Zscaler's Ripple Effect Report Reveals The Cyber Resilience Gap
Tech Talks Daily, June 03, 2026. Duration: 23:49.

Are organizations investing enough in cybersecurity, or are they simply spending more money while falling further behind?

In this episode of Tech Talks Daily, I speak with Martyn Ditchburn, CTO in Residence for EMEA at Zscaler, about the findings from the company's latest Ripple Effect Report and what it reveals about the growing gap between cybersecurity investment and true organizational resilience.

Drawing on insights from more than 1,700 IT leaders across 14 countries, Martyn explains why many organizations are still struggling to adapt to a threat landscape that is evolving faster than their security strategies. While cyber resilience budgets continue to rise, many leaders admit their approach remains too inward-looking, leaving critical vulnerabilities across supply chains, cloud environments, third-party ecosystems, and emerging AI deployments.

We explore why shadow AI is rapidly becoming the new shadow IT challenge, with employees adopting AI-powered tools faster than governance frameworks can keep pace. Martyn discusses how AI is quietly being embedded into countless business applications, creating visibility and security challenges that many organizations have yet to recognize fully.

The conversation also examines the growing importance of supply chain resilience. As businesses become increasingly dependent on external providers, cloud platforms, and interconnected digital services, traditional security perimeters continue to disappear. Martyn shares why third-party risk remains one of the biggest blind spots in modern cybersecurity programs and how organizations can better understand their expanding attack surface.

Agentic AI is another major focus of our discussion. As AI systems move beyond assisting users and begin taking autonomous actions, security teams face entirely new challenges around identity, governance, accountability, and risk management. Martyn explains why many organizations are racing ahead with adoption while still lacking the guardrails needed to manage these emerging technologies safely.

We also discuss lessons from previous technology shifts, including cloud computing and shadow IT, and why history keeps repeating itself when innovation outpaces security planning. Martyn offers practical advice on limiting risk, reducing blast radius through segmentation, and treating AI agents as digital identities that require the same controls and oversight as human users.

As organizations pursue AI-driven growth and competitive advantage, are they building resilience into their foundations or creating new risks they cannot yet see? And in a world where AI is becoming embedded in everything, how can security leaders stay ahead of threats that are evolving faster than ever before?


[00:00:00] - [Speaker 0]
A big thank you to Denodo for helping me make more than 60 monthly interviews possible across the Tech Talks network. And as businesses move from GenAI to Agentic AI, trusted data becomes everything. Denodo is helping organizations build intelligent, secure, and scalable AI solutions with data access, governance, and explainable results. So build AI that you can trust and do it with Denodo. And you can learn more by simply visiting denodo.com.

[00:00:37] - [Speaker 0]
What happens when your cyber resilience plan protects your own organization but ignores the partners, platforms, and suppliers that you all rely on every day? Well, today, I'm joined by the CTO in Residence at Zscaler, and we're gonna discuss the findings of Zscaler's Ripple Effect Report and understand why resilience can no longer stop at the edge of a business. Because their report found that 61% of global organizations, yep, they have a cyber resilience strategy, but it's too inward looking. So in practical terms, that means many businesses are preparing for disruption inside their own four walls while overlooking the external dependencies that keep operations running. And this matters because modern organizations are deeply connected.

[00:01:26] - [Speaker 0]
Cloud platforms, SaaS tools, logistics partners, payment providers, managed service providers, and supply chains, all of these things form part of the real operating environment. And if just one of those layers fails, the impact can spread quickly. So today, my guest will explain why cyber resilience needs to be viewed across the full organizational estate, explain how leaders can identify some of those hidden dependency risks, and what it takes to build a strategy that reflects how businesses actually operate today. So many big talking points in here and big takeaways, but enough scene setting from me. Let me introduce you to my guest right now.

[00:02:08] - [Speaker 0]
So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do?

