Download the "RNS_Sam Curry audio file directly.
RNS_Sam Curry: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Ed Gaudet:
Welcome to Risk Never Sleeps where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet.
Ed Gaudet:
Welcome to the Risk Never Sleeps podcast. I'm Ed Gaudet, your host today, and I am joined by Sam Curry, the Vice President and CISO at Zscaler. Sam, congratulations on the new position. I recognize you left Cyberreason in March, right? So a couple months.
Sam Curry:
The last day of February, February 28th. One of the hardest things I had to do, but yes, you're right.
Ed Gaudet:
After six and a half years with Cyberreason.
Sam Curry:
Yeah, that's, in my head, I think of it as seven, because yeah, you're right. It was six and a half. I joined September of 2016.
Ed Gaudet:
How was the transition?
Sam Curry:
The transition going into Zscaler was great, but coming out of Cyberreason, it was like leaving family behind.
Ed Gaudet:
It's always tough, isn't it?
Sam Curry:
Yeah, and I still believe it's one of the best technologies I've ever been associated with. It's just a wonderful group of people, a wonderful company.
Ed Gaudet:
Yeah, I would have to be for you to stay so long. I know it's especially in this industry where there's so many opportunities, to stay seven years is quite an accomplishment. It says a lot about the culture.
Sam Curry:
I have nothing but goodwill for the company and for the shareholders, and for where the technology is going, but it was timely. I think it was time for me to move on to do something new. So Zscaler is, coming on board at Zscaler it was March 1st, like the next day.
Ed Gaudet:
Oh my gosh.
Sam Curry:
And it's been an exciting ride because, of course, we're going into RSA conference at that point and a whole new technology to absorb it, and I was a customer of Zscaler, so I knew quite a bit, but not the inside, the bird's view.
Ed Gaudet:
So tell us whatever you can share. Tell us what's new at Zscaler and give us give the listeners some insight into the strategy, when you think about over the next couple of years, where you're taking Zscaler.
Sam Curry:
Yeah, so probably won't do anything like as much justice as Jay, our CEO, would do or some of the other executives because I've only been there for a couple of months, but we're here. I've only been here a couple of months. The way that we describe it is, it's really about connecting, on the one hand, people and workloads and devices like OT and IoT devices with, directly as possible and as fine-grained a way as possible with applications and with other people and workloads and devices. It's funny, when I'm an old ... guy, I'm also an old network guy, an endpoint guy, and I'm basically old.
Ed Gaudet:
We're both old.
Sam Curry:
I used to say, you know, I need a fine-grained authorization tool with enforcement at scale. That's how I described it before we had the word Zero Trust, right, which was a huge skeptic of I used to say, Hey, it's an at least trust, but effectively, Zscaler says it's not about connecting to the network, dummy. They don't use the word dummy, that's me, right? If you look at the Internet, the big idea for the longest time was it's about connectivity. It's how do we test things aside from when you call the helpdesk and say, did you reboot? The next question they say is, can you ping, Can you get through? Can you, is there signal getting through? And so if you want less tickets, if you want tickets that are open for less time, in the IT department, it's all about ensuring connectivity and then high bandwidth and then quality of service, which means it's fundamentally a networking and bandwidth challenge. What if we say that's not the challenge? Then let's take it up a few levels. Let's say, okay, mission accomplished for that. Now we get to an interesting world where we can move the compute to the edge, and we can say, all right, let's now work on that challenge that I had 15 years, it can be done now. So digital transformation, IT transformation, network transformation, security transformation, we can call that Zero Trust, you can call it anything you want. It's about fine-grained access, unique access requests, and making sure they complete, and that now has a lot of work that goes downstream from it. And once you're sitting in the pathway there as an exchange broker, as a switchboard, as Jay calls it, sometimes, although it's nothing like as mechanical as that, it's in fact blindingly fast, almost 20 ... a day goes through that. That's what you want to talk about, you want to talk about scale. It's amazing. Now that you can do that, you can see things, now you can go back and say security is not just the Department. No, it's that old wire, the brakes on the car, it's not to stop. It's, actually you can go very fast. If you do this correctly, now, you can go through, and you can instrument it, and you can improve the user experience. You can improve the quality of service. You optimize based on protocol shape, for instance, how you want to route things. So that's where we're going with Zscaler, by the way, stands for, I learned this when I came on board, Zenith of Scalability. So it actually is, right? So how do you optimize, how do you find that maximum? And that's exciting. So.
