Profiles in transformation: Stan Lowe
Stan’s interview is part of our series about Zscaler employees who once were Zscaler customers. We wanted to explore their backgrounds, the environments in which they were working when their companies deployed Zscaler services, and why they decided to join Zscaler.
Stan Lowe spent much of his 30-year career in cybersecurity working for the federal government. During his years as CISO for the Department of Veterans Affairs, he first became aware of the possibilities of the cloud as a way to make heavily regulated data accessible to the various healthcare providers serving veterans. Stan authorized the VA to be the first government agency to use cloud-based applications and storage. He joined Zscaler in 2018.
When did you start to think security needed to change?
“I was working for the Department of Veterans Affairs. I came up with this idea that trying to protect a network was going to be next to impossible because as we were moving the data and moving applications to the cloud, there was no way that I could conceivably from a cost perspective be able to afford that. My cybersecurity budget was in the billions of dollars, but as a taxpayer, like you, I couldn’t in all good conscience spend that kind of money to do that.
“So, I thought, OK, what do we do? We’ve been doing this for 25 years and obviously based on the number of breaches, we haven’t gotten it right yet. So, we need to come up with a new methodology.”
How should security be done?
“I came up with what I thought were four original principles—it turns out that I wasn’t the only person to think along these lines, but I’m happy to be in agreement with a lot of smart people on the matter. These principles outline the way we should practice cybersecurity, granting access based on what we know:
- What’s your identity: Are you ours, a contractor, vendor?
- What are you trying to access?
- Where are you physically? Internal? External? Good country or suspect country?
- What is the criticality of the data or application you’re trying to access?
By assessing all four questions, we make a decision based on risk.”
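The four questions above, worked into a small risk-based access decision as an added example (this is not code from the interview or from any Zscaler product); the resource catalog, the per-answer weights and the thresholds are all assumed:

```python
from dataclasses import dataclass

# Added example: a risk-based access decision built from the four questions
# in the interview (identity, what is requested, location, data criticality).
# The resource catalog, weights and thresholds are constructed assumptions,
# not any agency's or vendor's real policy.

IDENTITY_RISK = {"employee": 0, "contractor": 1, "vendor": 2}
LOCATION_RISK = {"internal": 0, "external": 1, "external-suspect": 3}
CRITICALITY_RISK = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Constructed catalog answering "what are you trying to access?" with a
# criticality label; anything not listed is treated as unknown.
RESOURCE_CRITICALITY = {
    "intranet-wiki": "internal",
    "sales-crm": "confidential",
    "patient-records": "regulated",
}

MFA_THRESHOLD = 3   # at or above: allow only with step-up authentication
DENY_THRESHOLD = 6  # at or above: deny outright

@dataclass(frozen=True)
class AccessRequest:
    identity: str   # "employee", "contractor", "vendor", or anything else (unknown)
    resource: str   # name looked up in RESOURCE_CRITICALITY
    location: str   # "internal", "external", "external-suspect", or unknown

def risk_score(req: AccessRequest) -> int:
    """Sum the four signals; unrecognised values score as the riskiest case."""
    criticality = RESOURCE_CRITICALITY.get(req.resource)
    if criticality is None:
        return DENY_THRESHOLD  # unknown resource: fail closed
    return (IDENTITY_RISK.get(req.identity, 4)
            + LOCATION_RISK.get(req.location, 3)
            + CRITICALITY_RISK[criticality])

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'allow_with_mfa' or 'deny' for the request."""
    criticality = RESOURCE_CRITICALITY.get(req.resource)
    # Hard rule regardless of score: regulated data is never served to a suspect location.
    if criticality == "regulated" and req.location == "external-suspect":
        return "deny"
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= MFA_THRESHOLD:
        return "allow_with_mfa"
    return "allow"
```

Unknown identities, locations and resources deliberately score as the riskiest case, so a request the policy cannot classify is stepped up or denied rather than waved through.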
What was your role when you started using Zscaler services?
“I was CISO at a large, international biotech company. I basically looked around and said, ‘I can spend tens of millions of dollars of the shareholders’ money, or I can do this differently.’ At the time, we had a large legacy architecture that was on the cusp of needing to be refreshed. So I thought I could sort of take that methodology, those four principles, and put it into practice.
“We had legacy stuff we had to take care of, like SAP applications, but we started moving a lot of our backend office infrastructure to the cloud—Office 365, Workday, SAP S/4HANA, Salesforce. So, I’ve got one foot in one camp and one foot in the other camp. I had a lot of legacy applications that I could move to the cloud, so Zscaler fit nicely, allowing me to use that model where it was immaterial to me where the individual was, on-net or off-net. I was able to provide the same security stack whether they were internal to us or external, as well as being able to get rid of the security stack we had and move all that to the cloud, which made things much more efficient and much less complex.”
Was there resistance about moving to the cloud?
“Most of the resistance for any type of transformation activity I’ve done has not come from the business. The businesses are all for it. Their attitude is, ‘We’re going with you or we’re going without you.’ That’s why there’s a lot of shadow IT out there. But a large portion of the resistance that I experienced was internal, in my own groups. Cybersecurity folks and IT folks are often very black and white. It either is or it isn’t secure. That’s how a lot of cybersecurity people were brought up. It was a compliance-based security thing, and you were secure because your documentation said you were. However, we continued to have breach after breach, so obviously, that was and is not working.
“What I had to do is show them how what they did on a daily basis impacted the company’s ability to protect and drive revenue. And once they started understanding that, it changed their mentality from being a security person to being more of a business enablement person. The question became, ‘How can you enable business to do what it needs to do securely and resiliently?’
“One of the cool things that Zscaler allows you to do is provide a security stack in the cloud, with full SSL decryption, DLP with exact data match, sandboxing…they get all of that at a much-reduced cost, and it’s more effective and less complex, which makes their jobs easier.
“So, you put it in these terms: their job’s not going away, but their job’s going to be performed differently. You do see a lot of anxiety in the IT operations crowd, and especially the people in the SOC. But you help them understand that they’ll still be running the firewall, they simply won’t have their hands physically on it. They’ll be accessing all those tools and applications and stuff in the cloud, and, in fact, it will make life a lot easier, so they’ll be more efficient and be able to do more things.”
Should people in IT evolve their skills for the cloud-first world?
“I’ve had to retrain myself any number of times to be able to either retain the job I have or get the job I want. What got you here will not get you there.
“IT and security are constantly changing and evolving organisms, so the idea is to make sure that you’re constantly educating yourself, that you’re constantly changing the way you’re thinking and not holding onto assumptions so tightly that they’re hurting you and your organization in the end.
“Explaining this is a leadership issue. You need to be able to tell these folks: this is what your job is now, this is how it’s gonna transition, and this is how we’re gonna get you from A to B. Everybody has skill sets that are valuable to the company, so the idea is to transfer those skill sets to something that the company now needs.”
How did Zscaler change security in your organization?
“With Zscaler’s approach to security, the idea is to not secure the network but to secure access to applications and data, which is a completely transformative way of thinking about this.
“What Zscaler does for you right away is it decreases your complexity enormously. You will have more visibility into your data. You’ll have more throughput. You’ll be able to apply those tools more efficiently. And you’ll be able to use the output of those tools more effectively.
“Reducing complexity in the environment is a huge driver. Because the more data you have, the more tools you have, the harder it is to see anything. The bad guys, they’re out there and they’re depending on the fact that you’re only really looking at two to 10 percent of your data that you’re gaining from your tools, and they’re just basically hiding, counting on the fact that your SOC team is not going to be able to see them.
“But by reducing complexity, you have more visibility, and since you’re not going up a security stack—everything’s applied in parallel versus serial—it works a lot faster. You get an almost instantaneous feed.”
Why did you decide to join Zscaler?
“We’ve been doing cybersecurity the same way for 30 years, and it hasn’t worked. I firmly believe that we need to change the way we do cybersecurity.
“I could go to a bunch of different companies as a CISO and change cybersecurity in those companies and have a very small impact. That wouldn’t change how we do cybersecurity writ large. The only way I could do that is at a large vendor or go back into the government, which I didn’t want to do, to change things on, frankly, a global scale, and the only way I could do that was coming to Zscaler.
“Zscaler fits with my mindset, and my methodology, my internal belief system, and that’s why I’m here.”
In the coming weeks, check back for additional interviews with IT professionals who, as customers, deployed Zscaler services at their organizations and decided to join the company.