[00:02:15] - [Speaker 1]
Thanks, Neil. It's nice to be here today. So I sit as CTO in Residence for Zscaler. I've been in IT for about twenty five years, five of those specifically in cyber. And I work for, or rather with, CTOs, CSOs, CIOs, all around transformation strategies, the realities and impacts of what those things mean, what comes next, and what are the things that they should care about.

[00:02:35] - [Speaker 0]
Well, it's a pleasure to have you join me today. One of the reasons I was excited to get you on here was to take a closer look at Zscaler's Ripple Effect Report. Just to set the scene, tell me a bit more about what it is, who was surveyed, etcetera.

[00:02:48] - [Speaker 1]
Yep. So we interviewed about 1,700 IT leaders across 14 global markets. The intention behind the report was based on a 2025 report that really looked at the internal resilience of businesses, infrastructure, and staff. And the Ripple Effect was an extended view of that, to look at what external resilience kind of looked like. And, certainly, the world has changed a lot in eighteen to twenty four months.

[00:03:13] - [Speaker 1]
So, really, this is a bit of a pulse check on what people are caring about and where they really are in their cyber strategies.

[00:03:19] - [Speaker 0]
And before we take a closer look at that report, I'm curious. Why did you commission the report? Why did you think that now was the right time to review organizations' external resilience? Was something going on there that prompted you as well?

[00:03:32] - [Speaker 1]
The world's changed a lot. Yeah. You know, there have been several high profile breaches, particularly in retail and automotive, supply chain being on top of people's minds because of that. But there are lots of threats coming at us faster than ever before, you know, frontier AI models like Mythos or Daybreak, quantum, and of course, not to mention the rapid supply chain challenges coming from geopolitical tensions. So really, we wanted to get a view on how organizations were dealing with that.

[00:03:58] - [Speaker 1]
What were the things top of mind, and where were they particularly worried, you know, how do they think they would fare?

[00:04:04] - [Speaker 0]
Yeah. And there are so many big stats in there. One of them that particularly stands out is that nine in 10 organizations increased cyber resilience investment in the past year. Great times. Good news.

[00:04:16] - [Speaker 0]
But, I mean, 61% still admit, though, that their strategies are too inward looking. So why hasn't increased spend translated into stronger real world resilience? That's the first question I've got to ask, obviously.

[00:04:28] - [Speaker 1]
Yeah. I think a lot of it's to do with the rate of change. You know, it's really outpacing the ability for organizations to adapt. As a result, they're sort of playing catch up. Large forms of legacy, lots of technical debt are making those things very complicated, and many of them have made very tactical investments over the years.

[00:04:44] - [Speaker 1]
And these things act as a bandage, which is great at a point in time, but they're not really good at dealing with future looking sort of statements. So over half have experienced this third party supplier kind of failure scenario. And this is really providing a bit of a distraction. So it's taking time and energy to sort of get ahead. And this kind of tactical look is where they end up.

[00:05:06] - [Speaker 1]
And it's not really where any of them want to be, but, you know, certainly, it's where a lot of the money is being spent.

[00:05:12] - [Speaker 0]
And you said at the very beginning of our conversation that so much has changed, and you're bang on the money there. Because twenty years ago, IT teams had set out to try and control BYOD, or bring your own device. Another decade later, it was all about protecting the organization from shadow IT. Fast forward to present day, seven in 10 organizations now say they have limited visibility into employees' use of shadow AI, and only half believe sensitive data is already being exposed. Why is visibility proving so hard to achieve even for security mature enterprises?

[00:05:49] - [Speaker 0]
What's going on here?

[00:05:50] - [Speaker 1]
I think, first of all, it's new, and it's probably happening faster as part of a trend than anything we've ever seen before. And a lot of boards are sort of using this technology as a way of gaining competitive advantage. And as a result, some of the organizations doing it don't necessarily have the right guardrails in place. So this is a perfect storm of trying to run fast, but not necessarily having the experience or tools in place. A lot of these organizations are looking at what AI can do for you, and they're not looking enough at what it can do to you.