Ed Gaudet:
Here's what you need, right? You need a scale, scalability, to actually pull that off because it's so complicated. And I can't even imagine the challenge it is to get the roles right in an environment like that. So what are some of the things Zscaler does to do that?
Sam Curry:
It depends on how you do, I don't want to geek out too much unless that's your audience, but it depends on how you actually do things like authorization, right? How do you do group or individual access control? Is it ..., for instance, or how do you read that in so, under the hood, obviously, it supports things like ..., but it also supports things like skim or changing of permissions. So, how does somebody join? How do they change? How do they leave an organization? And very fine-grained at that because you don't want to just say allow or not. Fundamentally, one of the biggest problems we've had with remote access is we tend to centralize and hairpin traffic, and we make everything routable so as soon as somebody is on the network, they can get everywhere. I'm one of the original implementers of VPNs. I used to think VPNs were great because, hey, now I can encrypt and get in, but now I can encrypt and get in, so if I'm compromised or ... compromised, everything I can do can be done. But if we're doing fine-grained authorization, then my individual requests can be adjudicated. They can be filtered, they can be examined, they can be, not just allowed or blocked. They can be given partial access or sent off to a decoy or deception, honeypots. There's a lot of really interesting things, and there's no more wandering around indoors and roaming.
Ed Gaudet:
It sounds like you get to a world without a VPN, which I know a lot of people would love to.
Sam Curry:
But to answer your other question, which is where things are going, it's now, so what can you do now that you see all this and you connect all this? It's how can you determine risk? Is the basis of your podcast, right, Risk Never Sleeps, this notion of how do you instrument risk not just from an external perspective? A lot of companies are doing, let me scan your footprint. That's not easy, and that's easy, that's not challenging. So let's actually look at it outside and inside. Let's look at all these connections and authorization requests, but it's also getting business insights from all that. And now, let's tie other apps from the app world into all that. So you're going to see a lot of that scale.
Ed Gaudet:
Now, when you think about, you work in a number of different industries finance, energy, oil, gas, healthcare. What do you see that's uniquely different with healthcare from a maturity perspective, from how they think about cyber programs and they think about making investments in those programs? What's been your experience?
Sam Curry:
Well, a few things. First of all, healthcare has been regulated differently from other industries. Regulations are not all created the same. Personal health information and health information exchanges are not the same as PII or other forms of privacy-related information and the exchanges that go with them. The second thing is they've been in the crosshairs because, there's really two kinds of companies that are in the crosshairs for organized crime or two kinds of organizations. One, the ones that are very poorly protected because they're easy to break into and to hold it ransom, and then the ones that even though they're well protected, you have to pay because it's life and death. And so you wind up with things like municipalities that don't have much IT staff, let alone security and healthcare, because if a hospital suddenly can't get to health information, people die. We've seen the first case now where ransomware has led to directly to the deaths of children and newborns, for instance. And if you, nurses can manage many children because of automation and computers, and we saw where children died because computers went down and nurses were the old-fashioned system, can't suddenly handle that right.
Ed Gaudet:
And care gets disrupted, and ambulances get diverted, and oh.
Sam Curry:
A friend of mine, Josh Corman, has spoken on this publicly, and I'm just gonna shout out to him, he was at ... doing healthcare stuff. He said, he told me, and I'm not the expert here, so if I misquote him, it's on me. There's a 4.5-minute mark, he said, where, certainly when you're dealing with things like stroke, heart attacks, diabetes-related incidents, if you get beyond the 4.5-minute mark to get health support in an emergency, you'll still survive. The chances of surviving are about the same, but in the medium to long term, the death rates spike. So in other words, you'll get out, you'll go through the incident, you'll get out of the hospital, you'll seem okay, but that medium to long-term impact of the delay is what will kill you.
