Introduction (00:31) You're listening to KBkast, the cyber security podcast for all executives, cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karisa Breen. Karissa (00:46) Joining me today is Steve Singer, Senior Regional VP and Country Manager from Zscaler. And today we're discussing Zscaler's 2022 VPN Report. So Steve, thanks so much for joining. It's wonderful to have you here. Steve Singer (00:59) Yeah, my pleasure. Thanks for the invitation. Karissa (01:01) So, Steve, I read the report and the whole purpose of me bringing you on the show today is to really give a synopsis about the reporting to get some of the key insights. So one of the insights that we derived from the report is 44 % of cybersecurity professionals have witnessed an increase in exploits targeting their businesses' VPNs in the last year. So talk me through this. What do you know? Steve Singer (01:25) Yeah, it's a great question. And I'll just throw one other stat at you based on that report. So 44 % have witnessed an increase in exploits. There were another 20 % that weren't sure whether there had been an increase or no increase in exploits, meaning they don't have visibility to it, which is also a scary number. So before we dive into the increasing number of VPN exploits, I'd like to talk about why VPNs are a cause of concern for organizations. And so if you go back 30 years, organizations have been building and optimizing complex, wide area hub and spoke networks. They're connecting users and branches to the data center over a private network. To then access an application, users had to be on this trusted network. The hub and spoke networks were secured with a stack of appliances, and this is where VPNs come in, such as VPNs and firewalls, using an architecture known as Castle in Moat Security. So this approach was wonderful and it served them really well while businesses had their applications residing in the data centers and in their headquarters. That's not the case today. Today, most organizations are doubling down on digital transformation, meaning they're embracing the cloud, they're using cloud applications, they're mobile, they're looking at artificial intelligence, Internet of Things, and so on, all with the focus of making the business more agile and competitive. Steve Singer (02:49) And because of this, and also due to COVID, users aren't just sitting in the office anymore. They're everywhere. They're at home, they're in coffee shops, they're on planes, they're in different countries, and data isn't in the data center. And so for fast and productive collaboration, most people want direct access to applications and data from anywhere at any time. It no longer makes sense to route traffic back to the data center to securely reach applications that are sitting in the cloud. And so when we think about the traditional hub and spoke networks, they put everything on the network, the users, the applications, and devices all onto one flat plane. And since the network and applications are intertwined, application access requires users, devices, workloads to be connected to the corporate network. And once you're on the corporate network, you have access to a lot more application and data within the business. So when we go now to a remote workforce, this means organizations are extending their network with a VPN where each VPN and client is an allocated, routable IP address, which means your network just went from maybe one headquarter and five branch offices to 20,000 employees working everywhere around the world or the country or the state where they are and having VPNs on every device with a routable IP address that expands the attack surface that bad actors, cyber criminals can attack. Steve Singer (04:24) And when we look at how bad actors are attacking companies, it's really four simple steps. First, they want to find you, and they find you by looking for your attack surface such as VPNs, firewalls, and the more you have, the bigger attack surface you have. Once they find you, they then want to compromise you. So they want to use stolen credentials. They want to try to compromise users all to get through the VPN and be on your network. Because the third step is they want to move laterally. Once they're on your network, now they want to find the high value targets in your business, your crown jewel, so to speak. And then the last step is steal your data, hold it for ransomware, use double extortion. And so with the history of VPNs and the hub and spoke networks coming from a very good place into how businesses used to be run, with now everything going to the cloud, users going everywhere, and now VPN is extending to every employee, the attack surface is exponentially growing, giving huge concern for executives, cyber professionals, network professionals. And this is a huge reason we're seeing that increase of 44 % worried about these VPN exploits. Karissa (05:39) Yeah, thanks for sharing that and more fidelity, Steve. I think the other thing is as well, working in corporate historically, it's just this slowness of it as well. It's like, oh, I got to connect to the VPN and everything's super slow now. And it just is from productivity point of view, it's just not really worth it. So I hear your point. You mentioned before, though, that executives are concerned. What do you think they're concerned about, though, specifically? Anything that you can share? Steve Singer (06:06) Yeah, it's a great question. But before I answer that, just the way you described a VPN, can I assume you've used a VPN in the past, Marisa? Karissa (06:15) Many. Big