[00:06:20] - [Speaker 1]
And, certainly, they're not really realizing that AI is kind of being baked in, you know, behind the scenes in a lot of other products. There's a lot of focus on the mainstream sort of products that you'd be aware of, whether it's Copilot or ChatGPT. But behind the scenes, other software vendors are taking this view of baking in AI and that self serve mentality. And as a result, those four walls that used to protect the org, you know, are not really keeping up or responding as fast. And as you say, about half the respondents didn't even have a data categorization policy, so the AI risk is greater there than we've ever seen before.

[00:06:59] - [Speaker 0]
And the research also found, I think it was 68% of organizations now rely more heavily on third parties than ever before, but fewer than half have adequate third party risk controls in place. Again, big stat there. So why is supply chain risk still such a blind spot for those resilience strategies?

[00:07:17] - [Speaker 1]
I think there are some really tough economic conditions out there. You know, far more, as you say, have a reliance on third parties, and geopolitical tensions are really making organizations have to shift quite quickly. So perhaps spinning up new vendors and new locations to deal with those sort of economic tensions as they arise, to keep their business operating. But since the rise of cloud applications, they sit outside the organization, data is kind of flowing across organizations. So whereas before, we used to have those things within our kind of scope, now they're floating outside.

[00:07:49] - [Speaker 1]
You know, and certainly that's creating some difficulties because that architecture for many, many years has been very inward looking. I think that, yeah, the macroeconomic environment is driving this really high volatility in the supply chain.

[00:08:02] - [Speaker 0]
And although there is a lot of hype around all things AI at the moment, it's easy to get distracted. But, of course, this isn't our first transformation rodeo. We've seen so many of them in the last few decades, from the shift to mobile and cloud, etcetera. And I was reading that you argue that every major tech shift follows a pattern where security typically lags behind innovation. So I'm curious, looking back, are there any lessons from that cloud era that businesses might have forgotten about or are failing to apply to AI today?

[00:08:33] - [Speaker 1]
Mhmm. I think it's very topical. I think there's the saying, you know, when the herd moves, it moves. Shadow IT is very much born out of that, people sort of burying their heads in the sand. And I hear quite often from people that their common approach to this is just to block it.

[00:08:47] - [Speaker 1]
Now, unfortunately, that wasn't very effective in the cloud era. Competitive advantage was found by those who embraced it pretty quickly. And, unfortunately, those who blocked it tended to sort of miss out. And as a result, we're lagging behind everyone else. Many of the private clouds simply don't scale.

[00:09:02] - [Speaker 1]
You know, some people are still tending to build on premise, and that just isn't possible with AI. There is no way of using these frontier models without sort of embracing cloud. And certainly some of the lessons that we've learned along the way are: you've got to be inquisitive. You've got to get involved. You've got to upskill.

[00:09:16] - [Speaker 1]
Every organization is gonna be chasing this competitive advantage and new kinds of revenue streams. Businesses really shouldn't wait for threats to mature before adapting their security practices. And in the cloud era, with upstarts and individuals using cloud, it was more accessible to the layman. That pattern is repeating. AI models are available to almost everybody to some degree, and that's really sort of permeating this idea that businesses started to fail in their AI security strategies.

[00:09:47] - [Speaker 0]
Generative AI has undoubtedly captured the most public attention so far, changing how we all find information, and we're now talking about getting what we need rather than just typing in a search box and getting a load of sponsored results. But in your view, in the enterprise, what security risks are organizations maybe overfocusing on, and is there anything that they're missing as a result of that focus?

[00:10:12] - [Speaker 1]
Many organizations that I speak to are really focusing on a very small number of chatbots and very specific generative AI platforms. And those results, you know, they're really only touching the tip of the iceberg there. In doing so, they're kind of neglecting this proliferation of AI that's being baked in behind the scenes into many of the products that they're using on a day to day basis. Many are still struggling with GenAI products, Gemini and Copilot, but they're kind of really ignoring this agentic threat that's coming at them. Like I say, these guardrails don't exist yet for many organizations.

