | DEI Leader
About the Zscaler CXO Summit
The new cyber-threat era is complex, accelerated, and unrelenting. It demands leaders who can prioritize agility over complexity, security over complacency, and innovation over stagnation. Achieving those enterprise objectives requires perseverance, collaboration, and secure digital transformation. The Zscaler Virtual CXO Summit brings together industry-leading CIOs, CTOs, CDOs, and CISOs to share insights, expertise, and experience. The Spring 2021 Series focuses on the theme “IT Leadership in a New Cyber-threat Era: The Business, Technical, and Security Demands of Digital Transformation.”
Watch episode #1, “The new CXO agenda: measure the threat, fortify cybersecurity, reduce risk” - Americas/International
CIO Fireside Chat - “The new corporate governance mission: Secure the enterprise”
Zscaler CEO Jay Chaudhry and I spoke with CIOs and CEOs to get their perspective on how executive leadership cybersecurity responsibilities are evolving. These are some of the key takeaways.
Corporate boards are (finally) prioritizing cybersecurity.
In the International session, VINCI Energies CIO Dominique Tessaro observed that enabling remote access isn’t a temporary solution for COVID response. Instead, the hybrid workforce is here to stay. At VINCI Energies, Dominique led the successful pivot to work from anywhere, focusing his attention on end-user training and exec evangelism.
“The good news is that [with training],” explained Tessaro, “after just a couple of weeks, we were able to operate again as previously, and that was really the good part. The second good part I would say of this crisis is that suddenly the C-level executives, well, they just discovered that you are able to operate from any time, anywhere, any point, any home, every office, thanks to the investment [in cloud] we had been making the previous year.”
Sand Hill East Founder and CEO Andy Brown noted that boards today are beginning to acknowledge the cracks in their legacy armor, due in part to high-profile supply-chain attacks like the recent SolarWinds hack.
“Most boards now understand that there are many Achilles heels in legacy infrastructure,” said Brown, “and a way I describe it is to think about an iceberg and think about the part you can see, and the part you can't see. And the part you can't see is often, sometimes hundreds of security people running large parts of legacy infrastructure, and that legacy infrastructure served a purpose at the time when it was deployed, but now could probably be replaced by something more effective, so you can retarget those resources further up the stack.”
Graphic Packaging International SVP & CIO Vish Narendra oversees cybersecurity for the packaging conglomerate. In the past year, he has seen a change in his interaction with the organization’s board of directors.
“[Cyber threats are an] urgent board topic,” said Narendra. “Discussion is centered around, where do we think we stand relative to what has happened at some of these other places...there is this feeling of 'this is just a matter of time before we have some sort of impact, so if it does happen, how do we respond?' Focus in the past was primarily around 'Hey, what are you doing to keep me safe?' On top of that, our board is also asking 'I know you're doing everything in your power to keep us safe, but if something does happen, then how do we respond, how do we react?' And so I think for all companies, dust off your business continuity plan, understand your disaster recovery plan...all of those are critical topics and areas of interest for our board.”
Threats are accelerating, requiring CIOs to become more agile.
VINCI Energies’ Tessaro emphasized the need for enterprise agility to both recognize and respond to growing adversarial threats.
“[The SolarWinds-type supply-chain] attack is very, very dangerous, we all know that because it's zero-day,” said Tessaro. “You have to react extremely rapidly. That means as a CIO, that you have to manage all the assets which you have in the enterprise...The guys that are using, or exploiting these vulnerabilities, they want money! There are billions of Euros to make with these attacks. And well, more people are searching for vulnerabilities in many many products.”
Zero Trust is no longer just an ideal. It’s a real cost of doing business.
As threats have evolved, cybersecurity has struggled to keep up. In the past, the ideals of Zero Trust have seemed unattainable in practice. But as Narendra noted, the way of work has changed, and the way of security must change with it.
“We're in 'Gen 2' of cybersecurity. Gen 1 was a castle-and-moat approach, harden the perimeter, you know, guards at the watchtower, do all those things,” explained Narendra. “Well, COVID happened, and people were at home and doing work. All your standard controls get bypassed! So then, your dispersed architecture has forced a shift in security design. That's why you need Zero Trust. Essentially, I want to know who you are, what device you are using, what you have entitlement in terms of access to. Those are the three critical things. If I don't know those things, I'm not going to let you touch anything.”
Tessaro focused on the practical aspects of getting to a Zero Trust model: “We are living now in a world where by principle, I have to say, I don’t want to trust anyone, or any machine that’s trying to connect to my network to do whatever they want to do, even if I’m 200%, 300%, 400% sure that the person or the machine which is on the other side trying to connect is the right machine, the right person. And that this machine has not been infected, by something -- even if it is the right machine, the right person -- it will not get through my security.”
Enterprises must embrace cloud technologies to support hybrid workforces.
Brown observed how the shift to a new hybrid way of work is requiring enterprises to embrace cloud technologies.
“What's happening now is that the level of automation both around the way that computer-hosting or application-hosting is done has changed, but so has the automation of work for just regular workers,” explained Brown. “Platforms like ServiceNow, as an example, have been much more broadly adopted and have been used as a mechanism to make digital workers, and hybrid [workers], and home workers much more effective. I think there's been a productization if you like of processes that deliver work for people to do at home. Whereas before, that might have been done via email, or word-of-mouth, or at the water cooler, or whatever. There's been a formalization, if you like, of work processes.”
Want to reduce corporate risk? Get your cybersecurity to the cloud. Fast.
Graphic Packaging International’s Narendra addressed the reality of new threats and recommended that CXOs move quickly to shore up cyber defenses with a cloud solution like Zscaler. He also noted the positive effect on end-user connectivity performance after he retired the company’s VPN technology: “You put ZPA in, and you take out VPN? You actually get phone calls from people that say 'Wow, thank you!' When does that ever happen?”
Narendra suggests CXOs pursuing digital transformation seek out quick wins: “Start small! Set some boundaries around a proof-of-concept. Deploy ZIA, or deploy ZPA, depending on your environment or circumstance. Get some quick wins! Use that to get some advocates and ambassadors that you can then use to amplify the message within the environment. And you're going to go very quickly, very fast.”
Sand Hill East CEO Brown concurs with that approach and preaches the importance of translating security value into shared benefits, including cost, simplicity, and velocity.
“There is a massive cost takeout opportunity if you do this the right way,” said Brown. “Having a good view of that makes it much easier to communicate in the language of the business, to the business, what the benefits are going to be from a cost perspective. Your ability to be agile and drive change faster is very important. And a lot of people underestimate how important the simplicity of Zscaler's architecture is to the future of being able to drive change.”