Overcoming blockades and potholes that threaten to derail organizational change is key to any IT or security transformation initiative. Many security and risk leaders have made it a priority to adopt Zero Trust access models so they can deliver better user experiences and strengthen security. Yet before they can even think about change management, they often face pushback from within their organization.
Earlier this year I had the privilege of chatting twice with Jess Burn, senior analyst at Forrester, on some common challenges CISOs face when planning their Zero Trust journeys. I found our talks enlightening and useful, and wanted to share the key insights with as many organizations as possible who are considering or actively going down this path. Some highlights from my interview with Jess Burn follows.
Q: When organizations embark on a Zero Trust implementation, what is the biggest difference observed between the benefits they expect to get versus what they actually experience after implementing Zero Trust?
I think a lot of organizations look at the benefits of Zero Trust from the perspective of improving overall security posture, which is a great goal but one where the goalpost moves constantly. But what we’ve heard from enterprises that embark on Zero Trust journeys is that there are a lot of small victories and surprise benefits to celebrate along the way. For example, Zero Trust can empower employees, enabling them to work from anywhere with any device as long as they authenticate properly on a compliant device.
Zero Trust can also empower employees by shifting responsibility for security away from users and instead letting them rely on technical controls to do their work. For example, employees can use a digital certificate and biometrics to establish identity instead of having to remember passwords.
Additionally, Zero Trust can help consolidate tech tools by acting as a catalyst for much-needed process changes. For example, a client of ours, as part of their Zero Trust model adoption journey, classified their critical business assets and identified the tools that aligned to the zero trust approach. From there, they were able to reduce the number of point solutions, many of which overlapped in functionality, from 58 to 11 in an 18-month timeframe. There are real cost savings there.
How are enterprises measuring success and justifying Zero Trust transformation?
We advise our clients that measuring the success of Zero Trust efforts and the impact of the transformation should be focused on the ability of their organization to move from network access to granular application-specific access, increase data security through obfuscation, limit the risks associated with excessive user privileges, and dramatically improve security detection and response with analytics and automation. We guide our clients to create outcome-focused metrics that are a good fit for the audiences with whom they are sharing them, whether strategic (board/executives), operational (counterparts in IT/the business), or tactical (security team). Additionally, we think about Zero Trust metrics in the context of three overarching goals:
Protecting customers’ data while preserving their trust. Customers who suffer identity theft or fraud will stop doing business with you if they believe you were negligent in protecting their data. They might also leave you if your post-breach communication is late, vague, or lacks empathy and specific advice. For strategic metrics, exposing changes in customer acquisition, retention, and enrichment rates before and after specific breaches will help you alert business leaders to customer trust issues that could hinder growth. When thinking about tactical metrics, looking at changes in customer adoption of two-factor authentication and the percentage of customer data that is encrypted will help you determine where your security team needs to focus its future efforts.
Recruiting and retaining happy, productive employees who appreciate security. Strategic-level goals should track changes in your organization’s ability to recruit new talent and changes in employee satisfaction, as retention rates indicate morale issues that will affect productivity and customer service. Angry, resentful, or disillusioned employees are more likely to steal data for financial profit or as retaliation for a perceived slight. At a tactical level, employee use of two-factor authentication, implementation of a privileged identity management solution, and strong processes for identity management and governance will help you identify priorities for your security team.
Guarding the organization’s IP and reducing the costs of security incidents. IP may include trade secrets, formulas, designs, and code that differentiate your organization’s products and services from those of competitors. An IP breach threatens your organization’s future revenue and potentially its viability. At a strategic level, executives need to understand if the organization is the target of corporate espionage or nation-state actors and how much IP these actors have already compromised. On the tactical end, the level to which the security team encrypted sensitive data across locations and hosting models tells security staff where they need to concentrate their efforts to discover, classify, and encrypt sensitive data and IP.
What is the biggest myth holding back companies from moving to a Zero Trust strategy?