company, big financial banks that we would know. And it was so frustrating and annoying. And then it's not productive because this was way before the work from home model was really employed. And you're like, Oh, I'll just go home and do it. And it was like, 30 minutes to do something super basic. Steve Singer (06:32) And you push through because it's not normal. You would work from home maybe one day a week or even one day a month a couple of years ago. Now that people are working from home three days a week, five days a week, sometimes permanently, people and employees won't stand for waiting 30 minutes to connect to a VPN or even five minutes to connect to a VPN. Karissa (06:52) Not in. Steve Singer (06:54) This day and age. There's two problems that that drives. One is poor user experience, which drives people to leave companies. And it's already a highly competitive market with a lack of resources in the space. And two, you get so sick and tired of waiting for the VPN to connect or that it keeps dropping out, is you save data on your direct laptop and applications on your direct laptop, and it exposes and gives less security and a lower security posture for organizations and the property and data of that company. So it's twofold when organizations are using VPNs. Karissa (07:28) Yeah, you're 100 % right. And I always like to look at it, yes, because I'm a by trade, security practitioner historically, but also I'm looking at it from the user perspective, like me as a consumer, what do I get frustrated about? And then, like you said, slows everything down, it drops out, takes ages to connect. But then what does that then start creating? Shadow IT, we're going to start finding things around it because it takes ages. It's too long. I'm not getting my work done. Steve Singer (07:54) Exactly. And the more VPNs that organizations deploy, as I mentioned before, it increases the attack surface, which is a little beacon that says, hey, here I am, here I am, where bad actors can try to break into that weak spot of the organization's security infrastructure. And so it is a huge concern for many executives, many security professionals. And it's funny, I was on a call today. I speak to countless CIOs and CISOs and heads of security. And one of the conversations was, I was in a board meeting yesterday, and instead of dialing in for 15 minutes to share my piece, this was a chief information security officer, he said, I'm now on the board meetings for an hour and a half. I now have a bigger voice at the table as to what our organization is doing and how we're trying to protect our business. It is that big of a topic across Australia and globally that all of these size O's and executives have a much bigger say that this is a business problem. It's not just an IT problem where we're throwing technology and features and functions, but it is a business problem as to how can we keep our employees happy, keep them in the company, and also just as importantly, how can we protect our organization? Steve Singer (09:09) How can we not wind up on the front page of the news or on TV? Karissa (09:13) Yeah, you're absolutely right. And I think that, unfortunately, with everything that's happened recently in the media, it's starting to get people to ask questions, have those longer board meetings, get a bigger voice at the table, actually listen to the size or whoever it is that's running that department. So I think there should be some change, but I think if I take a step back with some of the executives that I speak to, I still think that they just get overwhelmed by security. Would you say that, okay, you go up to an executive, you're like, all right, you need to stop using VPNs. Don't you think that's going to stress them out? Steve Singer (09:46) It could. But I would say most people are already stressed based on how can they protect their environment? They're adding. Karissa (09:55) To. Steve Singer (09:55) The stress. Right. Karissa (09:57) They're. Steve Singer (09:58) Double stressed. Yeah. So if you just go to someone and say your company is not secure, hey, stop using VPNs, you're making your company much less safe. Instead of that, it's talking about how can we help protect these organizations? And for my team here in Australia, and we've grown from 40 people in the past two years to over 130, what we're proud of is helping organizations, helping protect them. We protect well over a million people in Australia, and it's teachers, students, health care professionals, government officials, private, public. And so it's not just going and saying, Hey, this isn't good. It's, Hey, have you thought about a zero trust network access? Hey, have you thought about secure service edge? Both of these terms used very heavily by Gartner, and their approaches and their frameworks for helping organizations move away from hub and spoke networks, move away from VPN, move away from castle in moat security, and help them in this day and age as organizations are doing application transformations, moving to the cloud, network transformations, moving away from hub and spoke, security transformations, bringing security closer to the user and the device versus being on a network. Steve Singer (11:14) And so it's those conversations where we empower and help people to improve what they're doing, takes away that stress and then coming in to implement that. And so one of the things I'm not sure about your listeners or not, if they know about a secure service edge, it's SSE is what we call it, and it was coined by Gartner in 2021. And what this is is it's a combination of a