Lessons Learned, Four Zscaler Deployments Later

When I joined Capitec in April 2022 as CTO, the first thing I wanted to find out was whether there was a zero trust strategy in place. Capitec is the second largest bank in South Africa, and like financial institutions the world over, it’s a potential target for attackers. To compound our challenges, our country’s infrastructure problems are mounting, with outages scheduled each day to try to take the pressure off the oversubscribed electricity grid and poor connectivity in rural areas. I was confident that a zero trust architecture with the right vendor would at least help address our security concerns.

I found that, indeed, there was a zero trust project already underway at Capitec with a Zscaler competitor. The project had been dragging on for two years, but there had been no production deployment. With an open mind, I gave the competing solution a chance—but in due time, significant issues started to crop up. It soon became apparent to me that there were reasons why the project had gone on for so long.
Having successfully completed three Zscaler deployments in prior roles, I had a good basis for comparison. With all the issues and hang-ups we experienced at Capitec, I couldn’t see this other solution ever making it into production. It was time to pull the plug and move our zero trust migration to Zscaler. 

Drawing on my past experience, I set the time frame at three months to get Zscaler up and running. Maybe that sounds optimistic, but Zscaler is a premium product. And what you get with a mature product is a more efficient process, making it easy to self-solve issues as you go. 

What to expect and advice for Zscaler deployments

That’s not to say there isn’t a learning curve when transitioning to a zero trust architecture. You and your teams need to be aware of the effort it takes. In theory, when you go through a zero trust migration, everything should just work. But that’s not always the reality. Sometimes you break stuff, but that’s all part of the process. The difference with Zscaler is that it makes it really easy to find out where you might have gone awry so you can fix those issues quickly and keep up the momentum. Here’s my advice for those beginning their zero trust migration:

1: Move quickly

One of the great things about Zscaler is that you can achieve real velocity. With the other solution, when something stopped working, it would take a month or more before we could even identify the issue. We would work on it for a while, and then it would break again. 

We never had that problem with Zscaler. If anything went wrong, we could see immediately where the roadblocks were. Because of this, we were able to deploy Zscaler enterprise-wide very quickly. 

We gradually phased in our Zscaler deployment, first to groups of 500 people and then, one day later, to groups of 1,000 people. To stay on track, I recommend meeting with your team every day to talk about the problems that come up and develop a plan on how to resolve them. 

2: Start with simple policies

My second piece of advice is this: Don’t break your user experience by locking everything down. You need to consider both cyber risk and user productivity. You may be tempted to enforce an isolation for all websites, but that completely throttles users from getting their jobs done. The end result of overprotection is that sites load more slowly—and that makes for a poor user experience. Instead, start with pragmatic global policies, and then use Zscaler’s risk insights to fine-tune those policies.

For example, we started off with the default policy of making the internet read-only. That eliminated the risk of data loss without breaking the user experience, and it helped us speed up the rollout process. After setting the global default policies, we started tweaking things. For instance, we opened up LinkedIn so users could create posts. In time, you can adjust the default policies on an individual basis. When it comes to setting policies, Zscaler is granular and flexible.

3: Take advantage of the ZIA dashboard

With the ZIA dashboard, you’re getting a powerful data and analytics platform that will help you run your business. As a senior cyber professional, you’ll be amazed at what you can see in the dashboard from a risk perspective. It’s great to be able to see where we began with Zscaler compared to where we are now.

Looking at our company risk score on the insights report, we found that we’ve cut our risk by 50%. I’ve used other security products that are supposed to tell you what your organization’s risk is, but the actionable insights they give you are not that meaningful. Zscaler shows us insights that truly help us get a handle on risk. I don’t know how anyone can manage a financial services company without the insights from Zscaler.

For example, we have 16,000 people in our organization. We don’t have the time or the energy to go through 16,000 internet logs. Zscaler shows us specifically which 20 out of those 16,000 people have a high risk score, so our focus is on those 20 people—now that’s meaningful.

4: Establish a cross-functional team

I’d recommend establishing cross-functional teams from security, networking, IT, and others. If you keep them separate, teams will struggle to work together and the whole deployment will falter. To ensure the project succeeds, make sure your deployment team has all the disciplines under its belt and is guided by a single leader.

Also, don’t be afraid to lean on Zscaler for support. The account and support people I have met from Zscaler are incredibly helpful, and their feedback on incidents is truly impressive. It shows that Zscaler sets a high bar. And they are highly responsive, so consider them part of your temporary deployment team.

5: Deploy the most recent version

In my experience, the cadence and delivery of features and enhancements in Zscaler are consistently excellent. I’ve seen a lot of improvements in the product since I first used it. Our general policy is to always adopt the most recent versions.

Lastly, celebrate 

When you get zero trust right, it’s a big day in your company’s history. Granted, you’ll continue hardening your infrastructure for a long, long time, but the day you get that basic zero trust architecture in place, you’ll see a massive drop in risk. The Zscaler Zero Trust Exchange will change the risk posture of your organization forever. That’s something to celebrate. 

And, lest we forget, my projection for time-to-deployment was spot-on. In three months, zero trust was enabled. Plus, Zscaler even set up a local point of presence expressly for Capitec in Cape Town to facilitate faster connectivity. It doesn’t get any better than that!

Learn more about Capitec’s implementation of the Zscaler Zero Trust Exchange by reading the case study.