Ed Gaudet:
That's right.
Sam Curry:
And it's hard to measure. But that happened during COVID with lack of beds, especially in rural areas where the secondary hospital failover is further away, and it's happened as well with things like ransomware and attacks on the infrastructure, so life and death situations in critical infrastructure. In fact, he's fond of saying not all critical infrastructure is created equal. Some of it is to do with food supply, water supply, life, and death, as opposed to equally important, but not the same urgency, perhaps things to do with the economic system or energy or national defense. Those are all very important, different urgency profile, if you will.
Ed Gaudet:
Exactly, exactly. So let's switch gears a little bit and talk about you. How did you get into cyber?
Sam Curry:
Oh, my goodness. I haven't heard that one in a while. Like I said, I'm getting old. We're on Zoom here, and I just love that touch-up my appearance feature, right? So if that ever comes off, suddenly I'm the crypt keeper. So I actually started in tech pubs. Prior to that, I did some cryptanalysis, but I started in tech pubs and then from there went into QA because you have to test the stuff, make sure it's writing the truth, and then from there went into engineering.
Ed Gaudet:
I did not know that about you. I started in tech pubs too.
Sam Curry:
Yeah, see, there you go. So yeah, my formal training was originally in physics and linguistics as well as English lit and philosophy. I then went back and got a graduate degree, another graduate degree. I got one in counterterrorism later. But I was in a company and we did one of the first commercial implementation, implementations of a VPN, and the first private VPN, and we accidentally invented the personal firewall and sold that company to McAfee, where I wound up doing two roles right around the dot-com bubble. The first was, I was chief security architect for Network Associates, which was the former parent company of McAfee. And ....com spun out, I ran product management there and we were the third most successful dot-com. And so it was being catapulted to the stratosphere from here in Silicon Valley and we just relocated. And I remember my commute went from 50 minutes to 15 minutes when the dot-com bubble burst, and then I moved to New York with Computer Associates and then RSA, and the rest is history. But yeah, it was a heady ride in the early days, but actually did a podcast myself called Security All In Once, which was asking people this exact question, because I didn't realize I was security guy until maybe 2002, 2003. I was, oh wow, this is like a career thing, and that was 21 years ago.
Ed Gaudet:
I think that gives you really a unique perspective being in on the product side and going through the product process, starting off with tech pubs and then going into QA and then obviously product management.
Sam Curry:
I ran up ...
Ed Gaudet:
Running RSA Labs and being a CTO.
Sam Curry:
It's huge. It was fun.
Ed Gaudet:
It gives you perspective. What keeps you up at night? I know you're only there a couple of months.
Sam Curry:
I used to see my kids, but now they're getting older.
Ed Gaudet:
That's right. When they come home, it keeps me up at night.
Sam Curry:
It's not what keeps me up at night, but what I grind my teeth over, I do have a mission, which is I sat at an IDC conference years ago and I saw projections for the market as soon as 2013 and it was, security will be $138 Billion a year, I think it said, and I did the math, oh wow, we've done, we spent a trillion in the last decade and the next person who got up was a CISO who said, there's those who've been hacked and those that don't know it. And my brain, just like the record skipped, ..., like what? And I said, how is that possible? And I realized it's because for all the money was marching up on the slide I could imagine the revenue for the bad guys was marching up faster. And so they were getting better at a faster rate than us, and I made a decision for all that I was a CTO. I joked I was the CTO of the world's largest keychain manufacturer and RSA, by the way, and I said, I'm going to make career decisions in order to apply my thumb on the scale, mixing metaphors here to try to change that. And that's why I went to Arbor, that's why I went to Cyberreason, that's also why I went to Zscaler. Where do I put my personal energy to try to make it so that we as defenders get better and faster rate than the attackers? And by the way, we're still in a similar situation and I hate it, and I hope that makes some sense.
Ed Gaudet:
No, absolutely. The thing I love about healthcare more than any other industry is that shared mission you have with your customers.
Sam Curry:
Lives, people's quality of life.
Ed Gaudet:
It's everyone's a customer, everyone's a patient. Everyone knows a patient, everyone.