secure web gateway, which is secure internet access. It's a cloud access security broker, CASB, which provides secure SaaS and cloud app access, and then zero trust network access, which is for secure access to your private applications. It's a new fundamental framework that helps organizations live in the cloud, secure edge computing, and do this close to the user wherever they may be. Karissa (12:05) So you mentioned before, Steve, you're speaking to lots of executives, ISOs, heads of security. What's their main concern when they're talking to you? Steve Singer (12:14) It's a wide gamut depending who you're speaking to and when you're speaking to them. So some of it is, how do I set my business up for growth? And when we're growing and we're doing mergers and acquisitions, how can we bring together two different companies safely and securely and quickly? It's about how do we protect our organization? How do we stop bad actors and malicious attacks getting into our company? It can be how do we protect from the inside out? How do we protect our data and our private data leaving the organization? It can be our user experience right now. I'm getting phone calls every single day with complaints of how hard it is to get access to applications I need to do my job, or the VPN keeps going down. And so depending on who you're speaking to in which department, there's a whole range of challenges that we're seeing all relay back funnily enough to zero trust network access, which, once again, this isn't a product. It's a framework and policies and how you go about building your infrastructure and your transformation within your business. But it comes back to cyber security, data protection, enabling work from anywhere, and doing it all with a better user experience. Steve Singer (13:34) So another. Karissa (13:35) Insight from the report. Now, you've already touched on this quite significantly, Steve, already as to why the increase in exploits targeting companies' VPNs since adopting remote work as we just talked through. But what do you think we can expect, though, moving forward? Are we going to see a massive shift to people just dumping VPNs? Is it going to be a slow migration? What are we going to start seeing if you had to hypothesize as we move into this new territory of how we're working? Steve Singer (14:08) Yeah, it's a really good question. If I knew the answers of what happened in the future, I would be gambling right now and making a lot of money. But based on some hypothesis and some of the... Karissa (14:18) You and. Steve Singer (14:19) Me both. Based on some of the stats I'm seeing, the vast majority of companies are considering adopting alternatives to VPN. And when we see organizations go through a change, whether it's business related, it's technical related, it's usually done in phases. It's not a big bang approach where we rip out everything across all of our entities and all of our branches, we throw in something new and off we go. It's a planned phased approach. And so when companies think about looking at VPN alternatives and they think about what else can we do, one of them we talked about user experience. So with VPN, traffic is back hauled to the data center, making it painfully slow for users. And I like the example, if you're flying on a plane and you're going from Sydney to Melbourne, you want to go direct Sydney to Melbourne. You don't want to go Sydney to Brisbane to Melbourne, which is effectively what you're doing if you're trying to reach a cloud application and you're going through a VPN, you're going back to your data center, then back to the cloud versus just going on your keyboard and going to the cloud. Steve Singer (15:23) And so the user experience feels that because there's a lot of latency. With a zero trust network approach, it's cloud delivered services are designed for high availability and to go direct to the internet or direct to your applications or direct to the data that you need. The other piece that people think about when they think about what are we going to do with a VPN alternative is they look at the security side. So providing application access with a VPN requires placing users on the network, which also exposes the IP address. So one, you're increasing the attack surface, and then you're allowing people to move laterally if they get on your network. With a zero trust network access, private apps no longer require any network access. All the service is initiated with inside out connections, which means you can't attack what you can't see. So instead of having an IP routable address, it's invisible to the internet. I like to use the example of a switchboard with a phone. If I put my phone number out there in a phone book. A long time ago when I grew up, we had phone books. You put your phone number in the phone book, your friends can call you, but so can anyone else. Steve Singer (16:37) Anyone can find you and call your phone number versus me having a switchboard in between someone calling me and then picking up the phone. And so if my friend Kevin calls the switchboard, they say, Kevin, you're authorized or using an authorized device, you can get through to Steve. Whereas someone who's spamming me, it just gets disconnected. They don't know where I am. They never get to connect with me. And it removes that attack surface, which is a huge focus for a lot of organizations. How can we reduce this attack surface of bad actors trying to find us? And then the last one, complexity. So with VPN and not just VPN, firewalls and the entire stack, it's an expensive security stack that you