What Any Executive Needs to Know About Zero Trust
Why should a company executive be interested in Zero Trust? Isn’t that supposed to be obvious? Apparently, it’s not; otherwise, we wouldn’t have nearly 1 billion successful ransomware attacks between January 2021 and June 2022.
Whether we like it or not, lately, Zero Trust is becoming synonymous with modern, good cybersecurity practices. Every executive interested in maintaining a level of cyber risk within the boundaries of the risk appetite and tolerance of their organization should be educating themselves on Zero Trust and investigating how it can address current and future cybersecurity, privacy, governance, and compliance challenges.
But let’s take a step back and get a quick overview of the cyber world we live in. Cloud has become the default IT solution for organizations, remote working is increasingly the preferred option for the workforce, highly distributed supply chains are the most common way to describe our economy, the new industrial (r)evolution (Industry 4.0, as we call it in Europe) is well underway, and then we’ve got AI, Blockchain, Web3, etc. This is all exciting and intriguing but challenging and, frankly, also scary. All these tectonic shifts generate extreme complexity and unknowns that we seem unequipped to manage due to a lack of skills, expertise, financial resources, and organizational models. The surge of cyber attacks, both in volume and financial impact, demonstrates the inadequacy of our current approach (or lack thereof).
Unpack complexity and STOP with one-off risk assessments
What is the connection between these trends, Zero Trust, and the duties of a company executive? The common thread is the word ‘complexity.’ When it comes to cybersecurity, complexity (alongside laziness and ignorance) is our worst enemy. Remember Dan Geer? Complexity is an enemy of security because it hides interdependencies and creates correlated risks that nobody knows about. Complex phenomena and organizations are a fact of life, and whoever is called upon to manage complicated situations cannot simply ignore them; they must face them. How? By unpacking complexity and reducing it into simpler components: divide et impera was the Romans' approach.
How does this relate to Zero Trust? Simple: Zero Trust changes the approach to resource protection. You should no longer think of your organization as a single monolith, but focus on smaller components, which are your critical processes and assets, and build your cyber protection around them. In other words, apply risk-based prioritization, or risk management 101.
Just that? No, not really. Let’s now touch on one of the most discomforting truths of our industry. Risk management is supposed to be, for cybersecurity professionals and organization executives, the equivalent of the alphabet and multiplication tables for primary school children. Foundational. Instead, many companies don’t even bother to assess risk properly, and even when they do, they fail to repeat the process with the necessary frequency. Zero Trust calls for the opposite of that; Zero Trust is about contextual risk. As an executive, you need to make sure that access to your crown jewels is granted based on context, and you need to factor in that environmental conditions might change suddenly and, likewise, the risk to your critical resources. In essence, apply continuous risk assessment. To do that, make sure the system you have built allows for continuous collection and analysis of relevant data points (logs and system telemetry, device health status, etc.).
Evidence-based decision making
I mentioned our industry’s idiosyncratic attitude towards proper risk management practices. There is another crucial battle that needs to be fought by executives who want to embrace Zero Trust. That is, facing the generalized incapability of organizations (and humans in general) to make evidence-based decisions, especially when it comes to trust. (For reference, you might want to read some behavioral economics books. I’d suggest Daniel Kahneman and Amos Tversky.) We tend to trust people based on feelings, and often, we forget to have a hard look at facts and data.
Similarly, we trust users (human and machine) based on their predefined role, based on their provenance (inside or outside the trusted boundaries of the organization), or based on previous analysis, rather than based on their specific attributes at the specific moment in time when the access request is made. In other words, decisions to give access to resources are based on assumptions. Executives need to understand that each one of these assumptions is a liability, and it is their duty to enforce a culture of healthy skepticism and least privilege when it comes to deciding who is supposed to access what, how, when, and for how long.
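To make the two previous points concrete (access decided on the attributes of the request rather than on role or network location, and continuous risk assessment fed by telemetry), here is a small added example in Python; it is not code from the original post or from any product. It is a toy policy decision point that contrasts a perimeter-based check with a contextual Zero Trust check and re-evaluates a session as telemetry changes; the protect surface, the request attributes and the risk scores are all constructed.

```python
from dataclasses import dataclass, replace

# Constructed protect surface: entitled roles, MFA requirement and tolerated risk per resource.
PROTECT_SURFACE = {
    "payroll-db": {"roles": {"hr", "finance"}, "mfa": True, "max_risk": 20},
    "wiki": {"roles": {"hr", "finance", "engineering"}, "mfa": False, "max_risk": 60},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    source_network: str   # "corporate" or "internet"
    device_healthy: bool  # latest endpoint health telemetry
    mfa_verified: bool
    risk_score: int       # 0-100, produced by the continuous risk assessment pipeline
    resource: str

def perimeter_decision(req):
    """Traditional model: being inside the network plus holding a role is enough."""
    policy = PROTECT_SURFACE.get(req.resource)
    return policy is not None and req.source_network == "corporate" and req.role in policy["roles"]

def zero_trust_decision(req):
    """Contextual model: every attribute is checked on every request; location grants nothing."""
    policy = PROTECT_SURFACE.get(req.resource)
    if policy is None:
        return False, "resource not in protect surface"
    if req.role not in policy["roles"]:
        return False, "role not entitled (least privilege)"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if not req.device_healthy:
        return False, "device health check failed"
    if req.risk_score > policy["max_risk"]:
        return False, f"risk {req.risk_score} exceeds tolerance {policy['max_risk']}"
    return True, "granted for this request only"

def reevaluate_session(req, telemetry_events):
    """Continuous risk assessment: re-run the decision each time telemetry changes."""
    decisions = [zero_trust_decision(req)[0]]
    for event in telemetry_events:
        req = replace(req, **event)  # e.g. EDR now reports the device unhealthy
        decisions.append(zero_trust_decision(req)[0])
    return decisions

# Constructed sample: an HR employee on the corporate network whose laptop later fails its health check.
HR_HEALTHY = AccessRequest("alice", "hr", "corporate", True, True, 10, "payroll-db")
HR_COMPROMISED = replace(HR_HEALTHY, device_healthy=False)
```

Note that the perimeter check keeps granting `HR_COMPROMISED` because nothing about its inputs has changed, while the contextual check denies it on the next request; conversely, the same healthy, MFA-verified user working from home is denied by the perimeter check and allowed by the contextual one.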
This is a cultural shift: educate yourself, your board, and your workforce
This brings me to the last key aspect of embracing a Zero Trust approach, which is the cultural shift that is likely to be required in your organization. This is a fundamental realization not just for the company executive and managers but also, most importantly, for the board.
The board needs to understand that this is not just another request for more funds, this is not about getting additional headcount, and this is not about buying any new shiny technologies (by now, I’d hope everyone has understood that Zero Trust is not a product). This is a shift towards a new organizational approach to cyber and requires a change in mindset, with all the consequences that entails.
When a mindset shift is required, two things are necessary: total commitment and support.
In the absence of that, perhaps you shouldn’t even bother to initiate your Zero Trust journey. You might need to wait until the board is ready, since this is not a tactical short-term adjustment of approach; this is a long-term strategic move.
How might you achieve commitment and support? Well, educate, educate, educate. Provide evidence of the potential of Zero Trust. Show them success stories from other organizations. Build what-if scenarios for them. An example? What are the threats they are worried about the most? Ransomware? Supply chain attacks? Show them how early adopters of Zero Trust mitigate their risk comparatively better than those embracing traditional perimeter-based security strategies.
While board support is crucial, there’s another necessary condition for your success; you must get the rest of the organization excited, educated, and committed to it. Your administrators, your HR, your security team, your developers, and your users will need to start doing things differently. They will need to change their current behaviors. I’ll not even try to justify the statement that people have a clear resistance to changes and departures from their comfort zone. That’s obvious. So once again, educate, educate, educate, and show them the benefits they will get by buying into the new Zero Trust approach.
Start your journey
The start of a Zero Trust journey requires some preparatory actions, pretty much the same as when you leave for a holiday. First, you need to have a very good understanding of what your organization looks like. You need to know what resources you must protect and their value, both in absolute terms and in the business context they are in. Do you have a catalogue of your resources? Do you know what your critical assets and processes are? Do you have an up-to-date asset and data classification system?
Also, you need to know who your users are, both human and non-human. Is your user identity directory up to date? Do you know what each of the users does? What are their need-to-know and need-to-access?
Answering those questions is pretty much the same as being at the pre-check-in screening interview before flying to Tel Aviv. Either you have satisfactory answers, or you won’t get on the plane.
Did you manage to get on board? Excellent. The fun can now begin. What’s next? Well, define the scope of your first Zero Trust project. Unless you have a close to infinite budget, you’d better start small and agile. There will be time to grow bigger; for now, start gaining experience and allow yourself to make some (inevitable) mistakes.
And then, in sequence, define the specific assets you want to include in the first iteration (identify your ‘protect surface’ as Kindervag likes to call it).
Done? Then, move to get an understanding of how the data is flowing across the organization. Do you have a map of the transaction flows?
Next is the selection of your target architecture and the definition of your policies. Remember! Those policies are not set in stone. They will change to reflect the change in context and the environment.
And then finally, monitor, adjust, improve, and reiterate for the next stage of the journey.
Have a safe trip.
Get started on your Zero Trust journey with CSA’s Zero Trust Training. Learn more about the curriculum here.