Cushman & Wakefield Blocks Millions of Threats & Accelerates M&A Integrations

Shifting from a legacy infrastructure to the cloud

When CISO Erik Hart joined Cushman & Wakefield about five years ago, his vision was to shift the company’s approach to security away from infrastructure, devices, and appliances to thinking about cloud-based security as a service (SECaaS).

A globally distributed company with hundreds of branch offices and a mostly mobile workforce, Cushman & Wakefield needed to improve SaaS application performance for users, simplify its network architecture, and accelerate M&A integrations. In 2019, the company adopted SD-WAN and the Zscaler Zero Trust Exchange as its compatible cloud-based security solution. Since then, Cushman & Wakefield has pushed ahead with its cloud-first goals even more aggressively, significantly minimizing reliance on the data center and SD-WAN.

“We’ve had a big shift in how we operate our business. Given that SaaS is 80% of what powers Cushman & Wakefield, we’re continuing to simplify our infrastructure and shrink the size of our data centers as we move to a cloud-first and partner-first model,” said CISO Erik Hart. “As a security practitioner, my goal is to work with a trusted security partner who can provide a streamlined, simple-to-manage service that has the ability to scale—and that’s exactly where the Zscaler Zero Trust Exchange fits into our strategy.

The zero trust journey begins with securing application access for mobile users

Because of the nature of Cushman & Wakefield’s business, many employees—property managers, building engineers, and other technicians—work out in the field. Even before the COVID-19 pandemic, only about 30% of users worked in a corporate office.

When Cushman & Wakefield rolled out SD-WAN to improve connectivity, Hart sought out a security solution that would provide the benefits of a next-generation firewall at a lower cost, with less maintenance, and with greater flexibility. He and his team selected Zscaler Internet Access (ZIA), part of the Zero Trust Exchange. Zscaler integrated seamlessly and enabled secure local internet breakouts without the expense and complexity of traditional on-premises firewall appliances.

Zscaler also provided identical protection for users using any device, wherever they connected to the internet or accessed Microsoft 365, Salesforce, Mimecast, Workday, or SaaS-based real estate applications. The combined solution also gave the team complete visibility over what was happening on the network and who was using which applications. Zscaler enabled the IT team to prioritize traffic to business-critical applications over traffic going to YouTube or social media.

Following the user with unified security policies and rapid SaaS access

Cushman & Wakefield was fully prepared for remote work when the time came. Hart recounted: “In 2020, when the pandemic hit, a C-level technology peer asked me, ‘So, what do we have to do to pivot with security?’ I answered, ‘Nothing. We’re all set. Zscaler is already on everyone’s computer.’" 

For Hart, the big advantage of Zscaler is that it follows the user. No matter where employees work—in the field, at home, or at the office—they have consistent protection and policy enforcement along with fast, direct access to the SaaS applications they need to do their jobs.

Hart and his team plan to continue modernizing branch office connectivity while strengthening security. They are beginning to set up new offices following a café model, where users can securely connect to corporate resources without the need for outdated point-to-point VPN or SD-WAN. To enable access to private applications, he intends to broaden his implementation of Zscaler Private Access.

Comprehensive protection covers all the bases

When it comes to cybersecurity, one of Hart’s primary areas of focus is protecting the company’s systems and sensitive data from ransomware and other advanced attacks, breaches, and insider threats motivated by malice or resulting from carelessness.

“The Zscaler Zero Trust Exchange plays a critical role in keeping threats at bay by minimizing the attack surface. Because a user is connected only to a single application and not to the network, lateral movement of a potential attacker is eliminated,” Hart pointed out.

To prevent compromise, Zscaler performs TLS/SSL traffic inspection before establishing connectivity to SaaS applications in order to identify malware and leaked data hidden in encrypted traffic. AI-powered cloud security services further enhance protection, preventing ransomware, phishing, zero-day malware, and advanced attacks based on threat intelligence gathered from 300 trillion daily signals by Zscaler ThreatLabz. 

Zscaler also protects mobile users and their devices from phishing and web-based attacks through configurable URL filtering rules and policies that control access to specified categories of websites and sites with high risk scores.

Integrations support a coordinated, extensible zero trust platform

The interoperability between Zscaler and other strategic solutions in Cushman & Wakefield’s technology ecosystem is fundamental to the company’s cloud-first and zero trust transformation. With its open API, Zscaler simplifies integration with these critical solutions, making consolidated infrastructure and defense-in-depth a reality.

In 2019, when the company decided to use SD-WAN, it deployed Zscaler to secure connections to the open internet and SaaS applications at its more than 400 branch offices. With the integration, branch offices manage cloud and internet traffic without backhauling it to the data center, resulting in faster connections and a better user experience. The integration also provides consistent protection for all users, regardless of location, and policy-based access company-wide, without the maintenance headaches and high costs of on-premises firewall appliances.

“To advance our goal of achieving cloud agility and simplicity, it made sense to go with Zscaler because it  integrates so seamlessly with SD-WAN,” said Hart. 