then need to replicate across each data center you have, your headquarters, your branches, you put in the cloud because you have people all over the world, versus a zero trust network architecture approach. This serves as an alternative to an inbound VPN gateway stack. It's cloud delivered and its deployment is simple, scalable and eliminating people to have to buy all of this infrastructure, maintain the infrastructure, update the infrastructure. It's all done for you on a cloud based platform on a multi tenant architecture. Karissa (17:54) I like your analogy. I think that's great. I think that's what people can resonate with that. So I appreciate that. Okay. So talking a little bit more about the alternatives to VPNs. Now, in the report, it did say 65 % of companies are considering adopting VPN alternatives. What I want to know first is what are the other 35 % thinking? Steve Singer (18:14) I wish I knew. I wish I knew. And I think depending on who I spoke to in that report, and it was 351 cyber professionals, but it would be great to see the size of organizations how those responses changed. Because one of the myths we hear in the marketplace around zero trust network access is, this is only for large organizations. This is expensive, it's hard to implement. I don't know where to start. But in reality, small businesses need it just as much as large businesses. There is no cyber attacker who says, I'm only going after big companies, no medium or small companies. Forty three % of all cyber attacks two years ago were against small businesses. Sixty one % of small and medium enterprises have experienced a cyber attack in the last year. And even scarier than that, if you're a small business and you've had a cyber attack, 60 % of them fold their business within six months. They just don't have the resources to come back and the sufficient resource to come back from a cyber attack. And so although it sounds scary, it's something different, it's a new approach to implement in a business, I would say it's even more important for small businesses to do that because once they get hit, it's very hard for them to rebound from it. Steve Singer (19:35) And so one of my hypothesis or assumptions is the 35 % who may not be thinking about an alternative to VPNs could be smaller businesses with limited resources who are thinking, This is too big and scary for me. Karissa (19:50) I appreciate you sharing that. And I know that obviously you're not Nostradamus, you're not going to have every answer, but it's just more so trying to get into the thinking of these people because 65 % is quite high, right? So yeah, I'm always curious to see what's on the other side of that. Would you also say as well, Steve, if we focus on that 35 for a moment, that they maybe not understand the value of looking at VPN alternatives? Maybe they don't understand that. Maybe they don't understand a zero trust model. I think, again, if I zoom out out of a security practitioner lens, I still think a lot of people get confused by the terminology. They don't understand it. And then probably what are we doing to understand something? Usually just don't do it. So do you think maybe that 35 % could be, there's all these terms I'm not really sure about, and as a result, I'm probably still going to do nothing? Steve Singer (20:39) I absolutely think that's part of it. I would say part of it is fear of change. A lot of people don't like to change, but to your point, I think they also don't understand it. And part of that challenge is everyone's throwing around the terms zero trust. Almost every security company we see in the market is zero trust. It's the new buzzword that people hate to hear because it's just overused and it means something different to every single organization that says it. And so it is a problem. And what I would recommend for organizations listening and unsure is do some research on it. I would love to say look at Zscaler and we'll tell you what it is, but that's going to be a biased view. I do think we do it well. But look at Gartner. Look at the research Gartner has done. Look at other independent analysts and what they're turning zero trust. The one thing I would say is, if companies are saying zero trust and that means VPN or firewall or networks, it's not a true framework of how Gartner and different analysts look at zero trust. And so I would say, do the research, talk to people who have done it before. Steve Singer (21:48) Feel free to come and talk to ZScaler and we'll take you through it. We feel and believe very heavily in this and have built our entire company around it. Karissa (21:57) You are right. There's a lot of people floating around the market with the zero trust. And you are right, people's eyes do glaze over. So just maybe for the listeners, what is the term that Gartner coins for zero trust? W hat's their interpretation of it? Just so that we're all in the same footing here. Steve Singer (22:14) Yeah, it's a great question. I don't have their actual terminology in front of me, but what I would say, and in my best recollection of it is zero trust is not a product. You don't buy a technology and all of a sudden you have a zero trust network architecture. It's a framework for securing organizations in the cloud and mobile world that believes no user application should be trusted by default. So following key zero trust principles, it's least privileged access. Trust is established based on context, meaning who is the user, the identity, where are they, are they using an approved device, are they asking for a service that makes sense for them