[00:10:46] - [Speaker 1]
And I guess from another angle, they've got to be aware of what their attack surface looks like. As I said, AI is happening within their own orgs, but it's also happening to them. This idea of what happens when a threat actor is successful is really starting to galvanize this fear within the org about what they do. And that blast radius type thinking is certainly something top of mind, about what you can do and how to limit that impact if those threats do translate into real world problems.

[00:11:15] - [Speaker 0]
And I was also reading you described agentic AI, which is something everyone's talking about this year, as a fundamental shift because, ultimately, systems don't just assist. They act. And I've got to admit, as an overcautious ex IT guy, the very thought of giving an AI agent permission to go out there and do stuff without me being able to step in makes me a little nervous, especially when we're talking hundreds and thousands of them. But what makes this such a turning point for security teams, do you think?

[00:11:43] - [Speaker 1]
Yeah. I think the report showed that almost three quarters of respondents were deploying AI or at least testing AI in their organizations, but only 50% of those actually have done it with the necessary guardrails in place or certainly have that comfort level. And this kind of turning point in the adoption is outpacing the governance and resilience kind of planning. Teams are very much in the reactive space. So this kind of creates these risks where teams don't have the visibility they might want, the control, or perhaps even the policies and procedures.

[00:12:12] - [Speaker 1]
And agentic AI has this capability of really accelerating because it can act with autonomy, as you mentioned. So really this idea of not just querying and managing data in and out, they're now having to worry about how these things are acting and operating within their environments. Natural language is the natural way that people are interacting with these things. So the barrier to entry is really, really low.

[00:12:35] - [Speaker 1]
You know, back in days gone by, you had to have expertise or pre-prepared scripts, and that just isn't the case anymore.

[00:12:42] - [Speaker 0]
Yeah. And I think in the report, it also said that more than half of IT leaders admit that their current security strategy can't defend against some of these advanced threats, while agentic AI is, of course, already being deployed by a third of organizations without governance. When you look at a gap like that, what do you think it tells us about how companies are approaching emerging technology risk? Are they throwing caution to the wind and just wanting to be part of the AI narrative, or is it something else?

[00:13:11] - [Speaker 1]
I think they're trading the competitive advantage angle, the revenue angle, for perhaps a degree of accepted risk. But these risks are evolving all the time, and they're coming at us faster than ever before. So that kind of AI assurance is kind of this, you know, there's this watermelon effect, which is they think that things are green on the outside because that's what their sort of knobs and switches and dials are telling them. But behind the scenes, there's lots of this shadow AI taking place, and AI is really a scale multiplier. The idea of reconnaissance, invasion, and phishing, exploiting, are very real, but unfortunately, very much hidden from the organizations.

[00:13:47] - [Speaker 1]
And like I said, these really frontier models around, you know, OpenAI's and sort of Daybreak, they have this advantage for defenders at least. So we can at least put ourselves in a good place that there are things, you know, ethical companies are helping us with. But two thirds of the IT respondents said that their architecture can't keep up with the speed of the business. And it's really that that's kind of having that negative effect on how they can respond and the speed that they can do it.

[00:14:12] - [Speaker 0]
Yeah. 100%. And the rise of agentic AI has been compared to earlier Internet inflection points, like that move from just static websites to dynamic applications. But the older I get, it feels like everything happens in cycles. There's so much we can learn from our tech past.

[00:14:29] - [Speaker 0]
So what do these historical parallels tell us about what's coming next, do you think, if I were to ask you to gaze into a virtual crystal ball based on some of those things that have happened in the past?

[00:14:40] - [Speaker 1]
Yeah. I think it's this idea that self serve and dynamic content, this idea of being more productive, is this sort of driving force. But AI is much more prolific and more stealthy than we've ever seen before. And it's really this kind of hop, skip, and a jump sort of idea that as these things become more autonomous, many more chatbots, many more agents. And certainly, as this evolves, we're very much gonna end up in this world of agentic to agentic across the supply chain. That's really on top of my mind when I think about how these things evolve.

