>> From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now, here's your host Stu Miniman. >> Hi, I'm Stu Miniman and welcome to a Cube Conversation here in our Boston area studio. Happy to welcome to our program a first time guest, Larry Biagini, who is the Chief Technology Evangelist at Zscaler. Also had a long career at GE. Your last position there you were the Chief Technology Officer. Larry thanks so much for joining me, pleasure to me you. >> Thanks for having us. All right so you know before we get into some of your background at GE tell us a little bit... Zscaler, we've got some familiarity with the team. We've had some of the executives, many of the customers on our program. Tell us what part you do at Zscaler. >> So when I left GE after about 26 years, I was a Zscaler customer. Very early Zscaler customer at GE. And one of the things that intrigued me about GE and one of the things about Zscaler I learned with working with them is that they're vision for security and my vision for security and agility of organizations going forward were an easy match. That made a transition very simple, I was gone from GE for four weeks, that was my retirement before I got recruited into Zscaler and the reason it was a good match is I had big company experience. I had a very good network of people that are operating in large companies and Zscaler needed those connections. But we also had a product that was mature but we had a message that we had to get across to these folks. So it was a message that was real to me, a message that mattered to what Zscaler need to put out there, and that's why I'm the Chief Technology Evangelist. I spend my time with customers, with prospects. Just understanding what they're going through. Using my experience at GE and my experience with other customers to help them through that, and that's the role that I play. >> Yeah I know my time when I worked on the vendor side working with customers being in briefing centers working with them were some of the most gratifying for me. Cause it was you know helping them through what they were working on. Bring a C.E.O. in -- you no longer work for GE but give us a little bit of the background as to you know what gave you some of the skills and some of the scars to help customers that are now going through these journeys. >> The story really starts when I was asked to become the Chief Risk Officer for IT for GE. I was the CIO of the largest business at the time. But GE was going through a transformation or wanted to go through a transformation. They recognized that digital was an opportunity for them and could also be a threat, but at the same time security was not enabling the organization it was sort of disabling it. It was in the way. Now I had no security background at the time it was mostly in architecture and applications. I'd run the data centers but I was very familiar with security and what it was supposed to do and what it actually was doing. So one of the first things we looked at is why we were doing what we were doing. And the reality is ten years ago it made sense doing what we were doing which was protecting the network because everything was in the network. The users were in the network, the data was in the network, The applications were in the network and if you protect the network by definition or by default you're protecting everything else. But when we started seeing behaviors that's not the way people were acting. There was more and more traffic going directly to internet. Whether it be for personal use or for business use more and more business use. The mobile workforce and I just don't mean mobile devices the workforce itself was mobile, where we were out in the field. That's where you make money, it's when you're with customers, when you're selling. So this notion of protecting the network allows you to protect apps, users, and data actually is a fallacy. But we continue to do it because that was the problem we had to solve ten, fifteen years ago. The problem changed with the introduction of cloud, with the introduction of mobility. With end users getting much much smarter about how they can use technology without actually needing IT. You know we used to say that everybody's their own CIO at this point. They have their own devices they have their own networks, they have their own apps. Our job is still to secure them but not get in the way of them. >> Yeah we know back in the old days it was physical things that I could wrap my arms around and if I could lock a door, or you know build the moat as we talked about in the industry, that was great but the surface area just keeps increasing. Cloud pushed it that way. Edge is pushing it you know order of magnitudes even more. So it's interesting I think you know when we talked about cloud adoption, security was originally "Oh it's a reason why I might not go to the cloud," and then it was like "Wait, its a new opportunity for it." To be honest digital transformations I haven't heard as much discussion about thee challenges and opportunity's of security there so maybe you can help expand on that a bit. >> So I think what Zscaler does and the notion that I had that made it an easy fit was I always believed or not always believed after I took that role I believed that there had to be something between the user and whereever they wanted to go and we had to put as many services as we could in that. Now we originally thought we could build that ourselves. We couldn't. We didn't have the footprint, we didn't have the scale, even though were a large company at the time. But I always thought that tying a user and a application to a location was a big mistake. And so when I think about digital transformation what