B (6:07)

Let me ask you about integration here because a lot of teams are managing multiple security tools and they're quite often.

A (6:16)

Disjointed, each one protecting a different layer.

B (6:19)

When we're talking about AI enabled zero trust, are we unifying these into one comprehensive framework?

C (6:28)

So the point you're making is the importance of platform. You know, best of breed platform is still extremely important. But if a platform starts to claim doing everything out there, then it dilutes the effectiveness. And I'll explain what I mean by that. So at Zscaler we've always been very clear that hey, we are the switchboard. We'll connect entity A to entity B and the high level goal is to make sure nothing bad comes in nothing good leaks out. We will never do EDR like functionality or we'll never get into identity. That's where we will integrate with best of breed identity platform. Whether it's okta ping, Microsoft will integrate with best of breed endpoint security platform like CrowdStrike Single1, but our core focus is that switchboard functionality which is where we want to make sure we do a very good job. Now your question around does AI helps further integrate some of these things? It will help with these integrations between best of breed platforms, but the focus should still be on your strength where you're able to do things more effectively by integrating AI into Just like I explained at different stages of the attack.

B (7:57)

What about data discovery and being smarter about that? I mean a lot discovering sensitive data a lot of times requires manual configurations with dictionaries and policy tuning and things like that. Is that an area where AI can help automate?

C (8:14)

That's an excellent point. That was the fourth stage that I described as part of the Zero trust transformation journey where you're able to stop data exploration. We are leveraging AI very, very effectively over there in order to prevent exfiltration of data in line. So this is where there are custom ML models per organization. The organization themselves are enabled to create these custom dictionaries and models that will detect things that are sensitive to them. We're also leveraging ML for data classification. Just like you mentioned, there's a lot of data that exists in those SaaS destinations. So using API we are able to scan and tag, classify the data into several different categories. And AI does a phenomenal job at doing that with high efficacy and at scale. So you're able to protect the data that matters the most to your organization.

B (9:19)

What sort of safeguards exist to make sure that this kind of automation doesn't inadvertently create new privacy or compliance risks?

C (9:29)

That's a very good point. Look, securing the AI usage is one of the number one priorities or one of the top priorities. As I speak to global CxOs, there are three things that are top of mind. AI or secure use of AI is number one, and the way I like to describe how to go about securing AI usage is number one is discovery. This is where you need to know your AI usage and your shadow AI usage as well, because there will be a lot of those applications that are running in the environment that you're not aware of where AI is being leveraged, which can result in what you were mentioning, inadvertent data leakage. So discovery number one, you need to have a good handle on that. Zscaler helps customer with that with our switchboard technology because we will be able to see all the AI usage from the environment and give a full picture. The second piece is placing guardrails around that AI usage. An example I can give you is, hey, I am okay with this AI app that is considered a sanctioned app as long as it's used for code generation. But I'm not okay if this AI app is being used for financial data analysis. Maybe that is a completely different app. You don't want to expose your financial data to this specific application which is just sanctioned for code or test code development. So having those guardrails where you are able to inspect what goes into these AI models and what comes out of the AI model is equally important. This is where you are also able to prevent attacks like prompt injection. We're hearing about agent hijacking attacks. With proper guardrails, you're able to secure your AI usage. The number three thing, and this is where it's more proactive. You could also call it reactive. But having a red teaming approach around securing your AI or internally development environment so that you're able to discover issues before the bad guys do and fix them despite of having guardrails, you will always run into a thing or two that were missed. So having that proactive approach is important for discovering issues and continuously tightening that AI environment. And then the final piece is governance. This is again aligning with a proper data governance framework. AI governance framework. There are frameworks that are being defined by nist, other global entities. There's active work happening in that space and there is tooling that is now becoming available that can help you map where you stand when it comes to compliance and governance in your AI usage.

A (12:36)

We'll be right back.

B (12:44)

You know, deepen there's always that balance between security and usability for your employees, for the folks who are using your systems. Does AI help at all in making sure that a zero trust environment can detect and resolve user experience issues? Maybe more quickly than you could in the past.

C (13:06)

That's another very, very interesting use case where we are seeing a lot of success using our Zscaler Digital Experience product. AI can absolutely detect issues proactively. It can improve user experience. It can also do automated root cause analysis and kind of generate a report on why a user experience issue happened and recommend mitigative steps as part of that. So as a cxo, my focus was more on the cyber side of the house. But AI absolutely has many other use cases, user experience being one. There are A lot of other IT operation use cases where AI is playing a very important role. Same thing applies with many other departments like finance, marketing. We are seeing active usage of that.

B (14:05)

I would imagine that this translates into time savings for your help desk teams as well.

