Zero Trust: Win Friends, Influence People, and Improve Your Organizational Maturity
Published 03/19/2024
Written by the CSA Zero Trust Working Group Co-Chairs: Jason Garbis, Jerry Chapman, and Christopher Steffen.
In our roles as co-chairs, we spend a lot of time and energy talking with enterprises and promoting the idea that Zero Trust needs to be more than just a security initiative – it has to deliver business value in addition to improving security. For security teams, proactively connecting with the Line of Business, working to understand their needs, and actively involving them in your Zero Trust initiative will make the difference between a significant positive impact and lukewarm success.
By deliberately performing this outreach and prioritizing and highlighting the value you’re delivering to the business, you’ll be able to gain supporters – ideally, enthusiastic supporters – for your Zero Trust initiative. This is important because Zero Trust initiatives will require changes, and change won’t be automatically embraced. Without obtaining buy-in and support from the Line of Business, you risk encountering resistance, including culturally or politically imposed obstacles.
That’s the “Win Friends and Influence People” part of the story – and if you’re interested in further information about this topic, you can access the CSA research publication Communicating the Business Value of Zero Trust and watch the CSA Zero Trust Summit 2023 panel discussion Understanding, Communicating, and Delivering Business Value.
For the remainder of this article, we want to introduce the idea that in addition to those benefits, Zero Trust can also improve organizational maturity.
Zero Trust policies are at the heart of Zero Trust, and they must be defined precisely, accurately, and thoroughly. After all, policies are the codification of the “who, what, when, why, where, and how” of access. The most effective Zero Trust policies are automated, meaning they respond to external systems or processes by adjusting access permissions without manual intervention. This automation leads to defined and repeatable processes and, therefore, produces outcomes that can be measured and turned into metrics.
Here are two simple examples:
- User access to a given application is based on Identity group membership - which in turn is based on a defined identity governance and lifecycle process
- Application-to-application access is based on workload metadata attributes, which are assigned during an automated workload deployment process – which in turn is defined “as code”
The fact that automated policies are built on the outcomes of defined processes will drive repeatability and improve maturity. Revisiting our first example, the enterprise will need to ensure that membership in that particular identity group is initially accurate and remains accurate over time across the entire identity lifecycle. Avoiding exceptions and ad hoc access strengthens the model and pays dividends in terms of operational repeatability and maturity.
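To make the two examples concrete, here is an added illustration (not code from the CSA article or its authors) of a minimal “policy as code” evaluator: user-to-application access is derived only from identity-group membership, which is itself driven by joiner/mover/leaver lifecycle events, and application-to-application access is derived only from metadata stamped on a workload at deployment time. The user names, group names, resource names and attribute keys are constructed for the example.

```python
# Added example (not from the CSA article): a tiny "policy as code" evaluator.
# Access is never granted per user or per workload by hand; it is derived
# from identity-group membership and from workload deployment metadata.
from dataclasses import dataclass, field

# Constructed mapping: a role assigned by the identity governance process
# determines the single group the user belongs to.
ROLE_GROUPS = {"finance-analyst": "finance-users", "engineer": "eng-users"}

@dataclass
class Directory:
    """Identity store whose group membership is set only by lifecycle events."""
    groups: dict = field(default_factory=dict)  # user -> set of group names

    def joiner(self, user: str, role: str) -> None:
        self.groups[user] = {ROLE_GROUPS[role]}

    def mover(self, user: str, role: str) -> None:
        # Moving to a new role replaces the old groups; nothing lingers.
        self.groups[user] = {ROLE_GROUPS[role]}

    def leaver(self, user: str) -> None:
        # Leaving the organization removes every group, so every access policy
        # that depends on group membership stops matching automatically.
        self.groups.pop(user, None)

# Policy as code (constructed): each rule names a resource and the condition
# a subject must satisfy. There is no rule that names an individual user.
POLICY = [
    {"resource": "erp-app", "subject": "user", "group": "finance-users"},
    {"resource": "payments-db", "subject": "workload",
     "attrs": {"env": "prod", "team": "payments"}},
]

def user_can_access(directory: Directory, user: str, resource: str) -> bool:
    """User-to-application access: allowed only via a group rule."""
    groups = directory.groups.get(user, set())
    return any(r["resource"] == resource and r["subject"] == "user"
               and r["group"] in groups for r in POLICY)

def workload_can_access(workload_attrs: dict, resource: str) -> bool:
    """Application-to-application access: allowed only when the metadata
    assigned at deploy time matches every attribute the rule requires."""
    return any(r["resource"] == resource and r["subject"] == "workload"
               and all(workload_attrs.get(k) == v for k, v in r["attrs"].items())
               for r in POLICY)
```

Because every decision flows from the directory and the deployment metadata, an audit can measure how often access changed because of a lifecycle event rather than an exception, which is exactly the repeatability the article describes.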
Thanks for listening. While Improving Operational Maturity may never become a Billboard #1 Hit song, it deserves some attention as a perhaps unexpected benefit of your Zero Trust initiative.