Zscaler on Building Cyber Resilience from the Ground Up
The Business of Cybersecurity, June 07, 2025

When I spoke with Mark Lluic, CISO in Residence at Zscaler, on the Business of Cybersecurity podcast, we didn't spend time rehashing the basics. We looked at how leadership thinking must evolve. If your security posture is still built for light rain, what happens when a hurricane hits?

Mark has spent years helping organizations rethink security from the ground up. Instead of chasing alerts or layering new tools onto outdated systems, he advocates for a proactive, systems-first approach, one that prioritizes architecture and continuity over quick fixes.

Zero Trust Isn't Just for Remote Work

Zero Trust started as a security fix for remote access, but that's just one piece of the puzzle. Mark made a sharp observation: many companies still trust users more when they're sitting in the office. That's a dangerous assumption.

Modern Zero Trust means treating all traffic with the same level of scrutiny, regardless of its origin. Every access request should be evaluated based on its context: who is making the request, what device they're using, what they're trying to do, and whether that behavior fits a known pattern.
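To make the contextual evaluation concrete, here is an added illustration (my own code, not Zscaler's or anything from the episode) of a deny-by-default access decision that scores every request on the same four questions the paragraph lists. The policy table, user baseline and request values are constructed for the example; the `origin` field is recorded for audit only and is deliberately never consulted, so an office request and a remote request with the same context get the same verdict.

```python
"""Context-aware, deny-by-default access decisions (added example, constructed data)."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    resource: str
    action: str
    origin: str  # "office" or "remote": kept for the audit log, never consulted by evaluate()


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_roles: FrozenSet[str]
    allowed_actions: FrozenSet[str]
    require_mfa: bool
    require_managed_device: bool


# Hypothetical policy table. A resource absent from it is denied outright.
POLICIES: Dict[str, ResourcePolicy] = {
    "payroll-db": ResourcePolicy(frozenset({"finance"}), frozenset({"read"}), True, True),
    "wiki": ResourcePolicy(frozenset({"staff", "finance"}), frozenset({"read", "write"}), False, False),
}

# Hypothetical behaviour baseline: (resource, action) pairs each user has legitimately done before.
BASELINE: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "alice": frozenset({("payroll-db", "read"), ("wiki", "read")}),
    "bob": frozenset({("wiki", "read"), ("wiki", "write")}),
}


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any failed check denies; nothing is implicitly trusted."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["unknown resource: denied by default"]
    reasons: List[str] = []
    # Who is asking?
    if not req.roles & policy.allowed_roles:
        reasons.append("identity: no role grants this resource")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("identity: MFA required but not verified")
    # What are they trying to do?
    if req.action not in policy.allowed_actions:
        reasons.append(f"action: '{req.action}' is not permitted on {req.resource}")
    # What device are they on?
    if policy.require_managed_device and not req.device_managed:
        reasons.append("device: unmanaged device")
    if not req.device_patched:
        reasons.append("device: posture check failed (unpatched)")
    # Does this fit a known pattern for this user?
    if (req.resource, req.action) not in BASELINE.get(req.user, frozenset()):
        reasons.append("behaviour: request does not match this user's known pattern")
    return (not reasons), (reasons or ["all context checks passed"])


def same_decision_any_origin(req: AccessRequest) -> bool:
    """Regression check: the verdict must not change when only the origin changes."""
    verdicts = {evaluate(replace(req, origin=o))[0] for o in ("office", "remote")}
    return len(verdicts) == 1


if __name__ == "__main__":
    # Constructed sample requests: a normal finance read from the office and an
    # out-of-pattern read from an unpatched device working remotely.
    samples = [
        AccessRequest("alice", frozenset({"finance", "staff"}), True, True, True, "payroll-db", "read", "office"),
        AccessRequest("bob", frozenset({"staff"}), True, True, False, "payroll-db", "read", "remote"),
    ]
    for r in samples:
        allowed, why = evaluate(r)
        print(f"{r.user:6} {r.origin:7} {r.resource}/{r.action}: "
              f"{'ALLOW' if allowed else 'DENY'} ({'; '.join(why)})")
```

The reasons list is what a defender wants in the log: a denial tells you which of the four context checks failed, and `same_decision_any_origin` is the kind of assertion to keep in a policy test suite so that "inside the building" never quietly becomes a trust shortcut again.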

The Problem with the Patch-and-Pray Model

Security teams often react to new threats by throwing more tools into the mix. Over time, this patchwork creates more problems than it solves. Complexity grows, visibility shrinks, and attackers exploit the gaps.

Mark pointed to research showing that many teams are overwhelmed by the tools they already have in place. Others are held back by outdated systems or a lack of staff with the right skills. That creates a situation where attackers need to succeed once, while defenders must stop everything every time.

A Better Way Forward: Resilient by Design

So, what does a stronger strategy look like? Mark recommends starting with architecture. Build systems that expect disruption. Apply continuous risk assessment. Incorporate business continuity from the start rather than as an afterthought. And don't limit Zero Trust to a single use case. Make it your foundation.

For leaders looking to take action, Mark laid out some clear first steps:

Start by reviewing where trust is currently assumed. Challenge those defaults. Apply the same standards inside your network as you do for external traffic. Think about context every time you evaluate access.

Ensure that your legacy systems are also included in this effort. But remember, you don't need to replace everything overnight.

Resilience is about ensuring your organization remains standing, regardless of what challenges it faces. That means planning, testing your response, and building security into your infrastructure, not bolting it on later.

Listen to the full episode to hear why this shift is a leadership decision that defines how your organization faces tomorrow's threats.

[00:00:05] As AI continues to lower the barrier of entry for attackers, how will your business keep up with the pace of these evolving threats, especially if you're still stuck in a reactive mode? Well, it's time to get today's guest on. Who's going to help us all avoid nasty incidents like that? So enough from me. Let's get Mark onto the podcast now.

[00:00:26] So a big warm welcome back to the show. We last spoke almost 12 months ago, but for anyone that missed that conversation, can you just remind everyone listening who you are and what you do? Thank you so much, Neil. My name is Mark Lewick. I'm the CISO in Residence at Zscaler here in the UK. CISO in Residence is a fairly new title for us because we were trying to figure out what our title should be.

[00:00:48] I am customer facing at Zscaler, but I bring to Zscaler a 30-year career, 29, 28-year career in security where I was a practitioner. I was on the other side of the commercial equation. And what I do at Zscaler is I bring that customer experience. You know, how do you build out security? How do you leverage and utilize technology? Not how do you sell it? How do you configure it? How do you architect it? How do you deploy it?

[00:01:17] But really, how do you consume it within a business? And I also represent all of our internal security to those same customers. There's so much hype around resilience and cyber resilience at the moment. It's almost drifting with the buzzword status. But what does resilience mean to you? One of the ways I like to think about resilience or cyber resilience as opposed to the methods or the philosophy we've had before is that it's very much akin to what we look at, the ways we protect ourselves against weather.

[00:01:49] And the classic way that you protect yourself from a rainstorm is an umbrella, right? You go outside, you have an umbrella. Resilience is more about planning for a hurricane because it's not just about having an umbrella. It's much more than that. And when you're planning for a hurricane in Florida, you have to understand, do your building regulations support the building of buildings that will be resistant to those levels of wind? What level of winds do they happen to be resistant to?

[00:02:17] Do you have the right laws around what people should do? How do you do evacuations? Do you have good weather reporting? Are you able to understand when it's going to land? Do you have priority paths so you can ensure you know what to clear first so that ambulances and other emergency services can get through? When you look at it, it's much more than carrying an umbrella, which is fundamentally what we've done with our response up to now. And it's more about ensuring that you're able to weather that storm appropriately.

[00:02:45] One of the reasons I was excited to get you back on here with me is I was reading at the very beginning of the year that you were releasing or Zscaler was releasing. Resilient by design principle. Shifting from a detect and respond model to a more proactive identify and mitigate strategy. So I've got to ask, I mean, what drove that shift and how does it better address today's cyber threat landscape, which seems to be evolving before our eyes?

[00:03:13] Well, let's let's I mean, I want to debunk it a little bit. Yes, we have released this new resilient by design resilience. It's but there is a there's a bit of sophistry and language change here rather than fundamental change. Yeah.

[00:03:28] What we have seen as an industry and those of us in the in the security intelligentsia, as it were, you know, the people who were in the know, we've been talking about the fact that that having protective controls, having the, you know, preventing things from happening in the first place. Was only so successful and that we needed to. And you've probably heard other CISOs and other security professionals say this.

[00:03:54] You know, it's not a matter of if it's a matter of when we're all going to experience some attack, whether successful or not, whether materially impactful or not. That's not really important. The point is we needed to plan for what happens when it happens rather than making sure it'll never happen because we're so good at our protective controls and protective measures. And that is this shift. And we didn't have a really good name for it.

[00:04:18] We look at our if you look at the frameworks we were using, you know, the the the the NIST CSF, for instance, was talking about how respond and recover had equal equal weighting to the protected and detect. However, resilience captures in a single word this whole concept of ensuring that the business can continue even if there's a cyber incident.

[00:04:44] Resilience, of course, is wider than cyber, but that's what we're going to narrow our discussion to today. So resilience is is the practice of being able to survive and continue to even thrive and manage important business capabilities and continue as a business, even if an attack is somewhat successful. So I guess the big question is in this current when not if era of cyber threats and the encroachment of A.I. attacks as well.

[00:05:12] How can businesses effectively plan for failure without compromising agility and operational continuity that that they need a standard now? I mean, I challenge the assertion that those aren't necessarily on the same side of the equation. Yeah. Agility is probably one of the things that actually makes you more resilient. So you're not having to sacrifice agility in order to become more resilient.

[00:05:36] Agility is the ability to move quickly and make changes quickly and make and make decisions quickly, which absolutely is part of a resilient cyber resilient strategy to be able to understand what your environment is and make those decisions on a quick, you know, on a rapid basis is part of that.

[00:05:51] However, primarily, it is about ensuring that you have a, you know, obviously a defense in depth and ability to defend, but also that you have well-practiced and deep response capabilities so that you know what you're going to do when these things happen. And you have that connected to the business going back to that agility so that if something does happen, you know what you're going to do.

[00:06:20] How do you, you follow the money or you follow your process? If this is unavailable, how will I continue? When you have that sort of conversation and that kind of exploratory discussions in advance, it very much makes the response itself easier. And I think many enterprises are feeling the pressure and want to modernize and they keep adding more technology onto their legacy stacks. And one area that particularly springs to mind is the airline industry.

[00:06:49] They don't have the luxury of downtime and much of the modern technology that we see in airports and on airlines now is built from the built on top of technology from the 60s. So how do you help organizations better streamline their IT estates for better agility and better security? Well, I'm going to shamelessly talk about the change in architecture. Yeah. Legacy technology is a given. The architecture used to access that legacy technology is not a given.

[00:07:19] That is the flex point at which you can make significant change. The idea of taking an air traffic control system that is fundamentally built or programmed in the 80s and 90s, 60s is the more hard technology, but some of the stuff that they're using, the software stuff, is built ages ago. And yes, is it secure? No, it's not secure. Is it written? Did they understand what security was back then? Probably not.

[00:07:47] But the key point is that treating it and accessing it the way we've always accessed it is the significant problem. If we look at an architecture as an element of our resilience, as an element of our security, rather than just saying, let's layer this and wrap it in cotton wool and wrap it in protective controls. If we look at that architecture as an enabler for a resilient capability, well, then we're on a much better footing. And I hate to say it.

[00:08:16] I hate the term myself, zero trust. I think I mentioned this last year with you as well. However, that zero trust architecture, not a technology, but the architecture of saying that any session anywhere has to prove itself before it's ever allowed, rather than there is this element of implicit trust that, hey, this is coming from somewhere I know, so I'm just going to let it happen. That is a key factor in actually making legacy technology more secure.

[00:08:44] And the other big challenge is the pace of technological advancement. It keeps ramping up the speed. A lot of people say it will never move this slow again, but threat actors, they're evolving equally as quickly. So how can businesses stay ahead of sophisticated cyber threats, especially because AI makes it even easier now, while pursuing responsible digitization? It feels like quite a delicate balance. Well, let's look at that in two halves.

[00:09:12] The AI challenge, which is a significant, it's a real challenge, right? This has made the barrier to attack lower. It's made attacks more efficient and more targeted with a lower cost. So that is a significant concern. So the defense against AI, however, is just being better at what we do. We talked about resilience. And if the attacks are getting better through AI, then we just have to be better at our resilience capability.

[00:09:38] But the other one I wanted to talk about is the fact that most organizations or a significant number of organizations are kind of expecting this to happen. And the barriers to entry are really that same self-same complexity, the complexity of their security infrastructure, the legacy that you were talking about before. You know, we've done a questionnaire recently that we were saying that we asked business leaders, what were those top three barriers?

[00:10:08] And they were exactly as you were, Matt, this past two questions I've talked about, which is complexity of IT security infrastructure at a pretty large, over 40%. That legacy security and IT infrastructure, which is 35%. And of course, that last problem, which we haven't discussed, is the lack of people to do a good job with it. That skills gap, as it were, a third of people were saying that. So the key for me is doing what we do best, doing it better, but being aware of our environment.

[00:10:37] We cannot do security in isolation. And that's where I come back to this architecture point. When you're looking at an architecture, which is fundamentally an access philosophy, it has wide-reaching change to the environment without layering in additional complexity and potentially making tomorrow's legacy. And if we zoom out, the resilient by design principle seems to emphasize proactive risk management at the heart of everything.

[00:11:06] So for business leaders listening, what practical steps should their organization be taking to adopt the right mindset and integrate it into their existing security frameworks and avoid drifting back to those old mistakes? Well, that's a really good question. Because the fundamental approach before was find a sensitive data flow and chuck a control in there, call firewall, call IPS, whatever it was, and find sensitive data or sensitive application or sensitive compute and chuck some controls around it.

[00:11:36] If you imagine drawing back like you are, that is a giant game of whack-a-mole. As the business changes, you're having to keep up with it. And as the business becomes more and more complex, you're guaranteed. And I know this is a hackneyed phrase, but I'll use it anyway, is that we have to succeed 100% of the time. The attacker only has to succeed once. Yeah.

[00:12:02] And when you're playing whack-a-mole, it is you're bound to fail once. And therefore, the cards are stacked against us. To practically address this problem, actually, we need to stop playing that whack-a-mole and start thinking a little bit more like an attacker, a little bit more like a planner, and to follow these risks. Instead of just saying there is a risk of ransomware, to say, where's the risk of ransomware?

[00:12:26] And start embarking on an activity we call, here at Zscaler, in our CESA team at least, we call it risk hunting. We have, for far too long, our SOCs have been mired in this detect and respond cycle and never get there to look above the parapet and see what's coming in the future. By spending cycles and looking a little bit more proactively in your environments and looking wider in your environments, you actually look for what is the potential problem next.

[00:12:56] You have new tools being released into the market, like CTEM, so continuous threat and exposure management, which are actually able to start looking at where the problems will be rather than where the problems already happened. And this is a great way of refocusing our operational capability to better address that problem, to better address how and where we should be looking for the next problem, where our controls should be applied in a more holistic fashion to avoid the whack-a-mole that we've always played.

[00:13:27] And, of course, legacy systems continue to be a challenge for many enterprises who have built up a significant amount of technical debt over the years. So, how does your approach help organizations transition from reactive to proactive security without needing that complete scary overhaul of existing infrastructure? Well, that, I guess, comes back to that same architecture and that same access philosophy I was talking about before.

[00:13:52] And to go in a little bit more depth, when you have a typical classic security, network security-focused architecture, what you're saying is everything is forbidden except that this I'm allowing. And you define that you're allowing. And that definition historically has been based on very little. I mean, at its most basic, a firewall is looking at four different numbers and saying, must be good because these four numbers match what I've already got.

[00:14:20] And I know that sounds – I know I'm cheapening firewalls a little bit. I get it. But fundamentally, destination port, source port, destination IP address, source IP address. And you've got some state information and things like that. But that's what you're basing it on. So, really, a firewall is not about stopping traffic. A firewall is about allowing traffic. But that's implicitly trusting that that's okay. What's it communicating to? What is on the other end? Who is on the other end? What context do I have? It was safe yesterday.

[00:14:49] Is it safe today? And that's the zero trust architecture that says every time that this thing comes through, I want to be able to apply context, contextual threat data. Today is not necessarily the same as yesterday. Do I have identity? Do I have risk? Do I have – is this the right capability? Is this the right process on the other end? What is it – what possible context do I have in order to make a good risk-based decision on this?

[00:15:17] And by changing this philosophy to say I am going to deny absolutely everything, there is no – this is allowed because I trusted it yesterday, you move into a far different world. Now, is that a technology? Not really. Because you could apply the same philosophy to quite a few things that aren't even solved by the technology. And that's why I tend to call it a philosophy because it's a way of thinking about these challenges.

[00:15:42] You can imagine zero trust by design would be a process you'd do during a product or an application design. You say, do I have any implicit trust built into the way I'm building the system? Can I eradicate or reduce that implicit trust? And that should hopefully change. Now, with legacy technology, as you asked in your question, that's a slightly different matter.

[00:16:05] But if you stop using that implicit trust model of access and start moving towards this explicit trust and saying I'm trusting it because of these contextual items I've been able to gather, then you are solving a lot of that problem. And I know the phrase zero trust can borderline trigger you sometimes, but we've talked about it a little today.

[00:16:28] But on a positive note, what role do you see zero trust architecture playing in building these resilient digital infrastructures and how are you supporting organizations by helping with implementing this approach too? Well, I think the biggest change we're going to see in zero trust is that zero trust up to now has been seen as a remote access alternative.

[00:16:48] In other words, it is a way of changing from a VPN based connectivity when you're at home and connecting to the work environment to a much better. Yes, a much better. The direction we're seeing zero trust move now is becoming this holistic access philosophy is that, yeah, when a person's on site, why would that access be any different when you're on site? Why do you suddenly trust the user when they walk across, you know, in through some revolving glass doors of a specific building?

[00:17:18] Why do you trust that user more than you would if they're at home? What's the big difference? Is it because you are able to look over the shoulder? It's highly likely you're not. So that is a major point is moving that approach to all traffic. And then the even finer control is that why aren't we applying the same level of zero trust philosophy to inter-application communication? In fact, to things that are even on the same network because that is what attackers want.

[00:17:48] The attacker wants to make a single beachhead into a vulnerable system and then move laterally, right? Right. If we make everything, even things which would normally be completely invisible to security controls like communication on a VLAN, you know, and if we make those pass through the same model, that begins to provide a huge amount of capability and reduction in the attacker's possibilities, which should have a commensurate effect. And there's no reason that can't work for legacy technology as well.

[00:18:17] Certainly, that's what we're working in. I believe the industry as a whole – we're not working on. We're delivering that now. I think the industry as a whole is working in that direction. And I see that as the ultimate goal for the zero trust architecture. And if we dare to look ahead for the rest of 2025, maybe take a peek into next year, what emerging cybersecurity trends or threats do you think will have the most significant impact on enterprise resilience? And how should businesses be preparing?

[00:18:47] And ultimately, what's keeping you up at night? Well, if I was to make it a semi-educated guess, we are going to see more and more heavily targeted attacks. And I know – I hate using the term AI. It's just as triggering as zero trust for me. But I'm going to use it just like I use zero trust many times in this call. The AI is lowering that barrier.

[00:19:13] Now, when you are a – you've built a – I don't know. I'm going to use Emotet as an example because Emotet was a fantastic malware package built. But it was generic. You'd target – you'd use those tools to target an organization or you'd buy a targeted organization that already had the beachhead built. The point is that it was a generic toolbox used for a very specific breach scenario.

[00:19:43] Imagine the situation where everything is custom, where the code is custom. The code is built based on reconnaissance that was automatically created by AI, where the phishing is custom based on the automatic reconnaissance of all of the CXO level people in that organization, where everything is custom from the malware through to the Trista sites.

[00:20:07] And then to kick it all off, they're going to leverage your implicit trust of these services you use. Good example. Microsoft. Microsoft. Nothing wrong with Microsoft. All the time in the world. What I dislike is our implicit trust of Microsoft. So how many people are really inspecting the traffic destined for 365? Well, probably not many because Microsoft historically has said don't do that.

[00:20:33] However, that's nice to say in SharePoint because you can say in SharePoint, well, I don't want to inspect my traffic. But anything else, you know, if you go into Tom, Dick and Harry's SharePoint site, I want you to inspect that and look for threats in that. But that's much harder in OneDrive. You can imagine it's much harder to apply those controls. So attackers know this. They're leveraging our trust in these systems and they're ensuring their attacks use that trust against us.

[00:21:00] So going back to that hypothetical, which is not so hypothetical, super custom environment. Not only are they going to customize their communications based on their automated reconnaissance of you, they're going to build malware based on potentially families, but potentially written from scratch. And that will be custom built to leverage the trust that you have as an organization that they were able to determine based on their reconnaissance of you, which was also automated.

[00:21:28] So that for me is the sophisticated attacks. And what can we do about it? Just get better at what we're already trying to do. And I realize I'm playing a dangerous game repeatedly mentioning trigger words like zero trust and AI on the podcast today. I don't bite. I don't bite. So before I let you go, I'm going to bring you back now. We'll have a little fun before I let you go. And I always like to ask my guests this. Who would you love to have a breakfast or lunch with?

[00:21:55] They can be alive or have passed on, but I'd love to find out more information about how you think and who you'd love to have a sit down and a chat about this stuff with. Well, I think that's a great question. And I was pondering before the call who I would really like to have that lunch with. And the importance of encryption has never been more. I mean, we're looking at quantum resistant encryption algorithms. Now we're looking at encryption is literally in everything we do every single day.

[00:22:24] The fondle slabs we have in our pockets, the computers, the applications we use, everything is based on encryption.

[00:22:29] And if you go back to when encryption was first properly broken, I like to think that I'd love to have lunch with Alan Turing and ask him if you really could have possibly envisaged the applications and the prevalent, the absolute universal use of the technologies that he was working in deeply back in the post-war, well, during war period.

[00:22:56] And his understanding of how computing would have expanded to the way it has as well. That fascinating look from the past into the future. I'd love to get a real view of what he thought of or what he would have thought about today's computing world. Wow. What a fantastic answer. Absolutely love that. And for anybody listening wanting to dig a little bit deeper on the subject of resilient by design principle that we explored together today, where would you like to point everyone listening?

[00:23:24] Well, on our website, we have our new questionnaires available, the survey. And talking about resilient by design, we also have an alternative podcast that you can listen to. I was the inaugural interviewee of that podcast called About Resilience. And we can provide the links as part of your podcast. Awesome. Well, I will gather those links. I'll embed them into the podcast and the blog post that will be associated with this episode.

[00:23:52] So people can find that nice and easily, including the rival podcast. There's plenty of room for us all out there. And I just, as always, love sitting down and chatting with you about this resilient by design principle, how it's helping businesses move away from the traditional detect and respond reactive approach to threats towards a more proactive identify and mitigate strategy for risk. Pure gold for me. A pleasure, as always. We had a little fun along the way as well. But thank you for joining me again today. Thank you, Neil.

[00:24:22] It's been a pleasure. I think resilience isn't just about reacting faster, is it? It's about being prepared in the first place, being proactive. And Zscaler's resilient by design approach seems to be shifting the focus from chasing down those threats after they've breached your defenses to proactively identifying and mitigating those risks before they actually become a problem. And sorry, Mark. Yes, one of my takeaways is that Zero Trust isn't just about securing remote workers anymore.

[00:24:52] It's about securing everything. Whether that be on-premise applications, cloud services or inter-application traffic, a context-aware security model is becoming essential in an era where AI-powered attacks are getting more targeted.

[00:25:10] And I think it was also great to touch upon the big challenge of legacy infrastructure and technical debt and how businesses can apply these principles we're talking about without the need for a complete overhaul. And ultimately, cyber resilience must go hand-in-hand with business agility. So, is your business still operating in a reactive security model? Or are you taking steps to build resilience from the ground up?

[00:25:37] Love to hear your thoughts, especially around how your organization is improving your cybersecurity strategy to keep up with these threats. But as always, techblogwriteroutlook.com, LinkedIn, X, Instagram, at Neil C. Hughes. If you're not following me and sending me a DM on those platforms, why not? I'm the easiest guy in the world to find. And if social's not your thing, maybe just come back tomorrow and have a listen to another interview with one of my guests. Good answer. I will see you all then. Good answer.

[00:26:07] Good answer.