Now, back from New Orleans, I can confidently report that last week's Zscaler CXO Exchange in the Big Easy was a resounding success. Nearly 70 executives in security and networking were on hand to hear six keynotes. They took part in eight sessions designated for CISOs and CTOs and 12 interactive sessions where attendees could share their expertise with peers in a charming historic setting.
Often, these engagements are valuable because they offer Zscaler customers and prospects the opportunity to voice their feedback and desires directly to executive staff. The CXO Exchange in New Orleans was no exception. AI was a frequent topic of conversation, both from speakers and in peer conversations.
Throughout our interactions, we encountered the pervasive belief that cloud-enabled AI solutions held promise for enabling automated threat prediction and data loss prevention. This technology is widely expected to make it simpler for security teams to recognize and measure organizational exposure to cyber threats. This will make it an invaluable resource for boards and senior leaders who are hoping to gain a more accurate understanding of their risk profiles.
The consensus is that this focus on prevention and automation will ultimately lead to more informed decision-making, lowering risk, cost, liability, and friction for CXOs, resulting in better outcomes. This optimism, though, was measured with a degree of skepticism. During our two days together, the executives we heard from were also wary of vendor hype, a lack of a unifying approach within their organizations, and understandable fears of data loss or leakage.
Exploring bite-sized steps for SASE implementation
We were honored to hear from a selection of Zscaler customers, including CISO Joe Mendel and Senior Director of Security Architecture Drew Pekkarinen from The Kellogg Company, who joined Zscaler Founder & CEO Jay Chaudhry onstage to provide an update on their organization’s transformation journey.
While the company may be most recognizable for its breakfast foods, Kellogg’s maintains over a thousand products across its cereal, snack, and plant-based food divisions. Their IT and security departments are also responsible for securely connecting over 19,000 users in 180 countries.
The company’s biggest cyber-related risk was a disruption of its production environment, where even short-term outages could cost dearly. This worried leadership in light of increasing attacks such as browser-based phishing and ransomware. For optimal protection and performance, Mendel and Pekkarinen decided the best course of action was to adopt a zero trust architecture based on the SASE framework.
As part of its phased journey, Kellogg’s began by focusing on rooting out threats through URL filtering, endpoint antivirus protection, and advanced threat protection to guard against threats like zero-day vulnerabilities. Next, the company turned to local internet breakouts to access SaaS applications directly from manufacturing and other remote sites rather than route traffic back through corporate data centers.
It initiated browser isolation for risky use cases, which helps the company further limit its risk exposure while still allowing employees to access the resources they need to fulfill their duties without prompting additional support calls. Finally, Kellogg’s opted to phase out its VPNs for remote users and VDIs for third-party partners in favor of a zero trust approach enabled by Zscaler’s internet and private app access solutions.
Eventually, the company plans to implement even greater segmentation as its approach matures, always striving for the correct balance between preventative security and employee enablement.
Joe and Drew offered the following advice for those embarking on their own digital transformations:
- Keep the focus on the end-user experience. By phasing out VPNs, Kellogg's was able to eradicate one of its users’ most frequent sources of frustration. It didn’t hurt that it also reduced the company’s attack surface significantly.
- Align network, identity, and application teams. Internal champions are critical to the success of any transformation initiative, and Kellogg’s discovered that having multiple spread across functional units helped ensure the project's success.
- Balance risk reduction and policy complexity. Policy sprawl was a source of concern, as it could have a paralyzing effect on security teams. It was important for Kellogg’s to walk the line between risk reduction and excessive management and user overhead.
Cybersecurity in the boardroom
I also had the honor of hosting an accomplished panel of cybersecurity experts for a wide-ranging conversation on the CISO’s evolving mandate. Not surprisingly, given the impact of its new regulations, we spent much of our time discussing the SEC’s new reporting mandate and how it has further elevated the importance of cyber leadership for the C-suite and beyond.
During our discussion, panelists stressed the importance of taking a unified measurement approach to risk management, whether the risk is financial, legal, operational, or cyber. All must be accurately quantified for boards to fully understand their relative weight.
The panel also had the following advice for their CISO peers:
- Use Sarbanes-Oxley Act (SOX) compliance outputs as an input for cyber materiality assessments. Understand financial statements and value chains, including how they relate to the organization's applications, systems, and data. This should form the basis of cyber materiality and assessment of risk.
- Cyber materiality assessments can and should inform your reporting of risks (retrospective) and your strategy (looking forward) for managing and mitigating risks.
- Focus on how an information asset can be compromised. Look for direct and indirect relationships that could cause exposure. Adopt an adversary's mindset to go beyond the attack surface and look at possible attack depth or areas where a threat actor could cause maximum impact.
- Prioritize and automate. Otherwise, time and complexity will overwhelm you and your team.
If you are a CISO who reports to a board, or you sit on a board yourself, you should download a copy of Cybersecurity: Seven Steps for Boards of Directors. Written by board members for board members and security executives, these books were quite the hit at the CXO Exchange.
CXOs, we’ll see you in Amsterdam
Ultimately, as we heard repeatedly during the CXO Exchange, IT and cybersecurity are in tremendous flux, often requiring new ways of thinking to succeed in leadership positions. Some organizations, like Kellogg’s, have taken the initial and most important steps to modernize and are reaping the benefits. Others are ready to embark but unsure of how to do so.
CXO Exchanges are designed for both groups and, if you missed us in New Orleans, I encourage you to consider attending our next installment in Amsterdam in March 2024. Hope to see you there.