to use? And then all of these policies are checked at each step. So just because you've accessed, let's say, Salesforce. Com, doesn't mean you can now access SAP or any other application. Every time you make a request or a connection, there is no inherent trust. We go through least privilege access, we establish who the person is, we base it on context, the device they're using, where they're based, who that person is, what application they're trying to access, what data and what information they're trying to access, and then that's repeated at every step. Steve Singer (23:33) And so scalability and being able to do this quick is very important to run a proper zero trust network architecture and be able to do it as close to the user as possible, which is part of a secure service edge, having a global footprint and data centers around the world that allows you to do this quickly while protecting the users. Karissa (23:55) Okay, so now let's focus on 65 % now for a moment. Now, I may probably already know the answer to this, but what do you think some of the considerations are for being in that 65 % around the considering the adoption to VPNs? Is it because they know that the attack surface changed? There are your exploits targeting VPNs. Is it all of the above? Can you walk me through maybe the impetus for that 65 %? Steve Singer (24:22) All of the above. I'll give you an example. When COVID hit and organizations went from out of 35,000 people to 30,000 people working in the office. Overnight, they now have 35,000 people working from home. And their VPNs, their remote access solutions, literally stopped working. They didn't have enough, they got overloaded, and businesses were worried around, how are we going to access our applications, our systems, and our data to actually keep our doors open to handle transactions if you're a bank, to handling payroll, to have people getting paid for government organizations, for health care, for teaching and classes and students. A lot of these things just wouldn't scale unless you went out and bought all the hardware, all the infrastructure, and set it up at all these different locations. Part of it is it's increasing the attack surface. It's a pain in the butt for users and any individual who's trying to use a VPN. It's backhauling traffic, increasing latency. It's the unscalability of it. It's the maintenance of managing all your infrastructure, the manual updates, and trying to do this as an organization when your key focus as a business most likely isn't cybersecurity. It's creating widgets or selling services or running governments or teaching children. Steve Singer (25:52) And so all of those combined, there's a lot of people and a lot of executives who have groups and speak about these challenges together in these groups. And it just snowballs and escalates as to how worried they are about VPNs and the attack surface and firewalls and so on. So if. Karissa (26:10) Covid didn't hit, would you say that the adoption towards VPN alternatives would still be there? I guess the answer is no. And I guess COVID has expedited this. But I guess maybe a silver lining could be we've actually evolved. We force people to evolve because you are right, people don't change. They like to do things they've always done. It's easier for them. It's not so overwhelming. But now it's forced people to be like, Okay, well, COVID's hit. We've got, like you said, thousands of employees working from wherever. We've got to do something different. But what if it didn't hit, though? Do you think that the adoption would be there or it'd be obviously a lot slower. Talk me through that. Has COVID been that silver lining for technology adoption? Steve Singer (26:52) Yeah, it's a really good question. Once again, I think you nailed it. You're on top of a lot of the trends. I hate to say a silver lining around COVID because it disrupted a lot of people's lives and ended a lot of people's lives. And it's horrible and still is. But as you said, silver lining is it's sped up the process that organizations look when they deploy IT projects and they look at deploying change within their businesses. And not just the speed at which they do it, the belief in the people in those organizations. And we've had countless clients where we were working on projects that were deploying 20,000 people using Zscaler and building a zero trust network architecture and allowing them to work from anywhere and eliminate the attack surface. And these projects were planned over 6 to 8 months. Not because that's how long it necessarily took, but the belief in how things have always been done in the past. Covid hit and we're deploying organizations 20, 30,000 people in two weeks time. And I think that the benefit there is these organizations and project managers and IT professionals now have the belief that they can roll out change, right? Steve Singer (28:05) Whether it's security, it's deploying a new CRM, it's a new ERP system. It doesn't have to be this long, drawn out, convoluted process where they try to make everything absolutely perfect before rolling it out. There's a term of most viable product, right? And then getting it to a point where we deploy it quick, we make some mistakes, we learn, we change, we learn, we change, and we're agile about how we do this. And it has been one of the silver linings, the speed of which change is now happening inside of organisations is phenomenal to see. Karissa (28:36) Yeah. And of course, COVID was an awful time. It's just definitely focused on the technology side of it. But the other way I look at it