Sam Curry:
I'm impatient, but yes, I'm also a patient.
Ed Gaudet:
Yeah, that's right, exactly. If your mother, father, sister, brother, hooked up one of those machines or on their way to a health system and it gets hacked, then it becomes personal. No, I absolutely understand what you mean by that. So it's been a challenging couple of years with COVID. What are you most proud of over the last couple of years, personally and professionally?
Sam Curry:
It's funny you put it that way because most of my time, I never say no to things, so I'm always trying. The reason I never say no to things is so many people always said, you gotta learn to say no, and I'm like, no, you don't. No, you don't. You, busy people, find ways to do more things, it's a thing. And I had a woman in my early career who said, never let anything go past your desk without either improving or being part of it. And it was the best advice I ever got. So I teach, right, and during COVID, I got another degree. I advise companies and I take that mission that I have very seriously. It's the yardstick by which I determine how much time I spend on things, but I very rarely sit around and go, oh, look at that, I did that. And my brother, who's also in cyberspace, oh, you should look what you've done. So sometimes he's my cheering section, but most of the time I hate failure more than I ever celebrate success. And one of my most proud of is probably the things that I have done to help others succeed. I think I'm very proud of the fact that I created a cyber terrorism course and taught it to some third-year students recently for the first time, I'm proud of that. I usually get the most happiness when I'm teaching or helping somebody achieve something, much more so than when I do something like enabling someone to do something.
Ed Gaudet:
We're like brothers from another mother, Sam.
Sam Curry:
Yeah, well, you know what? We cyber folks, risk folks, we tend to find each other.
Ed Gaudet:
Yeah, no.
Sam Curry:
If you feel that way, you'd also like my brother, Red. He's, although I don't think you can have somebody named Ed and somebody named Red on a podcast at the same time.
Ed Gaudet:
I did see the Red Curry mentions and.
Sam Curry:
It's a horrible name, right, and I chose it. So it's his older brother, he blames me for that.
Ed Gaudet:
That's fantastic. No, that makes a lot of sense. Is that Wentworth? Is that where you're teaching or?
Sam Curry:
Yeah, I teach at Wentworth and I teach at Nichols College for graduate, but yes, the cyber terrorism course, was part of the CS department as a third-year course there. And it's a wonderful school, really great students, and I've taught before elsewhere, but this was a special class for me because I created it, I won't say from scratch, because it's based on the work of others and things that I've been exposed to and seen and done over the years.
Ed Gaudet:
Interesting. So outside of cyber, and I know you spent a lot of time there. What would you be doing? What's your passion?
Sam Curry:
Oh, I have a friend who I just started working with, Shawn Cordero, who we both were talking about exactly this last week, and we discovered we both want to be writers, right? I want to be a, I wanted to be a science fiction writer, which is why my degrees were in physics and English, by the way, way back. But I, in particular, I like small social gatherings, I don't like big ones. I'm not the guy that likes to go to the party with 200 people and loud music because it's hard to have meaningful interaction, but I really love the 4 to 5 friends getting together thing and having a dinner or playing a game, especially cooperative games. When it's not COVID time, you would find me doing that. You'd have to find me bringing people over and doing something like that, and I'm just really big on that. And I love connecting with friends and peers and finding their true selves. And the funny thing is, the more I am my true self, the more I've had positive responses in my professional life. I just did a presentation actually, to a civil Air Patrol group of cadets, and one of the pieces of advice I gave them was some people will tell you, don't mix business and personal, and I'm going to say, ignore that.
Ed Gaudet:
Yes, hallelujah.
Sam Curry:
Nobody wants to be doing business with somebody who's detached and doesn't care.
Ed Gaudet:
Exactly.
Sam Curry:
Business is personal, and if you try to separate the two, you're going to be miserable.
Ed Gaudet:
It's so true. How do you manage two personas? Don't know how people do that.
Sam Curry:
You don't. Everybody does to some degree. We all wear a facade. We all have a facade, we wear masks. But I find the more I take it off, the more somebody ..., maybe this wasn't true when I was younger. Look, when I was younger, I was really into science fiction, right? I really liked my Dungeons and Dragons or whatever, right? But we didn't say it.