[00:15:10] - [Speaker 1]
And, of course, the way people interact with these things is changing all the time. So we're very much used to the keyboard approach, but voice is on the rise. And that means that the barrier to entry for these things is much lower and even getting lower. So it's that sort of perfect storm, certainly, that evolution that we see is sort of galvanizing attention into productivity, but also those security concerns that go with it.

[00:15:32] - [Speaker 0]
And I always try and give everybody listening some valuable takeaways or something to take away and think about. So for the security teams listening, what should they be doing to better protect against internal agents and some of the problems that could arise from what we're talking about today?

[00:15:47] - [Speaker 1]
For many, this idea of AI can be quite a scary thing. We talk about, you know, AI being quite revolutionary, but, thankfully, in the security space, there's quite an evolutionary idea. So in my view, treat agents like users. Give them this idea of an identity.

[00:16:01] - [Speaker 1]
Be very cautious in what you give access to. Segmentation is a really, really powerful tool in stopping that blast radius. AI agents typically have very specific jobs, and they're limited to very specific tasks. So look out for those behavior norms, look for those anomalies. And those tools largely exist today.

[00:16:18] - [Speaker 1]
What you really need to do is just make sure you're pivoting into something that is able to cope with that scale. These AI capabilities are driving more data and more signals. So, really, you need to make sure that you can cut across those sort of things. But, certainly, treating these things like users is a very common sense approach in my view.

[00:16:35] - [Speaker 0]
Yeah. 100%. And segmentation is also something I wanted to bring up because it comes up several times as a critical control for limiting blast radius in the report. So why does segmentation matter more now than in maybe previous security architectures?

[00:16:52] - [Speaker 1]
Yeah. The unfortunate reality is it isn't a matter of if organizations get breached. It's a matter of when, because of the capabilities and waves coming at us. And, certainly, there's this tsunami of patching coming towards organizations as organizations start to use programs like Glasswing and models like Daybreak to find their vulnerabilities. And, really, organizations just aren't gonna be able to keep up.

[00:17:14] - [Speaker 1]
If you look at typical change control windows, getting downtime, the organization doesn't move fast enough. So really segmentation is the most effective way that organizations can limit the exposure of issues when they do translate. And it very much might save the day if those things do come to pass. But if not Mythos, there will be others. Zero day exploits, they're exploding in number and, certainly, effectiveness.

[00:17:39] - [Speaker 1]
And that number of patches I mentioned is certainly something that many organizations are gonna struggle with. And some don't even have the capabilities to measure their patching today. So it's quite a complex sphere to navigate. But like I say, if I had to pick one thing, segmentation would be it.

[00:17:57] - [Speaker 0]
Love it. And for everybody listening, if you were to give them one core action from this conversation that would improve things there, what should that organization do today to move from that reactive security that we've talked about towards a more true resilience by design?

[00:18:14] - [Speaker 1]
I think there are really a couple of things. So the first one is moving towards this platform approach. Like I said, the cloud era kind of gave this idea that people were still continuing to do things within their four walls. It simply doesn't scale. So you're gonna really have to look outward for tools and hyperscalers that can deal with the volumes of data that we're looking at.

[00:18:35] - [Speaker 1]
Use that data to build that board level visibility. Many boards that we speak to just don't have AI on top of their agenda as part of a threat. They actually have it as part of a revenue generating opportunity, and that's great. But you have to measure those messages and make sure the investment is being placed in the right place. And certainly, in my view, organizations need to move from that reactive detect and respond to more of a proactive identify and mitigate.

[00:19:01] - [Speaker 1]
And this really has got to extend past the current perimeter. You've really got to look at the enterprise suppliers, partners, platforms, all those regulatory environments. And prioritizing that end to end visibility is certainly key to managing that AI and third party risk profile.

[00:19:18] - [Speaker 0]
Yeah. Completely agree. So much to look at in that report. But before I let you go, it's now time to have a little bit of fun with you. Now we have an Amazon wish list here where I ask my guests to leave a book that they'd recommend.

[00:19:32] - [Speaker 0]
Anyone wanting to carry on reading about this stuff? Anything that's caught your attention, a holiday read, or something that you would just recommend people pick up and take a look at? What would that be?

