Digital Transformation – Survive and Thrive


Session Insights
Written by Amanda Baldwin

Jay Chaudhry

CEO, Chairman & Founder

Zscaler

Paul Reyes

CISO, VP of Cyber Security, Risk, & Compliance

Vistra Corp

Shamoun Siddiqui

VP, CISO

Neiman Marcus

DECEMBER 2022

Digital transformation has grown from being an important business enabler to being an imperative for business survival. As remote and hybrid work environments have become an expectation, business leaders must prioritize secure digital transformation to minimize risks and increase agility. In this new world of work, how can CISOs rethink their cybersecurity strategies and communicate the value to the business?

At the Dallas CISO Executive Summit, Jay Chaudhry, CEO, Chairman & Founder of Zscaler, led a keynote entitled “Digital Transformation - Survive and Thrive,” where he discussed the value of cybersecurity transformation and how to scale and simplify cloud security across the organization. Chaudhry was joined by Paul Reyes, CISO, VP of Cyber Security, Risk, & Compliance at Vistra Corp, and Dr. Shamoun Siddiqui, VP, CISO at Neiman Marcus, who shared how they have transformed their organizations for a secure future. Here are the key takeaways.
 

Security is an Enabler of Digital Transformation

Chaudhry explained that secure digital transformation delivers a competitive advantage, including improved decision making, collaboration and productivity, and reduced cybersecurity risk, cost and complexity.

“As organizations continue to embrace cloud and mobility, their network and security architecture must change from a firewall-centric, castle-and-moat security model to a Zero Trust architecture where you connect users to specific applications and not to the network.” - Jay Chaudhry, CEO, Chairman & Founder, Zscaler
 

A secure digital transformation requires a combination of application, network and security transformation, and Chaudhry detailed the process. He stated that IT must first complete an application transformation, moving from the data center to the cloud. This triggers the need for network transformation, moving from a hub-and-spoke model to direct connectivity. Lastly, as the network changes, security must transform with it, moving away from castle-and-moat security to a Zero Trust architecture.

Chaudhry noted that legacy security and networks are no longer sufficient to protect today’s mobile, cloud-centric organizations. He outlined four steps cybercriminals take to breach organizations:

  1. They find an attack surface - Businesses that rely on hub-and-spoke networks, such as VPNs, or use internet-facing services, such as firewalls, are increasing their attack surface and making their businesses more vulnerable. Furthermore, remote work is expanding the attack surface, as employees connect from anywhere.
  2. They compromise users or devices - As users or devices access the internet, hackers trick them into downloading malware or giving up their credentials in targeted phishing attacks.
  3. They move laterally - Once compromised, it is easy for attackers to move laterally across a routable network to infect numerous applications and find high-value targets.
  4. They steal your data - After discovering valuable assets, attackers steal users’ data which gets sent to the internet. They also extort businesses through ransomware.


Modernize Security with a Zero Trust Architecture

Chaudhry stated that organizations cannot afford the risks associated with legacy security and network architecture, and he introduced Zero Trust as a strategic imperative for modern businesses. He stated, “Implementing a Zero Trust strategy is fundamentally different from utilizing VPNs and firewalls to protect data assets and employees,” and he explained that in a Zero Trust approach, there is no implicit trust in a user based on their network, credentials or location. There must be verification at every step.

A Zero Trust architecture differs from legacy models. Cloud-based platforms, like Zscaler’s Zero Trust Exchange, directly connect users and applications, without connecting them to the network. While the network is needed for connectivity, it is simply used as transport or plumbing. Chaudhry explained, “Users gain access to applications - never the network - based on their verified roles. Modern, cloud-first organizations need a Zero Trust security approach - one that isn’t based on 30 years of legacy networking and security principles - in order to remain relevant and competitive in today’s dynamic business environment.”
 

Zero Trust Architecture in Action

Paul Reyes of Vistra Corp and Dr. Shamoun Siddiqui of Neiman Marcus transitioned to a Zero Trust approach, and they shared some of their insights.

Vistra Corp started their transformation journey before the pandemic, and Reyes shared that going “back to the basics” of focusing on identity, endpoint and email protections and reducing the attack surface was at the core of their Zero Trust strategy. When the pandemic struck in March 2020 and workers went remote, they already had many of the components of their Zero Trust approach in place, and they were able to transition their business to Zero Trust in just one week. To this day, whether users are at home or in the corporate offices, they are not connected to the internal network. Reyes shared that this security model has greatly reduced their attack surface, and risk has been reduced by 90%.

Neiman Marcus focuses on revolutionizing luxury experiences for their customers. They do this by securely modernizing their customer engagement tools and scaling the business digitally. Dr. Siddiqui stated that the technology teams at Neiman Marcus adopted a cloud-first strategy years ago in order to deliver next-generation services to their customers as well as to their associates. SDWAN and Zscaler became enabling technologies for this vision. Four years after starting their transformation, they now estimate that they are between 70% and 80% in the cloud. Most of the business-critical applications have been modernized to utilize the benefits of cloud ecosystems. Dr. Siddiqui further stated that their strategy continues to be that they would be fully in the cloud within the next 3 to 5 years, at which time the need for physical data will either be eliminated or, at least, further minimized.

Chaudhry added that it is critical for leadership to drive this change. He emphasized that security cannot be done in isolation, and that security, network and architecture leaders need to come together to see the greatest value. “Secure digital transformation doesn’t happen overnight and it requires a mindset change within the organization to be successful, but the CISOs who have gone through it will attest that it’s a worthwhile endeavor,” Chaudhry concluded.


Content adapted from the Dallas CISO Executive Summit, “Digital Transformation - Survive and Thrive,” sponsored by Zscaler.