I think there are several myths about moving to Zero Trust, but one of the most pervasive ones is that it costs too much and will require enterprises to rip and replace their systems and tools.
The first thing we say to Forrester clients who come to us with this objection from their peers in IT leadership or from senior executives is that you’re likely not starting from scratch. Look at Forrester’s pillars of Zero Trust — data, workloads, networks, devices, people, visibility and analytics, and automation and orchestration — and then line that up with what your organization already has in place or is in the process of implementing, such as two-factor and privileged access management under the people pillar, cloud security gateways under workload, endpoint security suites under devices, vulnerability management under networks, and data loss prevention (DLP) under data.
You probably have endpoint detection and response (EDR) or managed detection and response (MDR) for security analytics, and maybe you’ve started to automate some tasks in your security operations center (SOC). This should be very encouraging to you, your peers in IT operations, and executives from a cost perspective. Zero Trust doesn’t need to be a specific budget line item.
You may need to invest in new technology at some point, but you’re likely already doing that as tools become outdated. Where you’ll need some investment, we’ve found, is in process. There may be a fair amount of change management tied to the adoption of the zero trust model. And you should budget for that in people hours.
What is a common theme you observe across organizations that are able to do this well?
Executive buy-in, for sure, but also peer buy-in from stakeholders in IT and the business. A lot of the conversations and change management needed to move some Zero Trust initiatives forward — like moving to least privilege — are big ones. Anything that requires business buy-in and then subsequent effort is going to be time consuming and probably frustrating at times. But it’s a necessary effort, and it will increase understanding and collaboration between these groups with frequently competing priorities.
Our advice is to first identify who your Zero Trust stakeholders are and bust any Zero Trust myths to lay the groundwork for their participation.
Once you’ve identified your stakeholders and addressed their concerns, you need to persuade and influence. Ask questions and actively listen to your stakeholders without judgment. Articulate your strategy well, tell stakeholders what their role is, and let them know what you need from them to be successful. They may feel daunted by the shifts in strategy and architecture that Zero Trust demands. Build a pragmatic, realistic roadmap that clearly articulates how you will use existing security controls and will realize benefits.
What is a common theme you observe across organizations that struggle with a Zero Trust implementation?
Change is uncomfortable for most people. This discomfort produces detractors who continuously try to impede progress. Security leaders with too many detractors will see their Zero Trust adoption plans and roadmaps fizzle. Security leaders we speak to are often surprised by criticism from stakeholders in IT, and sometimes even on the security team, that portrays change as impossible.
If you’re in this situation, you’ll need to step back and spend more time influencing stakeholders and address their concerns. Not everyone is familiar with Zero Trust terminology. You can use Forrester’s The Definition of Modern Zero Trust or NIST’s Zero Trust architecture to create a common lexicon that everyone can understand.
This approach allows you to use the network effect as stakeholders become familiar with the model. Additionally, your stakeholders may feel daunted by the fundamental shifts in strategy and architecture that Zero Trust demands. Build a pragmatic, realistic roadmap that clearly articulates how you will use existing security controls and tools and realize benefits.
From there, develop a hearts-and-minds campaign focusing on the value of Zero Trust. Highlight good news using examples that your stakeholders will relate to, such as how Zero Trust can improve the employee experience — something that most people are interested in both personally and organizationally.
Lastly, don’t go it alone. Extend your reach by finding Zero Trust champions who act as extra members of the security team and as influencers across the organization. Create a Zero Trust champions program by identifying people who have interest in or enthusiasm for Zero Trust, creating a mandate for them, and motivating and developing your champions by giving them professional development and other opportunities.
If you missed the webinar, be sure to view it on-demand here. You can also download a copy of Forrester’s “A Practical Guide To A Zero Trust Implementation” here. This report guides security leaders through a roadmap for implementing Zero Trust using practical building blocks that take advantage of existing technology investments and are aligned to current maturity levels.
We also have more Zero Trust content available for you, including multiple sessions from our Google Cloud Security Talks on December 7, available on-demand.