Following the recently launched AI security report from Zscaler, IoT Insider spoke to Sam Curry, Global VP and CISO-in-Residence to understand what lessons they had taken from its findings.
Zscaler specialises in zero trust, a security framework that operates under the assumption that every identity on a network and/or device needs to be verified. “We’re making sure that effectively people become less visible online and their companies and IT footprint becomes less accessible to cyber attackers,” explained Curry, “because that visibility and attack surface is proportional to risk.”
In the case of the IoT industry, many connected devices deployed on the field are legacy devices, and don’t receive many over-the-air updates, which makes them a prime target for cyber attacks, as evidenced by the infamous 2016 Mirai botnet incident which used IoT devices for DDoS attacks.
“There are a number of issues,” said Curry. “One is that with the companies making IoT devices and rolling them out, they’re not taking the time to build the tech stack and the operating system uniquely. So they take a generic one and take it off the shelf; it’s called commercial off the shelf (COTS). They take that and ship it out of the door.”
As a consequence, plenty of connected devices are being deployed into the field with features that may not be necessary. Taking the example of a connected coffee pot which may have a COTS stack, “Does it need to have a file server on it? Does it need to have the ability to do web connections?” said Curry. Other questions that are worth asking include looking at how regularly the connected coffee pot is updated; if it’s open source, how they update it; and how they fix it if there’s an issue.
“It doesn’t need to do some of these functions,” continued Curry. “Many of these services will exist out there for the lifecycle of that object.”
As a result, implementing zero trust into the coffee pot means ensuring it has an identity that will need to be authenticated, to avoid situations like the 2016 attack.
Key findings
The report Zscaler released took information from more than 536 billion AI transactions processed on its Zero Trust Exchange platform between February to December 2024. A key finding was that there has been a 3,000+% year-over-year growth in enterprises using AI/ML tools.
“If you’re a business, you have to be exploring how to use AI, because your competitors are and … data is the new oil. You must be finding out how to get the most business benefit for your core business.
“At the same time, you have to trust your AI partners.”
At the same time, enterprises blocked 59.9% of all AI/ML transactions, signifying a paradox where as much as enterprises are keen to use AI, others are refusing to use it.
“I was surprised at how much enterprises are blocking AI/ML,” said Curry. “Cybersecurity is this difference between authentication and authorisation: in classic cybersecurity, authentication is [to] prove you are who you say you are and then we let you do things, but authorisation is what should you be allowed to do?
“So there’s a yes, no approach, and then there’s a nuanced approach. I was surprised at how much it is being blocked.”
However, Curry noted that this parallel between adoption and outright blocking speaks to the significant nature of AI: “The number of applications that have AI/ML embedded in them … says it’s become a functional part built into everything.” The report noted that Zscaler had counted 800 apps with embedded AI/ML capabilities, the likes of which were ChatGPT, Microsoft Copilot, and others.
Other key findings from the report showed that ChatGPT dominated AI/ML transactions as it drove 45.2% of identified transactions on the platform as well as being the most blocked tool; Agentic AI and DeepSeek were increasing cyber risks; and the US and India were leading in AI adoption as they generated the greatest number of AI/ML transactions.
“I was also stunned at the amount of data,” noted Curry. “It was almost 3.6 petabytes, that was the number we noticed through our Cloud – a subset of the total Internet traffic, which means the actual total number is enormous – but that’s how much data was transferred by AI/ML applications.”
Takeaways
The messaging from Curry with regards to AI was to come up with “an interesting dimension, because everyone has time for the interesting parts.” One interesting part was the rise in Agentic AI, combined with an increase in compute, which would help facilitate huge strides in the technology.
“Make sure you have a governance policy and a committee that’s reviewing at least quarterly, [the] changes in technology,” said Curry. “The reason I say that is not to stop things, but to make sure you’re adopting it the right way.”
Outright blocking isn’t the right approach per se, but understanding how to adopt AI and developing a sufficient strategy will go a long way.
“But if you’re just holding it at the door, you’re going to be in a lot of trouble because AI has a material impact on business, and you can see it by the adoption rates in finance, insurance, and manufacturing, as [it] has a material impact on cost.”
Failing to adopt AI while your competitors do is a big mistake Curry warned. “Half the battle is not the things people expect, but in figuring out once you’ve said, ‘Okay we’re going to [adopt AI] now, how do we do it? Simply saying, ‘No, we’re going to keep business as usual, and we’re going to hold it back,’ is your competition doing that? And what do your customers expect?”
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.