I'm really thinking about is safely attaining speed in order to do business in today's world. So you talked about devices. I'd argue that even five years ago most larger organizations could not tell the devices on their network yet we were trying to protect that. Right? They knew the ones they knew about but they didn't know the Raspberry Pi that was plugged in by an engineering guy. Or they didn't know that somebody just put a new machine on the factory floor and it happened to have an IP address. So we were actually kidding ourselves into what we were doing. So I think the cloud actually opened up the eyes of not only the business but opened up the eyes of the IT and security folks that the way -- you can't control the network anymore because you don't own the network -- I'd argue that you haven't for a long time -- and because of that things had to change. I also think that it became -- and I've seen this in my four years with Zscaler -- four years ago security was sort of black and white. Now that the dialogue has changed and more about risk what's really important to my company. The fact of matter is have to admit to my board that I can't protect everything. But I need to protect certain things but you have to tell me what those things are. I can mitigate that risk. I can't do everything to everybody and so I think that's the discussion people are having now. And when in five years ago people would say "Oh Amazon, Azure, GCP, I want to see their security practices, this, that, and the other thing." Now they can't stop things from moving there. They're less concerned about the security practices because they get an attestation of those and things like that. They're more concerned about how their organizations are migrating stuff. Are they migrating the right data? Do they have the right controls around it? So I think the mindset of the CISOs has changed a bit I think the roles of CIO, the CTO, and the CISO have changed. Where the CISO is more risk-averse, The CTO is actually learning how to tie things together rather than build them. And the CIO is focused on data and business opportunities. >> Yeah, Larry maybe you can bring us inside one of the customers or you know a sample of what you're hearing from customers because so many of the things you said really resonate absolutely five years ago was like Cloud, let me get your SLA and let me read trough all of it, and hey can you adjust this for me? Amazon says no. Okay wait I need to adjust to this, but the mantra I hear from my friends in security is security is everyone's responsibility and it is a practice and therefore it needs to be embedded in there not some product or thing that gets bolted on at the end. So how are they coming to that? Is it the CISO? Organizationally, where do these conversations start and fit? >> So every organization is different, so what I'll give you is a sort of combined view of a large organization. Probably two or three large organizations. The first step is adopting the internet as your corporate network. Once you come to that realization that the internet is your corporate network and will continue to be so, then the things that you do change dramatically. And the opportunities that you have change dramatically: from a cost perspective, from a service-delivery perspective, and from an end-user satisfaction perspective. >> So let me ask that for a second, because I have you know, some peers and friends that work at big companies and it feels like there's the corporate network and then I've got my device on the other thing that I use, the public network. Is this embracing the just, "it's there," or do I still have those two separate networks? >> I think where it's going and where the more progressive companies that I deal with are, is that rather than having a corporate network supporting everything, the corporate network will actually shrink. The...only supporting what it needs to support, and will become a destination just like an AWS, or an Azure or GCP. So if you have a corporate network today that's big and wide and flat, it has users, apps, data in it, and your data centers, my view and dealing with, again, some more of the progressive companies is that corporate network will shift to just a data-center network. And it will have no users on it but users will be able to get to it. So you turn yourself into an AWS. Some people call that Hybrid Computing. I call it Hybrid Networking. But the reality is most organizations, large organizations are going to have a hard time getting rid of their data centers in the near future. So they're going to have to be part of this game. And rather than try to extend the current model to wrap around AWS and Azure and the cloud providers, why not change your model what you do control to actually act like that. So my world has the internet as a corporate network, the corporate network as a subset of the internet, no users on the corporate network, all users untrusted on the internet. That's where I think this whole thing goes and that's where the customers that I talk to are headed. >> Okay one of the biggest challenges when you talk about this transformation is usually some of the organizational dynamics there. Maybe walk us through...you talked about we understand everyone's different you know we've seen the CISO greatly elevated to where their role fits into it but you know corporate structure and the average sysadmin and the like, what are they getting rid of, what are they learning, or is it new people coming in? >> The cultural -- I don't want to say "push back" -- but the cultural challenges are real. You know if you've been in this industry... ...I've been in this industry for forty years. You gain