as well, which I've now seen people, of course, they're backwards against the wall. We've just got to get, I don't know, for example, Zoom implemented. But then what I've started to see over time is people going, Oh, well, actually, we didn't do any real deep dive vendor analysis, so we didn't do any real checks and balances. Now we need to go through and assess whether, A, this was the right solution for us, whether it's from a technical perspective, but also from a security perspective. So do you think that because people were forced to move, there's been this knee jerk reaction, which maybe forced them into situations that they didn't think through because they had no time. And I get it. Do you think there's a little bit of that there? And now people are like, the dust has settled a bit more now, and people are going through things a little bit more meticulously to be like, Actually, maybe we didn't make the right decision. Now, I'm not talking specifically about zero trust. Karissa (29:34) I'm just talking more generally here. Do you think there's that going on in the market now? Steve Singer (29:38) Yeah. I think it was almost mandated. And you can't really hold people to blame for that. They had to make split second decisions and keep their businesses running and their people feeling like they're part of a team and a sense of camaraderie. And they had to do this in a matter of days and weeks. I definitely think people made knee jerk reactions and decisions with the best of the information they had available at the time, with the best intent of helping their organizations. And we're seeing a lot of people come back to start have conversations, whether it's around web conferencing, whether it's around security, whether it's around VPNs, whether it's around different technology. People had to make really quick decisions to keep the lights on and keep the businesses going. And now that it's settled down a little bit, they are reevaluating. And there's more and more people reevaluating, one, because of the decisions they made two, three years ago, but also just what they're seeing in the market, what they're seeing their counterparts doing, what they're seeing the competition doing, what they're seeing happen in different regions. And so for organizations that tend to thrive and grow, whether a good economy or bad economy, they're large or small, are the ones that continually look to change and get better. Steve Singer (30:56) And so decisions you make two years ago, the speed at which there's change in this market in this day and age, they need to reevaluate. They need to look at decisions they made and were they right? Not were they right then, are they right now? And do we need to change them now for where we want to be in the next two years? And so we're definitely seeing that. And more from companies that are looking to continue to scale and grow. So the. Karissa (31:18) Other insight as well that I took away from the report is that 68 % of companies have indicated that they are accelerating their zero trust projects, which is probably for all the reasons that you and I have spoken about today, which is up from the previous year, which was 59 %, again, I probably know the answer to why that's the case. So talk me through, though, what is specifically from your point of view, Steve, this acceleration? Is it just more so, again, talking around... And I hate to go over it again, but I'm just trying to get a very clear picture here. Is it the attack surface? Is it, again, the frustration from the user perspective? Because if you come back on here another year, is it going to be like, 99 % of people have accelerated their alternative to VPNs? Is it going to get faster? What are we dealing with here? Steve Singer (32:09) Yeah, I actually think it will grow and get faster. And it's any technology that's created 30 years ago and was used 30 years ago, 20 years ago, 10 years ago, is great at a point in time and is great for what it was meant to do when people, data, solutions were in headquarters or branch offices where people were located. But as the way we work, as the way the cloud continues to accelerate with AWS and Azure and Google, and every company that I speak to has a focus on moving more applications to the cloud, it changes the way in which technology works that was built 30 years ago. It's not built to handle that type of scale and this type of movement to cloud and mobility. And so as organizations, whether it's coming up for renewals on their current technology, whether it's speaking with their colleagues around what they're doing to better their user experience, to stop lateral movement, to reduce their attack surface, and doing all of this while improving their security posture, along with seeing some of the breaches that make the headlines, organizations are looking at better ways of protecting their business, better ways of protecting their crown jewels. Steve Singer (33:28) And right now, the premier way to do that is looking at a zero trust network architecture in order to not just protect, but also provide a great experience for people. Karissa (33:39) Yeah, I definitely hear what you're saying. Is there anything else that you know, people that are interested, they want to have a deeper dive. What should they be looking for specifically? And like, as you said, each company, they have their own definitions of zero trust. So it's just more so, again, it is that term that is being floated around the market. People still are not sure. There is different interpretations of what each organization does a little bit