Zero Trust is a Journey. Not a Single Project.

Originally published by CXO REvolutionaries.

Written by Larry Biagini, Chief Technology Evangelist, Zscaler.

A successful digital transformation cannot be achieved while using antiquated networking concepts, tiptoeing toward change, and avoiding risk. Thinking about enterprise security in terms of hub-and-spoke architecture and VPNs is taking a long journey down a dead-end path. There is only one network, the internet, and it is beyond the control of any business organization. In fact, maintaining secure access to cloud services via the internet is key to many organizations’ survival. Legacy networks and the technologies that support them are simply incapable of providing the level of secure cloud access modern businesses need.

Consider the stark differences between yesterday’s enterprise control framework and one facilitating secure cloud/mobile transactions today:

The differences between these two models should be evident to IT professionals, yet explaining them to other executives and the board can be tricky. Unfortunately, many security leaders are overly technical when having conversations on why their organization must digitally transform. They rely on doom-and-gloom scenarios and hypothetical attack costs to persuade their audience. Instead, IT leaders should ensure their message focuses on adding business value and highlights the immediate benefits of doing things a new way.

Here are some key ways IT leaders can reframe conversations on digital transformation to achieve better results:

Successful CIOs, CTOs, and CISOs of tomorrow will approach technology problems much differently than those who currently think in terms of traditional networks.

Specifically, forward-looking CIOs/CTOs will:

• Focus on growth and move fast – speed is the new currency
• Move from being an IT shop to acting as a digital enabler
• Be honest with the board about technology debt
• Address the legacy environment head-on
• Embrace the cloud, but thoughtfully, for relevant applications
• Realize the internet is the new corporate network
• Transform traditional hub-and-spoke networks to a direct-to-cloud architecture

Likewise, successful CISOs will:

• Stop talking to the board in terms of security, but instead focus on risk
• Create a risk assessment and risk appetite that provides the business a means to make decisions
• Separate critical resources from the consumers of those assets (don’t put users and servers on the same network)
• Get identity right – invest in identity and access management
• Realize securing the traditional network as if it was a hard shell is no longer effective and focus on providing trusted users access to authorized applications, irrespective of the origin and destination networks.

Business and technology are not slowing down. Today’s executives face a simple choice: climb aboard the train to a cloud-based, zero trust world or be crushed by it. Technology leaders should be thinking, speaking, and acting in terms of business risk, not security. No combination of products can address the fundamental vulnerabilities endemic to the traditional network. Adding more security layers on top of an insecure foundation is pointless–those scrambling to protect everything wind up protecting nothing.

It is time to retire the network in favor of app-based and user-based connectivity. To accomplish this, an organization must know the identity of people, devices, machines, and APIs. Once an organization can securely connect a trusted user to an authorized resource, the network layer (and all of its vulnerabilities) becomes largely irrelevant.