certain expertise and you like to get promoted on that expertise, get recognized for that expertise and it's comfortable to deal in that area. So just think if you're a network admin. You know Cisco equipment. You know it really well. You know your Cisco rep really well. And all of this stuff is second nature to you. Now you're asked to tie it, put up a connection between yourself and AWS, a VPC because you're going to move applications out there. And really, you're not a network guy anymore. You are a design guy to help move applications to the cloud. And it's an uncomfortable space to be in. So you can sort of, there's a couple options. You could say, this too shall pass. (And it won't.) That's I think, a losing proposition. I think you can move to a network provider and say, "Look, I'm still a network guy I can do networking." Or you're going to have to find a way to take the skills that you have and the mindset that you have and work in this new environment. Now that's not easy to do and one of the things that some of the large organizations I deal with are doing is they're bringing in people who grew up in this area and they're trying to seed the education of their own people. Because they're good people right? They know the culture, they know the business. They just don't have the skills that they need today so going to training's not going to help them. Doing it by example with people who've done it before is very important. >> All right how about outcomes? Is there anything you can share from your GE experiences or some of the customers you're working through as to kind that high level of what this means now you know is there a success finish line? Or is it a continuing journey? >> I think the success finish line is actually doing what you're supposed to do for the organization without actually anybody knowing it. Not being in the way. So from my perspective its end users or be they customers, suppliers, internal people, being able to do their job in a frictionless manner but you being able to do your job and the security side is protecting them and the network side, it's making sure they're getting the best user experience out there. And the CIO side is that they're using the best tools for the job. That's it for me. I'm tired, and I have been tired and I don't think it's right for the people that we provide technology or technology solutions to choose our technology as a last technology of choice. But they'd really like to use something else? We should give them that flexibility if it meets the risk appetite of the organization. So to me it's end user satisfaction is the most important thing because that allows you to do your job. Dissatisfied users will always find a way around whatever you put in their way. And that's not good for them, not good for the organization. So that's it for me. >> Great you've been now with Zscaler for four years, tell what's changed in the landscape. Security? You said to board-level discussion absolutely, something we hear, comment I've made is it went from kind of top of mind, bottom of budget, to, you know, no, this is something that actually you're not going to put it off for another quarter or year, you're going to take care of it now. >> So I actually think it's kind of counter-intuitive, what changed...is that I believe that five years ago, security was top of mind and there was a boatload of money thrown at it and that money got spent but nobody was able to prove that they were any more secure than the next guy. The metrics weren't there. I mean if you can't define what your network is, how can you stand in front of your board and say my network is... And so I think there's been a questioning of, are we spending enough on security but not only enough, are we spending it the right areas? Because what we've been doing sort of doesn't make me feel any better. You know, sure we meet our regulatory requirements but that's compliance, that's not security. So I think people are actually questioning, are we doing the right things for the business that we're in today versus the business that we were in in the past? And do we have the right conversation going with the board? Versus a red-yellow-green chart about here's how we think we're secure. And I think that's made a big difference. And I also think the discussion around where information resides and how important that information is and then ultimately how well you mitigate any risk to it, is the most relevant conversation that happens today. It's not, I'm not going to ignore ransomware and things like that but its not "Oh my God I'm getting attacked a million times a day." It's "Do I have something that's of value to somebody else and it will kill me as an organization or hurt me drastically if I lose it." And if I don't know where it is I'm probably going to lose it. Either deliberately or by mistake. So do I have those right controls in place? >> Yeah I'd love to get your commentary, there are certain companies out there that they have the message, you know, security's broken, we need a do-over, you know, the latest- -and-greatest software-defined cloud-based something or other isn't going to solve it, but you know, you've been in this space for decades, so you know where are we as a industry with security today, you feel that we're making progress? Sounds like it. >> I do feel that we're making progress. I think as an industry we recognize that the problem exists, and the problem that exists today is different from the problem that is existed seven, eight, ten, even fifteen years ago, that's number one. Number two is the competitive landscape of companies out that are huge today versus the companies that were huge ten years ago. It's a much