differently. But is that buzzword at the moment. But I think people are interested. People are asking questions. And yeah, should people be starting with Gartner? And then what else should people be looking for when they're doing their research around zero trust? Steve Singer (34:19) There's a lot of spots, right? The internet is a wonderful thing, but Gartner is a great place to go. The ACS, Australian Cybersecurity Center, talking to your network, talking to a network of people who are doing these exact things in the market. And it's being aware of just the basics of zero trust. It means do not trust. Do not trust automatically. You need to verify, you need to validate. You have policies based on who can do what and when, and you have conditions around that. And so doing your research with industry experts, the Gartners, the Australian Cybersecurity Center, Forester, talking to your network, reach out to organizations you trust, and they'll take you through it. For us, we'll spend hours and hours educating, helping people do risk assessments. We've hired over 40 different CIOs and CISOs from different organizations around the world who have done these types of projects. And we'll do this with the intent of educating without charging a dollar or taking anything. It's to help spread the word of how we can protect our communities, our businesses, our schools, our governments, the organizations that we all work for. And we're very passionate about it. Steve Singer (35:40) So there's lots of places to go and get that information. Karissa (35:43) My last question, you mentioned it before, what we did 30 years ago, we can't keep doing now. It's absolutely true. But I guess there's still companies out there that have legacy systems and technical debt. So how do they start to think about a zero trust approach? Because maybe they are still set in their ways of 30 years ago. What would you say to shift the mindset of people, perhaps, that are sitting on the fence or are apprehensive about this zero trust approach? Steve Singer (36:14) I would say start slow. And I mentioned it earlier, it doesn't need to be this big bang approach where you rip out all the technologies you've had for the past 10 years or 20 years and you rip out every VPN in every firewall. Start simple. And one of the places we sometimes recommend people to start is with partners and web based applications. And so when we talk to Gartner as well, they're suggesting with a targeted area where you can see, not just a targeted area, but where you can see immediate value in improving your overall security posture of an organization. And with partners accessing your business and web based applications, it's a great starting point that brings instant benefits. Partners are going to introduce significant risk to the business, not because they're bad partners, but they're outside of the business and often by having direct access to an entire corporate network is risky. And moreover, partners often use their own devices, many of which they can't or won't allow vendors to put clients deployed right on their end point. And seeing that some of a zero trust network architecture, the technologies can be deployed with a browser, meaning you don't need to put something on the partner's end user device. Steve Singer (37:30) You can start with browser access capabilities. You begin with web based apps. It makes logical sense and it removes a lot of risk from the business from people external to your company. And once you've done that, you're going to make mistakes, you're going to fix those mistakes and things are going to start working well for you. Maybe step two, you open it up to your internal employees. And the benefit here is you've now had some experience. You've deployed it for partners, you've deployed it for web based applications. You can now take all of those learnings and use that in deploying this to your employees and continue to scale and continue to add different capabilities, whether it's data loss protection or it's CASB or secure web gateway, there's lots of different starting points where you don't have to do everything all at once. And I think that's a big take away for people that aren't sure where to start or what to do is start small. A great spot often is with third party access and web based applications and talk to the partners you're working with. Talk to the Z scalers of the world or the gardeners of the world, and we'll take you through an approach that makes sense for your business that does it in baby steps so that we're learning as we go and we're delivering value at the same time. Karissa (38:49) Well, thanks for that, Steve. Thanks for being quite meticulous and very logical with your thinking because, again, like Zero Trust, so many companies are out there doing it. People do feel confused. They feel pulled in different directions. I wanted to understand the impetus to the alternatives away from VPNs, things that people should start asking when it comes to researching Zero Trust and where people can start that conversation today. I really appreciate you coming on the show, sharing your thoughts, your insights, and really giving a better insight around what zero trust means for you at Zscaler. Thanks very much. Steve Singer (39:23) No, it's been a pleasure, Karissa. Thanks for the time today and look forward to the next one. Karissa (39:27) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. Steve Singer (39:38) This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to Kbi.Digital. This podcast was brought to you by KBI. Media, the voice of cyber.