“Zero Trust is critical because it addresses the core weakness of traditional security,” says expert
The digital threat landscape is evolving at an unprecedented pace. From the rise of generative AI to the complexities of global compliance, organisations are grappling with challenges that require a fundamental shift in strategy. BW Security World sat down with Deepen Desai, the Chief Security Officer and Head of Security Research at Zscaler, to discuss his journey, the new face of cyber threats, and the architecture needed to defend against them.
You’ve spent over two decades in cybersecurity, from building anti-cheat software as a student to leading Zscaler’s ThreatLabz. What was the turning point that set you on this path, and how has that journey shaped your view of the threat landscape today?
It was during my student days when I was developing anti-cheat software that I saw the other side of the house for the first time—how malicious actors could leverage the same applications to achieve different, often financially motivated, outcomes. That experience was a lightbulb moment for me. I realised that cybersecurity is a field where there will never be a dull day. You don’t have to be an expert in just one language; you must constantly tackle new technologies and evolve alongside the threats. We are now in the age of generative AI, which has become the next big thing for both software development and the threat landscape. We have to gear ourselves up for a new era of sophisticated attacks.
With AI adding a new layer of complexity, how is the compliance landscape getting trickier for organisations?
I was at the World Economic Forum’s annual cybersecurity summit last year, and a major sore point for security leaders was the sheer number of different, disparate compliance initiatives from various countries and industries. This is actually causing CISOs to spend resources on things that don’t always directly reduce risk. It’s becoming more about satisfying a long list of controls—a kind of ‘checkbox compliance’—than about true security. There is an absolute need for harmonisation. Too many fragmented regulations simply exhaust the limited resources every organisation has.
As the head of Zscaler’s ThreatLabz, you’ve built a team of over 150 experts. How have you structured that team to tackle the modern threat landscape, especially with the rise of AI?
I’ve always believed a research team should be structured by attack stages, mirroring how threat actors operate. Just as bad actors have a supply chain model—from initial access brokers to ransomware groups—our team is organised to counter each step.
The first group focuses on phishing and initial delivery vectors, blocking the ways attackers try to enter an environment.
The second group focuses on vulnerability exploitation, discovering new flaws and tracking in-the-wild exploitation to ensure our platform protects customers. We’re also seeing how AI is being leveraged for this.
Our third group, Malware Labs, deals with the actual malware delivery. We have automated the reverse engineering of over 300 different malware families, which allows us to extract indicators of compromise and proactively defend against new threats, including those with AI-driven evasions.
The final group, our Command and Control group, focuses on the last stage of an attack—data exfiltration and communication with attacker infrastructure. They decode these protocols to block data leaks and disrupt the attacker’s operations.
AI is often called a ‘double-edged sword.’ How are adversaries leveraging it, and how can enterprises use it to defend themselves?
AI is absolutely a double-edged sword. But because of its immense potential for efficiency, especially in areas like security research, we must not shy away from using it. Having said that, there are three key considerations. First, enterprises must use AI securely to prevent their own intellectual property from being leaked. Second, they must be aware that AI can be leveraged by adversaries. We are already seeing sophisticated phishing and impersonation attacks, where criminals use AI to mimic the voices of executives. The third and most important point is that you will need to use AI to fight AI. Unlike a human adversary, AI can generate a lot of ‘unknown unknowns’ that a traditional playbook can’t anticipate. It can figure out a path to a victim’s most valuable data that a human would never have thought of. That’s where we must leverage AI on the defensive side to continuously verify every access request.
Why is Zero Trust critical in defending against these AI-driven threats, and how can enterprises adopt it effectively?
Zero Trust is critical because it addresses the core weakness of traditional security. The threat landscape is evolving so rapidly that adversaries can use generative AI to scale attacks and bypass traditional detection with greater speed and precision. Zero Trust solves this by continuously verifying every access request from a user or workload based on their identity, posture, and context. It enables inline inspection of encrypted traffic and real-time enforcement of Data Loss Prevention (DLP) policies, which is critical as GenAI blurs enterprise visibility. When adopting it, organisations should prioritise platforms that offer unified coverage across users, apps, and infrastructure. The goal is simple: never trust by default, verify every interaction, and assume breach. That is where a true Zero Trust architecture can significantly minimise the impact of a breach.
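As an added illustration (not from the interview and not Zscaler code), the following Python sketch shows a per-request policy decision built on the three signals named above, identity, device posture and context, with default deny and with network location deliberately ignored; all names, groups and thresholds are hypothetical.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed example of a Zero Trust policy decision point: every request
# is evaluated on identity, device posture and context, and anything that
# does not pass every check is denied. Names and thresholds are hypothetical.

@dataclass
class Request:
    user: str
    mfa_verified: bool       # identity: strong authentication completed
    device_managed: bool     # posture: endpoint is enrolled and managed
    disk_encrypted: bool     # posture: endpoint meets the security baseline
    on_corp_network: bool    # context: location (carries no trust here)
    app: str                 # application or workload being requested
    risk_score: int          # context: 0 (low) .. 100 (high) session risk

# Hypothetical entitlements: which groups may reach which application
APP_ACCESS = {
    "hr-portal": {"hr", "admins"},
    "source-repo": {"engineering", "admins"},
}
USER_GROUPS = {
    "alice": {"engineering"},
    "bob": {"hr"},
}
RISK_DENY_THRESHOLD = 70

def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny; all checks must pass."""
    if not req.mfa_verified:
        return False, "identity: MFA not verified"
    if not (req.device_managed and req.disk_encrypted):
        return False, "posture: device fails baseline"
    if req.risk_score >= RISK_DENY_THRESHOLD:
        return False, "context: session risk too high"
    entitled = USER_GROUPS.get(req.user, set()) & APP_ACCESS.get(req.app, set())
    if not entitled:
        return False, f"policy: {req.user} not entitled to {req.app}"
    # on_corp_network is never consulted: being inside the perimeter grants
    # nothing, which is the weakness of traditional security this removes.
    return True, "identity, posture and context verified"

if __name__ == "__main__":
    ok = Request("alice", True, True, True, False, "source-repo", 10)
    bad_posture = Request("alice", True, False, True, True, "source-repo", 10)
    for r in (ok, bad_posture):
        print(r.user, r.app, evaluate(r))
```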
India’s new DPDP Act is a major legislative step. How does it reshape enterprise data protection strategies, especially in the context of AI?
As AI becomes more deeply embedded in enterprise operations, the volume of personal data processed through prompts, models, and outputs is rapidly growing. The DPDP Act aligns India with global frameworks like GDPR, setting clear obligations for consent, breach reporting, and user rights. However, when combined with the scale and unpredictability of generative AI, the complexity increases significantly. Personal data is no longer just stored; it is now dynamically processed, making visibility and control more critical than ever. Enterprises must go beyond ‘checkbox compliance’ and use technology to meet these demands through inline inspection and policy-based controls. DPDP compliance isn’t just about mitigating risk; it’s about embedding trust into the AI infrastructure from the ground up.