different landscape. And these are all what I would call digital companies. They found a way to use information. You know things like Airbnb. It's an information business is all it is. And it's not a Marriott, it's not a Hilton, but it's a competitor to those guys. And I think that's a realization that business are having and that's filtering down into the IT organizations. You know ,we see a lot of companies -- which I don't necessarily agree with -- hiring Chief Digital Officers in addition to Chief Information Officers. And I see that as a bifurcation of the CIO as a back-room office guy and the CDO now is customer-facing. I think this whole thing has to be customer-facing and take advantage of the tools that are out there whether you provide them or whether you get them from somebody else, in a secure and safe enough manner that your business feels comfortable operating. So that's what's changed, I don't think it's...even the hardcore security guys, you know, we've had a lot of breaches in the past. Every one of those breaches, everyone had a firewall, everyone had a proxy. Everybody had all the tools that everybody else had and nobody could prevent those breaches. I think the fact of the matter is you want to prevent the harm of a breach occurring versus spending all your time making sure your breach doesn't occur. So I think that's a different mindset. >> Larry, I want to give you the final word. We've been going through this series of the digial cloud transformation, give us your final take away. >> So I don't like digital transformation as a word I think it's been overused. I think businesses are changing and adapting to what the opportunities and risks are today. With that, the whole organization has to face into that and say "This is where we can win, this is where we have to be good enough, and this is what's dragging us down." And they have to address all of them. I think in order to do that, one thing that an IT organization has to do is head-on, face its legacy debt. You can't play in this world with legacy debt. And if you don't start now, five years from now you're still going to be complaining about it. It's like that old, you know, Chinese proverb, when was the best time to plant a tree? One hundred years ago. When's the second best time? Today. If you don't address your legacy with your board head-on, your business will lose. That's number one. Number two is, don't go it alone. Get the talent who's done this before. This is not moving from, you know, from Cobalt, to C, to C++. This isn't an incremental change. Fundamentally the way that the cloud works in a way that your corporate network will work once its the internet, is fundamentally different than anything we've done before. Take advantage of people who've done it. Use that to seed your organization's growth. And then finally, there's no stopping this train. There's nothing that's going to happen cataclysmically that's going to stop this. On the other hand don't throw out the baby with the bath water, because most organizations as I said earlier are still going to have legacy applications in their data center. Just make them look as if they're modern applications, and it's a win for everybody. >> Larry Biagini, thank you so much for sharing all of your history and your customers' journeys. >> Thanks for having me. >> All right and thank you as always for watching theCUBE, I'm Stu Miniman. Thanks for watching.

(upbeat music) >> Narrator: From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE conversation. >> Hello and welcome to theCUBE studios in Palo Alto, California for another CUBE conversation, where we go in-depth with thought leaders driving innovation across the tech industry. I'm today's host, Peter Burris. Every business is talking about cloud transformation as a consequence of their effort to do a better job with digital business transformation. But cloud transformation too often is associated with just thinking about moving applications and data to some as yet undefined location. Whatever approach enterprises take, they will absolutely have to touch upon a couple of crucial steps along the way. At the center of those steps will be how do we think about the network transformation that's going to be required to achieve and attain our cloud objectives? How do we do it? Well to have that conversation, we're here today with Jay Chaudhry who's a CEO of Zscaler. Jay, welcome to theCUBE, welcome back to theCUBE. >> Thank you. >> So before we get into this very important conversation, give us an update on Zscaler. >> So Zscaler was designed as a cloud security platform for the world of cloud and mobility. When applications are in the cloud, users are everywhere, the traditional security that builds a castle and moat model no longer works. So I start with clean slate, 11 years ago to start this company. Today, some of the largest companies in the world are protected by Zscaler. We went public last year, on NASDAQ, the sales have done very well, our customers are very happy our employees are very happy, so we are having fun building this lasting company and making cloud and internet a safe place to do business. >> Now that's great. Now let's talk about that, 'cause you're talking to a lot of customers, about making the internet a safe place to do business. >> Yep. >> What are you encountering as you discuss their challenges? >> So with the mobility, with the desire to do digital transformation, CIOs and CTOs and CISOs, are trying to figure out, how do I get there? The biggest thing that's holding them back, is security. It's a new thing for them. If my data is sitting in the cloud somewhere, who is protecting it? How do my users access it while the bad guys