C (14:12)

It does. In my role I have the pleasure of talking to a lot of these global organization CXOs and the success stories that I get to hear. It's just phenomenal. I mean on the topic of help desk, I heard a large global organization switching to agents. So literally agents taking those initial questions which were otherwise being answered by your help desk and resulting in 70 to 80% less tickets that were hitting that help desk. So yes, AI does help saving time across the board.

B (14:55)

Does it have a financial impact as well? I mean we're talking about consolidating tools and automating detection. Should organizations expect that that could affect the bottom line? Maybe help save some money?

C (15:08)

Look, it's an evolving area where we are seeing cost saving happening using many different motions. Slightly controversial, but look as an industry we're going to see lot of efficiencies over the next. I mean I'm not even going to talk in years, I'm going to talk in months. Because of the pace at which things are moving. You are obviously seeing optimization in workforce that is happening across the board. The tooling sprawl absolutely can be addressed as well by unifying certain areas and doing it more effectively with the help of AI. So you will see efficiencies over there as well. And then the fact that you're able to do more with less and in less time itself will also result in efficiencies.

B (16:02)

Where do you suppose we're headed with this? Through this intersection between AI and zero trust. I've seen people have this notion of, they refer to it as self healing security systems. I mean, is that on the horizon? Is that too far off to still be a fantasy or is perhaps something like that in reach?

C (16:24)

Last year my answer was yeah, we are far. This year I feel like we're getting closer. It is still an augmentation play where these agents are getting augmented into your SOC teams. It absolutely takes care of some of the lower tier response activity. It is able to weed out noise as well, like false positives. It is able to make your tier 2, tier 3 analyst more efficient and respond to issues much more quickly. With the right tooling and technology you will be able to take actions in an autonomous fashion as well with some guardrails so that you don't end up in causing disruption so we're getting there. Probably in next 12 months when we talk again on this topic, we will have a different answer. We may have some working models as well, but this is an active area of investment for us at ZSCALER as well. The agents that we have deployed that I mentioned, one of the agent is remediation agent which will come up with these policy recommendation and it will right now assist the tier 3 tier 4 analyst, but it is fully capable of invoking those API calls if given permission to heal or to make those security posture enhancements to mitigate the attack.

B (18:00)

When you're out talking to security leaders about zero trust and AI, are there common concerns that they have or maybe even misconceptions about transitioning to this?

C (18:13)

Look, this was absolutely the case when the ChatGPT and the whole first six months of the generative AI coming to the scene. Over the last year, year and a half we've been talking agents. It was more when the generative AI thing came out. Now everyone or most of the CXOs realize that you have to enable your business to adopt this more securely, but there is definitely concern around how do I secure it in a way that doesn't result in cyber or data actual risk. There is also a bigger concern on adversarial AI usage. So if you think about it, there are three risks when it comes to AI adoption. One is insecure AI usage. We talked a lot about it, how you should go about securing it. I described four buckets. There is attacks happening on the AI itself where an adversary will come in and poison the model that you're training for production or they will steal data from that AI environment. Again, the four categories that I described will help you secure that AI application as well. But the third one is where adversaries are using AI to go after your employees, to go after your environment, to go after your business. That is an equally concerning problem because just like we've talked about efficiency scale on the good guy side, the bad guys are also able to do that using AI. And that's where the number one thing is, you need to leverage AI to fight AI. And then the second thing is the importance of zero trust. Because zero trust fundamentally will set you up, will set your architecture up in a way that you're able to defend against lot of these unknown unknowns that you're going to see when AI is being leveraged by the bad guys to attack your organization.

B (20:27)

Yeah, it strikes me that I can understand people initially having kind of a wait and see attitude when it comes to some of these AI developments. I don't want to be the first one to run out and adopt all of this stuff. But I can't help wondering, do we reach a point where there's a risk of being left behind if you don't get on board?

C (20:53)

Dave we are already in that phase where that's why I said initially a lot of the CXOs were in that boat where, hey, I want to see how things go before I they will just adopt the block everything mode. And now over the last year and a half, we are already in that boat where it's a mandate from board level from CEOs that Hey, you need to get more efficient, you need to adopt AI, you need to try it out in different departments and make sure we're able to deliver better outcomes so that fear of missing out is no longer the case. They know that they will be left behind if they don't enable the business in doing this.

A (21:47)

And that's our program. Thanks to Deep Into SAI from Zscaler for joining us and shedding a light on how AI powered. Zero Trust isn't just about better security. It's about better efficiency and visibility across the enterprise. By unifying data protection, automating discovery and accelerating troubleshooting, organizations can simplify their security stack while strengthening their distance defenses. Thanks again for tuning in to Cyberwire X where we connect ideas, people and technology shaping the cyber security landscape. I'm Dave Bittner. We'll see you here next time.