An IT Veteran’s Guiding Principles for Successfully Implementing Zero Trust
Published 09/09/2024
Originally published by CXO REvolutionaries.
Written by Guido Sacchi, Former Senior Executive Vice President and Chief Information Officer, Global Payments.
Over the course of my career as a consultant, executive, and advisor, I have spent a good deal of time reflecting on my personal imperatives for making IT initiatives successful.
What guiding principles, honed over multiple decades of experience, anchor my thoughts and actions as I approach a project? I can point to at least three key tenets for navigating periods of technological change, whether those be a migration to the cloud or an embrace of zero trust network architecture, both of which I oversaw as CIO of Global Payments, Inc.
So, if you are considering a transformative initiative of your own, here are some concepts that have helped me tackle tough challenges.
Balance acute needs with broad strategy
Zero trust is a broad concept encompassing principles including identity management, least privilege, user-to-resource connections, context-based access, and more. While it’s possible to explain its fundamental underpinnings to non-technical executives, it can be tough to sell to business leaders as a complete package.
As a result, zero trust transformations often begin in response to an event like a disappointing audit or, worse, a serious security incident. This is simply the reality. Like the old adage says, the best time to start was yesterday. The second-best time is today. If it’s easier to sell a new system of identity management or set of enforcement policies, let that be the trigger. Never let a crisis go to waste!
But, if you are starting your transformation in response to an event, it’s nevertheless important to ensure there is a broader strategy underpinning it. Use the immediate need as a catalyst to formulate an overarching plan for getting the organization from where it is today (in need of solving some immediate issue) to where it’s ultimately headed (to becoming a mature organization guided by zero trust principles that enable its workforce and make it more resilient against cyber attacks).
That said, it’s important to note that there will be no day when you and your staff say, “This is it. We have arrived at zero trust.” There are milestones along the way, to be sure, like eliminating all corporate data centers, but zero trust is an ongoing process rather than a journey with a fixed destination.
Put people first
Security is ultimately about people and, more specifically, the user experience. So be guided by the principle of maximum security with minimum friction. Every intended outcome of the zero trust transformation should take the end user into account, whether that user is a SOC analyst, a finance manager, an HR lead, or, most importantly, a customer.
MFA is a good example. It’s understandably an accepted best practice in many industries like financial services, but how is it best implemented? What are the UX and security tradeoffs between secondary authentication over the phone or with biometric data? What is the feasibility of implementing each?
With each new security implementation, it’s critical to consider how the user will be impacted. With zero trust, transformation leaders are already taking an important step in addressing one of enterprise users’ most common complaints: slow connection speeds and performance bottlenecks arising from the use of VPN solutions.
According to Zscaler’s most recent VPN Risk Report, more than half of respondents reported experiencing slow connection speeds, dropped connections, or inconsistent experiences across devices. Since 91% of respondents expressed concerns about VPNs compromising their IT security environment, this is a positive example of security and UX being enhanced in tandem.
It all comes down to execution
Ultimately, the success or failure of your transformation initiative hinges on execution. Blue-sky strategies don’t manifest themselves on their own. It comes down to management, contributors, and evaluators working together to bring your desired future state into reality. Each employee must adopt the mindset of seeing their responsibilities through the lens of zero trust.
Crucially, the “execution” phase begins long before the first IT-specific steps are taken, or even agreed upon. That’s because articulating the benefits of zero trust security in terms of effectiveness and cost savings to senior business leaders is itself a step in executing on the plans you’ve envisioned as a CXO. So it is critical to make sure that the entire company is behind your zero trust transformation, from the executives holding the purse strings to the practitioners with hands on keyboards.
Of course, it’s one thing to understand zero trust principles; it’s another thing to implement them. This is why it’s critical for transformational leaders to be able to convey not just how zero trust satisfies an acute need (to go back to my second point) but also how it ties into the organization’s broader strategy. Importantly, setting specific milestones that are tied to business value will greatly help the success of the overall program: for example, securing application access with an improved user experience, one of the key practical benefits of zero trust.
Remember, all of the IT capacity in the world is for naught if it doesn’t help the company achieve its objectives. For that, you need a well-considered strategy, people-first focus, and a relentless commitment to executing on your goals.