don't? So security ends up being at the center of the whole discussion. In fact a few years ago, CISOs would talk to me and say, "Security is not getting enough attention, "it's being ignored." Now the same CISOs are complaining a little bit that I'm being asked to present to the board every quarter. >> Right >> So it's a good thing but the CISOs have a challenge of figuring out what solutions work for the cloud, what do not, because quite often, when the market changes, the incumbents, the legacy vendors, kind of whitewash the solutions overnight and everyone becomes a cloud security provider. >> We get a lot of marketing responses, I think one of the centerpieces of this whole thing is, digital business really places an emphasis on the value of data as an asset. >> Yep. >> And how it changes the way you engage your customers, how it changes the way they think about operations, how it impacts the way you govern the overall business. >> Yep. >> When data emerges as the asset, we move away from a focus especially in the security world, from securing devices to securing the new classes of data. >> Yep. >> Is that kind of solution direction that you're seeing companies taking, is how do I think about up leveling beyond perimeter to actually building security. >> Yeah. >> Embedded deep within my workings? >> To really understand how security came about. Earlier on it used to be, I protect my device with antivirus software, then we built networks and we expected users to be on the network and applications and data to be sitting in my data center on my network. So the easiest way to secure your enterprise was, to secure the network. >> Mm. By building a moat around your data center. That's why we call it network security, securing your network, it made sense for years but now, with applications sitting in Azure or AWS Office 365, Workday, the like. And the users being everywhere, at airport, coffee shops, at home and wherever. How do you protect the network? The users aren't even on your network and applications aren't even on your network. So the notion of network security is becoming irrelevant. At the end of the day, the sole purpose of IT is, that a user should be able to access an application, no matter where the application is and no matter where the user is. So all this network and security and all, are a byproduct of that. So when I start Zscaler, I said, what needs to be protected? Data. Where is data? Data is generally sitting with the application, behind the application. So rather than building this moat, rather than doing this network security, rather than trying to build an appliance and try to move it to the cloud, let's take a look at it totally different. Assume that we need a policy engine, a business policy engine that sits in, 100s of locations around the globe, a user connects to the policy engine, the policy engine looks and says, should this user have access to this application or not? Based on that, we connect a user to an application, internal or external, no matter where the user is coming from. So that's the approach that's needed and that's the approach Zscaler pioneered and that's why the biggest of the big companies from GE, to Siemens, to DHL, they all are becoming Zscaler customers. So we are helping them transform from this old world where network is a hub-and-spoke network, security is this castle and moat to the new world, where a user can go directly to the application over any network. And network is important, it's an important transport but it doesn't need to be secure. Security is about, securing the right user to a right application, irrespective of the location of the user or the application. >> So I want to build on this because, what a lot of companies are starting to recognize is that, they want to get their application and the services provided by the application and the data proximate to the commercial activity that generates, you know, that pays the rent so to speak. >> Yep, yep. >> And that means, an increase in distribution of function offer. >> Of course. >> So the notion of the cloud as a place where we're going to centralize things, is giving way to a notion of the cloud as a technique for further distributing. >> Yes. >> And that means ultimately that, the services that we're going to provide have to have security embedded in them, in policy so that the data, the security and all those services are moving to where they're required. >> Yes, so in my view, cloud was never meant to say, things must be centralized. Actually a data centers were highly centralized. >> Right. >> The cloud notion should be, it's a responsibility of the cloud provider to make sure that data and application can be pushed where there needs to be. So when Microsoft is offering Office 365, your emails aren't sitting at one place, it's Microsoft's job to make sure if your employees are in Singapore, some of these things move to Singapore so you can have faster access to it. So that's the application side or for the data side of it. A company like Zscaler, we sit between the user and the application as a check post. In fact, think of us as an international airport. >> mm >> When you go in and out, you need to make sure that, the person is authorized to do so and isn't carrying any guns and weapons that could cause damage to somebody out there. So a user going to Salesforce or user going to Office 365 or a user going to application Azure, they simply connect with us, the business defines a policy, says, this person is okay to go here and based on then, we are connecting those people securely. Now if you're in London, you want to go through Zscaler's check post in London, if you're in Tokyo, you want to go through a check