Ed Gaudet:
That's where the dice came from, by the way.
Sam Curry:
Is it? But we didn't say that because if we said that we weren't taking seriously.
Ed Gaudet:
No, I was going, I was going to say and I forgot, I was actually.
Sam Curry:
See, Gen X, the boomers didn't take us seriously, and the other Gen Xers, you, it puts you in a cast.
Ed Gaudet:
That's right.
Sam Curry:
Puts you in a type. It doesn't anymore. And people go, oh, so there's a real person there I can connect with. Whatever your passion is, I can connect with that. And there's a certain vulnerability when you expose that and people like it may not be my thing, but dude, that's cool. And I think that's different from.
Ed Gaudet:
Yeah, absolutely, absolutely.
Sam Curry:
I actually want to thank my Gen X friends who are going to be like, you idiot. I want to thank the millennials out there who've partly made that possible, right? Because they are their true selves pretty much 24/7, so there you go.
Ed Gaudet:
Yeah, I've. I like to fly my freak.
Sam Curry:
Look at that.
Ed Gaudet:
Look at that, huh? That's my passion, but I'm a writer, too, like you. And we've had very similar paths, and, but I do try to find time to write. Have you done that at all? Have you started to?
Sam Curry:
So this is actually a terrible story for two reasons. One, I had a really bad fire years ago and I actually lost the old computer I used to use in the hard drives on it and stuff, which is the first part, which is, okay, I could have overcome that. I have some of my old writings, but some of the stuff that I was truly passionate about. But after that, I channeled a lot of my creativity into work stuff which isn't as fulfilling in some ways, but when I write a quick blog or something, people usually respond really well to it. And I was talking to Shawn last week, as I mentioned him earlier, and we've made a pact that we're going to push each other to write more and actually do it. But this is the answer, the quick answer, the short answer is no, I haven't, but I need to. I think I need to for my, even if it stinks. Maybe, especially if it stinks.
Ed Gaudet:
Just doing it, so therapeutic. Just do it, absolutely. So what would you tell your 20-year-old self?
Sam Curry:
Wow! It's funny, somewhere around 18 or 19, I started to live by a philosophy of trying to really make the best decisions I could in the moment so that I wouldn't have as much in the way of regrets. And I, and this is a dangerous path, right? Because first of all, you can't go back in time knowing what you know now most of the time, you never can. But, and the world today isn't the same as it was then. So sometimes I get asked, how do I get to do your career? And I'm like, don't do what I did, because the world is just not the same, right? There were no ... In fact, I remember when the CBK was created, right? There was no, certainly no cyber degree. I remember the first cyber courses as part of a CS degree, but mostly it was just a chapter in some CS courses. And I remember a friend of mine who got his PhD and I was like, wow, you had a PhD in information security, that's amazing. In fact, we called it information security.
Ed Gaudet:
So what would I tell my younger self? I was in California at the time.
Sam Curry:
20, you said 20, didn't you?
Ed Gaudet:
20.
Sam Curry:
Yeah, that person I'd like to tell him to be a writer, but that's unfair. He was making the best decisions at the time. Yeah, I wish I had, the problem is my no-regrets thing. It's really hard because I am who I am now. Oh, I might exercise more, you lazy bastard. That would be like, really, you, and I don't get on the motorcycle in 1998 where you hurt your back, don't do that. Don't get into that car crash you got into in 2018, that was bad.
Ed Gaudet:
Oh boy.
Sam Curry:
Yeah, I had a fractured C2, which was, thank God I was fine, but there's little things like that.
Ed Gaudet:
Yeah, interesting. Okay, so I'd be remiss if I didn't ask you this question. This is the Risk Never Sleeps podcast. Sam Curry, what is the riskiest thing you've ever done?
Sam Curry:
Riskiest?
Ed Gaudet:
Yes.
