Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Dispelling the ‘Straight Line’ Myth of Zero Trust Transformation

Published 11/04/2024

Home
Industry Insights
Dispelling the ‘Straight Line’ Myth of Zero Trust Transformation

Originally published by CXO REvolutionaries.

Written by Guido Sacchi, Former Senior Executive Vice President and Chief Information Officer, Global Payments.


Throughout my career, I always reacted to ideas of “zero trust” the same way. It sounds great in principle, but how do we execute on it? How do we demonstrate value?

Pundits have been trying to define zero trust since the term was coined and even before, but how does one actually bring it about?

For many, the term itself is still nebulous. For others—usually the IT or security professionals in charge of implementing “it”—zero trust is synonymous with complexity.

Here’s where the practitioners have it right: “zero trust” as an approach is too broad to tackle through any single initiative. Even the best intentions of becoming a “zero trust” shop can be derailed by factors outside an IT department’s control. But that need not dissuade anyone from pursuing zero trust maturity as a worthy destination.

The elephant of zero trust is best eaten one bite at a time. My decades of experience in IT and business leadership have taught me that ambitious, transformative initiatives rarely follow a straight line. Instead, the prompt for a project differs from organization to organization and measures of its success are nuanced. Better to define success criteria and metrics to capture value along the way than betting the house on all-or-nothing “transformation.”

But if your organization is still looking for a reason to start, or an excuse to progress, here’s my advice.


1. Be on the lookout for transformational triggers

It can be difficult to convince a CEO, board, investment committee, or other leadership body to earmark millions of dollars for an IT or security project when things seem to be going well. Competing priorities and budgetary constraints usually win out over grand-scale, multi-year plans, especially without a strong sponsor on the business side.

That's why I advise transformational leaders to keep an eye out for triggers, or tactical on-ramps, which could kick off a more holistic initiative.

Often, this comes in the form of a cybersecurity incident or scare. The CrowdStrike disaster of a few months ago, for instance, likely forced many companies to reexamine how they push updates from third-party providers. Ransomware incidents can be expensive, embarrassing reminders of the need for ongoing cybersecurity improvement. Discovering a larger-than-expected attack surface can be a conversation starter for proactively addressing risk before it’s exploited.

But cyber scares are not the only potential onramps for a zero trust initiative. Mergers and acquisitions also make for great use cases. Cloud migrations are another. VPN replacements, inspired by either a poor user experience or newly discovered vulnerabilities, can also prompt a network transformation.

At one point in my career, I simply had a CEO who saw the value of implementing multi-factor identification company-wide. I was able to use that straightforward ask to broach the larger topic of identity authentication and authorization, key principles for any zero trust environment—and in the process to enroll the CEO as the main business sponsor, a huge added bonus.

They say never let a good crisis go to waste, so CXOs should be on the lookout for any triggers that might kick start the adoption of zero trust principles.


2. Establish executive champions

Any of the above can open the door for a broader conversation on eliminating tech debt and increasing security. But like any good salesperson, a CXO must sell the solution rather than the product to boards and senior leaders.

Rather than spending the 30 minutes I may have before a board committee explaining a grand vision for a zero trust future, I would rather focus on pragmatic technical deliverables that will reduce risk, eliminate friction between security protocols and users, or improve time-to-value following an acquisition.

As a CIO, I found that the support of my CISO lended enhanced credibility to the security benefits we would see from implementing certain technologies. Demonstrating the potential for cost savings from eliminating point products, reducing the need for equipment upgrades, or offloading management overhead by implementing a cloud-based security architecture goes a long way toward securing the support of the CFO.

Finally, the ability to demonstrate the potential to reduce risk by shrinking the attack surface—by, say, using AI to quantitatively illustrate your risk posture across the entire IT environment to the board’s risk committee—inspires confidence in the value of a cyber investment.

Any champion you are able to convince of the value of a move toward zero trust will have his or her own pull within the organization, increasing your chances of keeping the entire initiative on track.


3. Report on strategic ambitions, but also tactical wins

Your organization will not, one day, arrive at “zero trust.” I promise you. It's a spectrum of maturity that organizations are continuously trying to refine. But that’s a reality that doesn’t tend to sit too well with boards and senior executives.

In order to earn ongoing justification for the transformation journey, it's important to be able to articulate value captured along the way. Any organization that defines success as "implementing zero trust" is setting itself up for failure. Instead, map out discrete stages of the effort and benchmarks for qualifying success. For instance, as I mentioned, I was charged with implementing MFA across the entire technology estate. In addition to the straightforward security benefits, our team was able to involve the user community to minimize friction; this, in turn, made fast adoption much easier to accomplish.

While for me, as CIO, this was wrapped into a wider effort to secure access to company resources, I packaged it to executives as a sound step toward improving access management practices, one that reduced risk and the organization's compliance standing.

That’s how I demonstrated value and sold the zero trust transformation—without ever mentioning the term—at the same time to boards, fellow executives, and senior leadership.

C-LevelEnhancing cloud security strategyTransitioning to the cloudZero Trust

Share this content on your favorite social network today!

Future Cloud
Related Resources
Certificate of Competence in Zero Trust (CCZT)
The industry's first Zero Trust certificate program.
AI Organizational Responsibilities
A blueprint for enterprises to secure AI development and deployment.
AI Safety Initiative
Addressing present and future challenges of AI safety and security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Secure your cloud data with Zero Trust Training
Related Articles:
The Lost Art of Visibility, in the World of Clouds

Published: 11/20/2024

CSA Community Spotlight: Addressing Emerging Security Challenges with CISO Pete Chronis

Published: 11/18/2024

Group-Based Permissions and IGA Shortcomings in the Cloud

Published: 11/18/2024

9 Tips to Simplify and Improve Unstructured Data Security

Published: 11/18/2024