July 18, 2019
Zero Trust

Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust

Corey Williams, Vice President, Marketing, Idaptive

The switch to Zero Trust doesn’t happen overnight, so how do you bring every stakeholder to the table and get everyone on board?

No one likes change. As technology and security practitioners, we’re hardwired to expect everyone to embrace shiny, new technologies and services, and rush to give them a try as they’re rolled out. But ask anyone who’s led the introduction of a new IT initiative, and they can tell you otherwise.

It’s hard to get an IT team on the same page, let alone a company with thousands of employees. In cybersecurity, where you’re only as strong as your weakest link, it's paramount to have protection for and from every person across an organization. Look at it this way: it doesn’t matter that you lock your doors and windows if you leave even a single one open. Bad actors will always find the path of least resistance. 

In the face of these odds, Zero Trust is rapidly gaining popularity as a proven alternative to traditional security tactics, which can no longer effectively secure the perimeter to let the “good guys” in and keep the “bad guys” out. The Zero Trust motto is “never trust, always verify,” and this approach ensures that every person and device with access are who and what they say they are. 

However, the shift to Zero Trust doesn’t happen overnight. Technology is an important element, but the fact is you can’t go out and “buy” a Zero Trust anything. Much like freedom, happiness and New York City, Zero Trust is a state of mind – an idea around which a holistic organizational shift happens. In order for it to work, everyone needs to be looking through the same cybersecurity lens.

Bringing Everyone to the Table

When executives ask about the best cybersecurity solution, I always say: “Easy, just unplug everything from the Internet, power down all the computers, and destroy all the smartphones — then you’re secure.” Having the “best” security protocols doesn’t mean anything if the barriers you construct stop the bad guys dead in their tracks but also kill the productivity of the good guys.

For example, most organizations need to find a balance between the end-user experience and improving the security posture. In fact, on average, business users spend 11 hours per year entering and/or resetting passwords, which costs organizations an estimated average of $5.2 million annually in lost labor and productivity, according to Ponemon. That’s where Zero Trust comes in, improving access control without compromising business agility and convenience. 

But when it comes to any kind of organizational change, people are always at the heart. It doesn’t necessarily matter if a new login experience like single sign-on (SSO) is more secure and seamless; ultimately it’s still different for users. Employees who left on Friday doing it one way come back on Monday to find that everything has changed. If they weren’t anticipating that, they might even call the help desk.

That’s why it must always start with the people. It’s important to communicate the reasons for change, the benefits to the user, and the importance to the organization. You can’t get to Zero Trust without that education and culture element to get people on board.

Assess the Strength of Your Hand  

The fact is that a lot of the elements of Zero Trust are already implemented in some pockets of every organization. There might be key features like single sign-on (SSO) or multi-factor authentication (MFA) for certain apps or services, but for a holistic Zero Trust practice, those ideas must extend across the organization and touch everything you do. 

Zero Trust provides a strategic lens to evaluate where the organization stands on cybersecurity and the resources you’re trying to protect. Once everyone is looking through the same lens, you can determine the strength of your hand, and come up with your next move. 

This set of initiatives should be calculated and prioritized based on your greatest risks. For example, it might be most important for the organization to protect customer data, or maintain compliance around financial or healthcare records, or help employees gain access to critical services more quickly. 

Going All-In

Betting it all on Zero Trust doesn’t mean you should throw away your currently deployed technologies that keep the perimeter safe. Rather it’s a philosophical approach to improving your security posture over time. 

Zero Trust is a lot like building code. You can’t just drop in a new string of code if it causes the existing system to crash. For new code (IT initiatives) to be put in place successfully, you need to be sure it conforms to the (cybersecurity) standard already set. It must be tied into and governed by the same access system that everything else is. And you’re never really done making updates. 

That’s why it’s important to have broad evangelism and buy-in from across the organization. When they see Zero Trust in action as part of a proactive and strategic approach, instead of a random change that is viewed as disruptive, it makes it much easier to roll out both new user and customer experiences.

In our next blog, we’ll talk more about that road to becoming Zero Trust, and how to seamlessly unite old with the new when it comes to your cybersecurity technology stack. 

Corey Williams

Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from fewer than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 

CHAMELEON-LIKE SUPERPOWER

If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”