Dispelling the ‘Straight Line’ Myth of Zero Trust Transformation

Originally published by CXO REvolutionaries.

Written by Guido Sacchi, Former Senior Executive Vice President and Chief Information Officer, Global Payments.

Throughout my career, I always reacted to ideas of “zero trust” the same way. It sounds great in principle, but how do we execute on it? How do we demonstrate value?

Pundits have been trying to define zero trust since the term was coined and even before, but how does one actually bring it about?

For many, the term itself is still nebulous. For others—usually the IT or security professionals in charge of implementing “it”—zero trust is synonymous with complexity.

Here’s where the practitioners have it right: “zero trust” as an approach is too broad to tackle through any single initiative. Even the best intentions of becoming a “zero trust” shop can be derailed by factors outside an IT department’s control. But that need not dissuade anyone from pursuing zero trust maturity as a worthy destination.

The elephant of zero trust is best eaten one bite at a time. My decades of experience in IT and business leadership have taught me that ambitious, transformative initiatives rarely follow a straight line. Instead, the prompt for a project differs from organization to organization and measures of its success are nuanced. Better to define success criteria and metrics to capture value along the way than betting the house on all-or-nothing “transformation.”

But if your organization is still looking for a reason to start, or an excuse to progress, here’s my advice.

1. Be on the lookout for transformational triggers

It can be difficult to convince a CEO, board, investment committee, or other leadership body to earmark millions of dollars for an IT or security project when things seem to be going well. Competing priorities and budgetary constraints usually win out over grand-scale, multi-year plans, especially without a strong sponsor on the business side.

That's why I advise transformational leaders to keep an eye out for triggers, or tactical on-ramps, which could kick off a more holistic initiative.

Often, this comes in the form of a cybersecurity incident or scare. The CrowdStrike disaster of a few months ago, for instance, likely forced many companies to reexamine how they push updates from third-party providers. Ransomware incidents can be expensive, embarrassing reminders of the need for ongoing cybersecurity improvement. Discovering a larger-than-expected attack surface can be a conversation starter for proactively addressing risk before it’s exploited.

But cyber scares are not the only potential onramps for a zero trust initiative. Mergers and acquisitions also make for great use cases. Cloud migrations are another. VPN replacements, inspired by either a poor user experience or newly discovered vulnerabilities, can also prompt a network transformation.

At one point in my career, I simply had a CEO who saw the value of implementing multi-factor identification company-wide. I was able to use that straightforward ask to broach the larger topic of identity authentication and authorization, key principles for any zero trust environment—and in the process to enroll the CEO as the main business sponsor, a huge added bonus.

They say never let a good crisis go to waste, so CXOs should be on the lookout for any triggers that might kick start the adoption of zero trust principles.

2. Establish executive champions

Any of the above can open the door for a broader conversation on eliminating tech debt and increasing security. But like any good salesperson, a CXO must sell the solution rather than the product to boards and senior leaders.

Rather than spending the 30 minutes I may have before a board committee explaining a grand vision for a zero trust future, I would rather focus on pragmatic technical deliverables that will reduce risk, eliminate friction between security protocols and users, or improve time-to-value following an acquisition.

As a CIO, I found that the support of my CISO lended enhanced credibility to the security benefits we would see from implementing certain technologies. Demonstrating the potential for cost savings from eliminating point products, reducing the need for equipment upgrades, or offloading management overhead by implementing a cloud-based security architecture goes a long way toward securing the support of the CFO.

Finally, the ability to demonstrate the potential to reduce risk by shrinking the attack surface—by, say, using AI to quantitatively illustrate your risk posture across the entire IT environment to the board’s risk committee—inspires confidence in the value of a cyber investment.

Any champion you are able to convince of the value of a move toward zero trust will have his or her own pull within the organization, increasing your chances of keeping the entire initiative on track.

3. Report on strategic ambitions, but also tactical wins

Your organization will not, one day, arrive at “zero trust.” I promise you. It's a spectrum of maturity that organizations are continuously trying to refine. But that’s a reality that doesn’t tend to sit too well with boards and senior executives.

In order to earn ongoing justification for the transformation journey, it's important to be able to articulate value captured along the way. Any organization that defines success as "implementing zero trust" is setting itself up for failure. Instead, map out discrete stages of the effort and benchmarks for qualifying success. For instance, as I mentioned, I was charged with implementing MFA across the entire technology estate. In addition to the straightforward security benefits, our team was able to involve the user community to minimize friction; this, in turn, made fast adoption much easier to accomplish.

While for me, as CIO, this was wrapped into a wider effort to secure access to company resources, I packaged it to executives as a sound step toward improving access management practices, one that reduced risk and the organization's compliance standing.

That’s how I demonstrated value and sold the zero trust transformation—without ever mentioning the term—at the same time to boards, fellow executives, and senior leadership.