Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
The switch to Zero Trust doesn’t happen overnight, so how do you bring every stakeholder to the table and get everyone on board?
No one likes change. As technology and security practitioners, we’re hardwired to expect everyone to embrace shiny, new technologies and services, and rush to give them a try as they’re rolled out. But ask anyone who’s led the introduction of a new IT initiative, and they can tell you otherwise.
It’s hard to get an IT team on the same page, let alone a company with thousands of employees. In cybersecurity, where you’re only as strong as your weakest link, it's paramount to have protection for and from every person across an organization. Look at it this way: it doesn’t matter that you lock your doors and windows if you leave even a single one open. Bad actors will always find the path of least resistance.
In the face of these odds, Zero Trust is rapidly gaining popularity as a proven alternative to traditional security tactics, which can no longer effectively secure the perimeter to let the “good guys” in and keep the “bad guys” out. The Zero Trust motto is “never trust, always verify,” and this approach ensures that every person and device with access are who and what they say they are.
However, the shift to Zero Trust doesn’t happen overnight. Technology is an important element, but the fact is you can’t go out and “buy” a Zero Trust anything. Much like freedom, happiness and New York City, Zero Trust is a state of mind – an idea that holistic organizational shift happens around. In order for it to work, everyone needs to be looking through the same cybersecurity lens.
Bringing Everyone to the Table
When executives ask about the best cybersecurity solution, I always say: “Easy, just unplug everything from the Internet, power down all the computers, and destroy all the smartphones — then you’re secure.” Having the “best” security protocols doesn’t mean anything if the barriers you construct stop the bad guys dead in their tracks, but also kill productivity of the good guys.
For example, most organizations need to find a balance between the end-user experience and improving the security posture. In fact, on average, business users spend 11 hours per year entering and/or resetting passwords, which costs organizations an estimated average of $5.2 million annually in lost labor and productivity, according to Ponemon. That’s where Zero Trust comes in, improving access control without compromising business agility and convenience.
But when it comes to any kind of organizational change, people are always at the heart. It doesn’t necessarily matter if a new login experience like single sign-on (SSO) is a more secure and seamless experience, ultimately it’s still different for users. Employees who left on Friday doing it one way, came back Monday and everything was changed. If they weren’t anticipating that, they might even call the help desk.
That’s why it must always start with the people. It’s important to communicate the reasons for change, the benefits to the user, and the importance to the organization. You can’t get to Zero Trust without that education and culture element to get people on board.
Assess the Strength of Your Hand
The fact is that a lot of the elements of Zero Trust are already implemented in some pockets of every organization. There might be key features like single sign-on (SSO) or multi-factor authentication (MFA) for certain apps or services, but for a holistic Zero Trust practice, those ideas must extend across the organization and touch everything you do.
Zero Trust provides a strategic lens to evaluate where the organization stands on cybersecurity and the resources you’re trying to protect. Once everyone is looking through the same lens, you can determine the strength of your hand, and come up with your next move.
This set of initiatives should be calculated and prioritized based on your greatest risks. For example, it might be most important for the organization to protect customer data, or maintain compliance around financial or healthcare records, or help employees gain access to critical services more quickly.
Betting it all on Zero Trust doesn’t mean you should throw away your currently deployed technologies that keep the perimeter safe. Rather it’s a philosophical approach to improving your security posture over time.
Zero Trust is a lot like building code. You can’t just drop in a new string of code if it causes the existing system to crash. For new code (IT initiatives) to be put in place successfully, you need to be sure it conforms to the (cybersecurity) standard already set. It must be tied into and governed by the same access system that everything else is. And you’re never really done making updates.
That’s why it’s important to have broad evangelism and buy-in from across the organization. When they see Zero Trust in action as part of a proactive and strategic approach, instead of a random change that is viewed as disruptive, it makes it much easier to roll-out both new user and customer experiences.
In our next blog, we’ll talk more about that road to becoming Zero Trust, and how to seamlessly unite old with the new when it comes to your cybersecurity technology stack.