post in Tokyo because you want the shortest path. The old approach where we built a hub-and-spoke network, you brought people back to the data center. >> Back to the hub. >> To a hub, to go out. It's very painful. Imagine flying from San Fran to Chicago, via Houston? It's very painful and that's what gets done in the old world of security appliances because you can build only so many moats and that's what Zscaler is making redundant or irrelevant. So with a 100 plus locations around the globe with multi-tenant technology, you fly to Paris tomorrow, as soon as you connect to the internet from your hotel or the airport, we automatically redirect your traffic through our Paris data center. Your policy and security magically shows up, gets enforced, you're getting localized content, you're getting amazing response time without having to do anything. >> You're getting the same services that you get anywhere else 'cause it's policy driven with a common infrastructure for ensuring that-- >> And-- >> The issue of distribution is not the determining consideration. >> So it is the heavy lifting we did. >> Right. >> To make sure your policy can automatically show up where it is. And to do that, you're to build some serious technology. The old technology was, policy needs to be pushed once in a while, let's do a batch push. That's what traditional security appliances like firewalls do, they're single tenant, we came with a concept policy on demand per user, it works beautifully and then logs. Any time you go through any check post, the logs are created just like when I go in a building, they have me sign that say Jay went to see Peter at this time, same colored logs are created and they must be secured. So, you may be going to our 50 data centers but your logs are created in 50 locations but in line in real time, without ever writing the disk locally, they get sent to one central logging cluster and they're available within seconds. That's really an example of a purpose-built security cloud as compared to what we are calling imitation clouds. >> Mm >> Where people take a stack of appliances, stick them as virtual machines in Google or AWS cloud and they become a cloud service. I was talking to a customer the other day, he said hey, here was a network security vendor making a pitch and he said, "I thought of it, "as if someone is trying to build a Netflix service "using a bunch of DVD appliances." >> Mm-hmm >> All right so, to do security right, one has to build it for the world of cloud, it's multi-tenant, it's distributed, have you seen it before? Think of Salesforce.com, think of Workday, these were young companies a few years ago like Siebel used to dominate CRM. >> Right. >> PeopleSoft used to dominate HR, what happened to them? Well the world moved to its cloud, the world move to SAS service and these companies tried to use that legacy technology, tried to move to the cloud, it just doesn't work and that's why all these investors and customers love Zscaler's platform. We like to call it born in the cloud for the cloud platform. >> One of the things you didn't mention is that, when you're not doing that huge amount of backhaul traffic, your costs are going to go down pretty dramatically. So if I kind of summarize what you've talked about, we're going to go through, we're in the midst of a cloud transformation. >> Mm-hmm >> We have to rethink applications in the context of improve security, bake it right in which is going to lead to a rethinking of network and finally a rethinking of security. >> That's correct. When your network changes from hub-and-spoke to direct to cloud, you can't have a direct path without security so it drives security transformation. So that's where a security platform like Zscaler comes in. So your traffic from any of your say, X 100 branches or from your mobile device or from your laptop, it simply goes through Zscaler to get the same policy, same protection. So Zscaler gets viewed as an enabler of cloud transformation because without us, you can't transform the network and then security has to be done right. >> Right, so you've had a lot of conversations with customers, give us some sense of what kinds of how it's changing the way they work, how it's changing their operations, how it's changing their cost profiles. >> You know three, four or five years ago, we had to do a fair amount of evangelism but when you're the pioneers, you expect to do that. Like three years ago, three CIOs will tell me, "I like cloud, I'm moving in that direction." Three will say, "I'm thinking about it." And remaining four will say, "Mm-hmm I don't think cloud will happen." Today, all of them want to embrace cloud because they've seen the benefits of it. It's making business more agile, more competitive. Now they're figuring out, how do we do security right, how do I do this transformation without, if I may say, messing it up? >> Mm-hmm >> And that's where, it all starts with thought leader, visionary customers. When I saw GE, Larry Biagini, a global CTO or global CISO driving cloud eight, nine years ago, seeing Siemens saying, I need to make my business more competitive and these are the type of leaders who actually help drive adoption because when they do this stuff, others followed. >> Yeah the recode system responds. >> Exactly, exactly >> Jay Chaudhry, talking about cloud transformation and the crucial role that security is going to play in that transformation. Thanks very much for being on theCUBE. >> Peter, thank you, I appreciate the opportunity. >> And once again we've been speaking with Jay Chaudhry who's the CEO of Zscaler. Thanks for joining us for another CUBE conversation, I'm Peter Burris, see you next time. (upbeat music)