Interview: Why cybersecurity wants everyone

by Black Hat Middle East and Africa
#BHMEA23 speaker Sam Curry (CISO at Zscaler) has ridden many waves of change within the Information Security industry. From working with organisations including RSA, Arbor Networks, and McAfee, to his (relatively new) leadership role at Zscaler, he’s dedicated to enabling a world that is both connected and safe.

We caught up with Curry to talk about everything from his career journey so far, to the power of diversity in cybersecurity – and why the industry needs to prioritise mental health.

Could you briefly share your career journey so far - what drew you to cybersecurity, and any pivotal moments along the way?

“It’s a little like with children: the days are long, but the years are fast. When I started in the 90s, it wasn’t called cybersecurity: it was only just called information security, and there were no degree programs. There were classes in things like cryptography and security considerations in programming, or principles for secure practices generally, but that was about it. It has changed a lot since then!

“I think it was right around the dot com bubble burst, when I was at McAfee that I realised ‘hey, I am a security person!’ Sort of like the apocryphal frog who realises the water is warm. The pivotal moments for me after I started out were being acquired and moving to Silicon Valley, joining Computer Associates and really understanding B2B, RSA of course and again the RSA Breach indelibly burned its way into my shoulder. Having children, resolving to make career choices to change what I see is the trend of adversaries improving faster than defenders, going back to school to study counterterrorism and making a conscious decision to give back through mentoring, teaching – and opening the industry as much as possible to new people and experiences.”

What are the basics of Zscaler's approach to cloud security, and what makes it different from competitors?

“I’m relatively new, but I would say the heart of it is connecting users to applications, not networks. For years, we’ve been on a mission as an industry to connect everything-to-everything, and that isn’t really the problem anymore. It’s about not simply connecting things to networks and networks to everything. Rather, it’s about zero trust in networks and getting fine-grained in our authorization.

“We can have a faster, more specific, more accountable and more secure experience accessing applications and interacting with data. The goal of IT isn’t about connecting networks, it’s about enabling the right people to have the right access to the right data at the right times in the right ways and only then. That is achievable.”

What do you wish more people knew about cybersecurity?

“We need you! And there is room for everyone in Cybersecurity. I used to play rugby, and I loved that there was a place on the team for every body type and shape. Cybersecurity is like that: we want everyone and every perspective. It’s not just the right thing, but it is a competitive advantage because we have human adversaries. That means gender, religious, ethnic, neurological and every other form of diversity enriches us, and it’s not just for technical people!”

What's your take on the potential of generative AI as a source of new threats?

“I have said a lot about this publicly and even have two masterclasses on it. I welcome conversation. I think it’s a great thing. It is like what calculators did for mathematics or what Google did for research: it can help us in defence and can help us in performing PT and red/purple teaming. It can help bridge with the business and train people faster. There are dangers because the adversary can use it too and can even poison it to limit our thinking or innovation, and we can get stuck in ruts or suffer in thoroughness of training. But if we’re smart about it, it can up-level our game and improve our capabilities.”

You recently shared a post on LinkedIn about mental health in cybersecurity. What aspects of the industry are particularly challenging from a mental health and well-being perspective – and why is it important for the industry to recognise these challenges?

“We are under tremendous pressure and strain, and the biggest problem is dialogue with businesses who think we are technologists first. We need better dialogue and not just to live with risk. Because burnout is high and substance abuse, from drugs and alcohol to food abuse and sedentarism, is rampant. Taking the time to be healthy and social and active, and taking the time for self-care matters!”

Finally, what's the value of an event like Black Hat MEA for you/your work?

“I love connecting with people, innovating, seeing the new stuff and living security instead of staring at screens. Black Hat is a chance to do that with new faces and not just the usual bunch in San Francisco and Las Vegas!”

Thanks to Sam Curry at Zscaler. Want to learn more? Register now to attend Black Hat MEA 2023.
