Zero trust is about to get real.
According to Gartner, "by 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today."
Indeed, analysts and security practitioners alike appear to agree that zero trust is ready to evolve from a concept floating in the digital transformation ether to a practical framework with tangible outcomes. Still, executing a zero-trust strategy takes substantial investments of budget and planning.
This blog will outline some of the steps CISOs and their security teams can take to help ensure the success of a zero-trust initiative.
A successful zero-trust implementation will offer faster response times, greater staff efficiency, fewer incidents, and a hardened security posture with no additional burden to non-security staff.
Even non-technical business leaders are coming around to the idea that cybersecurity directly impacts the business’s most critical operations and that zero trust holds particular promise as a cybersecurity strategy. Now, they are ready to talk dollars and cents. CISOs need to answer the more pragmatic questions around a potential zero-trust initiative.
What is the scope of the project?
How long will it take to stand up a zero-trust framework?
How much will it cost?
How will its effectiveness be measured?
How much money will zero trust return to the business?
One key exercise is to lead a workshop where the Board and Executive leadership teams can quantify their risk tolerance in terms they will understand. In other words, what is an acceptable amount of money to lose due to a cybersecurity incident? If this financial reality is paired with reporting on probability, non-security leaders can better understand the impact of implementing (or not implementing) a zero-trust strategy.
The zero-trust model is maturing from the thinkable to the doable. That said, zero trust is still a mindset adjustment that requires a new way of approaching both cybersecurity and access management. Perhaps most important to recognize, zero trust is not a one-and-done project.
When scoping and approaching your zero-trust implementation, it helps to remember the old adage about how to eat an elephant (hint: one bite at a time). Elephants aside, you can make your project more manageable and see results more quickly by breaking your zero-trust adoption initiative into three distinct stages.
First, secure access for high-risk users. Some types of users pose a higher risk to organizational security than others. These high-risk users include third parties (such as vendors, partners or contractors), new employees onboarded following a merger or acquisition, and workers who need to access critical operational technology (OT) systems. These user groups are most likely to cause enormous damage to the business (whether done maliciously or through simple human error), and securing their access first rapidly brings the greatest benefit.
Next, secure access for remote users. Remote employees present a greater security vulnerability than equivalent employees who work in the office because the environment they are working from lies outside the control of the organization. Any lapse in their security hygiene therefore has a greater potential to lead to compromise.
Finally, secure hybrid and on-premises users. At this point, you have cleared the biggest hurdles in your zero-trust project. Now it’s time to secure everyone else. On-premises users generally receive more trust, but the wide lateral network access they enjoy makes them prime targets for threat actors, especially if they are over-permissioned.
Most bad actors seek the path of least resistance. Even if organizations only secure the first two groups, this will exponentially reduce their attack surface and encourage threat actors to move along in search of easier targets.
Adopting zero trust may not be easy, but it is significantly more manageable when divided into smaller projects, each with tangible results.
In addition to a lack of standardization around zero-trust metrics, security success is hard to quantify because success is the absence of disaster. In a context where the best-case scenario is that literally nothing happens, doing enough will always feel like doing too much.
There’s a bit of good faith and culture-building to be done here. To get support for a zero-trust initiative in the first place, the CISO must have developed relationships and trust with other business leaders. To do something completely new, the organization's culture must already have some degree of buy-in around security.
Though some industry-wide standards and best practices will come into focus over the next few years, organizations will always need to customize their performance evaluations to fit their unique operations and priorities.
Many organizations are looking to zero trust to secure their hybrid work infrastructures while also smoothing out the user experience around access. These access speed bumps are becoming more impactful to productivity, business agility, and revenue.
According to Zscaler's "State of Zero Trust Security Transformation, 2023" report:
52% of respondents said employees face inconsistent access experiences for on-premises and cloud-based applications and data.
46% said employees face productivity loss due to network access issues.
39% said employees are not able to access applications and data from personal devices.
A lot of this friction comes from access policies categorized by data. Many security vendors require a complex categorization of data. From there, they identify who has access to what and tailor controls accordingly.
Zero trust seeks to eliminate this friction by categorizing access by user. Part of the pre-work of implementing zero-trust access is determining exactly which resources are needed by particular user groups. This type of user-driven categorization greases the wheels for widespread adoption.
The caveat here is that zero-trust frameworks must be built on a deep, realistic understanding of users and their workflows. When zero-trust programs are designed without an understanding or consideration of user workflows and user needs, users will simply continue to employ bad practices like account sharing, weak passwords, and shadow IT.
And as noted above, securing the highest-risk users first allows security leaders to start small with zero trust and hone their approach as they expand to lower-risk groups.
Recent years have accelerated the evolution of remote and hybrid work and the associated cyber threats. Five years from now, some new threat or development will likely dominate the landscape and demand even more change.
But do not fear that zero-trust access will become yesterday’s solution. Remember, zero trust is a mindset update, and though its tactics may change or grow, the strategic aspect of the framework will allow organizations to rapidly adapt to whatever comes next.
At Cyolo, we believe in starting both smart and strong with your zero-trust initiative. Our zero-trust access platform provides you with the controls you need to securely enable your business. We can help you retrofit existing policies, systems, and processes rapidly to support modern authentication best practices, with no change management required. This allows you to make tangible progress right away, maximizing ROI and minimizing time-to-value on your project.
Cyolo offers the only zero-trust access solution that can secure everyone, everything, everywhere — no exceptions. Our platform can extend zero trust to the highest risk parts of your infrastructure, including legacy and offline systems, all while offering users a single-click experience that removes security as a barrier to productivity.
Wherever you are in your zero-trust journey, we can help. Schedule a time to tell us more about your project and see how we fit in your environment.
Author
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.