RSAC 2024

Interview: Zscaler VP And Global CISO On Phishing Trends, The Cost Of Security Innovation

Expert Insights interviews Sam Curry, VP & Global CISO in residence at Zscaler.

Sam Curry Zscaler

Phishing attacks jumped by over 58% last year, according to data from the Zscaler ThreatLabz 2024 Phishing Report. The surge is “Not a huge surprise,” Sam Curry, Zscaler’s VP & Global CISO in residence tells Expert Insights.

“In terms of number of phishing incidents, we blocked about 2 billion phishing attempts,” he explains. Zscaler is an in-line internet security solution that blocks access to phishing websites in real-time – providing a detailed insight into the phishing landscape. Zscaler is an in-line internet security solution that blocks access to phishing websites in real-time – providing a detailed insight into the phishing landscape.

Sam Curry is VP & Global CISO in Residence at Zscaler, and a fellow at the National Security Institute. Curry has been in the security industry for 32 years, starting his career as a crypto analyst. He was the first employee at Signal 9 Solutions, a start-up that invented the personal firewall, before joining McAfee as their Chief Security Analyst. He then spent several years at CA, RSA, Arbor Networks, MicroStrategy, and CybeReason.

Curry sits on a number of boards and works closely with his home state Massachusetts and a number of not-for-profits on improving their cybersecurity infrastructure. In March 2023, he joined the Zscaler team as their VP & Global CISO in residence.

Gone Phishing

Zscaler are seeing a “much greater use of AI,” in phishing attacks, Curry says. “It takes 10 prompts to ChatGPT to be able to set up a phishing site.” The danger with use of AI is not that it will make phishing better, he adds. Rather, it makes the volume much more challenging to deal with.

“Everyone was worried that what would happen is you’d have the perfect phishing email. But I’m not worried about that. There were errors in phishing emails for a reason. It turns out if you make a perfect phishing email, it’s more likely to get reported. If you make an imperfect one, you weed the smart people out. There’s an optimized approach there.”

“So now you’re going to have the same imperfections, but there are more of them. And you’re going to see [threat actors] using machine learning to optimize the types and audiences for phishing to get even more targeted. Which means those who are likely to get victimized are going to get victimized even more. And that’s savage.” 

Dealing with these challenges is as much a cultural issue as a technical one, Curry says. Authentication has to be enforced at all stages, for every employee, including C-level executives. “That’s not an education thing. That’s a cultural change. “They’re not even just going to go with CEO. They’ll go down to a manager level; they’ll go down to your team lead. It doesn’t have to necessarily be the CEO, CFO, CMO. They’re going to figure out who has authority in that company.”

What’s The Cost Of Security Innovation?

At RSAC 2024, Curry sat on a panel titled: Cybersecurity Innovation: Complexities of Software Regulation, along with Ari Schwartz, former Special advisor to the President for Cybersecurity, Mickey Bresman, CEO of Semperis, and Nick Leiserson, Assistant National Cyber Director for the White House’s Office of the National Cyber Director. The panel covered what the requirements are for cybersecurity companies making, improving and maintaining new software.

One of the main problems with innovation in the US, Curry says, “Is that there’s a certain standard to which you have to build in order to service the federal Government. You need six to nine people working for two years, slowing down R&D. When the federal government buys solutions, they’re usually one version behind, more expensive, and they don’t get new features and specs. The problem is: the bad guys are evolving faster.”

In sectors outside cybersecurity, this is far less of a problem. In markets like storage, the key differentiator is typically cost, and extra features are not make or break. “But in cybersecurity, the differentiation is: does it actually stop bad guys? I’m very concerned about this in the context of cyber,” Curry says.

“But what does liability mean? What does a standard of care look like? But what does it mean when AI is changing the landscape? If only 1% of vulnerabilities ever get found, and you take care of that 1%, what about the other 99% that have yet to be discovered? Are you irresponsible for not having predicted that? That sounds like an impossible task. It’s going to play out interestingly.”

Tuning Out The Noise

Curry’s final advice for CISOs is to not overact to the hype in the industry, but to stay focused on the real issues.

“Don’t overreact to everything. Take it all in stride. Deal with what is emerging, because it’s not instant. The sense is that everything is increasing, very, very fast. But have you ever heard of the Shepard Tone? It sounds like it’s always increasing, but it’s not. It’s an auditory illusion.”

“That’s how it feels every [RSAC]. “We’ve got more to do, with less in these uncertain times!” I’ve heard that one for 30 years. 30 years. It can’t always be true.”