[00:19:41] - [Speaker 1]
Yeah. I think there are certainly two. So I'm reading Sapiens by Yuval Noah Harari. Really great read. I think I'm a bit behind the curve on that one, but I'm a bit of a fantasist.

[00:19:51] - [Speaker 1]
So Fourth Wing by Rebecca Yarros is something I would definitely recommend. Nice attachment around dragons and, you know, behind the scenes code wars. Quite an interesting read.

[00:20:01] - [Speaker 0]
Awesome. Well, I will get both of those added to our Amazon wish list. And as a thank you for spending a little bit of time with me, some of the biggest names in business, VC funding, tech, even the occasional celebrity have been on here, maybe even listen to it. So through that six degrees of separation, is there a person you'd love to have a private breakfast or lunch with? Who would it be and why?

[00:20:23] - [Speaker 0]
Hopefully, he or she might just get to hear this, but who would it be?

[00:20:27] - [Speaker 1]
I'm probably quite old fashioned, but Leonardo da Vinci is certainly up there for me. It's not on the wall right now, but I have a nice image of some of his sketches. He's always fascinated me, certainly ahead of his time. So anybody who's forward thinking like Leonardo da Vinci is certainly on top of my wish list.

[00:20:42] - [Speaker 0]
I'm good, but not that good. But it is a great choice nonetheless. And for people listening that would like to check out the report we've mentioned, connect with you, carry the conversation on, or just find out more information about Zscaler and some of the information that will keep coming out this year, where would you like me to point everyone?

[00:20:59] - [Speaker 1]
So zscaler.com is our primary interface to the world, but by all means, reach out to me on LinkedIn. Always happy to have a conversation.

[00:21:07] - [Speaker 0]
Awesome. Well, I will add a link to both of those. I'll also include a link to the report just to make it nice and easy for people to find as well. So many big insights there. I'll encourage people to check those out at techtalksnetwork.com.

[00:21:19] - [Speaker 0]
I'll have a blog post associated with this episode with useful links. Check that out, and let me know what you thought, and we'll carry this conversation on. But more than anything, just thank you to you for sharing it and starting it today. Thanks so much.

[00:21:31] - [Speaker 1]
Thank you, Neil.

[00:21:33] - [Speaker 0]
So a big thank you to my guest today. I think one of the many things that stood out is that danger of thinking about resilience too narrowly. A business can invest heavily in its own defenses, but ultimately still be exposed if a partner, platform, or supplier becomes the point of failure. So cyber resilience has to include the full ecosystem that the organization depends on, whether it be internal systems or external services and supply chain. So I guess the bigger question here is whether businesses are willing to map those dependencies, dare to stress test them properly, and accept that operational resilience is now a shared responsibility.

[00:22:13] - [Speaker 0]
So you can find out more about Zscaler and the Ripple Effect Report in the show notes. I'll include links to everything there. But as always, I'd love to hear your thoughts. Is your organization looking far enough beyond its own four walls when planning for cyber resilience? Techtalksnetwork.com.

[00:22:30] - [Speaker 0]
You will find everything that you need there. Send me a message. I'd love to hear from you. If you are listening and you're responsible for security or IT, you will know the reality that most of your risk now sits inside SaaS apps and browser activity. That gap is exactly what NordLayer is addressing with its new business browser.

[00:22:50] - [Speaker 0]
So instead of bolting security on from the outside, it builds it directly into the browser itself. This means you can control access, monitor activity, enforce policies, and reduce shadow IT all from one single place. And most importantly, it does it without adding deployment headaches or complex onboarding. You get things like browser based data loss prevention, SaaS access control, and zero trust browsing, but delivered in a way that your team can actually use. So if you've been trying to simplify your stack while improving visibility, please check it out at nordlayer.com/browser.

[00:23:33] - [Speaker 0]
But I have taken up far too much of your time, so I'm gonna get out of here now, and I'll speak to you all again real soon. Bye for now.