Sam Curry:
Probably in 1996, I had a suitcase and 90 bucks and I moved to Ottawa for a job that was really just a short-term contract, and if I hadn't done that, I wouldn't have my career. I was going up there because I was going to go work for a guy named Phil Hadfield who had a startup, and I really wanted to get into the biotech industry, but I couldn't find any openings anywhere, and yeah, I just went.
Ed Gaudet:
And where were you living at the time?
Sam Curry:
I was living in Massachusetts.
Ed Gaudet:
You were? Okay, that's a big move. That's Ottawa? That's a, are you a Bruins fan?
Sam Curry:
No, I'm a Canadiens fan.
Ed Gaudet:
No.
Sam Curry:
I'm actually actually, I was born in Montreal.
Ed Gaudet:
You're the devil.
Sam Curry:
I know, right? I know. But the senators didn't exist then, right?
Ed Gaudet:
Ottawa Senators. That's true.
Sam Curry:
I'm sure there's other stuff I'm not thinking of, and maybe I'm not thinking of, like.
Ed Gaudet:
No, that's a huge risky thing to do that, I remember having, and doing things like that. And it is a, you wouldn't do it today or you'd think hard about it today.
Sam Curry:
So before my first, after my first fire, I've had two. Yeah, crazy, right? Oh, I was struck by lightning, but that's for another podcast.
Ed Gaudet:
That's pretty risky, isn't it?
Sam Curry:
If this is an ancestor simulation, like, clearly I shouldn't be alive. But so, right after, literally after my apartment burned down, I did the same thing again. I moved to San Jose with a suitcase and two cats this time. Oh, but I had a check from the insurance company.
Ed Gaudet:
Oh, so that's, yeah.
Sam Curry:
That was not as risky. Apparently not as risky. I take far more risks in my personal life than I do in my professional, by which I mean for the companies I represent. Yes, I do crazy things in like, for me, personally, that I would not do the things I'm entrusted with, so. I was told once, hey, spend the money that, in your budget, it's your personal money. I'm like, you do not want me doing that. I am not the smartest person with my personal money, like with my professional money. I'm good.
Ed Gaudet:
That would be me ...
Sam Curry:
I have a recent risk. My wife and I did a silly thing, we opened a business. We opened a small business. We, she lost a lot of weight. I won't say how much for her dignity, but she lost a lot of weight just pre-COVID and going into COVID, and she developed a passion for spin and pilates and weight training. So we opened up here in Massachusetts, in Middleton, Mass. We opened up a business called Form Fitness. It's a 3500 square foot personal training and a 3000 square foot spin studio. And she works there like 14 hours a day, and I say it was dumb because it, opening a business, if I knew it going in, if you knew how hard it was, you either take, you're either taking a risk with your eyes wide open and you're an idiot, which is me, or you don't know what you're getting into. It's like having children. If you remembered how hard the first one was, you would never have the second. But I have two kids because clearly, I'm a sucker for punishment, so maybe those are risks too.
Ed Gaudet:
I always say that the world would be a smaller place if we had good memories.
Sam Curry:
There's something, I think, about the human brain that says when you go through either trauma or a really difficult experience, over time, you remember the positive and you tell yourself a narrative that's uplifting and then you stupidly do it again.
Ed Gaudet:
Exactly. Sam, this has been terrific. Any last comments for the listeners? Anything you want to?
Sam Curry:
No, I thank you for doing this podcast and for having me on, but it's been great, and thanks for pushing into some of those personal places. I just hope it's interesting for the listeners.
Ed Gaudet:
It absolutely will. And thank you, Sam, for joining, and thank you listeners for joining the Risk Never Sleeps podcast. This is Ed Gaudet. Until next time, stay vigilant, especially for those folks that are on the front lines protecting patient safety.
Ed Gaudet:
Thanks for listening to Risk Never Sleeps. For the show notes, resources, and more information on how to transform the protection of patient safety, visit us at Censinet.com. That's C E N S I N E T.com. I'm your host, Ed Gaudet, and until next time, stay vigilant because Risk Never Sleeps.
Sonix has many features that you'd love including enterprise-grade admin tools, share transcripts, upload many different filetypes, transcribe multiple languages, and easily transcribe your Zoom meetings. Try Sonix for free today.