More recently, the Zscaler integration with CrowdStrike has enhanced endpoint protection by sharing real-time threat intelligence, data alerts, and device health information. The Zscaler-CrowdStrike integration continually assesses the security of devices in real time. Only devices that meet the designated Zero Trust Assessment (ZTA) score threshold can access sensitive applications. Shared threat intelligence and automated workflows help minimize the number of security incidents.

“The ZTA score, threat intelligence, and automated workflow provide our team with insight into the threat landscape to apply appropriate access policies, reduce the attack surface, prevent lateral movement, and deliver timely threat detection and response,” noted Hart

Tailoring security to meet clients’ data privacy and compliance requirements

As a global organization, Cushman & Wakefield works with clients of all types, all with varying data privacy requirements and security postures depending on their size and location. The agile, scalable Zscaler architecture enables his team to customize protection as needed. 

“Zscaler gives us the flexibility to address the security and compliance needs of clients in each of our locations without having to invest in additional security point products. We may need strong data loss prevention for our large financial sector clients and other capabilities for a single building that's owned by a real estate investor who wants to look after the needs of his or her tenants. Zscaler is perfect for us in that regard,” said Hart

Scalable security and streamlined infrastructure foster business agility

The positive impacts of Zscaler are readily apparent at Cushman & Wakefield. Not only can the platform scale to process upwards of 20 billion transactions every quarter; it also reduces business risk by monitoring traffic for data leaks and malware. In just three months, Zscaler detected and blocked 2.3 million encrypted threats. Furthermore, Zscaler elevates protection, stopping 513.2M policy violations and blocking 3.3 million threats in one quarter.

“With the Zscaler Zero Trust Exchange, we’re pleased to say that we’ve had no major security events that negatively affected our clients or users,” remarked Hart.

Looking at the big picture, Zscaler fully supports the Cushman & Wakefield business model, with its mainly SaaS-focused highly mobile workforce. For the most part, Zscaler has eliminated legacy solutions, such as VPN and firewalls, that the company relied on in the past. The net result is a more streamlined IT environment, a unified and improved user experience, a more robust security posture, and greater agility

How zero trust addresses the needs of a global company

Over the course of his career, Hart noted that one of the biggest digital transformation lessons he has learned is the importance of evolving the focus of security—away from infrastructure and toward supporting how, where, and when employees perform their jobs. That’s why zero trust is central to his philosophy of less security infrastructure and more attention to creating a seamless security experience for all users.

By moving core security to the cloud with Zscaler, Cushman & Wakefield can protect its users anywhere. With zero trust architecture, Hart and his team have not only gained visibility; they have reduced response time when protecting the organization and its assets from today’s sophisticated threats. Hart underscored that Zscaler has enabled Cushman & Wakefield to swiftly meet its security and technology goals without getting bogged down with “unhelpful legacy infrastructure that doesn't address immediate needs.”

“In a post-COVID world, we still have good reasons for prioritizing remote work enablement. As a CISO of a global company, with global responsibilities, it simply makes more sense for me to prioritize communicating with distant geos over commuting to an office most days,” he explained.

“The Zscaler Zero Trust Exchange lets us establish a centralized overview of where users are connecting from, which devices they are using, and the posture of those devices. And unlike our legacy security stack, it has helped us become more efficient by consolidating practices like monitoring and blocking.”

What’s next: better visibility into risk, continued integrations, simplifying M&As

As Hart plans for the future, he has three items on his priority list: continued security ecosystem consolidation, getting a better handle on Cushman & Wakefield’s security risk profile, and mapping out a strategy to simplify and accelerate the M&A process.

Streamlining Cushman & Wakefield’s security infrastructure is always top-of-mind for Hart. He is looking at building a coordinated security ecosystem through additional Zscaler integrations. This includes making the most of recent investments in additional CrowdStrike products such as Falcon LogScale, its next-generation SIEM and log management tool, and integrating with other existing solutions such as Mimecast, a cloud-based email security and management system used by all employees.

“An important action item for me is to look more deeply into how we can increase operational efficiencies by taking full advantage of Zscaler’s open API. We’re looking at ways to broaden threat intelligence sharing, enable better visibility, and engage automation to a greater degree,” said Hart.

To better understand Cushman & Wakefield’s security risk, Hart is evaluating Zscaler Risk360. This intuitive quantification and visualization framework generates a detailed risk posture profile based on real data ingested from an organization’s Zscaler environment and Zscaler ThreatLabz security research. Risk360 is a practical data-driven risk management tool that can help Cushman & Wakefield gain complete visibility to risk in all areas of its environment and drive continual cybersecurity improvement. 

Finally, M&As is another area where Hart expects to more fully utilize Zscaler. While M&A activity slowed down for Cushman & Wakefield during the pandemic, it is expected to ramp up soon. Zscaler will be instrumental in quickly integrating acquired companies as well as getting users up and running on business-critical applications in days rather than months.

“So many vendors make big promises, but Zscaler actually does what it says it can do. I see that Zscaler, as a vendor, has a well-defined technology roadmap that provides opportunities for future exploration and expansion,” summarized Hart